Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Enabling FIPS Mode


As Crypto Officer, you must establish a root password conforming to the FIPS password requirements in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode. When you enable FIPS mode in Junos OS on the router or switch, you cannot configure passwords unless they meet this standard.

Local passwords are encrypted with the secure hash algorithm SHA256 or SHA512. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.

To enable FIPS mode in Junos OS on the device:

  1. Zeroize the device to delete all CSPs before entering FIPS mode. Refer to Understanding Zeroization to Clear System Data for FIPS Mode section for details.
  2. After the device comes up in ’Amnesiac mode’, login through console using username root and password "" (blank).
  3. Configure root authentication with at least 10 characters and three different characters set.
  4. Load configuration onto device and commit new configuration. Configure Crypto Officer and login using Crypto Officer credentials.
  5. Install fips-mode package needed for Routing Engine KATS.
  6. Install jpfe-fips package needed for MS-MPC line card KATS. (This is only for MX router having MS-MPC line card).
  7. For MX Series devices with MS-MPC line card,
    • Configure chassis boundary fips by setting set system fips chassis level 1 and commit.

    For EX and MX devices without MS-MPC line card,

    • Configure fips by setting set systems fips level 1 and commit

    Device might display the Encrypted-password must be re-configured to use FIPS compliant hash warning to delete older CSP in loaded configuration.

  8. After deleting and reconfiguring CSPs, commit will go through and device needs reboot to enter FIPS mode.
  9. After rebooting the device, FIPS self-tests will run and device enters FIPS mode.

Related Documentation