Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Understanding Zeroization to Clear System Data for FIPS Mode of Operation

Zeroization completely erases all configuration information on the device, including all plaintext passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec. To exit the FIPS mode you need to zeroize the device.

The cryptographic module provides a non-approved mode of operation in which non-approved cryptographic algorithms are supported. When moving from the non-approved mode of operation to the approved mode of operation, the security administrator must zeroize the non-approved mode critical security parameters (CSPs).

Zeroization can be time-consuming. Although all configurations are removed in a few seconds, the zeroization process goes on to overwrite all media, which can take considerable time depending on the size of the media.

Why Zeroize?

Your device is not considered a valid FIPS cryptographic module until all CSPs have been entered—or reentered—while the device is in FIPS mode of operation.

Best Practice:

For FIPS 140-2 compliance, we recommend that you zeroize the device to exit the FIPS mode.

When to Zeroize?

The cryptographic module provides a non-approved mode of operation in which non-approved cryptographic algorithms are supported. When transitioning between the non-approved mode of operation and the approved mode of operation, the Cryptographic Officer must zeroize the approved mode CSPs. This is achieved by removing the vSRX Virtual Firewall virtual machine from the datastore by following the below steps on VMWare vSphere:

  1. Power off the vSRX Virtual Firewall virtual machine.

  2. Ensure that another virtual machine is not sharing the disk. If two virtual machines are sharing the same disk, the disk files are not deleted.

  3. Right click the virtual machine and select All vCenter Actions > Delete from Disk.

  4. Click OK.

As a security administrator, perform zeroization in the following situations:

  • Before FIPS operation—To prepare your device for operation as a FIPS cryptographic module, perform zeroization to remove the non-approved mode critical security parameters (CSPs) and enable FIPS mode on the device.

  • Before non-FIPS operation—To begin repurposing your device for non-FIPS operation, perform zeroization before disabling FIPS mode of operation on the device or loading Junos OS packages that do not include FIPS mode of operation.

    Note:

    Juniper Networks does not support installing non-FIPS software in a FIPS mode of operation, but doing so might be necessary in certain test environments. Be sure to zeroize the system first.

Related Documentation