Datadog FIPS Agent

Docs > Agent > Agent Guides > Datadog FIPS Agent

Try the Preview!

The FIPS Agent is in Preview.

The FIPS Agent is a flavor of the Datadog Agent that natively supports Federal Information Processing Standards (FIPS) compliance. The FIPS Agent replaces the FIPS proxy and includes limited support for integrations that need to collect observability data that is external to the host.

The Datadog FIPS Agent is in Preview and has not been fully audited. Install and test the Agent only on hosts that are not critical to production workloads. For production workloads, see Datadog FIPS Compliance.

Requirements

Linux:

A non-containerized Linux host.
Your Linux OS must be in FIPS-compliant mode. See your OS vendor’s documentation on what steps are required to meet this requirement.
FIPS-compliant storage backing the host file system.

Windows:

A non-containerized Windows host.
Windows must be in FIPS-compliant mode.
FIPS-compliant storage backing the host file system.

In addition to the Operating System (OS) requirements above:

You must have access to a FIPS-compliant Datadog environment (US1-FED or GovCloud).
The FIPS Agent is only available on Agent versions 7.63 and above.

Installation

The Datadog FIPS Agent is in Preview and has not been fully audited. Install and test the Agent only on hosts that are not critical to production workloads.

Remove any fips-proxy installations on the host by uninstalling the datadog-fips-proxy package with your OS package manager. For example:
Red Hat
```
sudo yum remove datadog-fips-proxy
```
Ubuntu/Debian
```
sudo apt-get remove datadog-fips-proxy
```
Ensure that the Agent’s configuration file does not contain any FIPS proxy settings. FIPS proxy settings use the fips.* prefix.
Use the instructions for your OS to uninstall the Datadog Agent.
Install the Agent with FIPS support.
Note: FIPS support is only available on Agent versions 7.63.0 and above:
1. If you’re using the Agent install script, specify the DD_AGENT_FLAVOR="datadog-fips-agent" environment variable in your installation command. For example:
```
DD_SITE="ddog-gov.com" DD_API_KEY="MY_API_KEY" DD_AGENT_FLAVOR="datadog-fips-agent" … bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)"
```
2. If you’re installing with a package, follow the instructions to install the latest datadog-fips-agent package available for your platform.
3. Add GOFIPS=1 to your Datadog environment variables, reload all service units, and restart the Datadog Agent service (datadog-agent.service). For example, if your host is using systemd:
```
echo "GOFIPS=1" | sudo tee -a /etc/datadog-agent/environment
systemctl daemon-reload
systemctl restart 'datadog-agent*'
```
4. Run the datadog-agent status command and make sure you see FIPS Mode: enabled in the status output.

The Datadog FIPS Agent is in preview and has not been fully audited. Install and test the Agent only on hosts that are not critical to production workloads.

Follow the Windows instructions to uninstall the Datadog Agent.
Run the command below to install the FIPS Agent, replacing MY_API_KEY with your API key:
Note: FIPS support is only available on Agent versions 7.63.0 and above:
```
Start-Process -Wait msiexec -ArgumentList '/qn /i "https://s3.amazonaws.com/ddagent-windows-stable/beta/datadog-fips-agent-7.63.0-rc.7-fips-preview.msi" APIKEY="MY_API_KEY" SITE="ddog-gov.com"'
```
To install a different preview version of the FIPS Agent, search the list of stable Agent versions for datadog-fips-agent and replace the MSI in the command above with your desired version.
Run the Agent status command and make sure you see FIPS Mode: enabled in the status output.
```
& "$env:ProgramFiles\Datadog\Datadog Agent\bin\agent.exe" status
```