From f5af2b740c2420cbcc46e47aa78733613eb68cd2 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Thu, 30 Oct 2025 12:33:20 +0200 Subject: [PATCH 1/2] PG-666 Create FIPS topic Moved from old pg_tde repo to new. --- documentation/docs/how-to/fips.md | 42 +++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 documentation/docs/how-to/fips.md diff --git a/documentation/docs/how-to/fips.md b/documentation/docs/how-to/fips.md new file mode 100644 index 000000000..2c9c31847 --- /dev/null +++ b/documentation/docs/how-to/fips.md 
@@ -0,0 +1,42 @@ +# FIPS mode and PostgreSQL + +# FIPS mode and PostgreSQL + +PostgreSQL can operate in environments where OpenSSL is configured in FIPS mode. This ensures compliance with the U.S. **Federal Information Processing Standard (FIPS) 140**. + +!!! note + While PostgreSQL itself is **not** a FIPS-certified cryptographic module, it uses OpenSSL for encryption, hashing, and SSL/TLS operations. Therefore, its behavior depends on the OpenSSL configuration. + +## OpenSSL and FIPS mode + +FIPS enforcement in PostgreSQL depends entirely on the OpenSSL library version and configuration. + +| OpenSSL version | FIPS support | Details | +|:----------------|:-------------|:---------| +| **1.0.2 (legacy)** | ✅ Supported via dedicated “FIPS module.” Used in older RHEL/Fedora releases. | +| **1.1.x (patched)** | ✅ Red Hat backported FIPS support for system-wide enforcement. | +| **3.0+ (modern)** | ✅ Introduces **provider modules** — `default`, `fips`, and `legacy`. The `fips` provider restricts operations to approved algorithms. NIST validation applies only to OpenSSL 3.0, not to later versions (3.1, 3.2). | + +### Enabling FIPS mode in OpenSSL + +You can activate FIPS mode in one of two ways: + +1. **System-wide mode** + Enable FIPS at boot time (for example, with RHEL’s `fips=1` kernel parameter). + All OpenSSL-based applications, including PostgreSQL, will then use the FIPS provider. + +2. **Application-level mode** + + Configure OpenSSL 3.x to load the `fips` provider explicitly. + + Example configuration: + + ```bash + openssl_conf = openssl_init + [openssl_init] + providers = provider_sect + [provider_sect] + fips = fips_sect + [fips_sect] + activate = 1 + ``` From 047af0779a8300d6b99314a6f13d31ae5bf04a75 Mon Sep 17 00:00:00 2001 From: Dragos Andriciuc Date: Mon, 10 Nov 2025 10:18:16 +0200 Subject: [PATCH 2/2] Update fips.md --- documentation/docs/how-to/fips.md | 47 +++++++------------------------ 1 file changed, 10 insertions(+), 37 deletions(-) 
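Review bot: In the application-level example at the end of this hunk, a hand-written `[fips_sect]` with only `activate = 1` will not load the FIPS provider, and activating `fips` alone leaves PostgreSQL unable to read its PEM key and certificate files. The `fips_sect` carrying the module checksum is generated by `openssl fipsinstall -out fipsmodule.cnf -module <path>/fips.so` and pulled in with `.include /path/to/fipsmodule.cnf`; the `base` provider must be activated next to `fips` so the file encoders/decoders are available (`base = base_sect` under `[provider_sect]`); and `default_properties = fips=yes` in an `alg_section` is what actually restricts algorithm selection to the FIPS provider. The fence should be tagged `ini` rather than `bash`, since the block is an OpenSSL config file, not a shell script. Smaller points in the same hunk: the H1 `# FIPS mode and PostgreSQL` is emitted twice; the table declares three columns but each row supplies only two cells, so "FIPS support" and "Details" merge into one; and "NIST validation applies only to OpenSSL 3.0, not to later versions (3.1, 3.2)" conflates the validated FIPS provider module with the library version and will go stale, so point readers to the OpenSSL/CMVP certificate listing for which provider versions are validated instead of fixing a version list in the doc.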
diff --git a/documentation/docs/how-to/fips.md b/documentation/docs/how-to/fips.md index 2c9c31847..91e45ceb8 100644 --- a/documentation/docs/how-to/fips.md +++ b/documentation/docs/how-to/fips.md 
@@ -1,42 +1,15 @@ -# FIPS mode and PostgreSQL +# Configure PostgreSQL with FIPS Mode (OpenSSL 3.x) -# FIPS mode and PostgreSQL +You can activate FIPS mode by inheriting the cryptographic behavior from OpenSSL, so if your OpenSSL is FIPS-validated and runs in FIPS mode, PostgreSQL automatically uses it. -PostgreSQL can operate in environments where OpenSSL is configured in FIPS mode. This ensures compliance with the U.S. **Federal Information Processing Standard (FIPS) 140**. +in one of two ways: -!!! note - While PostgreSQL itself is **not** a FIPS-certified cryptographic module, it uses OpenSSL for encryption, hashing, and SSL/TLS operations. Therefore, its behavior depends on the OpenSSL configuration. +## Install Prerequisites -## OpenSSL and FIPS mode +```bash +sudo apt install build-essential perl git wget +# or on RHEL / Rocky: +# sudo dnf groupinstall "Development Tools" +# sudo dnf install perl-core wget git +``` -FIPS enforcement in PostgreSQL depends entirely on the OpenSSL library version and configuration. - -| OpenSSL version | FIPS support | Details | -|:----------------|:-------------|:---------| -| **1.0.2 (legacy)** | ✅ Supported via dedicated “FIPS module.” Used in older RHEL/Fedora releases. | -| **1.1.x (patched)** | ✅ Red Hat backported FIPS support for system-wide enforcement. | -| **3.0+ (modern)** | ✅ Introduces **provider modules** — `default`, `fips`, and `legacy`. The `fips` provider restricts operations to approved algorithms. NIST validation applies only to OpenSSL 3.0, not to later versions (3.1, 3.2). | - -### Enabling FIPS mode in OpenSSL - -You can activate FIPS mode in one of two ways: - -1. **System-wide mode** - Enable FIPS at boot time (for example, with RHEL’s `fips=1` kernel parameter). - All OpenSSL-based applications, including PostgreSQL, will then use the FIPS provider. - -2. **Application-level mode** - - Configure OpenSSL 3.x to load the `fips` provider explicitly. 
- - Example configuration: - - ```bash - openssl_conf = openssl_init - [openssl_init] - providers = provider_sect - [provider_sect] - fips = fips_sect - [fips_sect] - activate = 1 - ```
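Review bot: This rewrite leaves a dangling fragment `in one of two ways:` after the intro paragraph with nothing following it, and the file now ends at `## Install Prerequisites` with only a package-install block, so despite the new title `Configure PostgreSQL with FIPS Mode (OpenSSL 3.x)` the page no longer shows how OpenSSL is put into FIPS mode or how PostgreSQL is built against it; either restore the system-wide / application-level configuration steps this hunk deletes or add the build-and-verify steps the prerequisites are being installed for. The intro's "PostgreSQL automatically uses it" needs a caveat: only the code paths that call OpenSSL (TLS, SCRAM/SHA hashing, pgcrypto) inherit FIPS behaviour, and `md5` password authentication and the SQL `md5()` function fail under a FIPS-mode OpenSSL because MD5 is not an approved algorithm, so readers should be told to use `scram-sha-256`. The deleted admonition that PostgreSQL itself is not a FIPS-validated module is also worth keeping, since that is the compliance boundary readers will be asked about.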