| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 1/5/2030 |
| Caveat | No assurance of the minimum strength of generated SSPs (e.g., keys); No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. |
| Vendor | Pure Storage, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CTR | A4396 |
| AES-ECB | A4396 |
| AES-KW | A4396 |
| Counter DRBG | A4396 |
| HMAC-SHA2-256 | A4396 |
| SHA2-256 | A4396 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Interfaces | 1 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Physical Security | N/A |
| Sensitive Security Parameter Management | 9 |
flowchart LR
%% Deterministic review-risk graph for Purity Encryption Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show status</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C3 --> I3 --> R3 --> E3
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C3,C6 clue;
class I3,I6 infer;
class R3,R6 risk;
class E3,E6 evidence;flowchart LR
%% Deterministic clue tier for Purity Encryption Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show status</i><br/>src: securityPolicy.services"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C3 clueHigh;
class C6 clueLow;Pure Storage, Inc. Purity Encryption Module FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Version: 1.0 October 2024 Pure Storage, Inc.
Mountain View, CA 94041 800-379-7873 Pure Storage Inc. Public Material
| # | Section | Page |
|---|---|---|
| 1 | General Information | 4 |
| 1.1 | Security Levels | 4 |
| 2 | Cryptographic Module Specification | 5 |
| 2.1 | Module Information | 5 |
| 2.2 | Mode of Operation | 5 |
| 2.3 | Operational Environments | 5 |
| 2.4 | Cryptographic Functionality | 7 |
| 2.5 | Cryptographic Module Boundary | 9 |
| 3 | Cryptographic Module Interfaces | 9 |
| 4 | Roles, Services, and Authentication | 10 |
| 4.1 | Roles | 10 |
| 4.2 | Services | 11 |
| 5 | Software/Firmware Security | 12 |
| 5.1 | Integrity Techniques | 12 |
| 5.2 | On-Demand Integrity Test | 12 |
| 6 | Operational Environment | 12 |
| 7 | Physical Security | 12 |
| 8 | Non-invasive Security | 13 |
| 9 | Sensitive Security Parameter Management | 14 |
| 9.1 | Keys and SSPs | 14 |
| 9.2 | DRBG and Entropy Sources | 15 |
| 10 | Self-tests | 15 |
| 10.1 | Pre-operational Self-Tests | 15 |
| 10.2 | Conditional Self-Tests | 16 |
| 11 | Life-cycle assurance | 17 |
| 11.1 | Delivery and Operation | 17 |
| 11.2 | Crypto Officer Guidance | 17 |
| 12 | Mitigation of other attacks | 18 |
| Item | Page |
|---|---|
| Table 1 - Security Levels | 4 |
| Table 2 - Tested Operational Environments | 5 |
| Table 3 - Vendor Affirmed Operational Environments | 7 |
| Table 4 - Approved Algorithms | 8 |
| Table 5 - Non-Approved Algorithms Allowed in Approved mode of operation | 8 |
| Table 6 - Interfaces | 10 |
| Table 7 - Roles, Service Commands, Input and Output | 10 |
| Table 8 - Approved Services | 12 |
| Table 9 - Keys and SSPs | 14 |
| Table 10 - Non-Deterministic Random Number Generation Specification | 15 |
| Name | ISO Section | Requirement | Level | 1 | General |
|---|---|---|---|---|---|
| 2 | 2 | Cryptographic Module Specification | 1 | ||
| 3 | 1 | 3 | Cryptographic Module Interfaces | ||
| 4 | 4 | Roles, Services, and Authentication | 1 | ||
| 5 | 1 | 5 | Software/Firmware Security | ||
| 6 | 6 | Operational Environment | 1 | ||
| 7 | N/A | 7 | Physical Security | ||
| 8 | 8 | Non-invasive Security | N/A | ||
| 9 | 9 | 1 | Sensitive Security Parameter | ||
| 10 | 10 | Self-tests | 1 | ||
| 11 | 1 | 11 | Life-cycle Assurance | ||
| 12 | 12 | Mitigation of Other Attack | N/A |
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # |
|---|---|---|---|---|---|
| 1 | Purity OS 6.4 | FlashArray X20R3 | Intel® Xeon® Silver 4210R | AES-NI | 1 |
| 2 | Purity OS 6.4 | FlashArray X20R3 | Intel® Xeon® Silver 4210R | None | 2 |
2. Cryptographic Module Specification Purity Encryption Module is a standalone cryptographic module for the Purity Operating Environment for FlashArray (Purity//FA). Purity//FA powers Pure Storage's FlashArray family of products which provide economical all-flash storage. Purity Encryption Module enables FlashArray to support always-on, inline encryption of data with an internal key management scheme that requires no user intervention. The cryptographic module is defined as a software module. The Module is intended for use by US Federal agencies and other markets that require FIPS 140-3 validated Data Storage. 2.1 Module Information The validated module name is “Purity Encryption Module”, and the current version is output by the module as “FA-1.5”. The identifier “FA” is used as a module identifier. 2.2 Mode of Operation The module supports a single Approved mode of operation. The Approved mode is enabled upon successful start-up of the module. There are no specific initialization steps required for start-up of the module beyond powering on the FlashArray product. The module does not support a non-approved mode of operation. 2.3 Operational Environments Table 2 lists the operational environments the module was tested on. # Table 2 - Tested Operational Environments Table 3 lists the operational environments that the vendor affirms can be used by the module. No claim is made as to the correct operation of the module or the security strengths of the generated keys when ported to an OE which is not listed on the validation certificate. Pure Storage Inc. Public Material
| Name | Hardware Platform | # | |
|---|---|---|---|
| 1. | FlashArray X20 R4 with Intel® Xeon® Silver 4410Y | 1. | Purity OS 6.4 |
| 2. | FlashArray X50 R4 with Intel® Xeon® Silver 4410Y | 2. | |
| 3. | FlashArray X70 R4 with Intel® Xeon® Gold 5416S | 3. | |
| 4. | FlashArray X90 R4 with Intel® Xeon® Gold 5418N | 4. | |
| 5. | FlashArray C20 R4 with Intel® Xeon® Silver 4410Y | 5. | |
| 6. | FlashArray C50 R4 with Intel® Xeon® Silver 4410Y | 6. | |
| 7. | FlashArray C70 R4 with Intel® Xeon® Gold 5416S | 7. | |
| 8. | FlashArray C90 R4 with Intel® Xeon® Gold 5418N | 8. | |
| 9. | FlashArray C10 R3 with Intel® Xeon® Silver 4208 | 9. | |
| 10. | FlashArray X50 R3 with Intel® Xeon® Silver 4214Y | 10. | |
| 11. | FlashArray X70 R3 with Intel® Xeon® Silver 6230 | 11. | |
| 12. | FlashArray X90 R3 with Intel® Xeon® Silver 6252 | 12. | |
| 13. | FlashArray C60 R3 with Intel® Xeon® Gold 6230 | 13. | |
| 14. | FlashArray C40 R3 with Intel® Xeon® Silver 4210R | 14. | |
| 15. | FlashArray XL130 with Intel® Xeon® Gold 6338 | 15. | |
| 16. | FlashArray XL170 with Intel® Xeon® Platinum 8368 | 16. | |
| 17. | FlashArray X20 R4 with Intel® Xeon® Silver 4410Y | 17. | Purity OS 6.5 |
| 18. | FlashArray X50 R4 with Intel® Xeon® Silver 4410Y | 18. | |
| 19. | FlashArray X70 R4 with Intel® Xeon® Gold 5416S | 19. | |
| 20. | FlashArray X90 R4 with Intel® Xeon® Gold 5418N | 20. | |
| 21. | FlashArray C20 R4 with Intel® Xeon® Silver 4410Y | 21. | |
| 22. | FlashArray C50 R4 with Intel® Xeon® Silver 4410Y | 22. | |
| 23. | FlashArray C70 R4 with Intel® Xeon® Gold 5416S | 23. | |
| 24. | FlashArray C90 R4 with Intel® Xeon® Gold 5418N | 24. | |
| 25. | FlashArray C10 R3 with Intel® Xeon® Silver 4208 | 25. | |
| 26. | FlashArray X20 R3 with Intel® Xeon® Silver 4210R | 26. | |
| 27. | FlashArray X50 R3 with Intel® Xeon® Silver 4214Y | 27. | |
| 28. | FlashArray X70 R3 with Intel® Xeon® Silver 6230 | 28. | |
| 29. | FlashArray X90 R3 with Intel® Xeon® Silver 6252 | 29. | |
| 30. | FlashArray C60 R3 with Intel® Xeon® Gold 6230 | 30. |
# 1. 2. 3. 4. 5. 6. 7. 8. 9. Pure Storage Inc. Public Material
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| AES [FIPS 197] [SP 800-38A] | A4396 | ECB, CTR | Key length: 128, 256 bits Key strength: 128, 256 bits | Symmetric Encryption and Decryption |
| 31. | FlashArray C40 R3 with Intel® Xeon® Silver 4210R | |
|---|---|---|
| 32. | FlashArray XL130 with Intel® Xeon® Gold 6338 | |
| 33. | FlashArray XL170 with Intel® Xeon® Platinum 8368 | |
| 34. | Purity OS 6.6 | FlashArray X20 R4 with Intel® Xeon® Silver 4410Y |
| 35. | FlashArray X50 R4 with Intel® Xeon® Silver 4410Y | |
| 36. | FlashArray X70 R4 with Intel® Xeon® Gold 5416S | |
| 37. | FlashArray X90 R4 with Intel® Xeon® Gold 5418N | |
| 38. | FlashArray C20 R4 with Intel® Xeon® Silver 4410Y | |
| 39. | FlashArray C50 R4 with Intel® Xeon® Silver 4410Y | |
| 40. | FlashArray C70 R4 with Intel® Xeon® Gold 5416S | |
| 41. | FlashArray C90 R4 with Intel® Xeon® Gold 5418N | |
| 42. | FlashArray C10 R3 with Intel® Xeon® Silver 4208 | |
| 43. | FlashArray X20 R3 with Intel® Xeon® Silver 4210R | |
| 44. | FlashArray X50 R3 with Intel® Xeon® Silver 4214Y | |
| 45. | FlashArray X70 R3 with Intel® Xeon® Silver 6230 | |
| 46. | FlashArray X90 R3 with Intel® Xeon® Silver 6252 | |
| 47. | FlashArray C60 R3 with Intel® Xeon® Gold 6230 | |
| 48. | FlashArray C40 R3 with Intel® Xeon® Silver 4210R | |
| 49. | FlashArray XL130 with Intel® Xeon® Gold 6338 | |
| 50. | FlashArray XL170 with Intel® Xeon® Platinum 8368 |
Table 3 - Vendor Affirmed Operational Environments 2.4 Cryptographic Functionality Table 4 below summarizes the approved algorithms supported by the module. Pure Storage Inc. Public Material
| Name | CAVP Cert | Key Size | Use Function | |
|---|---|---|---|---|
| AES [FIPS 197] [SP 800-38F] | A4396 | Key length: 128, 256 bits Key strength: 128, 256 bits | KW | Key Wrapping and Unwrapping |
| KTS (AES) [SP 800-38F] | A4396 | Key length: 128, 256 bits Key strength: 128, 256 bits | AES-KW | Key Wrapping and Unwrapping |
| CTR_DRBG [SP 800- 90Arev1] | A4396 | Key Strength: 256 bits | AES-256 Derivation Function Enabled Prediction Resistance: Yes | Random Number Generation |
| HMAC [FIPS 198-1] | A4396 | Key length: 512 bits Key strength: 512 bits | SHA-256 | Keyed Hash Verification |
| SHS [FIPS 180-4] | A4396 | N/A | SHA-256 | Message Digest |
| Caveat | Algorithm | Use / Function | ||
| CRC32 | CRC32 | No security claimed. | Used as an optional checksum on encrypted | |
| Does not affect the | Does not affect the | data when done during the AES CTR Decrypt | ||
| operation of the approved | operation of the approved | service. The operation is separate from the | ||
| algorithm implementation. | algorithm implementation. | execution of the AES CTR algorithms. |
[SP 80090Arev1] N/A Table 5 contains the non-approved algorithms allowed in the approved mode of operation Table 5 - Non-Approved Algorithms Allowed in Approved mode of operation with No Security Claimed There are no other non-approved algorithms allowed in the approved mode of operation. Pure Storage Inc. Public Material
2.5 Cryptographic Module Boundary The cryptographic boundary of the cryptographic module encompasses: - libcrypto.so - the dynamically linked library libcrypto.so - libcrypto.hash - the configuration file containing the module integrity code. The Tested Operational Environment’s Physical Perimeter (TOEPP) is defined as the physical General Purpose Computer (GPC) host platform on which the module is installed. A block diagram depicting the physical and cryptographic boundaries is shown in the figure below: 3. Cryptographic Module Interfaces As a software-only module, the module does not have physical ports. For the purpose of the FIPS 140-3 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs. The underlying logical interfaces of the module are the C++ language APIs. The module supports four logical interfaces: Data Input, Data Output, Control Input and Status Output. It does not support a Control Output interface. Table 6 defines the logical interfaces. Pure Storage Inc. Public Material
| Name | Physical Port | Logical Interface | Data That Passes | Data that passes over port/interface | ||
|---|---|---|---|---|---|---|
| N/A | N/A | Data Input | The data read from memory area(s) provided to the invoked | N/A | Data Input | |
| N/A | The data written to memory area(s) provided to the invoked | N/A | Data Output | |||
| N/A | The API function invoked, and API function parameters | N/A | Control Input | |||
| N/A | Control | N/A | N/A | N/A | ||
| N/A | Status | N/A | The return value of the invoked API function. |
| Name | Roles | Input | Output | ||||
|---|---|---|---|---|---|---|---|
| AES encrypt | Crypto | Key, IV, plaintext | Ciphertext | Crypto Officer | |||
| AES decrypt | Officer | Key, IV, Ciphertext | Plaintext | ||||
| AES key wrap | Wrapping key, plaintext | Wrapped key | AES key wrap | Wrapped key | |||
| AES key unwrap | Wrapping key, wrapped | AES key unwrap | Plaintext key | ||||
| Random Number | 64-bit random value | ||||||
| Set entropy | Function pointer | Function pointer | |||||
| Perform self-tests | Manual power cycle | Pass/fail | |||||
| Zeroisation | Manual power cycle | ||||||
| Show status | Return code | ||||||
| Show version | Name and version information |
N/A N/A N/A N/A N/A N/A Table 6 - Interfaces 4. Roles, Services, and Authentication 4.1 Roles The module supports the Crypto Officer role, which is assumed implicitly by the operator of the module (the calling application) for all module services. No authentication mechanisms are provided to assume the Crypto Officer role. The module does not support concurrent operators and does not authenticate the Crypto Officer role. Furthermore, it does not support a maintenance role and/or bypass capability. Table 7 below contains the services associated with available role. Table 7 - Roles, Service Commands, Input and Output Pure Storage Inc. Public Material
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator | |
|---|---|---|---|---|---|---|---|
| AES encrypt | Perform AES encryption | CO | AES key | AES-ECB, | W,E | Success/ | |
| AES-CTR | AES-CTR | Failure | |||||
| AES decrypt | Perform AES decryption | CO | AES key | AES-ECB, AES-CTR | W,E | Success/ Failure | |
| AES key wrap | Perform AES key wrap | CO | AES Key | AES-KW | W,E | Success/ Failure | |
| AES key unwrap | Perform AES key unwrap | CO | AES Key- Wrapping Key, AES Key | AES-KW | W,E | Success/ Failure | |
| Random | Call random number generator | CO | Entropy | CTR_DRBG | G,E,Z | Success/ Failure | |
| Set entropy source | Specifies callback function for entropy | CO | n/a | N/A | Success/ Failure | ||
| Perform self- | Power-cycling the host device. | CO | AES, | E | Success/ Failure | ||
| tests | AES-KW, | ||||||
| Zeroisation | Power off/ cycle the host device | CO | All | None | Z | None |
4.2 Services Table 8 below lists the services that can be used in the approved mode of operation with corresponding input and output. The abbreviations of the access rights to keys and SSPs have the following interpretation. G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. N/A= The service does not access any SSP during its operation W,E W,E W,E AES KeyWrapping W,E G,E,Z n/a W n/a R N/A n/a Perform selftests HMAC-SHA256 E Z Pure Storage Inc. Public Material
| Show status | Return code for each | None | N/A | CO | None | None |
|---|---|---|---|---|---|---|
| API call | ||||||
| Show version | Display the version of the module | N/A | None | CO | None | API invocatio n |
N/A N/A n Table 8 - Approved Services
8. Non-invasive Security The requirements of this area are not applicable to the module. This is not currently required by FIPS 140-3. Pure Storage Inc. Public Material
| Name | Strength | Security Function | Generation | Storage | Use | Import Export | Zero- isation |
|---|---|---|---|---|---|---|---|
| 128 and 256 bits | 128 and 256 bits | Imported or | On power down | ||||
| AES-ECB, | AES-ECB, | N/A: No | output | ||||
| AES Key | Encryptio | ||||||
| AES-CTR | AES-CTR | persistent | parameters | ||||
| [Cert A4396] | [Cert A4396] | storage. | (Manual | ||||
| AES Key- wrapping Key (CSP) | 128 and 256 bits | AES-KW [Cert A4396] | N/A: No persistent storage. | Key Transpor t | Imported or exported via API input or output parameters (Manual Distribution / Electronic Entry) | On power down | |
| DRBG | 256 bits | Gathered | On power down | ||||
| N/A: No | N/A: No | DRBG | |||||
| Entropy | DRBG | from | |||||
| persistent | entropy | ||||||
| DRBG | 256 bits | Generate | N/A: No | DRBG | On power down | ||
| seed | d | persistent | state | ||||
| DRBG ‘V’ | 256 bits | Generate | N/A: No | DRBG | On power down | ||
| value | d | persistent | state | ||||
| DRBG | 256 bits | On power down | |||||
| Generate | Generate | N/A: No | DRBG | ||||
| d | d | persistent | state | ||||
| value | [Cert A4396] | ||||||
| internally | internally | storage. | value | ||||
| Software | 512 bits | N/A | |||||
| HMAC | HMAC | ||||||
| the module | Self-test |
9. Sensitive Security Parameter Management 9.1 Keys and SSPs Table 9 summarises the key Sensitive Security Parameters (SSPs) that are used by cryptographic services implemented in the module: h Generation Establishment Zeroisation c n t d d d (NonSSP) Table 9 - Keys and SSPs Pure Storage Inc. Public Material
| Entropy Sources | Minimum number of | Details | ||
|---|---|---|---|---|
| bits of entropy | ||||
| Application specified entropy source | 256-bits | 256-bits | External entropy source set by the | |
| calling application via a callback | ||||
| function. Required to provide full | ||||
| entropy. |
9.2 DRBG and Entropy Sources The module employs a single DRBG instance for the purpose of supplying random numbers to the calling application via the module’s service random number generation service. This DRBG is used for this service only and is not used by the module for any other purpose. This module DRBG is CTR_DRBG with security strength of 256 bits. The module DRBG is seeded from the module’s entropy source, which is set by the calling application via a callback function as input to the applicable service API. The calling application and the supplied entropy source are external to the module boundary. It is a requirement of the FlashArray product that the entropy source configured for the module provides full entropy. As such, the 256-bits of data loaded from the entropy source to seed Table 10 - Non-Deterministic Random Number Generation Specification 10. Self-tests This section specifies the pre-operational self-tests and conditional self-tests performed by the module. They include the software integrity test and the cryptographic algorithm selftests. These tests ensure that the module is not corrupted and the algorithms function as expected. All self-tests are executed automatically when the module is loaded into memory before the module transitions to the operational state. The services of the module are not available prior to the completion of the self-tests. Successful completion of self-tests is indicated by a status message and passing control to the calling application. Failure of any self-test causes the module to enter the Error State, which is indicated by an error message. In this error state, the module is not operational, and no services are available. This is the only error state supported by the module. The module permits operators to initiate the self-tests on demand by power cycling the system.
The module performs the following pre-operational test: Software integrity test (using HMAC SHA256) Pure Storage Inc. Public Material
The module performs the following conditional Cryptographic Algorithm Self-Tests (CASTs) via Known Answer Tests (KAT): AES CTR Encrypt and Decrypt KATs (128, 256 bits) AES ECB Encrypt and Decrypt KATs (128, 256 bits) AES KW Wrap and Unwrap KATs (256 bits) CTR-DRBG KATs for Instantiate, Generate, Reseed SHA-256 KAT HMAC-SHA256 KAT (512 key bits) All CASTs are triggered by the module’s initial load sequence. Pure Storage Inc. Public Material
The module is built into Purity OS. There is no standalone delivery of the module as a software library. The vendor’s internal development process guarantees that the correct version of module is distributed with the intended device. The module does not have any specific maintenance requirements.
There is only one Approved mode of operation. Crypto Officer Role Guidance is provided by the API documentation provided by the module’s header files. Pure Storage Inc. Public Material
12. Mitigation of other attacks The module does not claim mitigation of other attacks. Pure Storage Inc. Public Material