All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Purity Encryption Module

Certificate#4937StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorPure Storage, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 18 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date1/5/2030
CaveatNo assurance of the minimum strength of generated SSPs (e.g., keys); No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
VendorPure Storage, Inc.

Approved Algorithms (6)

AlgorithmACVP Cert
AES-CTRA4396
AES-ECBA4396
AES-KWA4396
Counter DRBGA4396
HMAC-SHA2-256A4396
SHA2-256A4396

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Interfaces1
Roles, Services, and Authentication4
Software/Firmware Security1
Operational Environment1
Physical SecurityN/A
Sensitive Security Parameter Management9

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Purity Encryption Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show status</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C6 clue;
  class I3,I6 infer;
  class R3,R6 risk;
  class E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Purity Encryption Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show status</i><br/>src: securityPolicy.services"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3 clueHigh;
  class C6 clueLow;

Security Policy, page by page

Page 1

Pure Storage, Inc. Purity Encryption Module FIPS 140-3 Cryptographic Module Non-Proprietary Security Policy Version: 1.0 October 2024 Pure Storage, Inc.

650 Castro Street, Suite #260

Mountain View, CA 94041 800-379-7873 Pure Storage Inc. Public Material

Page 2
Table of Contents
#SectionPage
1General Information4
1.1Security Levels4
2Cryptographic Module Specification5
2.1Module Information5
2.2Mode of Operation5
2.3Operational Environments5
2.4Cryptographic Functionality7
2.5Cryptographic Module Boundary9
3Cryptographic Module Interfaces9
4Roles, Services, and Authentication10
4.1Roles10
4.2Services11
5Software/Firmware Security12
5.1Integrity Techniques12
5.2On-Demand Integrity Test12
6Operational Environment12
7Physical Security12
8Non-invasive Security13
9Sensitive Security Parameter Management14
9.1Keys and SSPs14
9.2DRBG and Entropy Sources15
10Self-tests15
10.1Pre-operational Self-Tests15
10.2Conditional Self-Tests16
11Life-cycle assurance17
11.1Delivery and Operation17
11.2Crypto Officer Guidance17
12Mitigation of other attacks18
Page 3
List of Tables
ItemPage
Table 1 - Security Levels4
Table 2 - Tested Operational Environments5
Table 3 - Vendor Affirmed Operational Environments7
Table 4 - Approved Algorithms8
Table 5 - Non-Approved Algorithms Allowed in Approved mode of operation8
Table 6 - Interfaces10
Table 7 - Roles, Service Commands, Input and Output10
Table 8 - Approved Services12
Table 9 - Keys and SSPs14
Table 10 - Non-Deterministic Random Number Generation Specification15
Page 4
Security level
NameISO SectionRequirementLevel1General
22Cryptographic Module Specification1
313Cryptographic Module Interfaces
44Roles, Services, and Authentication1
515Software/Firmware Security
66Operational Environment1
7N/A7Physical Security
88Non-invasive SecurityN/A
991Sensitive Security Parameter
1010Self-tests1
11111Life-cycle Assurance
1212Mitigation of Other AttackN/A
  1. General Information This document defines the Security Policy for the Purity Encryption Module, hereafter denoted the Module. The Module is a multi-chip standalone software module (within the FlashArray product) and is run on a General Purpose Computer (GPC) with a modifiable 1.1 Security Levels The Overall Security rating of the module is Level
  2. Table 1 contains the security levels for all areas. N/A N/A N/A Table 1 - Security Levels Pure Storage Inc. Public Material – May be reproduced only in its original entirety (without revision).
Page 5
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1Purity OS 6.4FlashArray X20R3Intel® Xeon® Silver 4210RAES-NI1
2Purity OS 6.4FlashArray X20R3Intel® Xeon® Silver 4210RNone2

2. Cryptographic Module Specification Purity Encryption Module is a standalone cryptographic module for the Purity Operating Environment for FlashArray (Purity//FA). Purity//FA powers Pure Storage's FlashArray family of products which provide economical all-flash storage. Purity Encryption Module enables FlashArray to support always-on, inline encryption of data with an internal key management scheme that requires no user intervention. The cryptographic module is defined as a software module. The Module is intended for use by US Federal agencies and other markets that require FIPS 140-3 validated Data Storage. 2.1 Module Information The validated module name is “Purity Encryption Module”, and the current version is output by the module as “FA-1.5”. The identifier “FA” is used as a module identifier. 2.2 Mode of Operation The module supports a single Approved mode of operation. The Approved mode is enabled upon successful start-up of the module. There are no specific initialization steps required for start-up of the module beyond powering on the FlashArray product. The module does not support a non-approved mode of operation. 2.3 Operational Environments Table 2 lists the operational environments the module was tested on. # Table 2 - Tested Operational Environments Table 3 lists the operational environments that the vendor affirms can be used by the module. No claim is made as to the correct operation of the module or the security strengths of the generated keys when ported to an OE which is not listed on the validation certificate. Pure Storage Inc. Public Material

Page 6
Module configuration
NameHardware Platform#
1.FlashArray X20 R4 with Intel® Xeon® Silver 4410Y1.Purity OS 6.4
2.FlashArray X50 R4 with Intel® Xeon® Silver 4410Y2.
3.FlashArray X70 R4 with Intel® Xeon® Gold 5416S3.
4.FlashArray X90 R4 with Intel® Xeon® Gold 5418N4.
5.FlashArray C20 R4 with Intel® Xeon® Silver 4410Y5.
6.FlashArray C50 R4 with Intel® Xeon® Silver 4410Y6.
7.FlashArray C70 R4 with Intel® Xeon® Gold 5416S7.
8.FlashArray C90 R4 with Intel® Xeon® Gold 5418N8.
9.FlashArray C10 R3 with Intel® Xeon® Silver 42089.
10.FlashArray X50 R3 with Intel® Xeon® Silver 4214Y10.
11.FlashArray X70 R3 with Intel® Xeon® Silver 623011.
12.FlashArray X90 R3 with Intel® Xeon® Silver 625212.
13.FlashArray C60 R3 with Intel® Xeon® Gold 623013.
14.FlashArray C40 R3 with Intel® Xeon® Silver 4210R14.
15.FlashArray XL130 with Intel® Xeon® Gold 633815.
16.FlashArray XL170 with Intel® Xeon® Platinum 836816.
17.FlashArray X20 R4 with Intel® Xeon® Silver 4410Y17.Purity OS 6.5
18.FlashArray X50 R4 with Intel® Xeon® Silver 4410Y18.
19.FlashArray X70 R4 with Intel® Xeon® Gold 5416S19.
20.FlashArray X90 R4 with Intel® Xeon® Gold 5418N20.
21.FlashArray C20 R4 with Intel® Xeon® Silver 4410Y21.
22.FlashArray C50 R4 with Intel® Xeon® Silver 4410Y22.
23.FlashArray C70 R4 with Intel® Xeon® Gold 5416S23.
24.FlashArray C90 R4 with Intel® Xeon® Gold 5418N24.
25.FlashArray C10 R3 with Intel® Xeon® Silver 420825.
26.FlashArray X20 R3 with Intel® Xeon® Silver 4210R26.
27.FlashArray X50 R3 with Intel® Xeon® Silver 4214Y27.
28.FlashArray X70 R3 with Intel® Xeon® Silver 623028.
29.FlashArray X90 R3 with Intel® Xeon® Silver 625229.
30.FlashArray C60 R3 with Intel® Xeon® Gold 623030.

# 1. 2. 3. 4. 5. 6. 7. 8. 9. Pure Storage Inc. Public Material

Page 7
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AES [FIPS 197] [SP 800-38A]A4396ECB, CTRKey length: 128, 256 bits Key strength: 128, 256 bitsSymmetric Encryption and Decryption
31.FlashArray C40 R3 with Intel® Xeon® Silver 4210R
32.FlashArray XL130 with Intel® Xeon® Gold 6338
33.FlashArray XL170 with Intel® Xeon® Platinum 8368
34.Purity OS 6.6FlashArray X20 R4 with Intel® Xeon® Silver 4410Y
35.FlashArray X50 R4 with Intel® Xeon® Silver 4410Y
36.FlashArray X70 R4 with Intel® Xeon® Gold 5416S
37.FlashArray X90 R4 with Intel® Xeon® Gold 5418N
38.FlashArray C20 R4 with Intel® Xeon® Silver 4410Y
39.FlashArray C50 R4 with Intel® Xeon® Silver 4410Y
40.FlashArray C70 R4 with Intel® Xeon® Gold 5416S
41.FlashArray C90 R4 with Intel® Xeon® Gold 5418N
42.FlashArray C10 R3 with Intel® Xeon® Silver 4208
43.FlashArray X20 R3 with Intel® Xeon® Silver 4210R
44.FlashArray X50 R3 with Intel® Xeon® Silver 4214Y
45.FlashArray X70 R3 with Intel® Xeon® Silver 6230
46.FlashArray X90 R3 with Intel® Xeon® Silver 6252
47.FlashArray C60 R3 with Intel® Xeon® Gold 6230
48.FlashArray C40 R3 with Intel® Xeon® Silver 4210R
49.FlashArray XL130 with Intel® Xeon® Gold 6338
50.FlashArray XL170 with Intel® Xeon® Platinum 8368

Table 3 - Vendor Affirmed Operational Environments 2.4 Cryptographic Functionality Table 4 below summarizes the approved algorithms supported by the module. Pure Storage Inc. Public Material

Page 8
Approved algorithm
NameCAVP CertKey SizeUse Function
AES [FIPS 197] [SP 800-38F]A4396Key length: 128, 256 bits Key strength: 128, 256 bitsKWKey Wrapping and Unwrapping
KTS (AES) [SP 800-38F]A4396Key length: 128, 256 bits Key strength: 128, 256 bitsAES-KWKey Wrapping and Unwrapping
CTR_DRBG [SP 800- 90Arev1]A4396Key Strength: 256 bitsAES-256 Derivation Function Enabled Prediction Resistance: YesRandom Number Generation
HMAC [FIPS 198-1]A4396Key length: 512 bits Key strength: 512 bitsSHA-256Keyed Hash Verification
SHS [FIPS 180-4]A4396N/ASHA-256Message Digest
CaveatAlgorithmUse / Function
CRC32CRC32No security claimed.Used as an optional checksum on encrypted
Does not affect theDoes not affect thedata when done during the AES CTR Decrypt
operation of the approvedoperation of the approvedservice. The operation is separate from the
algorithm implementation.algorithm implementation.execution of the AES CTR algorithms.

[SP 80090Arev1] N/A Table 5 contains the non-approved algorithms allowed in the approved mode of operation Table 5 - Non-Approved Algorithms Allowed in Approved mode of operation with No Security Claimed There are no other non-approved algorithms allowed in the approved mode of operation. Pure Storage Inc. Public Material

Page 9

2.5 Cryptographic Module Boundary The cryptographic boundary of the cryptographic module encompasses: - libcrypto.so - the dynamically linked library libcrypto.so - libcrypto.hash - the configuration file containing the module integrity code. The Tested Operational Environment’s Physical Perimeter (TOEPP) is defined as the physical General Purpose Computer (GPC) host platform on which the module is installed. A block diagram depicting the physical and cryptographic boundaries is shown in the figure below: 3. Cryptographic Module Interfaces As a software-only module, the module does not have physical ports. For the purpose of the FIPS 140-3 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs. The underlying logical interfaces of the module are the C++ language APIs. The module supports four logical interfaces: Data Input, Data Output, Control Input and Status Output. It does not support a Control Output interface. Table 6 defines the logical interfaces. Pure Storage Inc. Public Material

Page 10
Ports and interfaces
NamePhysical PortLogical InterfaceData That PassesData that passes over port/interface
N/AN/AData InputThe data read from memory area(s) provided to the invokedN/AData Input
N/AThe data written to memory area(s) provided to the invokedN/AData Output
N/AThe API function invoked, and API function parametersN/AControl Input
N/AControlN/AN/AN/A
N/AStatusN/AThe return value of the invoked API function.
Service
NameRolesInputOutput
AES encryptCryptoKey, IV, plaintextCiphertextCrypto Officer
AES decryptOfficerKey, IV, CiphertextPlaintext
AES key wrapWrapping key, plaintextWrapped keyAES key wrapWrapped key
AES key unwrapWrapping key, wrappedAES key unwrapPlaintext key
Random Number64-bit random value
Set entropyFunction pointerFunction pointer
Perform self-testsManual power cyclePass/fail
ZeroisationManual power cycle
Show statusReturn code
Show versionName and version information

N/A N/A N/A N/A N/A N/A Table 6 - Interfaces 4. Roles, Services, and Authentication 4.1 Roles The module supports the Crypto Officer role, which is assumed implicitly by the operator of the module (the calling application) for all module services. No authentication mechanisms are provided to assume the Crypto Officer role. The module does not support concurrent operators and does not authenticate the Crypto Officer role. Furthermore, it does not support a maintenance role and/or bypass capability. Table 7 below contains the services associated with available role. Table 7 - Roles, Service Commands, Input and Output Pure Storage Inc. Public Material

Page 11
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
AES encryptPerform AES encryptionCOAES keyAES-ECB,W,ESuccess/
AES-CTRAES-CTRFailure
AES decryptPerform AES decryptionCOAES keyAES-ECB, AES-CTRW,ESuccess/ Failure
AES key wrapPerform AES key wrapCOAES KeyAES-KWW,ESuccess/ Failure
AES key unwrapPerform AES key unwrapCOAES Key- Wrapping Key, AES KeyAES-KWW,ESuccess/ Failure
RandomCall random number generatorCOEntropyCTR_DRBGG,E,ZSuccess/ Failure
Set entropy sourceSpecifies callback function for entropyCOn/aN/ASuccess/ Failure
Perform self-Power-cycling the host device.COAES,ESuccess/ Failure
testsAES-KW,
ZeroisationPower off/ cycle the host deviceCOAllNoneZNone

4.2 Services Table 8 below lists the services that can be used in the approved mode of operation with corresponding input and output. The abbreviations of the access rights to keys and SSPs have the following interpretation. G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. N/A= The service does not access any SSP during its operation W,E W,E W,E AES KeyWrapping W,E G,E,Z n/a W n/a R N/A n/a Perform selftests HMAC-SHA256 E Z Pure Storage Inc. Public Material

Page 12
Show statusReturn code for eachNoneN/ACONoneNone
API call
Show versionDisplay the version of the moduleN/ANoneCONoneAPI invocatio n

N/A N/A n Table 8 - Approved Services

  1. Software/Firmware Security 5.1 Integrity Techniques The Purity module is a single, shared object, binary component that is in an Executable and Linkable Format (ELF). A software integrity test is performed on this component using HMAC-SHA-256, which is implemented in the module. The integrity test succeeds if the computed integrity value is equal to the expected integrity value, loaded from the module’s configuration file. If the integrity test fails, the module enters the Error State and the module becomes inoperable. 5.2 On-Demand Integrity Test The integrity test is performed as part of the Pre-Operational Self-Tests, which are executed on load of the shared library. It can be also invoked by on demand by power-cycling the
  2. Operational Environment The Module is designated as a modifiable operational environment under the FIPS 140-3 definitions. The operational environment is the Purity Operating System for FlashArray 6.4, which is based on Ubuntu Linux. The operational environment implicitly enforces a single mode of operation by managing process memory of the module and ensuring each calling process is logically separated and protected. No rules, settings or restrictions to the operational environment apply for operation of the
  3. Physical Security The FIPS 140-3 physical security requirements do not apply to the Purity module. Pure Storage Inc. Public Material – May be reproduced only in its original entirety (without revision).
Page 13

8. Non-invasive Security The requirements of this area are not applicable to the module. This is not currently required by FIPS 140-3. Pure Storage Inc. Public Material

Page 14
Sensitive security parameter
NameStrengthSecurity FunctionGenerationStorageUseImport ExportZero- isation
128 and 256 bits128 and 256 bitsImported orOn power down
AES-ECB,AES-ECB,N/A: Nooutput
AES KeyEncryptio
AES-CTRAES-CTRpersistentparameters
[Cert A4396][Cert A4396]storage.(Manual
AES Key- wrapping Key (CSP)128 and 256 bitsAES-KW [Cert A4396]N/A: No persistent storage.Key Transpor tImported or exported via API input or output parameters (Manual Distribution / Electronic Entry)On power down
DRBG256 bitsGatheredOn power down
N/A: NoN/A: NoDRBG
EntropyDRBGfrom
persistententropy
DRBG256 bitsGenerateN/A: NoDRBGOn power down
seeddpersistentstate
DRBG ‘V’256 bitsGenerateN/A: NoDRBGOn power down
valuedpersistentstate
DRBG256 bitsOn power down
GenerateGenerateN/A: NoDRBG
ddpersistentstate
value[Cert A4396]
internallyinternallystorage.value
Software512 bitsN/A
HMACHMAC
the moduleSelf-test

9. Sensitive Security Parameter Management 9.1 Keys and SSPs Table 9 summarises the key Sensitive Security Parameters (SSPs) that are used by cryptographic services implemented in the module: h Generation Establishment Zeroisation c n t d d d (NonSSP) Table 9 - Keys and SSPs Pure Storage Inc. Public Material

Page 15
Entropy SourcesMinimum number ofDetails
bits of entropy
Application specified entropy source256-bits256-bitsExternal entropy source set by the
calling application via a callback
function. Required to provide full
entropy.

9.2 DRBG and Entropy Sources The module employs a single DRBG instance for the purpose of supplying random numbers to the calling application via the module’s service random number generation service. This DRBG is used for this service only and is not used by the module for any other purpose. This module DRBG is CTR_DRBG with security strength of 256 bits. The module DRBG is seeded from the module’s entropy source, which is set by the calling application via a callback function as input to the applicable service API. The calling application and the supplied entropy source are external to the module boundary. It is a requirement of the FlashArray product that the entropy source configured for the module provides full entropy. As such, the 256-bits of data loaded from the entropy source to seed Table 10 - Non-Deterministic Random Number Generation Specification 10. Self-tests This section specifies the pre-operational self-tests and conditional self-tests performed by the module. They include the software integrity test and the cryptographic algorithm selftests. These tests ensure that the module is not corrupted and the algorithms function as expected. All self-tests are executed automatically when the module is loaded into memory before the module transitions to the operational state. The services of the module are not available prior to the completion of the self-tests. Successful completion of self-tests is indicated by a status message and passing control to the calling application. Failure of any self-test causes the module to enter the Error State, which is indicated by an error message. In this error state, the module is not operational, and no services are available. This is the only error state supported by the module. The module permits operators to initiate the self-tests on demand by power cycling the system.

10.1 Pre-operational Self-Tests

The module performs the following pre-operational test: Software integrity test (using HMAC SHA256) Pure Storage Inc. Public Material

Page 16
10.2 Conditional Self-Tests

The module performs the following conditional Cryptographic Algorithm Self-Tests (CASTs) via Known Answer Tests (KAT): AES CTR Encrypt and Decrypt KATs (128, 256 bits) AES ECB Encrypt and Decrypt KATs (128, 256 bits) AES KW Wrap and Unwrap KATs (256 bits) CTR-DRBG KATs for Instantiate, Generate, Reseed SHA-256 KAT HMAC-SHA256 KAT (512 key bits) All CASTs are triggered by the module’s initial load sequence. Pure Storage Inc. Public Material

Page 17
11.1 Delivery and Operation

The module is built into Purity OS. There is no standalone delivery of the module as a software library. The vendor’s internal development process guarantees that the correct version of module is distributed with the intended device. The module does not have any specific maintenance requirements.

11.2 Crypto Officer Guidance

There is only one Approved mode of operation. Crypto Officer Role Guidance is provided by the API documentation provided by the module’s header files. Pure Storage Inc. Public Material

Page 18

12. Mitigation of other attacks The module does not claim mitigation of other attacks. Pure Storage Inc. Public Material