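Enabling FIPS 140-2 level 1 compliance
The Federal Information Processing Standard Publication (FIPS) 140-2 (https://csrc.nist.gov/pubs/fips/140-2/upd2/final) is a US government computer security standard that is used to approve cryptographic modules. New customer-hosted Looker instances can be created to meet FIPS 140-2 Level 1 standards.
Creating a FIPS 140-2 compliant Looker instance
To create a new FIPS 140-2 compliant Looker instance, include the --fips startup option when you first start the instance. This puts the new instance in FIPS-compliant mode.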
Only new instances can be placed into FIPS-compliant mode. An instance that has an existing Looker database will fail to start when the --fips startup option is specified.
FIPS and SSL
Looker provides FIPS-compliant SSL for outgoing connections (for example, databases, query result delivery endpoints, OAuth, and others). However, the customer must provide an external SSL termination endpoint for incoming https requests.
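We recommend using NGINX with a FIPS 140-2 compliant build of OpenSSL, as described in the NGINX documentation (https://docs.nginx.com/nginx/fips-compliance-nginx-plus/).
Follow NGINX instructions to configure SSL termination (https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/).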
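A sketch of an NGINX server block that terminates incoming TLS in front of Looker, given as an added example and not taken from the Looker or NGINX documentation. The hostname, certificate paths and the Looker backend address (https://127.0.0.1:9999) are assumptions to replace with your own values.

```nginx
# Added example: hostname, certificate paths and the Looker backend address
# are assumptions, not values from this page.

# Redirect plain HTTP to the TLS listener.
server {
    listen 80;
    server_name looker.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name looker.example.com;

    ssl_certificate     /etc/nginx/tls/looker.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/looker.example.com.key;

    # Offer only TLS 1.2 and TLS 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: ECDHE key exchange with AES-GCM only.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;

    # ssl_ciphers does not govern TLS 1.3 suites; pin those to AES-GCM
    # through OpenSSL (ssl_conf_command needs nginx 1.19.4 or later).
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256;

    location / {
        # Forward to the Looker instance started with --fips (assumed address).
        proxy_pass https://127.0.0.1:9999;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Allow long-running queries to finish before the proxy gives up.
        proxy_read_timeout 3600s;
    }
}
```

Run `nginx -t` to validate the file before reloading. The directives only restrict what the endpoint offers; the FIPS property itself comes from the FIPS 140-2 compliant OpenSSL build that NGINX is linked against.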
FIPS and database dialects
Any database that was used by a Looker instance that is in FIPS-compliant mode won't work with a Looker instance that is not in FIPS-compliant mode.
Several database dialects that are otherwise supported by Looker are not supported in FIPS-compliant mode. The following dialects are not supported in FIPS-compliant mode:
- Actian Avalanche
- Denodo 7
- Denodo 8
- Dremio
- Dremio 11+
- Druid
- Exasol
- IBM Netezza
- Microsoft SQL Server (MSSQL)
- PrestoDB
- PrestoSQL
- Teradata
- Trino
- Vector

Last updated 2025-08-25 UTC.