diff --git a/cmd/config/crypto.go b/cmd/config/crypto.go
index 4696f0c1c..4ffeec523 100644
--- a/cmd/config/crypto.go
+++ b/cmd/config/crypto.go
@@ -26,6 +26,7 @@ import (
"fmt"
"io"
+ "github.com/minio/minio/pkg/fips"
"github.com/minio/minio/pkg/kms"
"github.com/secure-io/sio-go"
"github.com/secure-io/sio-go/sioutil"
@@ -62,7 +63,7 @@ func DecryptBytes(KMS kms.KMS, ciphertext []byte, context kms.Context) ([]byte,
// ciphertext.
func Encrypt(KMS kms.KMS, plaintext io.Reader, context kms.Context) (io.Reader, error) {
var algorithm = sio.AES_256_GCM
- if !sioutil.NativeAES() {
+ if !fips.Enabled && !sioutil.NativeAES() {
algorithm = sio.ChaCha20Poly1305
}
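Review bot: The new `!fips.Enabled &&` condition in Encrypt has no comment saying why a FIPS build keeps AES-256-GCM on hosts where `sioutil.NativeAES()` is false, so a later reader may take it for a mistake. I would add above the `if`: `// ChaCha20-Poly1305 is not FIPS approved, so a FIPS build always uses AES-256-GCM, even without hardware AES support.` It is also worth confirming that the AES implementation used by the FIPS build is acceptable on amd64 CPUs without AES instructions, since the ChaCha20 fallback presumably exists to avoid software AES there. Encrypt's body continues outside the hunk.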
@@ -141,6 +142,9 @@ func Decrypt(KMS kms.KMS, ciphertext io.Reader, context kms.Context) (io.Reader,
if err := json.Unmarshal(metadataBuffer, &metadata); err != nil {
return nil, err
}
+ if fips.Enabled && metadata.Algorithm != sio.AES_256_GCM {
+ return nil, fmt.Errorf("config: unsupported encryption algorithm: %q is not supported in FIPS mode", metadata.Algorithm)
+ }
key, err := KMS.DecryptKey(metadata.KeyID, metadata.KMSKey, context)
if err != nil {
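Review bot: The FIPS check in Decrypt rejects any config that an earlier non-FIPS binary wrote with ChaCha20-Poly1305 (the branch Encrypt takes when native AES is missing), and nothing here tells the operator that this can happen after switching builds. A doc comment on Decrypt such as `// In FIPS mode only AES-256-GCM ciphertexts are accepted; data encrypted with ChaCha20-Poly1305 by a non-FIPS build is rejected.` would make that explicit. Placing the check before `KMS.DecryptKey` is right, since `metadata.Algorithm` is parsed from the ciphertext header and no key should be unwrapped for a rejected algorithm; `%q` is a sensible verb for that unauthenticated value. Whether an unknown algorithm is rejected in non-FIPS mode is decided outside this hunk.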
diff --git a/cmd/http/server.go b/cmd/http/server.go
index 699dec6b7..7df60335c 100644
--- a/cmd/http/server.go
+++ b/cmd/http/server.go
@@ -173,7 +173,7 @@ func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificat
NextProtos: []string{"http/1.1", "h2"},
GetCertificate: getCert,
}
- if secureCiphers || fips.Enabled() {
+ if secureCiphers || fips.Enabled {
tlsConfig.CipherSuites = fips.CipherSuitesTLS()
tlsConfig.CurvePreferences = fips.EllipticCurvesTLS()
}
diff --git a/pkg/fips/api.go b/pkg/fips/api.go
index 6e5073e5c..0fe86ab05 100644
--- a/pkg/fips/api.go
+++ b/pkg/fips/api.go
@@ -34,14 +34,13 @@ package fips
import "crypto/tls"
-// Enabled returns true if and only if FIPS 140-2 support
-// is enabled.
+// Enabled indicates whether cryptographic primitives,
+// like AES or SHA-256, are implemented using a FIPS 140
+// certified module.
//
-// FIPS 140-2 requires that only specifc cryptographic
-// primitives, like AES or SHA-256, are used and that
-// those primitives are implemented by a FIPS 140-2
-// certified cryptographic module.
-func Enabled() bool { return enabled }
+// If FIPS-140 is enabled no non-NIST/FIPS approved
+// primitives must be used.
+const Enabled = enabled
// CipherSuitesDARE returns the supported cipher suites
// for the DARE object encryption.
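Review bot: The second paragraph of the new doc comment, `If FIPS-140 is enabled no non-NIST/FIPS approved primitives must be used.`, can be read as "need not be used"; `// If Enabled is true, only NIST/FIPS approved primitives may be used.` says what is meant. The first paragraph also states that primitives are implemented by a certified module, while in this diff the value comes only from the `fips` build tag (`const enabled = true` in pkg/fips/fips.go), so the comment should say that the constant reflects how the binary was built and that the certified module has to be supplied by the toolchain. Turning the exported function into a constant breaks any caller still writing `fips.Enabled()`; cmd/http/server.go is updated here, other callers are not visible in this diff.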
diff --git a/pkg/fips/fips.go b/pkg/fips/fips.go
index 2417c0eb4..4cdd063a6 100644
--- a/pkg/fips/fips.go
+++ b/pkg/fips/fips.go
@@ -1,5 +1,3 @@
-// +build fips
-
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
@@ -17,6 +15,8 @@
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see .
+// +build fips,linux,amd64
+
package fips
import (
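Review bot: With `// +build fips,linux,amd64` here and `// +build !fips` added to pkg/fips/no_fips.go, a build with `-tags fips` for any target other than linux/amd64 selects neither file, so `enabled` and `cipherSuitesDARE` are undefined and the package does not compile. If that hard stop is intended, which is a safer outcome than silently producing a non-FIPS binary for a build that asked for FIPS, say so next to the constraint, e.g. `// FIPS builds are supported on linux/amd64 only; other targets fail to compile on purpose.` If it is not intended, note that widening no_fips.go to `!fips !linux !amd64` would make `-tags fips` a silent no-op on those targets, so an explicit build-time error is preferable.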
@@ -25,7 +25,7 @@ import (
"github.com/minio/sio"
)
-var enabled = true
+const enabled = true
func cipherSuitesDARE() []byte {
return []byte{sio.AES_256_GCM}
diff --git a/pkg/fips/no_fips.go b/pkg/fips/no_fips.go
index b22c59b74..e447d519f 100644
--- a/pkg/fips/no_fips.go
+++ b/pkg/fips/no_fips.go
@@ -15,6 +15,8 @@
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see .
+// +build !fips
+
package fips
import (
@@ -23,7 +25,7 @@ import (
"github.com/minio/sio"
)
-var enabled = false
+const enabled = false
func cipherSuitesDARE() []byte {
return []byte{sio.AES_256_GCM, sio.CHACHA20_POLY1305}