
Everything you need to know about FIPS 140-3 on Ubuntu | Videos

FIPS 140 is a highly demanding security standard that’s mandatory for almost all high-security and federal environments. It can be hard to get right and may be a daunting part of the journey for those trying to meet compliance requirements like FedRAMP or CMMC. We get a lot of questions about FIPS 140-3, and so we decided to put together this comprehensive collection of video resources to answer the most burning ones we’ve had so far. 

In this collection, you’ll be able to get answers to the most frequently asked FIPS questions, including:

  • How to enable FIPS 140-3 on Ubuntu 22.04
  • How to check if you’re operating in FIPS mode
  • How to enable FIPS on public clouds: AWS, Azure, GCP
  • Which modules and hardware have been FIPS 140-3 certified for Ubuntu
  • Which FIPS-enabled Docker containers are available in Iron Bank
  • What are the most common issues when enabling FIPS 140-3

How to enable FIPS on Ubuntu?

We’ll start with the most common question: how do you enable FIPS on Ubuntu? The basic prerequisite is an Ubuntu Pro subscription, which is available either free for personal use or with a 30-day free trial for enterprise users. After subscribing, you’ll get access to a dashboard where you can find a token that you can attach to an Ubuntu instance and get access to the FIPS certified modules. All you need to do is open your terminal and enter the following commands: 

sudo pro attach <token>

sudo pro enable fips-updates

sudo reboot

You should see output like the following, indicating that the FIPS packages have been installed:

Installing FIPS Updates packages

FIPS Updates enabled

A reboot is required to complete install.

Enabling FIPS should be performed during a system maintenance window since this operation makes changes to underlying SSL-related libraries and requires a reboot into the FIPS-certified kernel.

How to check if you’re operating in FIPS mode

After enabling FIPS mode, it is good practice to verify that it is active. The check is straightforward: run this command in the terminal:

cat /proc/sys/crypto/fips_enabled

An output of “1” indicates that FIPS mode is enabled.
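For provisioning or audit scripts, the same check can be made fail-closed. The following is an added example, not Canonical's code: the function name `fips_state` and its optional `ROOT` prefix are assumptions made here, and it cross-checks the flag against the `fips=1` kernel boot argument.

```shell
#!/bin/sh
# Added example: fail-closed FIPS-mode check for provisioning or audit scripts.
# Usage: fips_state [ROOT]   (ROOT is a hypothetical prefix so the check can be
# pointed at a fixture directory; leave it empty on a live system.)
# Prints enabled | disabled | unsupported | inconsistent; returns 0 only for enabled.
fips_state() {
    root="${1:-}"
    flag_file="$root/proc/sys/crypto/fips_enabled"
    cmdline_file="$root/proc/cmdline"

    # A kernel without FIPS support does not expose the flag at all.
    if [ ! -r "$flag_file" ]; then
        echo unsupported
        return 2
    fi
    flag=$(tr -d '[:space:]' < "$flag_file")

    # The kernel enters FIPS mode when booted with fips=1, so the boot
    # arguments are expected to agree with the flag.
    boot_arg=0
    if [ -r "$cmdline_file" ] &&
       tr ' ' '\n' < "$cmdline_file" | grep -qx 'fips=1'; then
        boot_arg=1
    fi

    if [ "$flag" = "1" ] && [ "$boot_arg" = "1" ]; then
        echo enabled; return 0
    elif [ "$flag" != "1" ] && [ "$boot_arg" = "0" ]; then
        echo disabled; return 1
    fi
    # Flag and boot arguments disagree: report it instead of guessing.
    echo inconsistent
    return 3
}
```

On a live system, call `fips_state` with no argument and gate the next deployment step on its exit status.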

How to enable FIPS on public clouds

It is very easy to enable FIPS in public clouds. In contrast to on-prem usage, Ubuntu images for public clouds already have FIPS enabled. Decide on the Ubuntu version you’d like to run, visit the relevant marketplace for your public cloud provider (for example: AWS, Azure, or GCP), and search for the relevant image.

Which modules and hardware have been FIPS 140-3 certified

Sometimes it can be tricky to figure out exactly which modules and hardware have been FIPS 140-3 certified. This video goes into extensive detail outlining the modules and components you’ll be able to make full use of with FIPS 140-3 certified Ubuntu. 


To give a brief overview, the following certified cryptographic modules are available with Ubuntu 22.04 LTS:

  • OpenSSL v3.0.5
  • Libgcrypt v1.9.4
  • GnuTLS v3.7.3
  • Linux kernel v5.15.0
  • StrongSwan v5.9.5

These modules have been developed and tested on a range of hardware platforms:

  • Intel/AMD x86_64
  • ARM64
  • IBM z15

FIPS-enabled containers available in Iron Bank

Canonical’s container images are trusted and pre-approved for high-security use cases. Hardened Ubuntu images are already certified and available in the U.S. Department of Defense’s Iron Bank, the official repository of security-hardened containers for government systems. You can find the code to build your own image here, or get the actual container that passed all the automated compliance checks here. Note, you would need to first register to get access to the platform. 

Canonical has also recently added FIPS and STIG-compliance to Canonical Kubernetes. Built on Ubuntu Pro hosts, Canonical Kubernetes now includes FIPS 140-3 validated crypto modules out of the box and can be hardened for DISA-STIG. This means you can deploy secure, compliant clusters built on Ubuntu, making it much easier to meet FedRAMP and other federal compliance requirements right from your Kubernetes base.

Common issues when enabling FIPS 140-3

Compliance always comes with challenges, but when we know the issues, we can help. The video above explains how to solve the most common issues that teams run into when enabling FIPS 140-3, including: 

  • WiFi SSID should be 16 characters
  • 32-bit crypto library versions must be removed, if present
  • Full-disk encryption requires PBKDF2
    • sudo cryptsetup --pbkdf=pbkdf2 luksAddKey <device>
  • Some applications might not expect disallowed operations to fail – we will endeavor to provide fixes where possible
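To see which keyslots on an encrypted volume are affected by the PBKDF2 requirement in the list above, the text output of `cryptsetup luksDump` can be audited. This is an added example, not Canonical's code: the function names and the sample dump are constructed for illustration, and it assumes the LUKS2 dump layout.

```shell
#!/bin/sh
# Added example: list LUKS2 keyslots whose key-derivation function is not PBKDF2.
# Reads `cryptsetup luksDump <device>` text on stdin and prints "<slot> <pbkdf>"
# for each offending keyslot. Only the "Keyslots:" section is inspected, because
# the "Digests:" section also contains lines such as "0: pbkdf2".
non_pbkdf2_keyslots() {
    awk '
        /^Keyslots:/                 { in_slots = 1; next }
        /^[A-Za-z]/                  { in_slots = 0 }   # next top-level section
        in_slots && $1 ~ /^[0-9]+:$/ { slot = $1; sub(/:$/, "", slot) }
        in_slots && $1 == "PBKDF:" && $2 != "pbkdf2" { print slot, $2 }
    '
}

# Returns 0 when every keyslot in the dump on stdin uses pbkdf2.
luks_pbkdf_ok() {
    bad=$(non_pbkdf2_keyslots)
    [ -z "$bad" ]
}

# Constructed sample in the LUKS2 luksDump layout (not from a real volume).
sample_dump() {
cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}
```

On a real system, pipe the output of `sudo cryptsetup luksDump <device>` into `non_pbkdf2_keyslots`; any slot it prints needs a replacement key added with the `--pbkdf=pbkdf2` option shown above.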

If you’d like to raise a bug or issue with FIPS compliance on Ubuntu, you can do so on Launchpad. Here is an example of OpenSSL bugs.

Summary

We hope this blog has been useful for you to learn more about FIPS 140-3 on Ubuntu. You can easily get FIPS 140-3 compliance with an Ubuntu Pro subscription, which is free for personal use and offers a free trial for enterprise-focused projects. Additionally, an Ubuntu Pro subscription is not limited to FIPS 140-3: it also includes access to our hardening automation tools such as Ubuntu Security Guide, expanded security maintenance, Ubuntu fleet management, and more. And if you’re looking for assistance with more complex enterprise use cases, you can simply contact us.
