Your submission was sent successfully! Close

Enabling Ubuntu FIPS 140 in air-gapped environments

Many US military, government or critical national infrastructure organisation workloads that require FIPS compliance are also required to be deployed in air-gapped environments to provide an extra layer of protection. 

In order to reduce operational and security risks by automating hardening, patch management and compliance to security standards like CIS and DISA-STIG as well as the FIPS 140-2 certifications, we’ve developed Ubuntu Advantage for your private infrastructure and Ubuntu Pro for cloud. 

In this blog, we will look at what having a FIPS-compliant instance means and the different ways you have to enable that in your disconnected environment.

What does enabling FIPS mean?

FIPS 140 tackles the cryptography validation problem from the perspective of the U.S. regulator. By default, Ubuntu comes prepackaged with a series of cryptographic upstream components which do not conform to the stringent US requirements. By choosing Ubuntu Advantage and enabling the FIPS profile on Ubuntu the OS will install the following validated packages, which can then be consumed by your mission applications. In Ubuntu 20.04 these packages are:

  • Linux-image-fips Linux kernel crypto API
  • Libssl1.1 OpenSSL cryptographic backend (includes OpenSSH)
  • Libgcrypt20 library that contains the implementation of many cryptographic functions
  • Strongswan IPSec VPN implementation

The traditional approach to enabling FIPS is using Ubuntu Advantage client native functionality, however, this requires that the servers are able to connect to Canonical. There are many scenarios where these firewall rules cannot be enabled or outbound connections are not permitted. In this case, we offer 2 deployment scenarios based on your environment architecture. 

Distributing FIPS packages with Landscape

Landscape is Canonical’s desktop and server management and monitoring tool. Landscape offers a comprehensive set of management functionalities including, but not limited to, repository management, package mirroring, profile-based automated patching, alerting, granular administrative profiles, and much more.

You should consider this deployment scenario when:

  • The risk of human error associated with manual configuration and management is unacceptable
  • You have a complex workflow that requires custom automation
  • You are considering a greenfield deployment of Ubuntu servers 

Landscape holds a mirror of all FIPS packages in the same way it holds a mirror of any other desired repository. The packages can then be pushed to individual servers

Depending on your security and networking requirements the Landscape server can be deployed in 2 different configurations:

  • a single landscape server in the DMZ for firewall restricted environments, or
  • a stacked configuration for air-gapped environments

Landscape server in DMZ

Single Landscape server in DMZ

In this first scenario, the Landscape server will be deployed in your network DMZ, where it will connect to Canonical in order to fetch the required packages and then push them to the servers based on your specified deployment plan.

While this scenario does not strictly classify as air-gapped it is a good reference architecture to use in all environments that require stricter security measures.

Landscape in air-gapped environments

In air-gapped environments, Landscape will not be allowed to have direct Internet access. In this case, Landscape can also be configured to run in the following stacked configuration:

Stacked Landscape server configuration

In this configuration, the DMZ Landscape will not directly connect to any server, rather it will hold a mirror of the required FIPS packages. The air-gapped Landscape server can then be configured to mirror those packages and distribute them based on the FIPS and upgrade profiles for each group of machines.

You can find more information about Landscape in the product documentation

Distributing FIPS packages with your existing tools

While Landscape offers a seamless user experience for System Administrators, there are edge cases where installing Landscape is not possible for bureaucratic reasons.

Enabling FIPS on Ubuntu Pro is possible even if you are using alternative tools, as long as you are able to fetch the required packages and make them available to the servers that need to have FIPS enabled. UA Client provides a secure and auditable means to enable FIPS on your Ubuntu machines, on a machine by machine basis. Your tools can be configured to interact with the UA Client’s ua command, which produces machine-readable outputs through the –format json and –format yaml parameters.

Our field engineering team has successfully supported integration with many mirroring solutions like apt-mirror, as well as other commercial and proprietary software.

If you want to learn more about how to run Ubuntu FIPS in your air-gapped environment or discuss how we can integrate Ubuntu Pro FIPS with your configuration management solutions do not hesitate to contact us.

Contact us

Talk to us today

Interested in running Ubuntu in your organisation?

Newsletter signup

Select topics you're
interested in

In submitting this form, I confirm that I have read and agree to Canonical's Privacy Notice and Privacy Policy.

Related posts

Canonical at AWS Summit Washington 2022

Meet our public sector team from May 23-25 at Walter E. Washington Convention Center, Washington, DC Our collaboration wth AWS has started in 2012 making 2022...

Ubuntu Pro 20.04 FIPS is now available for AWS, Azure and GCP

The Ubuntu Pro FIPS profile is now available on AWS, Azure and Google Cloud

Building and running FIPS containers on Ubuntu 18.04

Build and run Ubuntu containers that comply with the US and Canada government FIPS140-2 data protection standard.