FIPS 140-2 certification for Ubuntu 18.04 LTS

Canonical has received FIPS 140-2, Level 1 certification for cryptographic modules in Ubuntu 18.04 LTS, with FIPS-validated OpenSSL-1.1.1 modules included. This certification enables organisations to meet compliance requirements within the public sector, healthcare and finance industries when utilising Ubuntu 18.04 LTS within public and private cloud environments.

Canonical worked with atsec information security, a U.S. Government and BSI accredited laboratory, for the 18.04 LTS FIPS certification. The publications related to FIPS standards are issued by the National Institute of Standards and Technology (NIST).

FIPS-certified and FIPS-compliant modules for Ubuntu 18.04 LTS and 16.04 LTS are available through an Ubuntu Advantage for Infrastructure subscription, alongside additional open source security and support services. To get started with an Ubuntu Advantage subscription, contact our team.

On public clouds, Ubuntu Pro for AWS and Ubuntu Pro for Azure include subscriptions to Canonical’s FIPS 140-2 repositories, alongside expanded security and hardening.

Why is FIPS 140-2 important? 

Encryption is key to protecting sensitive data. In the world of encryption, there are several methodologies using different cryptographic algorithms to convert plain text into cipher text. Navigating multiple methodologies and algorithms creates a complex, labour-intensive process for teams evaluating the cryptographic services offered within software components. 

The U.S. Government addresses this challenge by mandating the use of Federal Information Processing Standard Publication (FIPS) 140-2 certified software within all federal agencies and entities that work with these agencies. FIPS 140-2 defines the critical security parameters that must be used for encryption in the products sold into the U.S. public sector.

FIPS 140-2 is, therefore, required under multiple compliance regimes, such as Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

FIPS certification ensures that software has been thoroughly reviewed and tested before being deployed and utilised within an agency or organisation requiring data encryption. Industries storing and processing sensitive data span outside the public sector space, leading to FIPS-certified software being widely adopted within the payment card industry, healthcare and other regulated industries.

Why is OpenSSL-1.1.1 certification important?

The upstream OpenSSL project announced a strategy for its FIPS validation at the end of last year, ending support for its standard 1.0.2 series. The only upstream, validated FIPS module that is compatible with the 1.0.2 series also reached end of life in December 2019. 

The current LTS version of the OpenSSL library upstream is 1.1.1, with no upstream FIPS-validated version currently available. For many users who require FIPS-validated OpenSSL, this creates a significant gap. 

Canonical has achieved its own FIPS validation, however, by porting FIPS patches to the OpenSSL-1.1.1 version shipped by Ubuntu. By using Canonical’s validated OpenSSL-1.1.1, customers benefit from an actively-maintained code base which addresses CVEs as well as non-security related issues.  

Will FIPS-validated modules receive security updates?

Customers have different needs depending on their industry. While FIPS 140-2 certified software is critical for use within federal agencies, there are customers who prefer actively maintained FIPS software, meaning they would like to get security fixes.

When FIPS-validated software is modified in any way (including patching), it loses its certification and will need to be re-certified. The recertification process can easily stretch to months depending on the changes. Canonical, however, offers flexibility with both FIPS-certified and FIPS-compliant updates available.

Which Ubuntu releases and component versions are FIPS certified?

The tables below outline the certified Ubuntu releases and component versions.

Ubuntu 18.04 LTS

| Component | Description | Version | CMVP Certificate |
|---|---|---|---|
| Linux kernel (generic) | The Linux kernel cryptographic library | 4.15.0 | 3647 |
| OpenSSL | General purpose cryptographic library that includes TLS implementation | 1.1.1 | 3622 |
| OpenSSH client | SSH server application for operating systems | 7.9p1 | 3633 |
| OpenSSH server | SSH client application for operating systems | 7.9p1 | 3632 |
| StrongSWAN | IPSec based VPN solution library | 5.6.2 | 3648 |
| AWS Kernel | Kernel optimised for use in AWS clouds | 4.15 | 3664 |
| Azure Kernel | Kernel optimised for use in Azure clouds | 4.15 | 3683 |

Ubuntu 16.04 LTS

| Component | Description | Version | CMVP Certificate |
|---|---|---|---|
| Linux kernel (generic) | The Linux kernel cryptographic library | 4.4.0.1002 | 2962 |
| OpenSSL | General purpose cryptographic library that includes TLS implementation | 1.0.2g | 2888 |
| OpenSSH client | SSH client application for operating systems | 7.2p2 | 2907 |
| OpenSSH server | SSH server application for operating systems | 7.2p2 | 2906 |
| StrongSWAN | IPSec based VPN solution library | 5.3.5 | 2978 |

Pending certification
Expected Q3 2020 – subject to NIST processing times

Ubuntu 18.04 LTS

| Component | Description | Version | CMVP Certificate |
|---|---|---|---|
| libgcrypt20 | The GNUPG cryptographic general purpose library (provides fully certified full disk encryption) | 1.8.1 | TBD |

How can I get Ubuntu FIPS?

If you are already an Ubuntu Advantage customer, please refer to our FIPS documentation to learn more about accessing your FIPS-certified and FIPS-compliant modules.

For a list of all current security certifications Canonical has, see Ubuntu security certifications and hardening standards.

Both FIPS-certified and FIPS-compliant modules for Ubuntu 18.04 LTS and 16.04 LTS are offered under a comprehensive Ubuntu Advantage for Infrastructure package, starting at $75 per VM per year. 

Additionally, you can get optimised Ubuntu images with FIPS modules and other critical security and compliance services by default for public cloud with Ubuntu Pro for AWS and Ubuntu Pro for Azure.
