Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

  1. Blog
  2. Article

Canonical
on 20 May 2020


Canonical has received FIPS 140-2, Level 1 certification for cryptographic modules in Ubuntu 18.04 LTS, with FIPS-validated OpenSSL-1.1.1. modules included. This certification enables organisations to meet compliance requirements within the public sector, healthcare and finance industries when utilising Ubuntu 18.04 LTS within public and private cloud environments.

Canonical worked with U.S. Government and BSI accredited laboratory, atsec information security, for the 18.04 LTS FIPS certification. The publications related to FIPS standards are issued by the National Institute of Standards and Technology (NIST).

FIPS-certified and FIPS-compliant modules for Ubuntu 18.04 LTS and 16.04 LTS are available through an Ubuntu Advantage for Infrastructure subscription, alongside additional open source security and support services. To get started with an Ubuntu Advantage subscription, contact our team.

On public clouds, Ubuntu Pro for AWS​ and ​Ubuntu Pro for Azure​ include subscriptions to Canonical’s FIPS 140-2 repositories, alongside expanded security and hardening.

Why is FIPS 140-2 important? 

Encryption is key to protecting sensitive data. In the world of encryption, there are several methodologies using different cryptographic algorithms to convert plain text into cipher text. Navigating multiple methodologies and algorithms creates a complex, labour-intensive process for teams evaluating the cryptographic services offered within software components. 

The U.S. Government addresses this challenge by mandating the use of Federal Information Processing Standard Publication (FIPS) 140-2 certified software within all federal agencies and entities that work with these agencies. FIPS 140-2 defines the critical security parameters that must be used for encryption in the products sold into the U.S. public sector.

FIPS 140-2 is, therefore, required under multiple compliance regimes, such as Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

FIPS-certification ensures that software has been thoroughly reviewed and tested before being deployed and utilised within an agency or organisation requiring data encryption. Industries storing and processing sensitive data spans outside the public sector space, leading to FIPS-certified software being widely adopted within the payment card industry, healthcare and other regulated industries. 

Why is OpenSSL-1.1.1 certification important?

The upstream OpenSSL project announced a strategy for its FIPS validation at the end of last year, ending support for its standard 1.0.2 series. The only upstream, validated FIPS module that is compatible with the 1.0.2 series also reached end of life in December 2019. 

The current LTS version of the OpenSSL library upstream is 1.1.1, with no upstream FIPS-validated version currently available. For many users who require FIPS-validated OpenSSL, this creates a significant gap. 

Canonical has achieved its own FIPS validation, however, by porting FIPS patches to the OpenSSL-1.1.1 version shipped by Ubuntu. By using Canonical’s validated OpenSSL-1.1.1, customers benefit from an actively-maintained code base which addresses CVEs as well as non-security related issues.  

Will FIPS-validated modules receive security updates?

Customers have different needs depending on their industry. While FIPS 140-2 certified software is critical for use within federal agencies, there are customers who prefer an actively maintained FIPS software, meaning they would like to get security fixes. 

When a FIPS-validated software is modified in any way (including patching), it loses its certification and will need to be re-certified. The recertification process can easily stretch to months depending on the changes, however, Canonical offers flexibility with both FIPS certified and FIPS compliant updates available

Which Ubuntu releases and component versions are FIPS certified?

The table below outlines the certified Ubuntu releases and component versions.

Ubuntu 18.04 LTS

ComponentDescriptionVersionCMVP Certificate
Linux kernel (generic)The Linux kernel cryptographic library4.15.03647
OpenSSLGeneral purpose cryptographic library that includes TLS implementation1.1.13622
OpenSSH clientSSH server application for operating systems7.9p13633
OpenSSH serverSSH client application for operating systems7.9p13632
StrongSWANIPSec based VPN solution library 5.6.23648
AWS Kernel Kernel optimised for use in AWS clouds4.153664
Azure KernelKernel optimised for use in Azure clouds4.153683
LibgcryptThe GNUPG cryptographic general purpose library (provides fully certified full disk encryption)1.8.13748

Ubuntu 16.04 LTS

ComponentDescriptionVersionCMVP Certificate
Linux kernel (generic)The Linux kernel cryptographic library4.4.0.10022962
OpenSSLGeneral purpose cryptographic library that includes TLS implementation1.0.2g2888
OpenSSH clientSSH client application for operating systems7.2p22907
OpenSSH serverSSH server application for operating systems7.2p22906
StrongSWANIPSec based VPN solution library 5.3.5297

How can I get Ubuntu FIPS?

If you are already an Ubuntu Advantage customer, please refer to our FIPS documentation to learn more about accessing your FIPS-certified and FIPS-compliant modules.

For a list of all current security certifications Canonical has, see Ubuntu security certifications and hardening standards.

Both FIPS-certified and FIPS-compliant modules for Ubuntu 18.04 LTS and 16.04 LTS are offered under a comprehensive Ubuntu Advantage for Infrastructure package, starting at $75 per VM per year. 

Additionally, you can get optimised Ubuntu images with FIPS modules and other critical security and compliance services by default for public cloud with Ubuntu Pro for AWS and Ubuntu Pro for Azure.

Related posts


Canonical
5 September 2023

도커(Docker) 컨테이너 보안: 우분투 프로(Ubuntu Pro)로 FIPS 지원 컨테이너 이해하기

FIPS Security

오늘날 급변하는 디지털 환경에서 강력한 도커 컨테이너 보안 조치의 중요성은 아무리 강조해도 지나치지 않습니다. 컨테이너화된 계층도 규정 준수 표준의 적용을 받기 때문에 보안 문제 및 규정 준수 요구 사항이 발생합니다. 도커 컨테이너 보안 조치는 경량의 어플라이언스 유형 컨테이너(각 캡슐화 코드 및 해당 종속성)를 위협 및 취약성으로부터 보호하는 것을 수반합니다. 민감한 개인 데이터를 처리하는 데 의존하는 ...


Henry Coggill
7 December 2023

Ubuntu 22.04 FIPS 140-3 modules available for preview

FIPS Article

Canonical has been working with our testing lab partner, atsec information security, to prepare the cryptographic modules in Ubuntu 22.04 LTS (Jammy Jellyfish) for certification with NIST under the new FIPS 140-3 standard. The modules passed all of atsec’s algorithm validation tests and are in the queue awaiting NIST’s approval. We can’t ...


Lech Sandecki
26 October 2023

Running OpenSSL 1.1.1 after EOL? Stay secure with Ubuntu Pro.

Ubuntu Article

A few months ago, the OpenSSL Project announced the end of life of OpenSSL 1.1.1. It is used by thousands of software components included in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS, with many organisations relying on version 1.1.1. Rest assured that the Ubuntu security team will continue to maintain important security fixes in OpenSSL ...