FIPS 140 for Ubuntu

FIPS 140 validated cryptography for Linux workloads on Ubuntu

Developing and running Linux workloads for U.S. government regulated and high security environments requires a long and expensive validation process. Reduce your accreditation timeline and pass on your validation costs with the FIPS 140 certified cryptographic packages of Ubuntu Pro and Ubuntu Advantage.

Run regulated workloads

U.S. federal agencies, and anyone deploying systems and cloud services for federal government agency use, whether directly or through contractors, are required to run workloads with FIPS 140 validated cryptography. FIPS 140 has also been adopted outside of the public sector in industries where data security is heavily regulated, such as financial services (PCI-DSS), healthcare (HIPAA), and other sectors. Ubuntu Pro and Ubuntu Advantage provide FIPS 140 certified cryptographic packages.

Reduce your compliance costs

Developing applications that comply with FIPS 140 can be a challenging task. Validating the cryptography you use in-house is a long and expensive process that requires cryptography expertise and involves reviews from a 3rd party lab and NIST. All of these introduce costs and complexity that may delay your launch. Ensure that you ship on time and reduce both validation costs and time by using the Ubuntu validated standard open source packages. The Ubuntu Pro and Ubuntu Advantage packages are validated on common CPU types and are also available for use on the public cloud with Ubuntu Pro FIPS.

Get NIST certified compliance

FIPS 140 ensures that cryptographic algorithms known to be secure are used for data protection, and that they are thoroughly tested and attested by a laboratory accredited under NIST's Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) in the US and CCCS's Cryptographic Module Validation Program (CMVP) in Canada. Ubuntu Pro and Ubuntu Advantage provide you with cryptographic packages that are tested and attested by atsec Information Security, a NIST accredited laboratory.

What is FIPS 140?

FIPS 140 is a U.S. and Canadian government data protection standard. It defines security requirements related to the design and implementation of a cryptographic module. A data protection standard dedicated to cryptography exists because cryptography today is omnipresent, and is very hard to get right in a constantly expanding threat model such as today's Internet. The standard ensures that cryptographic algorithms known to be secure are used for data protection, and that they are thoroughly tested and attested by a 3rd party. The testing and validation must be performed by a laboratory that is accredited under the Cryptographic and Security Testing (CST) Laboratory Accreditation Program (LAP) and is part of NIST's National Voluntary Laboratory Accreditation Program (NVLAP) in the US and CCCS's Cryptographic Module Validation Program (CMVP) in Canada.

FIPS 140-2 is required under multiple compliance regimes, such as the Federal Risk and Authorization Management Program (FedRAMP), the Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Access FIPS images on the public cloud

FIPS can be enabled on Ubuntu Pro cloud images, while Ubuntu Pro FIPS cloud images simplify the experience because they come preconfigured with FIPS 140 certified packages optimized for the cloud. The FIPS-enabled images available on the cloud marketplaces are listed below.

Ubuntu Pro FIPS 16.04

Ubuntu Pro FIPS 18.04

Ubuntu Pro FIPS 20.04 (in progress)

FIPS certification and CIS compliance with Ubuntu

Learn about Ubuntu CIS and FIPS certified components to enable operating under compliance regimes like FedRAMP, HIPAA, PCI and ISO. Get all of your compliance questions answered in our upcoming webinar to ensure you and your team are, and remain, compliant.

Certified packages under FIPS 140

The following list contains the FIPS 140 validated components that are available with Ubuntu Advantage and Ubuntu Pro. The validated modules are API and ABI compatible with the default Ubuntu packages. The validation testing for Ubuntu was performed by atsec Information Security, a NIST accredited laboratory.

| Component | Ubuntu 16.04 LTS (x86-64, IBM Power8 and IBM Z) | Ubuntu 18.04 LTS (x86-64 and IBM Z) | Ubuntu 20.04 LTS (x86-64 and IBM Z*) |
|---|---|---|---|
| Linux Kernel (GA) Crypto API | #2962, #3724 | #3647, #3664 (AWS), #3683 (Azure), #3954 (GCP) | - |
| OpenSSH client | #2907 | #3633 | Merged with OpenSSL |
| OpenSSH server | #2906 | #3632 | Merged with OpenSSL |
| OpenSSL | #2888, #3725 | #3622, #3980 | #3966 |
| libgcrypt | - | #3748 | #3902 |
| StrongSwan | #2978 | #3648 | #4046 |

*The IBM Z packages are under validation.

Canonical patches vulnerabilities

Each FIPS 140 certificate is valid for 5 years. However, vulnerabilities happen, and it is our intention to publish fixed packages quickly, irrespective of their certification status. We therefore provide two alternative options: an option to remain with the certified cryptographic packages (called the 'fips' option), and an option to use the certified packages but include security fixes when available (called the 'fips-updates' option). Check our security pages on how to enable these options.

We recommend enabling the 'fips-updates' option, which includes the security fixes. The packages from the 'fips-updates' option are updated to include high and critical security fixes during the whole product lifecycle, including the Extended Security Maintenance (ESM) phase.

Free for personal use

Canonical provides Ubuntu Advantage Essential subscriptions, which include FIPS, free of charge for individuals on up to 3 machines. For our community of Ubuntu members we will gladly increase that to 50 machines.

FIPS 140-3 and Ubuntu

NIST is phasing out FIPS 140-2 in September 2021. Certifications under FIPS 140-2 remain valid until September 2026 at the latest, and new products are expected to be certified under FIPS 140-3. FIPS 140-3 is a combined effort of NIST and ISO, with the security and testing requirements for cryptographic modules published as ISO/IEC 19790 and ISO/IEC 24759. Canonical is preparing Ubuntu for the new certification, and intends to provide FIPS 140-3 certified cryptographic packages on a future LTS release of Ubuntu.