Canonical
on 20 May 2020
FIPS 140-2 certification for Ubuntu 18.04 LTS
Canonical has received FIPS 140-2, Level 1 certification for cryptographic modules in Ubuntu 18.04 LTS, with FIPS-validated OpenSSL-1.1.1. modules included. This certification enables organisations to meet compliance requirements within the public sector, healthcare and finance industries when utilising Ubuntu 18.04 LTS within public and private cloud environments.
Canonical worked with U.S. Government and BSI accredited laboratory, atsec information security, for the 18.04 LTS FIPS certification. The publications related to FIPS standards are issued by the National Institute of Standards and Technology (NIST).
FIPS-certified and FIPS-compliant modules for Ubuntu 18.04 LTS and 16.04 LTS are available through an Ubuntu Advantage for Infrastructure subscription, alongside additional open source security and support services. To get started with an Ubuntu Advantage subscription, contact our team.
On public clouds, Ubuntu Pro for AWS and Ubuntu Pro for Azure include subscriptions to Canonical’s FIPS 140-2 repositories, alongside expanded security and hardening.
Why is FIPS 140-2 important?
Encryption is key to protecting sensitive data. In the world of encryption, there are several methodologies using different cryptographic algorithms to convert plain text into cipher text. Navigating multiple methodologies and algorithms creates a complex, labour-intensive process for teams evaluating the cryptographic services offered within software components.
The U.S. Government addresses this challenge by mandating the use of Federal Information Processing Standard Publication (FIPS) 140-2 certified software within all federal agencies and entities that work with these agencies. FIPS 140-2 defines the critical security parameters that must be used for encryption in the products sold into the U.S. public sector.
FIPS 140-2 is, therefore, required under multiple compliance regimes, such as Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
FIPS-certification ensures that software has been thoroughly reviewed and tested before being deployed and utilised within an agency or organisation requiring data encryption. Industries storing and processing sensitive data spans outside the public sector space, leading to FIPS-certified software being widely adopted within the payment card industry, healthcare and other regulated industries.
Why is OpenSSL-1.1.1 certification important?
The upstream OpenSSL project announced a strategy for its FIPS validation at the end of last year, ending support for its standard 1.0.2 series. The only upstream, validated FIPS module that is compatible with the 1.0.2 series also reached end of life in December 2019.
The current LTS version of the OpenSSL library upstream is 1.1.1, with no upstream FIPS-validated version currently available. For many users who require FIPS-validated OpenSSL, this creates a significant gap.
Canonical has achieved its own FIPS validation, however, by porting FIPS patches to the OpenSSL-1.1.1 version shipped by Ubuntu. By using Canonical’s validated OpenSSL-1.1.1, customers benefit from an actively-maintained code base which addresses CVEs as well as non-security related issues.
Will FIPS-validated modules receive security updates?
Customers have different needs depending on their industry. While FIPS 140-2 certified software is critical for use within federal agencies, there are customers who prefer an actively maintained FIPS software, meaning they would like to get security fixes.
When a FIPS-validated software is modified in any way (including patching), it loses its certification and will need to be re-certified. The recertification process can easily stretch to months depending on the changes, however, Canonical offers flexibility with both FIPS certified and FIPS compliant updates available.
Which Ubuntu releases and component versions are FIPS certified?
The table below outlines the certified Ubuntu releases and component versions.
Ubuntu 18.04 LTS
Component | Description | Version | CMVP Certificate |
---|---|---|---|
Linux kernel (generic) | The Linux kernel cryptographic library | 4.15.0 | 3647 |
OpenSSL | General purpose cryptographic library that includes TLS implementation | 1.1.1 | 3622 |
OpenSSH client | SSH server application for operating systems | 7.9p1 | 3633 |
OpenSSH server | SSH client application for operating systems | 7.9p1 | 3632 |
StrongSWAN | IPSec based VPN solution library | 5.6.2 | 3648 |
AWS Kernel | Kernel optimised for use in AWS clouds | 4.15 | 3664 |
Azure Kernel | Kernel optimised for use in Azure clouds | 4.15 | 3683 |
Libgcrypt | The GNUPG cryptographic general purpose library (provides fully certified full disk encryption) | 1.8.1 | 3748 |
Ubuntu 16.04 LTS
Component | Description | Version | CMVP Certificate |
---|---|---|---|
Linux kernel (generic) | The Linux kernel cryptographic library | 4.4.0.1002 | 2962 |
OpenSSL | General purpose cryptographic library that includes TLS implementation | 1.0.2g | 2888 |
OpenSSH client | SSH client application for operating systems | 7.2p2 | 2907 |
OpenSSH server | SSH server application for operating systems | 7.2p2 | 2906 |
StrongSWAN | IPSec based VPN solution library | 5.3.5 | 297 |
How can I get Ubuntu FIPS?
If you are already an Ubuntu Advantage customer, please refer to our FIPS documentation to learn more about accessing your FIPS-certified and FIPS-compliant modules.
For a list of all current security certifications Canonical has, see Ubuntu security certifications and hardening standards.
Both FIPS-certified and FIPS-compliant modules for Ubuntu 18.04 LTS and 16.04 LTS are offered under a comprehensive Ubuntu Advantage for Infrastructure package, starting at $75 per VM per year.
Additionally, you can get optimised Ubuntu images with FIPS modules and other critical security and compliance services by default for public cloud with Ubuntu Pro for AWS and Ubuntu Pro for Azure.