Your submission was sent successfully! Close

Jump to main content

FIPS 140-2 certification for Ubuntu 18.04 LTS

Canonical has received FIPS 140-2, Level 1 certification for cryptographic modules in Ubuntu 18.04 LTS, with FIPS-validated OpenSSL-1.1.1. modules included. This certification enables organisations to meet compliance requirements within the public sector, healthcare and finance industries when utilising Ubuntu 18.04 LTS within public and private cloud environments.

Canonical worked with U.S. Government and BSI accredited laboratory, atsec information security, for the 18.04 LTS FIPS certification. The publications related to FIPS standards are issued by the National Institute of Standards and Technology (NIST).

FIPS-certified and FIPS-compliant modules for Ubuntu 18.04 LTS and 16.04 LTS are available through an Ubuntu Advantage for Infrastructure subscription, alongside additional open source security and support services. To get started with an Ubuntu Advantage subscription, contact our team.

On public clouds, Ubuntu Pro for AWS​ and ​Ubuntu Pro for Azure​ include subscriptions to Canonical’s FIPS 140-2 repositories, alongside expanded security and hardening.

Why is FIPS 140-2 important? 

Encryption is key to protecting sensitive data. In the world of encryption, there are several methodologies using different cryptographic algorithms to convert plain text into cipher text. Navigating multiple methodologies and algorithms creates a complex, labour-intensive process for teams evaluating the cryptographic services offered within software components. 

The U.S. Government addresses this challenge by mandating the use of Federal Information Processing Standard Publication (FIPS) 140-2 certified software within all federal agencies and entities that work with these agencies. FIPS 140-2 defines the critical security parameters that must be used for encryption in the products sold into the U.S. public sector.

FIPS 140-2 is, therefore, required under multiple compliance regimes, such as Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

FIPS-certification ensures that software has been thoroughly reviewed and tested before being deployed and utilised within an agency or organisation requiring data encryption. Industries storing and processing sensitive data spans outside the public sector space, leading to FIPS-certified software being widely adopted within the payment card industry, healthcare and other regulated industries. 

Why is OpenSSL-1.1.1 certification important?

The upstream OpenSSL project announced a strategy for its FIPS validation at the end of last year, ending support for its standard 1.0.2 series. The only upstream, validated FIPS module that is compatible with the 1.0.2 series also reached end of life in December 2019. 

The current LTS version of the OpenSSL library upstream is 1.1.1, with no upstream FIPS-validated version currently available. For many users who require FIPS-validated OpenSSL, this creates a significant gap. 

Canonical has achieved its own FIPS validation, however, by porting FIPS patches to the OpenSSL-1.1.1 version shipped by Ubuntu. By using Canonical’s validated OpenSSL-1.1.1, customers benefit from an actively-maintained code base which addresses CVEs as well as non-security related issues.  

Will FIPS-validated modules receive security updates?

Customers have different needs depending on their industry. While FIPS 140-2 certified software is critical for use within federal agencies, there are customers who prefer an actively maintained FIPS software, meaning they would like to get security fixes. 

When a FIPS-validated software is modified in any way (including patching), it loses its certification and will need to be re-certified. The recertification process can easily stretch to months depending on the changes, however, Canonical offers flexibility with both FIPS certified and FIPS compliant updates available

Which Ubuntu releases and component versions are FIPS certified?

The table below outlines the certified Ubuntu releases and component versions.

Ubuntu 18.04 LTS

ComponentDescriptionVersionCMVP Certificate
Linux kernel (generic)The Linux kernel cryptographic library4.15.03647
OpenSSLGeneral purpose cryptographic library that includes TLS implementation1.1.13622
OpenSSH clientSSH server application for operating systems7.9p13633
OpenSSH serverSSH client application for operating systems7.9p13632
StrongSWANIPSec based VPN solution library 5.6.23648
AWS Kernel Kernel optimised for use in AWS clouds4.153664
Azure KernelKernel optimised for use in Azure clouds4.153683
LibgcryptThe GNUPG cryptographic general purpose library (provides fully certified full disk encryption)1.8.13748

Ubuntu 16.04 LTS

ComponentDescriptionVersionCMVP Certificate
Linux kernel (generic)The Linux kernel cryptographic library4.4.0.10022962
OpenSSLGeneral purpose cryptographic library that includes TLS implementation1.0.2g2888
OpenSSH clientSSH client application for operating systems7.2p22907
OpenSSH serverSSH server application for operating systems7.2p22906
StrongSWANIPSec based VPN solution library 5.3.5297

How can I get Ubuntu FIPS?

If you are already an Ubuntu Advantage customer, please refer to our FIPS documentation to learn more about accessing your FIPS-certified and FIPS-compliant modules.

For a list of all current security certifications Canonical has, see Ubuntu security certifications and hardening standards.

Both FIPS-certified and FIPS-compliant modules for Ubuntu 18.04 LTS and 16.04 LTS are offered under a comprehensive Ubuntu Advantage for Infrastructure package, starting at $75 per VM per year. 

Additionally, you can get optimised Ubuntu images with FIPS modules and other critical security and compliance services by default for public cloud with Ubuntu Pro for AWS and Ubuntu Pro for Azure.

Newsletter signup

Select topics you're
interested in

In submitting this form, I confirm that I have read and agree to Canonical's Privacy Notice and Privacy Policy.

Related posts

FIPS certified vs compliant: what’s safer?

Minimise risk by treating the FIPS standard as a baseline, and going above and beyond the baseline to mitigate risk by applying security patches.

Canonical at AWS Summit Washington 2022

Meet our public sector team from May 23-25 at Walter E. Washington Convention Center, Washington, DC Our collaboration wth AWS has started in 2012 making 2022...

Ubuntu Pro 20.04 FIPS is now available for AWS, Azure and GCP

The Ubuntu Pro FIPS profile is now available on AWS, Azure and Google Cloud