
Hugo Huang
on 22 November 2021


In August 2016, the United States government announced a new federal source-code policy, which mandates that at least 20% of custom source code developed by or for any agency of the federal government must be released as open-source software (OSS). The memo of this policy also states that the Federal Government spends more than $6 billion each year on software through more than 42,000 transactions. Obviously, this is a huge business for all open-source developers. The question is “how can you get the business from the Federal Government?” The answer is FIPS.

Federal Information Processing Standards (FIPS) are standards and guidelines for federal computer systems that are developed by the National Institute of Standards and Technology (NIST). Certain federal-related applications are required to be FIPS compliant, and many non-government organizations also follow FIPS standards. Ubuntu Pro provides you with cryptographic packages that are tested and attested by atsec Information Security, a NIST-accredited laboratory. And Google automatically encrypts traffic between VMs that travels between Google data centers using FIPS 140-2 validated encryption. Your workloads can easily be FIPS compliant if you properly deploy your workloads on Ubuntu Pro in Google Cloud.

Ubuntu 18.04 Pro offers you two FIPS options: FIPS and FIPS-updates.

Let’s SSH into your Ubuntu Pro virtual machine. If you haven’t yet upgraded your Ubuntu LTS to Ubuntu Pro, please follow this tutorial. In less than one minute, you will be able to get your Ubuntu Pro machine without losing any of your mission-critical workloads. Once you SSH into your Ubuntu Pro machine, input:

You will see:

SERVICE       ENTITLED  STATUS    DESCRIPTION
[…]
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates

The FIPS option includes the certified cryptographic packages, while the FIPS-updates option uses the certified packages but includes security fixes when available. That said, if you prioritize security patching over strict compliance, go with fips-updates.

Let’s enable FIPS now:

At the time of writing, FIPS is only available on Ubuntu 18.04 Pro on GCP. We will need to wait longer for FIPS images for Ubuntu 16.04 Pro and Ubuntu 20.04 Pro.

Maintenance: Livepatch

SERVICE       ENTITLED  STATUS    DESCRIPTION
[…]
livepatch     yes       n/a       Canonical Livepatch service

Livepatch eliminates the need for unplanned maintenance windows for high and critical severity kernel vulnerabilities by patching the Linux kernel while the system runs. This reduces fire drills while keeping uninterrupted service.

Let’s enable Livepatch in Ubuntu 20.04 Pro and let the machine safely go for 10 years:

Check it:

SERVICE       ENTITLED  STATUS    DESCRIPTION
cis           yes       disabled  Center for Internet Security Audit Tools
esm-apps      yes       enabled   UA Apps: Extended Security Maintenance (ESM)
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       n/a       NIST-certified core packages
fips-updates  yes       n/a       NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service

At the time of writing, Livepatch is only available on Ubuntu 20.04 Pro. Livepatch for Ubuntu 16.04 Pro and Ubuntu 18.04 Pro will be available soon.
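
To turn the status table above into a repeatable check, the following added example (not part of the original post or Canonical's tooling) parses status output in the column layout shown and reports any required service that is not enabled, distinguishing `disabled` from `n/a`. The sample table is constructed from the output in this post; the function names and the required-service list are assumptions.

```shell
#!/bin/sh
# Added example: audit a status table against a list of required services.
# SAMPLE_STATUS is constructed from the table shown in this post (20.04 Pro).
SAMPLE_STATUS='SERVICE       ENTITLED  STATUS    DESCRIPTION
cis           yes       disabled  Center for Internet Security Audit Tools
esm-apps      yes       enabled   UA Apps: Extended Security Maintenance (ESM)
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       n/a       NIST-certified core packages
fips-updates  yes       n/a       NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service'

# service_state TABLE SERVICE
# Prints "ENTITLED STATUS" for the service row, or "missing" if there is no row.
service_state() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        $1 == svc { print $2, $3; found = 1; exit }
        END { if (!found) print "missing" }'
}

# audit_services TABLE SERVICE...
# Prints one finding per failing service; returns 0 only if every listed
# service is both entitled and enabled.
audit_services() {
    table=$1; shift
    rc=0
    for svc in "$@"; do
        state=$(service_state "$table" "$svc")
        case $state in
            "yes enabled") ;;
            "yes n/a")  echo "$svc: not available on this release"; rc=1 ;;
            "yes "*)    echo "$svc: entitled but ${state#yes }"; rc=1 ;;
            missing)    echo "$svc: not listed"; rc=1 ;;
            *)          echo "$svc: not entitled"; rc=1 ;;
        esac
    done
    return $rc
}

# Hypothetical baseline: patching services plus a FIPS variant.
audit_services "$SAMPLE_STATUS" esm-infra livepatch fips-updates || true
```

On the sample table the baseline fails on `fips-updates` with the `n/a` reason, which matches the availability note above: a release where a service is `n/a` cannot meet a baseline that requires it, whatever is enabled.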

A spell to rule them all

In this blog series, we navigate through the great features of Ubuntu Pro: CIS, ESM, FIPS, Livepatch. Now, if you just want them all at once, here is the single magic spell you need to remember:

Replace the following:

  • BOOT_DISK_NAME: the name of the boot disk to append the license to
  • ZONE: the zone containing the boot disk to append the license to
  • LICENSE_URI: the license URI for the version of Ubuntu Pro you are upgrading to. The following table shows the license URI for the supported versions of Ubuntu Pro:

    Ubuntu Pro version     License URI
    Ubuntu Pro 16.04 LTS   https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-1604-lts
    Ubuntu Pro 18.04 LTS   https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-1804-lts
    Ubuntu Pro 20.04 LTS   https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-2004-lts

For comprehensive instructions, please refer to the official Google Cloud documentation: Upgrade from Ubuntu to Ubuntu Pro.
