Enabling FIPS using Ubuntu Advantage installs a FIPS-certified kernel as well as a number of cryptographic packages and pins those packages to ensure the system remains FIPS-compliant.
FIPS can be disabled on the system using ubuntu-advantage-tools version 26.0 or later with the following commands:
sudo ua disable fips
sudo reboot
This disables FIPS compliance on the machine by unsetting the GRUB configuration, which deactivates “FIPS mode” for the related cryptographic modules. It does not remove the FIPS kernel. On most systems, the non-FIPS packages will be a higher version and will be auto-updated the next time you run an apt upgrade.
In some systems, especially cloud images such as on AWS and Azure, the machine will continue to boot into the linux-aws-fips or linux-azure-fips kernel respectively, because the kernel version is higher than the default linux-aws or linux-azure kernel in those images.
If there is an alternative kernel available on the system to boot with, you can remove the FIPS-specific kernel:
- Confirm that your system has a non-FIPS kernel; if on the cloud, look for a cloud-optimized kernel, linux-aws or linux-azure.
- Remove the FIPS kernel on the machine and reboot:
FIPS_KERNELS=$(dpkg-query -W -f='${Package}\n' | grep -E 'linux-.*-fips')
sudo apt-get remove $FIPS_KERNELS
sudo reboot
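
The two steps above can be combined into a pre-flight check that refuses to plan the removal when no non-FIPS kernel image is installed. This is an added example, not part of the Ubuntu documentation: the function names and the sample package list are constructed, and it assumes non-FIPS kernel images are packaged as linux-image-* without a -fips suffix.

```shell
#!/usr/bin/env bash
# Added example: dry-run planner for removing FIPS kernel packages.
# It only prints the apt-get command; it never removes anything itself.

# Constructed sample of `dpkg-query -W -f='${Package}\n'` output on a cloud image.
SAMPLE_PKGS='linux-aws-fips
linux-image-5.4.0-1021-aws-fips
linux-modules-5.4.0-1021-aws-fips
linux-image-5.4.0-1045-aws
linux-aws
openssl'

# Print FIPS kernel packages from a package list on stdin.
# Anchored version of the page's pattern, so only whole package names match.
fips_kernels() { grep -E '^linux-.*-fips$' || true; }

# Print non-FIPS kernel images (assumption: named linux-image-*, no -fips suffix).
nonfips_images() { grep -E '^linux-image-' | grep -Ev -- '-fips$' || true; }

# plan_removal PACKAGE_LIST
# Prints the removal command, or fails if removal would leave no bootable kernel.
plan_removal() {
  local pkgs="$1"
  local fips images
  fips=$(printf '%s\n' "$pkgs" | fips_kernels)
  images=$(printf '%s\n' "$pkgs" | nonfips_images)
  if [ -z "$fips" ]; then
    echo "nothing to remove"
    return 0
  fi
  if [ -z "$images" ]; then
    echo "refusing: no non-FIPS linux-image package installed" >&2
    return 1
  fi
  printf 'sudo apt-get remove %s\n' "$(printf '%s' "$fips" | tr '\n' ' ')"
}

# Demo on the constructed sample. On a real machine, pass the live list instead:
#   plan_removal "$(dpkg-query -W -f='${Package}\n')"
plan_removal "$SAMPLE_PKGS"
```
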