Enabling FIPS with the ua tool

Enabling FIPS 140

FIPS configuration can be enabled automatically via the Ubuntu Advantage Tool (also known as the “UA tool” or “UA client”) on bare metal, virtual, and cloud environments. Version 27.0 or higher of the UA tool is required to use this method. If the UA tool is already installed, it can report its own version:

$ ua version

If the tool is missing or older than 27.0, apt can be used to install or upgrade it to the latest version:

$ sudo apt update
$ sudo apt install ubuntu-advantage-tools

Access to the FIPS repositories is controlled by a token associated with an Ubuntu Advantage subscription.

Attach the subscription

This step is not necessary on Ubuntu Pro cloud images, which are attached automatically.

  1. Login at ubuntu.com/advantage using the Ubuntu One account tied to your UA-I subscription.

  2. Under the “Your paid subscriptions” header, click on the down-arrow in the “machines” column for the row of your subscription. This may already be expanded.

  3. Find your token from within the provided attach command in the format of sudo ua attach <TOKEN>. Save this token to complete the process below.

  4. Attach the system to the Ubuntu Advantage service.
    sudo ua attach <TOKEN>

Enable FIPS

Including timely security updates

  1. Enable FIPS including security updates.
    sudo ua enable fips-updates
  2. Verify that the system is attached to UA and has FIPS enabled.
    sudo ua status
  3. Please proceed to the reboot section.

Strictly with the certified packages

  1. Enable FIPS.
    sudo ua enable fips
  2. Verify that the system is attached to UA and has FIPS enabled.
    sudo ua status
  3. Please proceed to the reboot section.

Reboot

The ua client will install the necessary packages for the FIPS mode, including the kernel and the bootloader. After this step you MUST reboot to put the system into FIPS mode. The reboot will boot into the FIPS-supported kernel and create the /proc/sys/crypto/fips_enabled entry which tells the FIPS certified modules to run in FIPS mode. If you do not reboot after installing and configuring the bootloader, FIPS mode is not yet enabled.

To verify that FIPS is enabled after the reboot, check the /proc/sys/crypto/fips_enabled file and ensure it is set to 1. If it is set to 0, the FIPS modules will not run in FIPS mode. If the file is missing, the FIPS kernel is not installed or was not the kernel that booted; in that case confirm with the ua status command that the fips (or fips-updates) service was actually enabled, and reboot again if needed.
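The post-reboot check above can be scripted so that a host is only accepted once it is genuinely in FIPS mode. The script below is an added example, not part of the Ubuntu documentation and not code shipped with the ua tool; it classifies /proc/sys/crypto/fips_enabled into the three outcomes the text describes (1, 0, or missing), then cross-checks the running kernel and the ua status output. Two things in it are assumptions rather than facts taken from this page: that Ubuntu FIPS kernels carry “fips” in their uname -r release string, and that ua status prints SERVICE / ENTITLED / STATUS / DESCRIPTION columns. The sample ua status text embedded in the script is constructed for the self-test, not captured from a real machine.

```sh
#!/bin/sh
# Post-reboot FIPS verification. Added example; not from the Ubuntu docs or the
# ua tool. Encodes the three outcomes for /proc/sys/crypto/fips_enabled:
#   1       -> FIPS mode is on
#   0       -> kernel booted with the sysctl present, but not in FIPS mode
#   missing -> the FIPS kernel is not installed or was not booted
# Assumptions (not stated on the page): FIPS kernels contain "fips" in
# `uname -r`; `ua status` prints SERVICE ENTITLED STATUS DESCRIPTION columns.

# fips_state [FILE]: print enabled|disabled|unknown|missing for FILE
# (default /proc/sys/crypto/fips_enabled). Exit status 0 only when enabled.
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -e "$f" ]; then
        echo missing
        return 2
    fi
    case "$(tr -d '[:space:]' < "$f")" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown;  return 3 ;;
    esac
}

# kernel_is_fips RELEASE: succeed if a kernel release string looks like a
# FIPS build (assumed naming, e.g. "4.15.0-1007-fips").
kernel_is_fips() {
    case "$1" in
        *fips*) return 0 ;;
        *)      return 1 ;;
    esac
}

# ua_fips_enabled TEXT: succeed if `ua status` output TEXT lists the fips or
# fips-updates service with STATUS "enabled" (third column, assumed layout).
ua_fips_enabled() {
    printf '%s\n' "$1" | awk '
        ($1 == "fips" || $1 == "fips-updates") && $3 == "enabled" { found = 1 }
        END { exit !found }'
}

# Constructed samples of `ua status` output for the self-test; not captured
# from a real system.
SAMPLE_STATUS_ON='SERVICE       ENTITLED  STATUS    DESCRIPTION
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       enabled   NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       disabled  Canonical Livepatch service'

SAMPLE_STATUS_OFF='SERVICE       ENTITLED  STATUS    DESCRIPTION
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service'

# fips_check: run the live checks on this host. Returns non-zero unless
# fips_enabled is 1, so it can gate a provisioning pipeline.
fips_check() {
    state=$(fips_state /proc/sys/crypto/fips_enabled || true)
    case "$state" in
        enabled)
            echo "fips_enabled=1: FIPS mode is active" ;;
        disabled)
            echo "fips_enabled=0: kernel is up but the FIPS modules will not run in FIPS mode"
            return 1 ;;
        *)
            echo "/proc/sys/crypto/fips_enabled is missing: FIPS kernel not installed or not booted"
            echo "check 'sudo ua status' and reboot into the FIPS kernel"
            return 1 ;;
    esac
    release=$(uname -r)
    kernel_is_fips "$release" || echo "warning: running kernel $release does not look like a FIPS build"
    if command -v ua >/dev/null 2>&1; then
        status=$(ua status 2>/dev/null || true)
        ua_fips_enabled "$status" && echo "ua status: fips service enabled" \
                                  || echo "ua status: no fips service enabled"
    fi
    return 0
}

# Run the live checks only when invoked as `sh fips-check.sh --live`, so the
# functions can also be sourced and reused.
if [ "${1:-}" = "--live" ]; then
    fips_check
fi
```

Run it as sh fips-check.sh --live after the reboot; a non-zero exit means the host is not in FIPS mode and should not be handed to a workload that requires it. The sysctl value is the authoritative signal; the kernel-name and ua status checks only explain why it is wrong.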

FIPS and livepatching

The Livepatch service is enabled by default when the system is attached to the Ubuntu Advantage service. Livepatch and FIPS are not compatible, so enabling FIPS disables Livepatch; the FIPS kernel receives fixes through package updates and a reboot rather than through live patches.

Enabling the strict FIPS mode

We recommend enabling the ‘fips-updates’ option, which delivers security fixes promptly, before the patched packages have been re-certified. However, we also provide the option to install only the validated packages, which are updated solely on re-validation.

After using the UA tool to attach your token, enable strict FIPS mode in the UA tool as shown below, then reboot as described in the reboot section.

sudo ua enable fips