FIPS in containers and VMs

This page describes the adjustments to the standard FIPS installation process that are required when installing on clouds and in containers.

Containers

Building your own container

Use the manual installation process for manually built Ubuntu FIPS systems in containers.

In containers, the FIPS validated kernel must be running on the host.
The remaining FIPS modules (openssh server, openssh client, openssl, and strongswan) may be installed into the container as necessary and will run in FIPS mode as long as the host has FIPS enabled.

Check this post for more information on building your own container.

Ubuntu Pro FIPS

It is not necessary to open a support ticket for the Ubuntu Pro FIPS images that are available on some public cloud providers, such as AWS and Azure.

Ubuntu Pro FIPS images have the FIPS packages installed and configured out-of-the-box.

Both Azure and AWS have Ubuntu Pro FIPS pre-built machine images.

AWS

The most recent AWS Ubuntu Xenial kernels will be installed as an update to the FIPS kernel, so the FIPS kernel will not automatically become the default after installing and rebooting. Follow the instructions above in Latest Xenial Kernels.

NVMe-backed instances can only boot using the AWS Ubuntu Xenial kernel, because they require a feature found only in that kernel. A FIPS kernel cannot replace it and cannot be used on this type of instance.

The Bionic AWS kernel has a FIPS validation. Please see the main FIPS page for module specifics. Use the ubuntu-aws-fips metapackage instead of ubuntu-fips.

Note: Canonical ships Ubuntu Pro FIPS pre-built images on AWS; using these images avoids the need to do manual FIPS configuration.

Azure

The most recent Azure Ubuntu Xenial kernels will be installed as an update to the FIPS kernel, so the FIPS kernel will not automatically become the default after installing and rebooting. Follow the instructions above in Latest Xenial Kernels.

The Azure Ubuntu Xenial kernel contains custom features as well as performance features that are not available in the FIPS kernel.

The Bionic Azure kernel has a FIPS validation. Please see the main FIPS page for module specifics. Use the ubuntu-azure-fips metapackage instead of ubuntu-fips.

Note: Canonical ships Ubuntu Pro FIPS pre-built images on Azure; using these images avoids the need to do manual FIPS configuration.
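The AWS and Azure sections above both say the same two things: the cloud kernel, not the FIPS kernel, stays the default after a reboot, and on Bionic the cloud-specific metapackage (ubuntu-aws-fips or ubuntu-azure-fips) must be used instead of ubuntu-fips. The following shell helper is an added example, not part of the Ubuntu documentation, that turns both points into a check an operator can run on an instance. It assumes Ubuntu kernel release strings carry a flavour suffix such as -aws or -azure and that FIPS kernels end in -fips (for example -aws-fips); those naming conventions are assumptions here, not stated on this page.

```shell
#!/bin/sh
# Added example (not from the Ubuntu FIPS documentation): choose the FIPS
# metapackage matching the cloud kernel flavour, and report whether the
# kernel actually running is a FIPS kernel.
#
# Assumption: Ubuntu cloud kernels end in a flavour suffix ("-aws", "-azure")
# and FIPS kernels end in "-fips" (e.g. "-aws-fips"). These conventions are
# assumed, not stated on the page.

# fips_metapackage <kernel-release>
# Prints the metapackage the documentation recommends for that flavour.
fips_metapackage() {
  case "$1" in
    *-aws|*-aws-fips)     echo ubuntu-aws-fips ;;
    *-azure|*-azure-fips) echo ubuntu-azure-fips ;;
    *)                    echo ubuntu-fips ;;
  esac
}

# is_fips_kernel <kernel-release>
# Returns 0 when the release string names a FIPS kernel flavour, 1 otherwise.
is_fips_kernel() {
  case "$1" in
    *-fips) return 0 ;;
    *)      return 1 ;;
  esac
}

# fips_report [kernel-release]
# Combines both checks for the running kernel (or a supplied release string):
# which package to install, and whether the FIPS kernel is the one booted.
# Always returns 0 so it can be used purely as a report.
fips_report() {
  rel="${1:-$(uname -r)}"
  pkg="$(fips_metapackage "$rel")"
  if is_fips_kernel "$rel"; then
    state="FIPS kernel active"
  else
    state="FIPS kernel NOT active: cloud kernel is still the default (see Latest Xenial Kernels)"
  fi
  echo "kernel=$rel metapackage=$pkg $state"
  return 0
}

# Report on the kernel this script is running under.
fips_report
```

Running the script on an instance prints one line naming the metapackage to install and whether the booted kernel is a FIPS flavour; a "NOT active" result after installing the FIPS packages is the symptom the page describes, where the cloud kernel remains the boot default.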

Google GCE

The most recent Google GCE Ubuntu Xenial kernel will be installed as an update to the FIPS kernel, so the FIPS kernel will not automatically become the default after installing and rebooting. Follow the instructions above in Latest Xenial Kernels.

Local VMs

If the VM runs a kernel that is installed as an update to the FIPS kernel, follow the instructions above in Latest Xenial Kernels.

Local LXD

In LXD containers, the FIPS kernel should not be installed in the container, only in the hypervisor. Because the kernel is shared from the host to the container, the container runs the FIPS-enabled kernel once FIPS has been enabled on the host.

The remaining FIPS modules (openssh server, openssh client, openssl, and strongswan) may be installed into the container and will run in FIPS mode.
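Both the Containers section and the Local LXD section rest on the same condition: the FIPS modules inside the container only run in FIPS mode if the shared host kernel has FIPS enabled. The Linux kernel exposes that state as a single flag in /proc/sys/crypto/fips_enabled (1 when FIPS mode is on, 0 when off), which is readable from inside a container because the kernel is shared. The script below is an added example, not part of the Ubuntu documentation; the fips_state and require_host_fips function names are this example's own, and it accepts a path argument so that the demonstration can run against constructed flag files instead of the real /proc entry.

```shell
#!/bin/sh
# Added example (not from the Ubuntu FIPS documentation): confirm that the
# kernel shared with a container or LXD container has FIPS mode enabled
# before relying on the FIPS modules installed inside it.
#
# /proc/sys/crypto/fips_enabled is the standard Linux kernel flag:
# 1 = FIPS mode enabled, 0 = disabled. A path argument lets the check run
# against a constructed file for demonstration.

# fips_state [path]
# Prints enabled / disabled / unavailable / unknown.
# Returns 0 only when FIPS mode is enabled, 1 when disabled, 2 otherwise.
fips_state() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  if [ ! -r "$f" ]; then
    echo unavailable
    return 2
  fi
  case "$(cat "$f")" in
    1) echo enabled;  return 0 ;;
    0) echo disabled; return 1 ;;
    *) echo unknown;  return 2 ;;
  esac
}

# require_host_fips [path]
# Gate to place before deploying FIPS modules into a container: succeeds
# only when the shared kernel reports FIPS mode, otherwise explains that the
# host (hypervisor) must be fixed first, since the container cannot change it.
require_host_fips() {
  state="$(fips_state "$1")"
  if [ "$state" = enabled ]; then
    echo "host kernel FIPS mode enabled; container workloads will run in FIPS mode"
    return 0
  fi
  echo "host kernel FIPS mode $state; enable the FIPS kernel on the host, not in the container" >&2
  return 1
}

# Demonstration with constructed flag files (not the real /proc entry).
demo() {
  tmp="$(mktemp -d)"
  echo 1 > "$tmp/on"
  echo 0 > "$tmp/off"
  for f in "$tmp/on" "$tmp/off" "$tmp/missing"; do
    printf '%s -> ' "$f"
    fips_state "$f" || :
  done
  rm -rf "$tmp"
  return 0
}
demo
```

Run without arguments on the host, or inside the container, and require_host_fips reads the real /proc/sys/crypto/fips_enabled; for an LXD container the same flag can be read from the host with `lxc exec <container> -- cat /proc/sys/crypto/fips_enabled`, and it will match the host's value because the kernel is shared.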

Local Private Cloud

It is possible that the cloud instance contains an Ubuntu Xenial kernel that will be installed as an update to the FIPS kernel, so the FIPS kernel will not automatically become the default after installing and rebooting. Follow the instructions above in Latest Xenial Kernels.

container blog link is broken - https://ubuntu.com/blog/building-and-running-fips-containers-on-ubuntu

Hi,

This post is published on https://ubuntu.com/security/certifications/docs/fips-cloud-containers, I don’t believe we have such a blog post.

Can you give us the original source where you saw https://ubuntu.com/blog/building-and-running-fips-containers-on-ubuntu ?

Hey carkod,

I think the previous comment was referring to the link in

Check this post for more information on building your own container.

which I have already updated!