FIPS in containers and VMs

This page describes the tweaks required to the standard FIPS installation process when installing on clouds and containers.

Containers

Building your own container

The manual installation process will need to be used for manually-built Ubuntu FIPS systems in containers.

In containers, the FIPS validated kernel must be running in the host.
The remaining FIPS modules (openssh server, openssh client, openssl and strongswan) may be installed into the container as necessary; they will run in FIPS mode as long as the host has FIPS enabled.

Check this post for more information on building your own container.

Notes on latest Xenial kernels

On Xenial, the FIPS 140-2 kernel has version 4.4.0-1002-fips. More recent Xenial kernels have higher version numbers than the FIPS kernel and so take precedence over it; for example, the desktop ISO ships a 4.10 kernel. Thus, after installing the FIPS kernel and rebooting, the FIPS kernel will not automatically become the default kernel. First you need to boot into the FIPS kernel; you have two options:

After you have confirmed everything is working, it is recommended to remove the non-FIPS kernels and revert any GRUB changes you made.
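As an added example (not from the original page), a POSIX shell snippet to confirm, before removing the non-FIPS kernels, that the FIPS kernel is the one actually running and that FIPS mode is on, and to list the non-FIPS kernel packages still installed. It assumes FIPS kernel versions carry a -fips suffix, as 4.4.0-1002-fips does, and that the kernel reports FIPS mode in /proc/sys/crypto/fips_enabled.

```shell
#!/bin/sh
# Added example: verify the FIPS kernel is running with FIPS mode enabled and
# list non-FIPS kernels that are candidates for removal. Assumptions: FIPS
# kernel versions contain "-fips" (e.g. 4.4.0-1002-fips) and FIPS mode is
# reported by /proc/sys/crypto/fips_enabled.

# Return 0 if the given kernel release string (as from `uname -r`) is a FIPS kernel.
is_fips_kernel() {
    case "$1" in
        *-fips*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if the given file (default: the real sysctl) reports FIPS mode enabled.
fips_mode_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Read installed linux-image package names on stdin, one per line, and print
# those that are not FIPS kernels (the ones to remove once FIPS is confirmed).
non_fips_kernel_packages() {
    while IFS= read -r pkg; do
        case "$pkg" in
            linux-image-*fips*) ;;                       # keep FIPS kernels
            linux-image-*)      printf '%s\n' "$pkg" ;;  # removal candidate
        esac
    done
}

# Summarise the state of the running system; non-zero status means "not yet safe
# to remove the non-FIPS kernels".
check_system() {
    k="$(uname -r)"
    if ! is_fips_kernel "$k"; then
        echo "running kernel $k is not the FIPS kernel; boot into it first" >&2
        return 1
    fi
    if ! fips_mode_enabled; then
        echo "FIPS kernel $k is running but FIPS mode is not enabled" >&2
        return 2
    fi
    echo "FIPS kernel $k is running with FIPS mode enabled"
    echo "non-FIPS kernel packages still installed:"
    dpkg-query -W -f='${binary:Package}\n' 'linux-image-*' 2>/dev/null | non_fips_kernel_packages
}
```

Run check_system on the booted machine; only once it exits 0 should the listed packages be purged and the GRUB default reverted.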

Note: These instructions are presented in greater detail on the main FIPS installation instructions page.

Desktops

The most recent Xenial desktop amd64 ISO (the 16.04.3 release) installs a kernel that takes precedence over the FIPS kernel, so the FIPS kernel will not automatically become the default after installing and rebooting. Follow the instructions above in Notes on latest Xenial kernels.

Please see the main FIPS page about FIPS certified packages.

Ubuntu Pro FIPS

It is not necessary to open a support ticket for the Ubuntu Pro FIPS images that are available on some public cloud providers, such as AWS and Azure.

Ubuntu Pro FIPS images have the FIPS packages installed and configured out-of-the-box.

Both Azure and AWS have Ubuntu Pro FIPS pre-built machine images.

AWS

The most recent AWS Ubuntu Xenial kernels will update the FIPS kernel. Thus the FIPS kernel will not automatically become the default upon installing and rebooting. Follow the above instructions in Latest Xenial Kernels.

NVMe-backed instances can only boot using the AWS Ubuntu Xenial kernel, because they require a feature found only in that kernel. A FIPS kernel cannot replace it and cannot be used on this type of instance.

The Bionic AWS kernel has a FIPS validation. Please see the main FIPS page for module specifics. Use the ubuntu-aws-fips metapackage instead of ubuntu-fips.

Note: Canonical ships Ubuntu Pro FIPS pre-built images on AWS; using these images avoids the need to do manual FIPS configuration.

Azure

The most recent Azure Ubuntu Xenial kernels will update the FIPS kernel. Thus the FIPS kernel will not automatically become the default upon installing and rebooting. Follow the above instructions in Latest Xenial Kernels.

The Azure Ubuntu Xenial kernel contains custom features as well as performance features that are not available in the FIPS kernel.

The Bionic Azure kernel has a FIPS validation. Please see the main FIPS page for module specifics. Use the ubuntu-azure-fips metapackage instead of ubuntu-fips.

Note: Canonical ships Ubuntu Pro FIPS pre-built images on Azure; using these images avoids the need to do manual FIPS configuration.

Google GCE

The most recent Google GCE Ubuntu Xenial kernel will update the FIPS kernel. Thus the FIPS kernel will not automatically become the default upon installing and rebooting. Follow the above instructions in Latest Xenial Kernels.

Local VMs

If the VM runs a kernel that updates the FIPS kernel, follow the above instructions in Latest Xenial Kernels.

Local LXD

In LXD containers, the FIPS kernel should not be installed in the container, only on the host (hypervisor). Because the kernel is shared from the host to the container, the container will be running the FIPS-enabled kernel once FIPS has been enabled on the host.

The remaining FIPS modules (openssh server, openssh client, openssl and strongswan) may be installed into the container and will run in FIPS mode.

Local Private Cloud

It is possible the cloud instance contains an Ubuntu Xenial kernel that will update the FIPS kernel. Thus the FIPS kernel will not automatically become the default upon installing and rebooting. Follow the above instructions in Latest Xenial Kernels.