Ubuntu Advantage: Disabling FIPS manually

Enabling FIPS using Ubuntu Advantage installs a FIPS-certified kernel as well as a number of cryptographic packages and pins those packages to ensure the system remains FIPS-compliant.

FIPS can be disabled on the system using ubuntu-advantage-tools version 26.0 or later with the following commands:

sudo ua disable fips
sudo reboot

This will disable FIPS compliance on the machine by unsetting the GRUB configuration, which will deactivate “FIPS mode” for related cryptographic modules. It will not remove the FIPS kernel. On most systems, the non-FIPS packages will be a higher version and will be auto-updated the next time you run an apt upgrade.

In some systems, especially cloud images such as on AWS and Azure, the machine will continue to boot into the linux-aws-fips or linux-azure-fips kernel respectively because the kernel version is higher than the default linux-azure or linux-aws kernel in those images.

If there is an alternative kernel available on the system to boot with, you can remove the FIPS-specific kernel:

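  • Confirm that your system has a non-FIPS kernel; if on the cloud, look for a cloud-optimized kernel, linux-aws or linux-azure.
  • Remove the FIPS kernel on the machine and reboot:

# Collect the package names that match the FIPS kernel pattern
FIPS_KERNELS=$(dpkg-query -W -f='${Package}\n' | grep -E 'linux-.*-fips')
# Left unquoted on purpose so that each package name becomes its own argument
sudo apt-get remove $FIPS_KERNELS
sudo reboot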
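A pre-removal check for the "confirm that your system has a non-FIPS kernel" step, as an added example that is not part of the original post: it refuses the removal when no non-FIPS kernel image is fully installed, and it filters on dpkg status because `dpkg-query -W` also lists packages that were removed but not purged. The function names, the assumed `linux-image-<version>` naming and the sample package lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: names below are hypothetical, sample package lists are constructed.

# Keep only fully installed ("ii") packages from lines of "<status> <package>".
installed_pkgs() { awk '$1 == "ii" { print $2 }'; }

# Package names matching the FIPS kernel pattern used in the post.
fips_kernel_pkgs() { grep -E 'linux-.*-fips' || true; }

# Versioned kernel images that are not FIPS builds
# (assumed naming: linux-image-<version>...).
non_fips_kernels() {
    grep -E '^linux-image-(unsigned-)?[0-9]' | grep -v -e '-fips' || true
}

# $1: dpkg-query output in "<status> <package>" form.
# Returns 0 = safe to remove, 1 = no alternative kernel,
# 2 = no FIPS kernel packages installed.
check_fips_removal() {
    pkgs=$(printf '%s\n' "$1" | installed_pkgs)
    fips=$(printf '%s\n' "$pkgs" | fips_kernel_pkgs)
    alt=$(printf '%s\n' "$pkgs" | non_fips_kernels)
    if [ -z "$fips" ]; then
        echo "nothing to do: no FIPS kernel packages installed"; return 2
    fi
    if [ -z "$alt" ]; then
        echo "REFUSE: no non-FIPS kernel image installed, nothing would be left to boot"
        return 1
    fi
    echo "OK to remove:" $fips
    echo "remaining kernel image(s):" $alt
}

# Constructed samples: a cloud image with both kernels, and a host whose only
# non-FIPS kernel is in the removed-but-not-purged ("rc") state.
SAMPLE_CLOUD='ii  linux-image-5.4.0-1021-aws-fips
ii  linux-modules-5.4.0-1021-aws-fips
ii  linux-aws-fips
ii  linux-image-5.4.0-1045-aws
ii  openssl'
SAMPLE_ONLY_FIPS='ii  linux-image-4.15.0-1011-fips
rc  linux-image-4.15.0-112-generic'

check_fips_removal "$SAMPLE_CLOUD"
check_fips_removal "$SAMPLE_ONLY_FIPS" || echo "exit status $?"
# On a real host:
# check_fips_removal "$(dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n')"
```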

We also need an apt upgrade in here for the other crypto packages to upgrade to their non-FIPS versions, correct?

I wonder if ppa-purge would help.