| Key | Value |
|---|---|
| Summary | How to use the Ubuntu Pro client to enable FIPS cryptographic modules on Ubuntu. |
| Categories | server, security, ua, pro |
| Difficulty | 2 |
| Author | Customer Success Team customersuccess@canonical.com |
Overview
Duration: 2:00
What is FIPS?
FIPS 140-2 is a US government computer security standard. It defines security requirements related to the design and implementation of cryptographic modules. It is a requirement for U.S. Federal agencies to use FIPS 140-2 validated cryptography to protect sensitive information. Canonical’s FIPS 140-2 Certified Modules are available to customers who have purchased qualifying Ubuntu Advantage products.
Anyone deploying systems and cloud services for Federal government agency use, whether directly or through contractors and vendors, is required to use FIPS 140-2 compliant systems. FIPS 140-2 has also been adopted outside of the public sector in industries where data security is heavily regulated, such as financial services, healthcare, legal and manufacturing.
FIPS crypto modules are available for Ubuntu 16.04 LTS, 18.04 LTS, and 20.04 LTS.
Understanding the Ubuntu Pro Client
The Ubuntu Pro Client is a tool designed to automate access to UA services like Extended Security Maintenance (ESM), CIS, FIPS, and more. The client is available for all Ubuntu LTS releases, however some services, such as FIPS, are not available for all Ubuntu LTS releases.
What you’ll learn
- How to check which version of the Ubuntu Pro Client is installed on your machine and how to update it if necessary
- How to attach the Ubuntu Pro Client to your Ubuntu Pro account using your Ubuntu Pro token
- How to enable FIPS modules on your Ubuntu machine
What you’ll need
- An active Ubuntu Pro subscription, or a free subscription (can be used on up to 5 machines)
- An Ubuntu machine running Ubuntu server or desktop 16.04 LTS, 18.04 LTS, or 20.04 LTS
Note that we provide the Ubuntu Pro FIPS images to ease access to FIPS, and reduce the necessary time to enable FIPS on a standard Pro image.
Checking the Ubuntu Pro Client
Duration: 4:00
In this step, we will check which version of the Ubuntu Pro Client we have installed, because we need at least version 27.0 to enable the FIPS modules. We will then update our Ubuntu Pro Client if needed.
To see which version of the Ubuntu Pro Client you have installed, run:
$ apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools:
Installed: 10ubuntu0.16.04.1
Candidate: 10ubuntu0.16.04.1
Version table:
*** 10ubuntu0.16.04.1 500
500 http://azure.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
100 /var/lib/dpkg/status
We need at least version 27.0 but we have 10ubuntu0.16.04.1, so we now need to upgrade our UA package (skip this step if you are already running at least 27.0):
$ sudo apt update
$ sudo apt install ubuntu-advantage-tools
Now we have the correct version running!
$ pro version
27.13.5~16.04.1
Retrieving your Ubuntu Pro Token from the Ubuntu Pro dashboard and attaching it to the Ubuntu Pro Client
Duration: 5:00
If you are enabling FIPS modules on an Ubuntu Pro instance, you can skip this step and go straight to step 4. For non-Pro images, your Ubuntu Pro token is used to associate your machines with your Ubuntu Pro subscription.
Let’s first check whether we have already attached our Ubuntu Pro token to the Ubuntu Pro Client by running pro status:
$ sudo pro status
SERVICE AVAILABLE DESCRIPTION
cis yes Center for Internet Security Audit Tools
esm-infra yes UA Infra: Extended Security Maintenance (ESM)
fips yes NIST-certified FIPS modules
fips-updates yes Uncertified security updates to FIPS modules
livepatch yes Canonical Livepatch service
This machine is not attached to an Ubuntu Pro subscription.
See https://ubuntu.com/advantage
We can see that this is not yet attached to an Ubuntu Pro subscription. Let’s fix that now.
Your UA token can be found on your Ubuntu Pro dashboard. To access your dashboard, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to purchase your subscription.
The Ubuntu One account functions as a Single Sign On, so once logged in we can go straight to the Ubuntu Pro dashboard at ubuntu.com/pro. Then click the “Machines” column in the “Your Paid Subscriptions” table to reveal your token.
Now we’re ready to attach our Ubuntu Pro token to the Ubuntu Pro Client. Attaching the token will automatically enable the Canonical Livepatch service, which cannot be run in conjunction with FIPS, so we need to switch off the auto-enable feature:
$ sudo pro attach <your_pro_token> --no-auto-enable
Service esm-infra is recommended by default. Run: sudo pro enable esm-infra
Service livepatch is recommended by default. Run: sudo pro enable livepatch.
This machine is now attached to 'your account name'
SERVICE ENTITLED STATUS DESCRIPTION
cis yes disabled Center for Internet Security Audit Tools
esm-infra yes disabled UA Infra: Extended Security Maintenance (ESM)
fips yes disabled NIST-certified FIPS modules
fips-updates yes disabled Uncertified security updates to FIPS modules
livepatch yes disabled Canonical Livepatch service
Enabling FIPS crypto modules
Duration: 3:00
Now it is time to enable the FIPS modules on our Ubuntu instance. First, we want to run the following command to see the FIPS service and its status:
$ pro status --all
We should see an output like this:
SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis yes disabled Center for Internet Security Audit Tools
esm-apps no — UA Apps: Extended Security Maintenance (ESM)
esm-infra yes disabled UA Infra: Extended Security Maintenance (ESM)
fips yes disabled NIST-certified FIPS modules
fips-updates yes disabled Uncertified security updates to FIPS modules
livepatch yes disabled Canonical Livepatch service
Enable services with: pro enable <service>
We always recommend including the latest vulnerability updates using the fips-updates option, so let’s enable FIPS including vulnerability fixes:
$ sudo pro enable fips-updates
One moment, checking your subscription first
Updating package lists
Installing FIPS Updates packages
FIPS Updates enabled
A reboot is required to complete install
We now need to reboot our system to put the system into FIPS mode. The reboot will boot into the FIPS kernel and create the /proc/sys/crypto/fips_enabled entry, which instructs the FIPS certified modules to run in FIPS mode.
Finally, let’s check that FIPS is enabled by checking the /proc/sys/crypto/fips_enabled file and ensure it is set to “1”. If it is set to “0”, the FIPS modules will not run in FIPS mode. If the file is missing, the FIPS kernel is not installed. If it is not set to “1” when you check then the FIPS kernel may not have loaded. In this case try rebooting and check it again.
Congratulations!
Duration: 0:00
Congratulations, you have successfully enabled FIPS on your Ubuntu instance!