FIPS
About FIPS compliant Minimus images
Overview
FIPS, short for the Federal Information Processing Standards, is a federal compliance framework. FIPS is mandatory for non-military federal government agencies, contractors, and vendors, and is often adopted voluntarily by private sector companies. It is also required by FedRAMP.
What is FIPS
FIPS compliance ensures that cryptographic security services in applications adhere to rigorous standards for security and integrity and that they are correctly implemented.
Minimus FIPS images are built to contain only FIPS-validated cryptographic modules. Cryptographic FIPS modules currently provided by Minimus:
- OpenSSL FIPS 3.5 Provider Module
- Jitter RNG Entropy Source module
Note that some cryptographic FIPS modules used by Minimus may also include non-approved algorithms, which allow running in non-approved modes for specific use cases.
Userspace entropy source vs. kernel-dependent entropy
Cryptographic protection depends on the use of trusted algorithms and secure random bit generators whose output cannot be predicted. The source of this unpredictability is known as the entropy source.
Minimus FIPS containers rely on a userspace entropy source, as opposed to the more traditional kernel-dependent entropy.
A userspace entropy source allows developers to run FIPS-compliant workloads on any modern kernel, hardware, or instance type without being locked into FIPS-enabled environments. This allows FIPS workloads to run seamlessly on local developer machines, existing CI/CD pipelines, and widely available non-FIPS managed cloud services.
With kernel-dependent entropy, the more traditional entropy source, containers rely on the entropy source being provided by a certified kernel. This requires provisioning of dedicated hardware or VMs that have the host kernel configured in FIPS mode. In cloud-native environments, this limitation introduces significant operational complexity by tying workloads to a narrow set of FIPS-enabled kernels.
Thanks to this design, Minimus FIPS-compliant container images are fully self-contained and can run in any environment.
| | Minimus FIPS images | Most FIPS options |
|---|---|---|
| Entropy source | Userspace entropy | Kernel-dependent entropy |
| Host kernel requirement | None, any kernel | Certified kernel configured in FIPS mode |
| Cloud environment requirements | None, any cloud environment | Only certified FIPS-enabled environment |
Test for FIPS compatibility
Examine ciphers
First, run the FIPS container so that it is listening on a port for an SSL connection. To view the ciphers used by the container, run the following from the host:
The response should print the ciphers and their version. For example:
Test for FIPS compatibility
To test that the OpenSSL FIPS provider module is configured, you will need to run the container as root and override the entrypoint at runtime. For example, for the Minimus FIPS NGINX image, the run command looks like this:
The test results will print to the terminal for you to review. For example:
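One way to read a provider listing when checking that the FIPS provider is configured, added here as an example and not Minimus's own test: the function below classifies the output of `openssl list -providers`. The function name, the verdict strings and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the output of `openssl list -providers` (read on stdin).
# Prints "<verdict> <fips provider version>", where verdict is one of:
#   fips-active   fips provider active, default provider not active
#   fips-mixed    fips active, default provider active too; non-validated
#                 implementations can be fetched unless properties force fips=yes
#   fips-missing  no active fips provider
fips_provider_status() {
    awk '
        /^  [^ ]/       { id = $1 }          # provider id, two-space indent
        /^    version:/ { ver[id] = $2 }     # attributes, four-space indent
        /^    status:/  { st[id] = $2 }
        END {
            v = (ver["fips"] != "") ? ver["fips"] : "-"
            if (st["fips"] != "active")         print "fips-missing", v
            else if (st["default"] == "active") print "fips-mixed", v
            else                                print "fips-active", v
        }
    '
}

# Constructed sample listings (not captured from a Minimus image).
SAMPLE_FIPS='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.5.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.5.0
    status: active'
SAMPLE_MIXED="$SAMPLE_FIPS
  default
    name: OpenSSL Default Provider
    version: 3.5.0
    status: active"

printf '%s\n' "$SAMPLE_FIPS"  | fips_provider_status   # fips-active 3.5.0
printf '%s\n' "$SAMPLE_MIXED" | fips_provider_status   # fips-mixed 3.5.0
# Live use inside a running container: openssl list -providers | fips_provider_status
```

The version printed next to the verdict is the one to compare against the module version the image is documented to ship.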
Further reading: About FIPS entropy requirements
FIPS compliance depends on an entropy source for secure key generation. Acceptable entropy sources and seeding behavior are detailed in the following:
- NIST publication FIPS 140-3: Security Requirements for Cryptographic Modules
- NIST SP 800-90 Series
  - SP 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
    Details DRBG types, seeding methods, and reseeding requirements.
  - SP 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation
    Considered to be the most detailed source for acceptable entropy sources under FIPS requirements.
  - SP 800-90C: Recommendation for Random Bit Generator (RBG) Constructions
    Discusses how to combine entropy sources and DRBGs in FIPS-compliant ways.