Overview

FIPS, short for the Federal Information Processing Standards, is a federal compliance framework. FIPS is mandatory for non-military federal government agencies, contractors, and vendors, and is often adopted voluntarily by private sector companies. It is also required by FedRAMP.

What is FIPS

FIPS compliance ensures that cryptographic security services in applications adhere to rigorous standards for security and integrity and that they are correctly implemented. Minimus FIPS images are built to contain only FIPS-validated cryptographic modules. Cryptographic FIPS modules currently provided by Minimus:
  • Minimus Cryptographic Module (FIPS 140-3 Provider)

Minimus FIPS images are kernel independent

As a rule, FIPS requires an entropy source to provide cryptographic protection. The entropy source provides unpredictability using trusted algorithms and secure random bit generators whose output cannot be predicted. The FIPS entropy source can be kernel-independent if provided by a userspace entropy source, or it can be kernel-dependent and require specialized hardware with certified FIPS-enabled kernels. In certified FIPS hardware the host kernel is configured in FIPS mode. Minimus FIPS container images do not require specialized hardware because they rely on a userspace entropy source. Minimus FIPS-validated container images can run in any environment, including local developer machines, existing CI/CD pipelines, and standard managed cloud services. Minimus FIPS images do not suffer from the constraints of many other traditional FIPS images which rely on kernel-dependent entropy and require specialized hardware with certified FIPS-enabled kernels, helping to greatly lower operational costs.
Minimus FIPS imagesMost FIPS options
Entropy sourceUserspace entropyKernel-dependent entropy
Hardware requirementNone, any host kernelCertified host kernel configured in FIPS mode
Cloud environment requirementsNone, any cloud environmentOnly certified FIPS-enabled environment

FIPS packages

FIPS validated images have unique FIPS packages, to enforce OpenSSL. FIPS packages are listed in the SBOM:
  • minimus-cryptographic-module
  • openssl-fips-config (FIPS-relevant configuration files located in /etc/ssl/)
  • openssl-fips-test (a tool for validating that the FIPS provider is correctly configured)
openssl-fips-config has a runtime dependency on minimus-cryptographic-module, ensuring both packages are used together. OpenSSL is configured to use fips.so as the provider for all cryptographic operations.

Test for FIPS compatibility

Examine ciphers

First run the FIPS container so it is listening to a port for an SSL connection. To view the ciphers used by the container, run the following from the host: 
# update {port} with the port exposed by the image
nmap -sV --script ssl-enum-ciphers -p {port} localhost
The response should print the ciphers and their version. For example: 
PORT     STATE SERVICE  VERSION
9443/tcp open  ssl/http nginx 1.27.4
|_http-server-header: nginx/1.27.4
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

Test for FIPS compatibility

To test that the OpenSSL FIPS provider module is configured, you will need to run the container as root and override the entrypoint at runtime. For example, for the Minimus FIPS NGINX image, the run command looks like this: 
docker run -it --rm \
--user root --entrypoint openssl-fips-test \
reg.mini.dev/nginx-fips
The test results will print to the terminal for you to review. For example: 
Checking OpenSSL lifecycle assurance.
*** Running check: FIPS module is available...
    HMAC : (KAT_Integrity) : Pass
    HMAC : (Module_Integrity) : Pass
    SHA2 : (KAT_Digest) : Pass
    ... 
    RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
    RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
    RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
    Running check: FIPS module is available... passed.
*** Running check: EVP_default_properties_is_fips_enabled returns true... passed.
*** Running check: verify unapproved cryptographic routines are not available by default (e.g. MD5)... passed.

Lifecycle assurance satisfied.

Further reading: About FIPS entropy requirements

FIPS compliance depends on an entropy source for secure key generation. Acceptable entropy sources and seeding behavior is detained in the following: