> ## Documentation Index > Fetch the complete documentation index at: https://docs.minimus.io/llms.txt > Use this file to discover all available pages before exploring further. # OpenSSL FIPS Entropy Provider > Understand why the OpenSSL FIPS validated module is hardware agnostic FIPS approved cryptography requires a strong entropy source to provide cryptographic protection using NIST-trusted algorithms. The entropy source is responsible for providing secure random bit generators whose output cannot be predicted and without it FIPS cryptography standards cannot be satisfied. ## What is a kernel independent FIPS module Generally, there are two approaches to providing a FIPS validated entropy source: The entropy source may depend on specialized hardware with a certified kernel configured in FIPS mode, or it may be kernel-independent, with no hardware dependencies. This is termed a **kernel-independent** FIPS entropy source. * Kernel-independent FIPS validated images can run on any standard hardware. A self-contained FIPS 140-3 validated cryptographic module eliminates cryptographic dependency on underlying OS kernel, hypervisor, and hardware. A kernel-independent FIPS module relies on a **userspace entropy source** so it does not need to run on a host with a certified FIPS-enabled kernel. * In contrast, kernel-dependent FIPS images must be run on specialized hardware approved by the NIST CMVP program with kernel-level FIPS mode enabled. In other words, the kernel must be configured in FIPS mode. This approach is highly dependent on the underlying operating system and other environment configurations. ## OpenSSL FIPS 140-3 module Minimus FIPS images that rely on OpenSSL come with an OpenSSL-compatible entropy provider that is kernel independent. These images have been certified by the NIST CMVP program and are approved to run on any hardware with confidence that they comply with FIPS security standards, regardless of the underlying OS kernel, hypervisor, and hardware. The OpenSSL FIPS validated module is used in many Minimus FIPS images including, C-based and Go-based images as well as Python, Node.js, PHP, and other language ecosystems. ## Is my app FIPS 140-3 compliant? Minimus FIPS validated images undergo testing and validation by an independent laboratory according to the CMVP. This validation ensures a certain level of security assurance and compliance with a set of NIST cryptographic standards. Importantly, this validation is independent of the underlying operating system, hypervisor, and hardware. The CMVP certificate specifies the operational environment in which the cryptographic module was tested and any external dependencies, such as a validated entropy source.  As a user of the FIPS validated image, you are responsible to ensure the FIPS-validated cryptographic module is used with the correct configuration that meets CMVP requirements and tested by an independent laboratory. Since all cryptographic operations occur within a FIPS 140-validated cryptographic module in the image and have no direct cryptographic dependency on the host OS, hypervisor, or hardware, this has been tested and validated by the cryptographic module developer under various operational environments captured in the associated CMVP certificate or asserted by the cryptographic module developer for the module bundled and configured properly in the image. When it comes to non-dev images, including applications, utilities, infra, etc., you can rely on the Minimus FIPS validated image to deliver compliance. The image is already pre-configured with the necessary protections to prevent non-FIPS approved algorithms and protocols. ## Do I need FIPS-certified hardware? No special hardware is required for Minimus FIPS images that rely on the OpenSSL FIPS module. This has the advantage of greatly lowering costs in cloud environments. These images can run in any environment, including local developer machines, existing CI/CD pipelines, and standard managed cloud services. | Requirements | Minimus OpenSSL FIPS module | | :----------------------------- | :-------------------------- | | Hardware requirements | None, any host kernel | | Cloud environment requirements | None, any cloud environment | | Entropy source | Userspace entropy | ## Requesting FIPS 140-3 assistance Particularly with Java FIPS images, compliance depends on the underlying OS, hypervisor, and hardware to also be correctly configured in FIPS mode. There is a risk that some lower layer in the stack or a malicious admin could alter the settings such that the image or application would not run in FIPS mode. Please get in touch with us directly if you would like to request guidance with FIPS related issues. [Contact us directly](https://support.minimus.io/support/home) ### References: FIPS 140-3 entropy requirements FIPS compliance depends on an entropy source for secure key generation. Acceptable entropy sources and seeding behavior is detailed in the following: * [NIST publication FIPS 140-3: Security Requirements for Cryptographic Modules](https://csrc.nist.gov/publications/detail/fips/140/3/final) * NIST SP 800-90 Series * SP 800-90A: [Recommendation for Random Number Generation Using Deterministic Random Bit Generators](https://csrc.nist.gov/pubs/sp/800/90/a/r1/final)\ Details DRBG types, seeding methods, and reseeding requirements. * SP 800-90B: [Recommendation for the Entropy Sources Used for Random Bit Generation](https://csrc.nist.gov/publications/detail/sp/800-90b/final)\ Considered to be the most detailed source for acceptable entropy sources under FIPS requirements. * SP 800-90C: [Recommendation for Random Bit Generator (RBG) Constructions](https://csrc.nist.gov/publications/detail/sp/800-90c/final)\ Discusses how to combine entropy sources and DRBGs in FIPS-compliant ways.