The foundation - Minimus FIPS modules
Minimus offers two key FIPS components:
- fips.so – The FIPS 140-3 validated module.
- cryptocomply-entropy.so – The entropy provider, which supplies high-quality randomness without relying on hardware or kernel-specific entropy sources. Because Minimus FIPS images ship their own entropy provider, they are kernel-independent, portable across environments, and do not require specialized hardware to run.
C-based images
C-based images include nginx, Redis, MySQL and more. To be FIPS-validated, they include the minimus-cryptographic-module. About this module:
- Includes the Minimus FIPS components fips.so and cryptocomply-entropy.so.
- Versioned to track changes (currently version 3.0.0).
- Marked as PROPRIETARY in the SBOM.
- Declares a dependency on openssl-dev, since the modules require the OpenSSL libraries at runtime.
- Ships an openssl-fips-config subpackage. This subpackage holds all FIPS-relevant configuration files, including:
  - openssl.cnf – the OpenSSL configuration tuned for FIPS mode.
  - cryptocomply-entropy.cnf – enables the Minimus entropy provider.
  - fipsmodule.cnf – the FIPS module configuration.
The openssl-fips-config subpackage is tied directly to the minimus-cryptographic-module at runtime, ensuring that the configuration and the validated binaries are always deployed together.
Go-based Images
Go-based images include Datadog, Istio-Pilot, Grafana, Loki, Promtail, Prometheus and more. To be FIPS-validated, they must bypass and block the native BoringCrypto module that Go would normally use. Minimus Go-based images ensure that Go applications inherit the same validated cryptographic boundary by directing Go's crypto to OpenSSL (the Minimus FIPS provider) instead of BoringCrypto. Minimus provides a dedicated toolchain that produces Go-based apps as follows:
Source & Versioning
- Minimus builds go-fips from the community project at golang-fips/go, cloning the matching Go release and applying the repo's patches. The patches re-route Go's standard-library crypto (for example crypto/tls, crypto/x509 and crypto/aes) to OpenSSL through cgo, replacing calls that would otherwise take the native BoringCrypto path.
- Minimus applies an additional patch to force Go applications built with go-fips to always operate in FIPS mode. This ensures that cryptographic operations use the validated OpenSSL provider by default, regardless of whether the underlying host system is itself configured for FIPS.
How Minimus enforces FIPS at runtime in Go-based images
The minimus-cryptographic-module together with the openssl-fips-config package ensures that the module always operates with the right FIPS configuration.
The openssl-fips-config package does the following:
- Activates the FIPS provider fips.so and the entropy provider cryptocomply-entropy.so by default.
- Sets FIPS-only defaults (default_properties = fips=yes) so applications cannot silently fall back to non-FIPS algorithms.
- Restricts TLS key exchange to NIST-approved curves (secp256r1:secp384r1:secp521r1) and sources entropy via cryptocomply-entropy.so (seed source CRYPTOCOMPLY-ENTROPY-SEED-SRC) for kernel-independent, portable FIPS operation.
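As an added illustration (not Minimus' own configuration files), the following OpenSSL 3 configuration expresses the settings described in the openssl-fips-config subpackage above (C-based images) and in the runtime list just given. The provider names, the default_properties = fips=yes setting, the curve list and the seed source name CRYPTOCOMPLY-ENTROPY-SEED-SRC come from the page; the section names, the module file paths and the use of the seed key in the [random] section are assumptions about how such a file would be laid out, not Minimus' actual openssl.cnf.

```ini
# Top-level entry point; OpenSSL reads this name from the "openssl_conf" key.
openssl_conf = openssl_init

# fipsmodule.cnf carries the module's integrity MAC and [fips_sect] with
# "activate = 1"; the path is an assumption.
.include /usr/lib/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect
ssl_conf    = ssl_sect
random      = random_sect

# Load the validated FIPS module (fips.so) plus the "base" provider, which
# supplies encoders/decoders but no algorithms, and the Minimus entropy
# provider. The "default" provider is deliberately NOT activated, so
# non-validated implementations are never available to applications.
[provider_sect]
fips    = fips_sect
base    = base_sect
entropy = entropy_sect

[base_sect]
activate = 1

# cryptocomply-entropy.so; module path is an assumption.
[entropy_sect]
module   = /usr/lib/ossl-modules/cryptocomply-entropy.so
activate = 1

# Every algorithm fetch must come from a provider advertising fips=yes,
# so an application cannot silently fall back to a non-FIPS algorithm.
[algorithm_sect]
default_properties = fips=yes

# Seed the DRBG from the entropy provider instead of the kernel
# (seed key in [random] is an assumption about the exact mechanism).
[random_sect]
seed = CRYPTOCOMPLY-ENTROPY-SEED-SRC

# System-wide TLS defaults: NIST-approved curves only for key exchange.
[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Groups = secp256r1:secp384r1:secp521r1
```

With a file like this in place, `openssl list -providers` should show the fips provider as active and no default provider loaded, and `openssl list -cipher-algorithms` will enumerate only what the FIPS provider offers; if the default provider appears in the list, the fallback path described above has not been closed.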
How to ship a FIPS-validated Go app with Minimus tooling
- Build with the Minimus image go-fips so your app's crypto uses OpenSSL rather than BoringCrypto.
- Run on a Minimus FIPS-validated image (for example glibc-dynamic-fips). The runtime must include the openssl-fips-config package and the Minimus entropy provider module.
Together, openssl-fips-config and the Minimus entropy provider cryptocomply-entropy.so ensure that your Go app operates inside the CMVP-validated cryptographic boundary.
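As an added example (not from Minimus' documentation), the two steps above expressed as a multi-stage Dockerfile. The image names go-fips and glibc-dynamic-fips are the ones the page mentions; the registry path REGISTRY_PLACEHOLDER, the image tags, the application path ./cmd/app and the requirement to keep cgo enabled (golang-fips/go reaches OpenSSL through cgo) are assumptions to be checked against your own build.

```dockerfile
# Stage 1: compile with the Minimus go-fips toolchain so that crypto/tls,
# crypto/x509, crypto/aes and friends are routed to OpenSSL instead of
# BoringCrypto. Registry path and tag are placeholders.
FROM REGISTRY_PLACEHOLDER/go-fips:TAG_PLACEHOLDER AS build

WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .

# The OpenSSL backend is reached through cgo; a static CGO_ENABLED=0 build
# would silently drop back to pure-Go crypto (assumption about go-fips).
ENV CGO_ENABLED=1
RUN go build -trimpath -o /out/app ./cmd/app

# Stage 2: run on a Minimus FIPS-validated runtime. glibc-dynamic-fips
# already carries openssl-fips-config (openssl.cnf, fipsmodule.cnf,
# cryptocomply-entropy.cnf) and cryptocomply-entropy.so, so the binary
# links against the validated module at start-up with no extra setup.
FROM REGISTRY_PLACEHOLDER/glibc-dynamic-fips:TAG_PLACEHOLDER

COPY --from=build /out/app /usr/bin/app
ENTRYPOINT ["/usr/bin/app"]
```

Two things are worth checking on the resulting image: `ldd /usr/bin/app` should list libcrypto and libssl, confirming the binary really is dynamically bound to OpenSSL rather than carrying its own crypto, and the runtime image must not be swapped for a non-FIPS base at deploy time, since the validated boundary depends on fips.so, the entropy provider and the openssl-fips-config files all being present together.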