The foundation
The module uses two key FIPS components:- fips.so – The FIPS 140-3 validated module.
- cryptocomply-entropy.so – The entropy provider, ensuring high-quality randomness without relying on hardware or kernel-specific entropy sources.
C-based images
C-based images include nginx, Redis, MySQL and more. Theminimus-cryptographic-module provides the necessary components to make these images FIPS-validated. About this module:
- Includes Minimus FIPS components:
fips.so,cryptocomply-entropy.so - Versioned to track changes
- Marked as PROPRIETARY in the SBOM
- Declares a dependency on
openssl-devsince the modules require OpenSSL libraries at runtime
openssl-fips-config subpackage. This subpackage holds all FIPS-relevant configuration files, including:
openssl.cnf– the OpenSSL configuration tuned for FIPS mode.cryptocomply-entropy.cnf– to enable the Minimus entropy provider.fipsmodule.cnf– module configuration.
openssl-fips-config package has a runtime dependency on the minimus-cryptographic-module, ensuring both packages are used together. OpenSSL is configured to use fips.so as the provider for all cryptographic operations. This ensures that configuration and validated binaries are always deployed together.
Go-based images
Go-based images include Datadog, Istio-Pilot, Grafana, Loki, Promtail, Prometheus and more. To be FIPS-validated, they must circumvent and block the native BoringCrypto module normally used by Go. Minimus Go-based images ensure that Go applications inherit the same validated cryptographic boundary by directing Go’s crypto to OpenSSL (the Minimus FIPS provider) instead of the native BoringCrypto. Minimus provides a dedicated toolchain that produces Go based apps in the following manner:-
Source & Versioning
Minimus builds
go-fipsfrom the community project at microsoft/go toolchain starting with go version 1.25.x. (Version 1.24.x has reached its end-of-life, and was built from golang-fips/go project.) The images are built by cloning the matching Go release and applying the repo’s patches. The patches re-route Go’s standard-library crypto (e.g.,crypto/tls,crypto/x509,crypto/aes, etc.) to use OpenSSL through CGO, replacing calls that would otherwise use the native BoringCrypto path. - Minimus applies an additional patch to force Go applications built with go-fips to always operate in FIPS mode. This ensures that cryptographic operations use the validated OpenSSL provider by default, regardless of whether the underlying host system is itself configured for FIPS.
How Minimus enforces FIPS at runtime in Go-based images
Theminimus-cryptographic-module together with the openssl-fips-config package ensure that the module always operates with the right FIPS configuration.
The openssl-fips-config package does the following:
- Activates the FIPS provider
fips.soand the entropy providercryptocomply-entropy.soby default. - Sets FIPS-only defaults (
default_properties = fips=yes) so applications cannot silently fall back to non-FIPS algorithms. - Restricts TLS key exchange to NIST-approved curves
secp256r1:secp384r1:secp521r1) and sources entropy viacryptocomply-entropy.soCRYPTOCOMPLY-ENTROPY-SEED-SRC) for kernel-independent, portable FIPS operation.
How to ship a FIPS-validated Go app with Minimus tooling
- Build your Go code with the Minimus image go-fips so your app’s crypto uses a FIPS 140-3 validated OpenSSL module rather than the native BoringCrypto.
- Run the app on a Minimus FIPS-validated runtime image (for example glibc-dynamic-fips). The runtime must include the
openssl-fips-configpackage and the Minimus entropy provider module.
openssl-fips-config and the Minimus entropy provider cryptocomply-entropy.so ensures that your Go app operates inside the CMVP-validated cryptographic boundary.