Minimus FIPS images are built from the ground up to ensure that all cryptographic operations use modules that are certified by the NIST Cryptographic Module Validation Program (CMVP). This article explains how Minimus builds FIPS-validated images with the OpenSSL FIPS 140-3 module and why you can trust these images to meet strict compliance requirements.

The foundation

The module uses two key FIPS components:
  • fips.so – The FIPS 140-3 validated module.
  • cryptocomply-entropy.so – The entropy provider, ensuring high-quality randomness without relying on hardware or kernel-specific entropy sources.
The modules were independently tested by certified labs and hold NIST CMVP certificate #5040 (module) and entropy certificate #E241, which together provide the compliance baseline. Because these images include a kernel-independent entropy provider, they are portable across environments and do not require specialized hardware to run.

C-based images

C-based images include nginx, Redis, MySQL and more. To be FIPS-validated, they include the minimus-cryptographic-module package. About this module:
  • Includes the Minimus FIPS components fips.so and cryptocomply-entropy.so.
  • Versioned to track changes (currently on version 3.0.0).
  • Marked as PROPRIETARY in the SBOM.
  • Declares a dependency on openssl-dev, since the modules require the OpenSSL libraries at runtime.
In addition, the image also includes the openssl-fips-config subpackage. This subpackage holds all FIPS-relevant configuration files, including:
  • openssl.cnf – the OpenSSL configuration tuned for FIPS mode.
  • cryptocomply-entropy.cnf – to enable the Minimus entropy provider.
  • fipsmodule.cnf – module configuration.
The openssl-fips-config package has a runtime dependency on the minimus-cryptographic-module, ensuring both packages are used together. OpenSSL is configured to use fips.so as the provider for all cryptographic operations. This ensures that configuration and validated binaries are always deployed together.

Go-based images

Go-based images include Datadog, Istio-Pilot, Grafana, Loki, Promtail, Prometheus and more. To be FIPS-validated, they must circumvent and block the native BoringCrypto module normally used by Go. Minimus Go-based images ensure that Go applications inherit the same validated cryptographic boundary by directing Go's crypto to OpenSSL (the Minimus FIPS provider) instead of the native BoringCrypto. Minimus provides a dedicated toolchain that produces Go-based apps in the following manner:
  • Source and versioning: Minimus builds go-fips from the community project golang-fips/go, cloning the matching Go release and applying the repository's patches. The patches re-route Go's standard-library crypto (crypto/tls, crypto/x509, crypto/aes and so on) to OpenSSL through CGO, replacing the calls that would otherwise take the native BoringCrypto path.
  • Always-on FIPS mode: Minimus applies an additional patch so that Go applications built with go-fips always operate in FIPS mode. Cryptographic operations therefore use the validated OpenSSL provider by default, regardless of whether the underlying host system is itself configured for FIPS.

How Minimus enforces FIPS at runtime in Go-based images

The minimus-cryptographic-module package, together with the openssl-fips-config package, ensures that the module always operates with the right FIPS configuration. The openssl-fips-config package does the following:
  • Activates the FIPS provider fips.so and the entropy provider cryptocomply-entropy.so by default.
  • Sets FIPS-only defaults (default_properties = fips=yes) so applications cannot silently fall back to non-FIPS algorithms.
  • Restricts TLS key exchange to the NIST-approved curves (secp256r1:secp384r1:secp521r1) and sources entropy from cryptocomply-entropy.so (CRYPTOCOMPLY-ENTROPY-SEED-SRC) for kernel-independent, portable FIPS operation.

How to ship a FIPS-validated Go app with Minimus tooling

  1. Build with the Minimus image go-fips so that your app's crypto uses OpenSSL rather than BoringCrypto.
  2. Run on a Minimus FIPS-validated image (for example glibc-dynamic-fips). The runtime image must include the openssl-fips-config package and the Minimus entropy provider module.
Together, go-fips, openssl-fips-config and the Minimus entropy provider cryptocomply-entropy.so ensure that your Go app operates inside the CMVP-validated cryptographic boundary.
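The runtime expectations described in the two sections above (fips.so and the entropy provider active, default_properties = fips=yes, the restricted curve list, and step 2's requirement that the runtime image carry openssl-fips-config) can be checked from inside a deployed container. The script below is an added example and is not part of Minimus' tooling; it assumes the configuration lives at /etc/ssl/openssl.cnf, that the entropy provider is registered under the identifier cryptocomply-entropy, and that the curve list is applied through OpenSSL's Groups directive. Only the fips=yes default property and the three curve names come from the article.

```shell
#!/bin/sh
# Added example, not Minimus tooling: verify from inside a running Minimus FIPS
# image that OpenSSL is operating the way openssl-fips-config intends. Only
# "default_properties = fips=yes" and the curve list come from the article; the
# config path, the entropy provider identifier and the "Groups" key name are
# assumptions and can be overridden through the environment.

OPENSSL_CONF_PATH="${OPENSSL_CONF:-/etc/ssl/openssl.cnf}"          # assumed
ENTROPY_PROVIDER_ID="${ENTROPY_PROVIDER_ID:-cryptocomply-entropy}" # assumed
FIPS_GROUPS="secp256r1:secp384r1:secp521r1"                        # from the article

# provider_active TEXT NAME: succeed if TEXT (output of `openssl list
# -providers`) lists provider NAME with "status: active". Provider identifiers
# are indented two spaces, their attributes four.
provider_active() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^  [^ ]/                             { cur = $1 }
    /^    status: active/ && cur == want  { found = 1 }
    END                                   { exit (found ? 0 : 1) }'
}

# config_has TEXT KEY VALUE: succeed if openssl.cnf content TEXT contains an
# uncommented "KEY = VALUE" line; whitespace and trailing comments are ignored.
config_has() {
  printf '%s\n' "$1" | awk -v k="$2" -v v="$3" '
    /^[ \t]*#/ { next }
    {
      line = $0
      sub(/[ \t]*#.*$/, "", line)
      gsub(/[ \t]+/, "", line)
      if (line == k "=" v) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# digest_enforced: succeed if an approved digest works while MD5, which the
# FIPS provider does not implement, is refused. With fips=yes as the default
# property no other provider may serve the request, so the call must fail.
digest_enforced() {
  printf 'probe' | openssl dgst -sha256 >/dev/null 2>&1 || return 1
  printf 'probe' | openssl dgst -md5    >/dev/null 2>&1 && return 1
  return 0
}

# run_checks: the live check against this container; non-zero if anything fails.
run_checks() {
  rc=0
  providers=$(openssl list -providers 2>/dev/null) || { echo "FAIL  openssl list -providers"; return 1; }
  cfg=$(cat "$OPENSSL_CONF_PATH") || { echo "FAIL  cannot read $OPENSSL_CONF_PATH"; return 1; }
  check() { label=$1; shift; if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; rc=1; fi; }
  check "fips provider active"        provider_active "$providers" fips
  check "entropy provider active"     provider_active "$providers" "$ENTROPY_PROVIDER_ID"
  check "fips=yes default property"   config_has "$cfg" default_properties fips=yes
  check "TLS groups restricted"       config_has "$cfg" Groups "$FIPS_GROUPS"
  check "non-approved digest refused" digest_enforced
  return $rc
}

# self_test: exercise the parsers on constructed sample text (not captured from
# a real image) so the script can be validated where no FIPS OpenSSL exists.
self_test() {
  sample_providers='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: inactive'
  sample_cfg='[algorithm_sect]
default_properties = fips=yes   # set by openssl-fips-config
[system_default_sect]
Groups=secp256r1:secp384r1:secp521r1'
  provider_active "$sample_providers" fips || return 1
  provider_active "$sample_providers" default && return 1
  config_has "$sample_cfg" default_properties fips=yes || return 1
  config_has "$sample_cfg" Groups "$FIPS_GROUPS" || return 1
  config_has "$sample_cfg" default_properties fips=no && return 1
  return 0
}

case "${1:-}" in
  --run)       run_checks; exit $? ;;
  --self-test) self_test && echo "self-test passed" ;;
esac
```

Run `sh fips-check.sh --run` inside the deployed image; `--self-test` exercises the parsers against the constructed sample text. The MD5 probe is the most direct evidence that enforcement is in effect: the FIPS provider does not implement MD5, and with fips=yes as the default property no other loaded provider is permitted to answer the request, so a successful MD5 digest means the configuration is not being applied.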