Enable FIPS 140-2 in Ubuntu

FWIW, things have changed since this question was posted (exactly a year ago). Canonical has now announced FIPS is available for Ubuntu 16.04.

A couple of blurbs from that announcement:

We are pleased to announce that officially certified FIPS 140-2 level 1 cryptographic packages are now available for Ubuntu 16.04 LTS for Ubuntu Advantage Advanced customers and as a separate, stand-alone product.

and

Users interested in FIPS 140-2 compliant modules on Ubuntu 16.04 can purchase Ubuntu Advantage at https://buy.ubuntu.com/ or by contacting the Canonical Sales Team.

For further information please visit https://www.ubuntu.com/security.

I also found a page on how to install. Of course, as mentioned, it's commercial only.

EDIT: CentOS and RHEL users have FIPS natively available.

Author: Midhun Jose

Updated on September 18, 2022

Comments

  • Midhun Jose
    Midhun Jose almost 2 years

    I have an Ubuntu 12.04.5 LTS server. Mainly I am running an SFTP server (OpenSSH_5.9), a vsftpd server (vsFTPd 2.3.5) and an IBM message queue. My client wants this server to be FIPS 140-2 certified, about which I have only limited knowledge.

    I have used a utility called modutil for enabling FIPS using the commands below.

    mkdir -p /root/.pki/nssdb                    # create the directory for the NSS database
    certutil -N -d /root/.pki/nssdb              # initialise an empty NSS database there
    modutil -fips true -dbdir /root/.pki/nssdb   # switch that one database's internal module to FIPS mode

    But I don't think this will enable FIPS system wide. I think this will enable FIPS only for that particular nssdb located at /root/.pki/nssdb. I need at least my SSH and FTP servers to be FIPS compliant. How can I achieve this? I know that Red Hat supports FIPS, and here is their documentation about enabling FIPS.

    Does Ubuntu support something like this?

  • Midhun Jose
    Midhun Jose about 7 years
    It seems you are correct. From the Wikipedia comparison en.wikipedia.org/wiki/Comparison_of_SSH_servers , I think I need to go for another SSH server. Do you have any idea about vsftpd? If I skip SSH and FTP and just need a simple FIPS compliant Linux server, is Red Hat the only option?
  • Jakuje
    Jakuje about 7 years
    I don't think it would work. The FIPS support is needed at the whole-OS level. If you go on with only part of it, the whole system will never be FIPS compliant, and the whole security will be defined by the security of the weakest point in the chain.
  • Jakuje
    Jakuje about 7 years
    There are also other vendors providing FIPS compliant OSes.
  • Divide
    Divide almost 7 years
    It says "To download the FIPS validated version of the module, please contact the Canonical representative for the repository path.", so I suppose that's why you can't google it.
  • Admin
    Admin about 6 years
    Please write an article on how to set up FIPS 140-2 compliance in supported Ubuntu. Please use VirtualBox so that you can share screenshots.
  • dpb
    dpb about 6 years
    Added install instructions. As mentioned, it's commercial only, so I don't have screenshots. BTW, I'd rather not copy-paste instructions here like usual, since I expect they will change, and they are not really doable without being a customer anyway.
  • Admin
    Admin about 6 years
    Thanks, I will share this answer with all FIPS 140-2 related Q/A. I have noticed many people do not even know what it is; there is a lot of confusion out there.
  • Jakuje
    Jakuje about 6 years
    Isn't the license of these open source packages saying that once you release/sell something derived, you need to provide the source code? Since the FIPS packages are not available to everyone, I did not see the source code either, which sounds fishy.
  • dpb
    dpb about 6 years
    People who have access to the binaries also have access to the source; they are regular Ubuntu source packages.
  • Doug
    Doug over 5 years
    The standard Ubuntu 16.04 is only FIPS-1 certified. You have to pay for FIPS-2.
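As an added example (not from the question or any of the answers or comments above), a small POSIX shell script that checks the distinction Jakuje raises: whether FIPS mode is on for the whole OS, as the kernel reports it, or only for the one NSS database that the question's modutil command switches. It assumes the kernel exposes /proc/sys/crypto/fips_enabled and that `modutil -list` names a FIPS-mode database's internal module "NSS Internal FIPS PKCS #11 Module".

```shell
#!/bin/sh
# Added example, not from the question or any answer. `modutil -fips true` only switches
# ONE NSS database into FIPS mode; system-wide FIPS mode is what the kernel reports in
# /proc/sys/crypto/fips_enabled. Assumption: a FIPS-mode NSS database lists its internal
# module as "NSS Internal FIPS PKCS #11 Module" in `modutil -list` output.

# Kernel FIPS state from a procfs file (default: /proc/sys/crypto/fips_enabled).
# Prints "enabled", "disabled" or "unavailable" (file missing or unreadable).
kernel_fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] || { echo unavailable; return; }
    case "$(cat "$f")" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Per-database FIPS state, decided from the text of `modutil -list -dbdir <dir>`.
nssdb_fips_state() {
    if printf '%s\n' "$1" | grep -q 'Internal FIPS PKCS #11 Module'; then
        echo enabled
    else
        echo disabled
    fi
}

# Overall scope: "system" only when the kernel is in FIPS mode, "nssdb-only" when just
# a database is (the situation the question describes), otherwise "none".
fips_scope() {
    if [ "$1" = enabled ]; then echo system
    elif [ "$2" = enabled ]; then echo nssdb-only
    else echo none
    fi
}

# Constructed samples of modutil -list output, before and after `modutil -fips true`.
SAMPLE_NSS_PLAIN='  1. NSS Internal PKCS #11 Module
        status: loaded'
SAMPLE_NSS_FIPS='  1. NSS Internal FIPS PKCS #11 Module
        status: loaded'

# Live check of this host and the database path from the question (if modutil is installed).
main() {
    k=$(kernel_fips_state)
    out=$(command -v modutil >/dev/null 2>&1 && modutil -list -dbdir /root/.pki/nssdb 2>/dev/null) || true
    n=$(nssdb_fips_state "$out")
    echo "kernel FIPS: $k, /root/.pki/nssdb FIPS: $n, effective scope: $(fips_scope "$k" "$n")"
}
main
```

A result of nssdb-only is exactly the question's situation: the database is in FIPS mode, but OpenSSH and vsftpd, which do not use that NSS database, are untouched.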