How to manage FIPS
Note
The latest FedRAMP policy on the use of cryptographic modules relaxes some of the past restrictions that prevented organizations from applying critical security updates. Because of that, we don't recommend enabling fips anymore - please use fips-updates instead. Read more in our blog post. Jammy Jellyfish (22.04) and later releases will not have the legacy fips service available.
Note
Check the FIPS documentation to verify which Ubuntu releases have FIPS available.
Caution
Disabling FIPS is not recommended: only enable FIPS on machines intended expressly to be used for FIPS.
To use FIPS, you can launch existing Ubuntu premium support images, which already have the FIPS kernel and security pre-enabled on first boot: AWS Ubuntu Pro FIPS images, Azure Pro FIPS images, and GCP Pro FIPS images.
Alternatively, you can enable FIPS using the Ubuntu Pro Client, which will install a FIPS-certified kernel and core security-related packages such as openssh-server/client and libssl.
To enable FIPS, run:
$ sudo pro enable fips-updates
You should see output like the following, indicating that the FIPS packages have been installed:
Installing FIPS Updates packages
FIPS Updates enabled
A reboot is required to complete install.
Enabling FIPS should be performed during a system maintenance window since this operation makes changes to underlying SSL-related libraries and requires a reboot into the FIPS-certified kernel.
Caution
Once you enable FIPS, enabling some Pro services may not be possible. For a complete view of which services are incompatible with FIPS, refer to the services compatibility matrix.
How to disable FIPS
If you wish to disable FIPS, you can use the following command:
$ sudo pro disable fips-updates
Note that this command will only remove the APT sources, but not uninstall the packages installed with the service. Your system will still have the FIPS packages installed after FIPS is disabled.
To purge the service, which removes the APT packages installed with it and potentially the FIPS kernel as well, see how to disable and purge services.
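Both the reboot requirement after enabling and the packages left behind after disabling mean the service status alone does not tell you which mode the machine is running in. The following check is an added example, not part of the Ubuntu Pro documentation or tooling; it compares the fips-updates row of pro status with the kernel flag in /proc/sys/crypto/fips_enabled. The column order of the pro status text output, the state labels and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Ubuntu Pro's own tooling): compare what `pro status`
# reports for fips-updates with the mode the running kernel is in.

# Constructed sample of `pro status` text output, used when `pro` is absent.
# Assumption: columns are SERVICE ENTITLED STATUS DESCRIPTION.
SAMPLE_STATUS='SERVICE          ENTITLED  STATUS    DESCRIPTION
esm-infra        yes       enabled   (constructed sample row)
fips-updates     yes       enabled   (constructed sample row)'

# Read `pro status` text on stdin, print the STATUS column for fips-updates.
fips_service_status() {
    awk '$1 == "fips-updates" { print $3; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# Print the kernel FIPS flag (1 = FIPS mode). A missing flag file means the
# running kernel has no FIPS support, which is reported as 0.
kernel_fips_flag() {
    flag_file=${1:-/proc/sys/crypto/fips_enabled}
    if [ -r "$flag_file" ]; then
        tr -d '[:space:]' < "$flag_file"
    else
        echo 0
    fi
}

# Combine both signals into one state label (labels are hypothetical).
fips_state() {
    case "$1:$2" in
        enabled:1)  echo "active" ;;
        enabled:0)  echo "reboot-pending" ;;
        disabled:1) echo "disabled-but-kernel-still-fips" ;;
        disabled:0) echo "inactive" ;;
        *)          echo "unknown" ;;
    esac
}

if command -v pro >/dev/null 2>&1; then
    fips_state "$(pro status | fips_service_status)" "$(kernel_fips_flag)"
else
    fips_state "$(printf '%s\n' "$SAMPLE_STATUS" | fips_service_status)" \
               "$(kernel_fips_flag)"
fi
```

A result of reboot-pending means the service is enabled but the machine has not yet booted into FIPS mode, so it should not be treated as FIPS-ready until the maintenance-window reboot is done.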