Overview of FIPS-certified modules
All certified modules are available with Ubuntu Pro. The validated modules are API and ABI compatible with the default Ubuntu packages. atsec Information Security, a NIST-accredited laboratory, performed the validation testing for Ubuntu.
Certifications under FIPS 140-2 Level 1 will move to the historical list after September 2026 (although you can still purchase and use these products), and new products will be certified under FIPS 140-3 Level 1.
FIPS 140-3 Level 1
FIPS 140-3 Level 1 is a combined effort of NIST and ISO, with the Security and Testing requirements for cryptographic modules published as ISO/IEC 19790 and ISO/IEC 24759.
Ubuntu 22.04 LTS (Jammy Jellyfish)
The Ubuntu Security Standards team certified and tested the modules in this release on x86_64/AMD64, ARM64, and IBM Z architectures.
| Cryptographic module | Version | Standard | Status | Certificate | Sunset date |
|---|---|---|---|---|---|
| Strongswan | 5.9.5 | FIPS 140-3 | Active | | 2026-12-02 |
| Kernel Crypto API | 5.15.0 | FIPS 140-3 | Active | | 2026-11-20 |
| GnuTLS | 3.7.3 | FIPS 140-3 | Active | | 2026-10-27 |
| OpenSSL | 3.0.2 | FIPS 140-3 | Active | | 2026-09-10 |
| Libgcrypt | 1.9.4 | FIPS 140-3 | Active | | 2026-09-09 |
FIPS 140-2 Level 1
The Ubuntu Security Standards team assessed and certified modules in these releases for FIPS 140-2 Level 1.
Ubuntu 20.04 LTS (Focal Fossa)
The Ubuntu Security Standards team certified and tested the modules in this release on x86_64/AMD64 and IBM Z architectures.
| Cryptographic module | Version | Standard | Status | Certificate | Sunset date |
|---|---|---|---|---|---|
| Kernel Crypto API | 5.4.0 | FIPS 140-2 | Active | | 2026-09-21 |
| AWS Kernel Crypto API | 5.4.0 | FIPS 140-2 | Active | | 2026-05-18 |
| GCP Kernel Crypto API | 5.4.0 | FIPS 140-2 | Active | | 2026-05-18 |
| Azure Kernel Crypto API | 5.4.0 | FIPS 140-2 | Active | | 2026-05-18 |
| OpenSSL | 1.1.1f | FIPS 140-2 | Active | | 2026-09-21 |
| Strongswan | 5.8.2 | FIPS 140-2 | Active | | 2026-09-21 |
| Libgcrypt | 1.8.5 | FIPS 140-2 | Active | | 2026-04-19 |
Ubuntu 18.04 LTS (Bionic Beaver)
The Ubuntu Security Standards team certified and tested the modules in this release on x86_64/AMD64 and IBM Z architectures.
| Cryptographic module | Version | Standard | Status | Certificate | Sunset date |
|---|---|---|---|---|---|
| Kernel Crypto API | 4.15.0 | FIPS 140-2 | Active | | 2026-08-29 |
| Google Kernel Crypto API | 4.15.0 | FIPS 140-2 | Active | | 2025-04-23 |
| AWS Kernel Crypto API | 4.15.0 | FIPS 140-2 | Active | | 2025-04-23 |
| IBM-GT Kernel Crypto API | 4.15.0 | FIPS 140-2 | Active | | 2025-04-23 |
| Azure Kernel Crypto API | 4.15.0 | FIPS 140-2 | Active | | 2025-04-23 |
| OpenSSL | 1.1.1 | FIPS 140-2 | Active | | 2026-07-11 |
| Libgcrypt | 1.8.1 | FIPS 140-2 | Active | | 2025-11-23 |
| Strongswan | 5.6.2 | FIPS 140-2 | Historical | | N/A |
| OpenSSH client | 1:7.9p1 | FIPS 140-2 | Historical | | N/A |
| OpenSSH server | 1:7.9p1 | FIPS 140-2 | Historical | | N/A |
Ubuntu 16.04 LTS (Xenial Xerus)
The Ubuntu Security Standards team certified and tested the modules in this release on x86_64/AMD64, IBM Z, and IBM Power8 architectures.
| Cryptographic module | Module version(s) | Associated package(s) | Status | Certificate | |
|---|---|---|---|---|---|
| Kernel Crypto API | 4.4.0 | FIPS 140-2 | Active | | 2025-10-06 |
| OpenSSL | 1.0.2g | FIPS 140-2 | Active | | 2025-10-08 |
| Strongswan | 5.3.5 | FIPS 140-2 | Historical | | SP 800-56Arev3 transition |
| OpenSSH client | 1:7.2p2 | FIPS 140-2 | Historical | | N/A |
| OpenSSH server | 1:7.2p2 | FIPS 140-2 | Historical | | N/A |
Ubuntu Pro services for FIPS modules
We fix a number of software packages within the Ubuntu ecosystem as security vulnerabilities are discovered. However, the NIST certification process for FIPS applies to a specific binary version of the cryptographic module, which pins these packages to the versions that were current when we submitted the modules to NIST for review. This means that the FIPS-certified modules may contain security vulnerabilities.
To address this shortcoming, we provide updated versions of the FIPS modules patched to fix all relevant security vulnerabilities. We strongly recommend that you use the updated modules so that your systems remain fully secure.
As the certification process takes time, we also provide access to the modules awaiting NIST approval in the queue as a preview. At certain intervals, we will submit the latest patched modules for recertification, and these will then be available for preview. Our testing lab partner has already validated these modules, and we don’t anticipate making any further changes at this point.
There are several FIPS options listed in the Pro client, depending on whether NIST has reviewed the modules.
fips-updates: This is the recommended service. These modules receive all the latest security updates, and the package versions keep pace with the default non-FIPS packages in Ubuntu.
fips-preview: This service contains the modules submitted to NIST for review but not yet certified. The latest FedRAMP guidelines, for instance, require you to install FIPS-certified modules but allow you to use pre-approved packages that are awaiting NIST certification.
fips: This service provides the exact binary versions certified by NIST. These packages don’t include security updates and are likely to contain vulnerabilities.
For more information about Ubuntu Pro services, see Compatibility matrix for Ubuntu Pro services.
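The trade-off between the three services can be checked on a host. The following is an added example, not code from this page or from the Pro client: it classifies a machine's FIPS posture from the output of `pro status --format json` and the kernel flag in `/proc/sys/crypto/fips_enabled`. The JSON shape (a top-level `services` list with `name` and `status` keys), the sample data and the function names are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `pro status --format json` output
# (assumption: a top-level "services" list with "name" and "status" keys).
SAMPLE_STATUS = json.dumps({"services": [
    {"name": "esm-infra", "status": "enabled"},
    {"name": "fips", "status": "enabled"},
    {"name": "fips-updates", "status": "disabled"},
    {"name": "fips-preview", "status": "n/a"},
]})

FIPS_SERVICES = ("fips-updates", "fips-preview", "fips")


def enabled_fips_services(status_json):
    """Return the FIPS-related Pro services reported as enabled."""
    services = json.loads(status_json).get("services", [])
    on = {s.get("name") for s in services if s.get("status") == "enabled"}
    return [name for name in FIPS_SERVICES if name in on]


def assess(status_json, kernel_fips_flag):
    """Classify FIPS posture from Pro status JSON and the kernel flag.

    kernel_fips_flag is the content of /proc/sys/crypto/fips_enabled
    ("1" when the kernel runs in FIPS mode).
    """
    findings = []
    active = enabled_fips_services(status_json)
    if kernel_fips_flag.strip() != "1":
        findings.append("kernel is not running in FIPS mode")
    if not active:
        findings.append("no FIPS service enabled")
    if "fips" in active:
        findings.append("strict 'fips' enabled: certified binaries "
                        "receive no security updates")
    if "fips-preview" in active:
        findings.append("'fips-preview' enabled: modules are awaiting "
                        "NIST certification")
    return active, findings


if __name__ == "__main__":
    try:
        with open("/proc/sys/crypto/fips_enabled") as fh:
            flag = fh.read()
    except OSError:
        flag = "0"  # treat a missing file as not running in FIPS mode
    print(assess(SAMPLE_STATUS, flag))
```

On a real host, pass the captured output of `pro status --format json` to `assess` in place of `SAMPLE_STATUS`.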