Overview of FIPS-certified modules¶
All of the certified modules are available with Ubuntu Pro. The validated modules are API and ABI compatible with the default Ubuntu packages. The validation testing for Ubuntu was performed by atsec Information Security, a NIST accredited laboratory.
Certifications under FIPS 140-2 Level 1 will be moved to the historical list after September 2026 (although these products can still be purchased and used), and new products will be certified under FIPS 140-3 Level 1.
FIPS 140-3 Level 1¶
FIPS 140-3 Level 1 is a combined effort of NIST and ISO with the Security and Testing requirements for cryptographic modules being published as ISO/IEC 19790 and ISO/IEC 24759.
Ubuntu 22.04 LTS¶
The modules in this release were certified and tested on on x86_64/AMD6, ARM64 and IBM Z architectures.
Cryptographic module |
Version |
Standard |
Status |
Certificate |
Sunset date |
|---|---|---|---|---|---|
Strongswan |
5.9.5 |
FIPS 140-3 |
Active |
2026-12-02 |
|
Kernel Crypto API |
5.15.0 |
FIPS 140-3 |
Active |
2026-11-20 |
|
GnuTLS |
3.7.3 |
FIPS 140-3 |
Active |
2026-10-27 |
|
OpenSSL |
3.0.2 |
FIPS 140-3 |
Active |
2026-09-10 |
|
Libgcrypt |
1.9.4 |
FIPS 140-3 |
Active |
2026-09-09 |
FIPS 140-2 Level 1¶
Modules in these releases have been assessed and certified for FIPS 140-2 Level 1›.
Ubuntu 20.04 LTS¶
The modules in this release were certified and tested on on x86_64/AMD6 and IBM Z architectures.
Cryptographic module |
Version |
Standard |
Status |
Certificate |
Sunset date |
|---|---|---|---|---|---|
Kernel Crypto API |
5.4.0 |
FIPS 140-2 |
Active |
2026-09-21 |
|
AWS Kernel Crypto API |
5.4.0 |
FIPS 140-2 |
Active |
2026-05-18 |
|
GCP Kernel Crypto API |
5.4.0 |
FIPS 140-2 |
Active |
2026-05-18 |
|
Azure Kernel Crypto API |
5.4.0 |
FIPS 140-2 |
Active |
2026-05-18 |
|
OpenSSL |
1.1.1f |
FIPS 140-2 |
Active |
2026-09-21 |
|
Strongswan |
5.8.2 |
FIPS 140-2 |
Active |
2026-09-21 |
|
Libgcrypt |
1.8.5 |
FIPS 140-2 |
Active |
2026-04-19 |
Ubuntu 18.04 LTS¶
The modules in this release were certified and tested on on x86_64/AMD6 and IBM Z architectures.
Cryptographic module |
Version |
Standard |
Status |
Certificate |
Sunset date |
|---|---|---|---|---|---|
Kernel Crypto API |
4.15.0 |
FIPS 140-2 |
Active |
2026-08-29 |
|
Google Kernel Crypto API |
4.15.0 |
FIPS 140-2 |
Active |
2025-04-23 |
|
AWS Kernel Crypto API |
4.15.0 |
FIPS 140-2 |
Active |
2025-04-23 |
|
IBM-GT Kernel Crypto API |
4.15.0 |
FIPS 140-2 |
Active |
2025-04-23 |
|
Azure Kernel Crypto API |
4.15.0 |
FIPS 140-2 |
Active |
2025-04-23 |
|
OpenSSL |
1.1.1 |
FIPS 140-2 |
Active |
2026-07-11 |
|
Libgcrypt |
1.8.1 |
FIPS 140-2 |
Active |
2025-11-23 |
|
Strongswan |
5.6.2 |
FIPS 140-2 |
Historical |
N/A |
|
OpenSSH client |
1:7.9p1 |
FIPS 140-2 |
Historical |
N/A |
|
OpenSSH server |
1:7.9p1 |
FIPS 140-2 |
Historical |
N/A |
Ubuntu 16.04 LTS¶
The modules in this release were certified and tested on on x86_64/AMD6, IBM Z, and IBM Power8 architectures.
Cryptographic module |
Module version(s) |
Associated package(s) |
Status |
Certificate |
|
|---|---|---|---|---|---|
Kernel Crypto API |
4.4.0 |
FIPS 140-2 |
Active |
2025-10-06 |
|
OpenSSL |
1.0.2g |
FIPS 140-2 |
Active |
2025-10-08 |
|
Strongswan |
5.3.5 |
FIPS 140-2 |
Historical |
SP 800-56Arev3 transition |
|
OpenSSH client |
1:7.2p2 |
FIPS 140-2 |
Historical |
N/A |
|
OpenSSH server |
1:7.2p2 |
FIPS 140-2 |
Historical |
N/A |
Ubuntu Pro services for FIPS modules¶
Security vulnerabilities are discovered all the time and Canonical provides fixes for all the software packages within the Ubuntu ecosystem. However, the NIST certification process for FIPS applies to a specific binary version of the cryptographic module, which fixes these packages to the versions that were current at the time we submit the modules to NIST for review. This means that the FIPS certified modules may contain security vulnerabilities.
In order to address this obvious shortcoming, we provide updated versions of the FIPS modules that we patch to fix all relevant security vulnerabilities, and we strongly recommend that you use the updated modules so that your systems remain fully secure.
As the certification process takes some time, we also provide access to the modules that are awaiting NIST approval in the queue as a preview. At certain intervals we will submit the latest patched modules for recertification, and these will then be available for preview. These modules will have been validated by our testing lab partner and we do not anticipate making any further changes at this point.
There are several FIPS options listed in the Pro client, depending on whether the modules have been reviewed by NIST.
fips-updates
This is the recommended service. These modules receive all the latest security updates, and the package versions will keep track with the default non-FIPS packages in Ubuntu.
fips-preview
This service contains the modules that have been submitted to NIST for review but haven’t been certified yet. The latest FedRAMP guidelines, for instance, require you to install FIPS-certified modules but does allow you to use pre-approved packages that are awaiting NIST certification.
fips
This service provides the exact binary versions that NIST has certified. These packages do not include the security updates and are likely to contain vulnerabilities.
For more information about Ubuntu Pro services, see Compatibility matrix for Ubuntu Pro services