FIPS on

Understanding FIPS

Thu, 16 Oct 2025 08:00:00 +0000

What is FIPS?

Federal Information Processing Standards (FIPS) are publicly announced standards developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the U.S. Secretary of Commerce.

Chainguard FIPS Containers

Thu, 08 Feb 2024 15:56:52 -0700

What is FIPS?

Federal Information Processing Standards (FIPS) are standards developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA). FIPS compliance ensures that cryptographic security services within applications meet strict security and integrity standards, and are implemented and configured correctly.

Getting Started with FIPS Containers

Thu, 16 Oct 2025 08:00:00 +0000

Prerequisites

Before starting, you’ll need:

Chainguard FIPS TLS Connectivity Requirements

Sat, 15 Nov 2025 08:49:31 +0000

This document provides an overview of FIPS TLS connectivity requirements for using Chainguard FIPS products. These FIPS products have higher minimum TLS requirements, which complicates connecting them to insecure EOL non-FIPS systems, as well as FIPS systems with lapsed (historical) certification.

Chainguard strives to ensure the broadest connectivity possible for its FIPS products. However, many obsolete systems are still widely used and may not be able to connect with Chainguard FIPS products.

Overview of Chainguard EKS Add-ons

Fri, 10 Apr 2026 00:00:00 +0000

Chainguard EKS add-ons are hardened, minimal container images for the foundational software components that power Amazon Elastic Kubernetes Service (EKS) clusters. Available through AWS Marketplace, they serve as FIPS-validated drop-in replacements for AWS default add-ons, providing zero known CVEs and FIPS 140-3 validated cryptography without requiring custom image builds or manifest overrides.

What are EKS add-ons?

Amazon EKS add-ons are software components that provide supporting operational capabilities to Kubernetes applications — things like networking drivers, storage integrations, and observability agents that allow the cluster to interact with underlying AWS resources, but aren’t specific to any application running on it.

FIPS and Non-Approved Algorithms

Tue, 28 Oct 2025 08:00:00 +0000

Overview

FIPS cryptographic modules implement cryptographically strong protection of data at rest and in transit. NIST’s position on this is very clear (source):

Verify that Chainguard FIPS Containers are Configured to Use FIPS Modules

Sun, 23 Nov 2025 08:04:00 +0000

Chainguard offers hundreds of FIPS container image variants covering language runtimes (Go, Java, Python, Node.js, .NET, PHP, C/C++), databases, web servers, and Kubernetes components. These images use NIST-validated cryptographic modules including the OpenSSL FIPS provider, Bouncy Castle FIPS, and BoringCrypto. Refer to Chainguard’s FIPS Commitment for a full list of the modules used in Chainguard FIPS Images, as well as their respective CMVP certificates and SBOM indicators.

This guide outlines how to verify that Chainguard’s FIPS images are properly configured to use these FIPS modules.

Kernel-Independent FIPS Architecture

Thu, 16 Oct 2025 08:00:00 +0000

Overview

Chainguard FIPS Containers use a userspace entropy source instead of relying on the host kernel to provide validated randomness. This kernel-independent design allows FIPS containers to run on any recent Linux kernel, eliminating the traditional requirement for kernels configured in FIPS mode.

Chainguard FIPS Container FAQs

Fri, 10 Jan 2025 15:56:52 -0700

Answers to your questions about Chainguard FIPS container images.

Is there a way to enable or disable the FIPS mode in a FIPS image?

All Chainguard FIPS Containers are configured in approved-only mode as noted in our FIPS commitment.