Go to Chainguard.dev
Send feedback Contact
Working with Chainguard Images

FIPS-enabled Chainguard Images

A conceptual overview of Chainguard's FIPS-enabled Images.
IMAGES PRODUCT CONCEPTUAL

One of the primary requirements of federal compliance frameworks — including FedRAMP — is to use FIPS-validated cryptography. Chainguard offers FIPS-enabled versions of a number of its Images. This article provides a high-level overview of what FIPS is and what to expect from Chainguard’s FIPS-enabled Images.

Federal Information Processing Standards (FIPS) are publicly announced standards developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. FIPS compliance ensures that cryptographic security services within applications meet strict security and integrity standards, and are implemented and configured correctly.

‍Chainguard warranties the following with respect to Chainguard container images:

Chainguard’s FIPS Images available to be delivered in compliance with FIPS specifications are listed here (each a “Chainguard FIPS Image”). Images will be made available in compliance with FIPS specifications provided a customer’s applicable order form designates the purchase of Chainguard FIPS images.

The Chainguard FIPS images contain FIPS-validated software cryptographic modules. Entropy must be provided as specified in its cryptographic policy. The cryptographic module may provide non-approved algorithms, which will result in operating in FIPS non-approved mode. The cryptographic FIPS modules currently provided are:

‍- OpenSSL FIPS Provider (CMVP #4282)

  • Bouncy Castle FIPS Java API (CMVP #4743, CMVP #4616)
  • Chainguard CPU Time Jitter RNG Entropy Source (Entropy Certificate #E191)

These may be updated occasionally; for further information, contact fips-contact@chainguard.dev.

Additional guidance is available for specific images, like these:

You can find more at: https://images.chainguard.dev/?category=fips.

All of Chainguard’s FIPS Images have STIGs.

‍Chainguard will take commercially reasonable efforts to ensure applications utilize FIPS-validated cryptographic modules for any cryptographic operations, provided that the parties acknowledge and agree that certain behaviors or functionalities within such applications, which are beyond the direct control of Chainguard, may not fully adhere to FIPS requirements. In the event there are common vulnerabilities and exposures identified, the Chainguard SLA will apply.

‍If Customer requests an image not currently available as a Chainguard FIPS Image, Chainguard will use commercially reasonable efforts to determine if such request is feasible. For further information, contact fips-contact@chainguard.dev.

Learn more

We encourage you to check our list of FIPS Images in the Chainguard Images Directory. After navigating to the directory, you can either click the FIPS tag in the left-hand sidebar menu to filter out any non-FIPS Images, or use the search function to find every Image with “fips” in its name. Additionally, we encourage you to check out the documentation for the OpenSSL FIPS module and the Bouncy Castle FIPS Crypto package to better understand how they work.

Chainguard’s FIPS Images are not included in our free tier of Developer Images. If you’d like access to one or more of our FIPS-ready Images, please contact us.

Last updated: 2024-02-08 15:56

Using the Tag History API Prev   STIGs for Chainguard Images   Next