Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

Enabling FIPS with the pro tool

FIPS configuration can be enabled automatically via the Ubuntu Advantage tool after attaching your subscription. To install the tool type the following commands.

sudo apt update
sudo apt install ubuntu-advantage-tools

Attach the subscription


NOTE: This step is not necessary in Ubuntu PRO images.


The FIPS packages are available on Ubuntu Pro or with an Ubuntu Advantage subscription. To attach your subscription follow the steps on the official Ubuntu guide.

Enable FIPS


NOTE: Switching the system to contain the FIPS certified packages cannot be easily undone. We recommend to use a testing system for experimentation before trying on production.


We recommend enabling the ‘fips-updates’ option that includes security fixes timely before the packages are re-certified. However we provide the option to install the validated packages that are only updated on re-validation.

Including timely security updates

  1. Enable FIPS including security updates.
    sudo pro enable fips-updates
  2. Verify that the system is attached to pro and has FIPS enabled.
    sudo pro status
  3. Please proceed to the reboot section.

Strictly with the certified packages

  1. Enable FIPS.
    sudo pro enable fips
  2. Verify that the system is attached to pro and has FIPS enabled.
    sudo pro status
  3. Please proceed to the reboot section.

Reboot

The pro client will install the necessary packages for the FIPS mode, including the kernel and the bootloader. After this step you MUST reboot to put the system into FIPS mode. The reboot will boot into the FIPS-supported kernel and create the /proc/sys/crypto/fips_enabled entry which tells the FIPS certified modules to run in FIPS mode. If you do not reboot after installing and configuring the bootloader, FIPS mode is not yet enabled.

To verify that FIPS is enabled after the reboot check the /proc/sys/crypto/fips_enabled file and ensure it is set to 1. If it is set to 0, the FIPS modules will not run in FIPS mode. If the file is missing, the FIPS kernel is not installed, you can verify that FIPS has been properly enabled with the pro status command.

FIPS and livepatching

The Livepatch service is enabled by default while attaching the system to the Ubuntu Advantage service. Livepatch and the fips stream are not compatible, so it will be disabled. Livepatch is available on the fips-updates stream.

This page was last modified 1 year, 4 months ago. Help improve this document in the forum.