
Docker Achieves FIPS 140-2 Validation

Staff - October 31, 2019

We are excited to share that we have achieved formal FIPS 140-2 validation (Certificate #3304) from the National Institute of Standards and Technology (NIST) for our Docker Enterprise Edition Crypto Library.

With this validation and industry-recognized seal of approval for cryptographic modules, we are able to further deliver on the fundamental confidentiality, integrity and availability objectives of information security and provide our commercial customers with a validated and secure platform for their applications. As required by the Federal Information Security Management Act (FISMA) and other regulatory technology frameworks like HIPAA and PCI, FIPS 140-2 is an important validation mechanism for protecting the sensitivity and privacy of information in mission-critical systems.

Docker Engine – Enterprise version 18.03 and above includes this now-validated crypto module. This module has been validated at FIPS 140-2 Level 1. The formal Docker Enterprise Edition Crypto Library’s Security Policy calls out the specific security functions in Docker Engine – Enterprise supported by this module and includes the following:

  • ID hashes
  • Swarm Mode distributed state store and Raft log (securely stores Docker Secrets and Docker Configs)
  • Swarm Mode overlay networks (control plane only)
  • Swarm Mode mutual TLS implementation
  • Docker daemon socket TLS binding

Activating the FIPS mode of operation in Docker Engine – Enterprise is as easy as enabling FIPS Mode on the underlying host operating system and restarting the Engine (if it’s already running). Docker Engine – Enterprise’s FIPS mode can also be explicitly activated by prepending the DOCKER_FIPS=1 environment variable to your commands. Furthermore, the next Docker Enterprise release will allow FIPS mode to be enabled for the management and registry services as well, providing a secure foundation for those services in addition to the application cluster.
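The two activation paths above (host FIPS mode, or the DOCKER_FIPS=1 variable) are easy to get wrong silently, so a pre-flight check that reports which path, if any, will put the Engine into FIPS mode is worth having. The script below is an added example, not code from the original post or from Docker; it assumes the Linux kernel's FIPS flag is readable at /proc/sys/crypto/fips_enabled (a different path can be passed for testing) and that the Engine honours DOCKER_FIPS=1 as the post describes.

```shell
#!/bin/sh
# Added example (not from the original post or from Docker): decide, before
# starting Docker Engine - Enterprise, whether its FIPS mode will be active.
# Assumption: the kernel's FIPS flag lives at /proc/sys/crypto/fips_enabled
# (standard Linux path); a test may pass another file to read instead.

# fips_host_enabled [FILE]
# Returns 0 (true) when the host kernel reports FIPS mode on, 1 otherwise.
fips_host_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# engine_fips_mode FILE DOCKER_FIPS_VALUE
# Prints which mechanism will activate FIPS mode in the Engine:
#   host - the host OS is in FIPS mode (Engine picks it up on restart)
#   env  - DOCKER_FIPS=1 was prepended to the command
#   off  - neither; the Engine will run with its non-validated crypto
engine_fips_mode() {
    if fips_host_enabled "$1"; then
        echo host
    elif [ "$2" = "1" ]; then
        echo env
    else
        echo off
    fi
}

# Report the result for this host and the current environment.
main() {
    mode=$(engine_fips_mode /proc/sys/crypto/fips_enabled "${DOCKER_FIPS:-}")
    case "$mode" in
        host) echo "host kernel in FIPS mode: Engine will use the validated module" ;;
        env)  echo "DOCKER_FIPS=1 set: Engine will use the validated module" ;;
        off)  echo "FIPS mode NOT active: enable host FIPS mode or prepend DOCKER_FIPS=1" ;;
    esac
}

main "$@"
```

Run it on the host before starting the Engine; if it reports "off", either enable FIPS mode on the operating system and restart the Engine, or prepend DOCKER_FIPS=1 to the Engine command as the post describes. The check is deliberately read-only: it never changes host state.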

Behind the scenes, Docker Engine – Enterprise uses a proprietary switching library to swap in the validated crypto module for cryptographic functions when FIPS mode is enabled, as shown by the figure below.

We are continuing to work to incorporate this FIPS 140-2 validated module into the remainder of the Docker Enterprise container platform, so stay tuned for updates.
