Docker Achieves FIPS 140-2 Validation


Oct 31 2018

We are excited to share that we have achieved formal FIPS 140-2 validation (Certificate #3304) from the National Institute of Standards and Technology (NIST) for our Docker Enterprise Edition Crypto Library. With this validation and industry-recognized seal of approval for cryptographic modules, we are able to further deliver on the fundamental confidentiality, integrity and availability objectives of information security and provide our commercial customers with a validated and secure platform for their applications. As required by the Federal Information Security Management Act (FISMA) and other regulatory technology frameworks like HIPAA and PCI, FIPS 140-2 is an important validation mechanism for protecting the sensitivity and privacy of information in mission-critical systems.

As we highlighted in a previous blog post, Docker Engine – Enterprise version 18.03 and above includes this now-validated crypto module. This module has been validated at FIPS 140-2 Level 1. The formal Docker Enterprise Edition Crypto Library’s Security Policy calls out the specific security functions in Docker Engine – Enterprise supported by this module and includes the following:

  • ID hashes
  • Swarm Mode distributed state store and Raft log (securely stores Docker Secrets and Docker Configs)
  • Swarm Mode overlay networks (control plane only)
  • Swarm Mode mutual TLS implementation
  • Docker daemon socket TLS binding

Activating the FIPS mode of operation in Docker Engine – Enterprise is as easy as enabling FIPS Mode on the underlying host operating system and restarting the Engine (if it is already running). Docker Engine – Enterprise’s FIPS mode can also be explicitly activated by prepending the DOCKER_FIPS=1 environment variable to your commands. In the next Docker Enterprise release, FIPS mode will also be available for the management and registry services, extending the secure foundation beyond the application cluster.
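A host-side preflight check that mirrors the two activation paths described above, added here as an example and not Docker's own tooling; it assumes a Linux host that exposes the kernel FIPS flag at /proc/sys/crypto/fips_enabled.

```shell
# Added example (not Docker's own tooling). Assumes a Linux host where the
# kernel exposes its FIPS state in /proc/sys/crypto/fips_enabled.
# Usage: . ./fips_preflight.sh && fips_preflight

# Returns 0 when the host kernel reports FIPS mode enabled.
# $1 optionally overrides the flag file (handy for testing).
host_fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] && [ "$(cat "$flag_file" 2>/dev/null)" = "1" ]
}

# Decide how FIPS mode will be activated for Docker Engine - Enterprise:
#   host     - host OS is in FIPS mode; the Engine picks it up on restart
#   explicit - DOCKER_FIPS=1 is set in the environment
#   none     - neither; the default crypto module would be used
# $1 = path to the fips_enabled flag, $2 = value of DOCKER_FIPS (may be empty)
fips_activation_mode() {
    if host_fips_enabled "$1"; then
        echo host
    elif [ "$2" = "1" ]; then
        echo explicit
    else
        echo none
    fi
}

# Print an operator-facing summary; returns 1 if FIPS mode will not be active.
fips_preflight() {
    mode="$(fips_activation_mode "${1:-/proc/sys/crypto/fips_enabled}" "${DOCKER_FIPS:-}")"
    case "$mode" in
        host)     echo "FIPS mode: host OS flag set; restart dockerd if it is already running" ;;
        explicit) echo "FIPS mode: DOCKER_FIPS=1 set; start the daemon as: DOCKER_FIPS=1 dockerd" ;;
        none)     echo "FIPS mode: NOT active (enable host FIPS mode or set DOCKER_FIPS=1)"; return 1 ;;
    esac
}
```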

Behind the scenes, Docker Engine – Enterprise leverages a proprietary switching library to swap the crypto module used for functions when FIPS mode is enabled, as shown by the figure below.

[Figure: Docker Engine – Enterprise switching library selecting the FIPS 140-2 validated crypto module when FIPS mode is enabled]

We are continuing to work to incorporate this FIPS 140-2 validated module into the remainder of the Docker Enterprise container platform so stay tuned for updates.
