We are excited to share that we have achieved formal FIPS 140-2 validation (Certificate #3304) from the National Institute of Standards and Technology (NIST) for our Docker Enterprise Edition Crypto Library. With this validation and industry-recognized seal of approval for cryptographic modules, we are able to further deliver on the fundamental confidentiality, integrity and availability objectives of information security and provide our commercial customers with a validated and secure platform for their applications. As required by the Federal Information Security Management Act (FISMA) and other regulatory technology frameworks like HIPAA and PCI, FIPS 140-2 is an important validation mechanism for protecting the sensitivity and privacy of information in mission-critical systems.
As we highlighted in a previous blog post, Docker Engine – Enterprise version 18.03 and above includes this now-validated crypto module. This module has been validated at FIPS 140-2 Level 1. The formal Docker Enterprise Edition Crypto Library’s Security Policy calls out the specific security functions in Docker Engine – Enterprise supported by this module and includes the following:
- ID hashes
- Swarm Mode distributed state store and Raft log (securely stores Docker Secrets and Docker Configs)
- Swarm Mode overlay networks (control plane only)
- Swarm Mode mutual TLS implementation
- Docker daemon socket TLS binding
Activating the FIPS mode of operation in Docker Engine – Enterprise is as easy as enabling FIPS Mode on the underlying host operating system and restarting the Engine (if it’s already running). Docker Engine – Enterprise’s FIPS mode can also be explicitly activated by prepending the DOCKER_FIPS=1 environment variable to your commands. Furthermore, FIPS mode can be enabled in the next Docker Enterprise release, thus providing a secure foundation for the management and registry services in addition to the application cluster.
Behind the scenes, Docker Engine – Enterprise leverages a proprietary switching library to swap the crypto module used for functions when FIPS mode is enabled, as shown by the figure below.
We are continuing to work to incorporate this FIPS 140-2 validated module into the remainder of the Docker Enterprise container platform so stay tuned for updates.