- Three out of four Linux boxes flunk their first FIPS check. Don’t be one of them.
- Why most “FIPS” installs are fake
- Pick the right distro first
- Lock the kernel into FIPS mode
- Don’t forget the reboot trap
- Scan your own apps before auditors do
- The FIPS 140-2 sunset: plan for FIPS 140-3 now
- Quick sanity test (one-liner)
- Keep the receipts
- Bottom line
Three out of four Linux boxes flunk their first FIPS check. Don’t be one of them.
73% of first-time audits end with a red stamp. I watched a Fortune-500 team lose a $2.7 million contract last month because a missing kernel module made their “FIPS box” a liar. The CISO’s face? Let’s just say I’ve seen more color in printer paper.
So, what actually is FIPS? Think of it as a guardrail for cryptography. FIPS 140-3 is the NIST standard for validating cryptographic modules, and FISMA and the contract clauses that flow down from it say that if your Linux server talks to the US government (or any big bank, hospital, or defense contractor that inherits those clauses), the crypto inside it must come from a module validated against that standard. Note the wording: it is not enough that the algorithm is on NIST's approved list; the specific implementation (kernel crypto API, OpenSSL, libgcrypt, GnuTLS, NSS) must hold a certificate. No exceptions.
Why most “FIPS” installs are fake
Sarah, a DevOps friend, spent 400 hours getting her Ubuntu image “ready.” She even added the fips package. Audit day? The inspector opened a terminal, typed one line, and watched OpenSSL admit it was still using forbidden ciphers. The result:
- $50 k in rework
- Six extra months of late-night calls
- One very unhappy CFO
The lesson: adding the package is not the same as turning the switch on.
Pick the right distro first
NIST's Cryptographic Module Validation Program (CMVP) publishes the list of validated modules at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search. A certificate covers one vendor's build of one module (kernel crypto API, OpenSSL, libgcrypt, GnuTLS, NSS), so "RHEL" or "Ubuntu" as a whole is never validated; specific package versions are. Three distros you will meet most often that hold FIPS 140-3 certificates:
- RHEL 9 – Red Hat did the paperwork so you don’t have to; the certificates name specific minor releases and package versions, so pin to them.
- Ubuntu 22.04 LTS – requires an Ubuntu Pro subscription; the validated FIPS kernel replaces the stock kernel (the HWE kernel is not the FIPS kernel).
- SUSE Linux Enterprise 15 – enterprise, rock-solid, boring in a good way; again, check which service pack the certificate names.
Anything else (Fedora, CentOS Stream, Debian, Alpine, a custom kernel) is DIY with no safety net: you can switch the kernel into FIPS mode, but you hold no certificate. Before you commit, look the certificate up and confirm CMVP lists it as Active, not Historical.
Lock the kernel into FIPS mode
Enable FIPS mode at install time if you can: Red Hat's own guidance is to install with fips=1 on the installer's kernel command line rather than switch an existing system, because software installed before the switch may already have generated keys or settings with non-approved algorithms. If you are converting a running system:
RHEL (and its rebuilds; Fedora and CentOS Stream ship the same tool but hold no certificate)
sudo fips-mode-setup --enable
sudo reboot
fips-mode-setup adds fips=1 to the bootloader entries, rebuilds the initramfs, and switches the system-wide crypto policy to FIPS.
Ubuntu (Ubuntu Pro subscription required; the FIPS kernel replaces the stock or HWE kernel)
sudo pro attach <your-token>
sudo pro enable fips-updates
sudo reboot
Use "fips" instead of "fips-updates" only if your auditor insists on the exact validated binaries with no security fixes applied; "fips-updates" is the validated packages plus patches.
SUSE Linux Enterprise 15
sudo zypper install -t pattern fips
Add fips=1 to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, then:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
sudo dracut -f
sudo reboot
Then check the lights are on:
cat /proc/sys/crypto/fips_enabled # should print 1
On RHEL, fips-mode-setup --check says the same thing in words.
Don’t forget the reboot trap
FIPS mode is not a package; it is the fips=1 kernel parameter plus an initramfs built with the FIPS integrity checks (dracut-fips on RHEL and SUSE, the FIPS initramfs hooks on Ubuntu). Lose either and the next reboot bites you. If fips=1 drops off the command line (a kernel update that regenerated the bootloader entry, a cloud image that injects its own cmdline, a hand edit of /etc/default/grub), the machine boots happily without FIPS and nothing complains. If fips=1 is present but the integrity files are missing, the boot fails with an integrity-check error instead, which is at least loud. Check both after every reboot:
cat /proc/cmdline # must contain fips=1
cat /proc/sys/crypto/fips_enabled # must print 1
And rebuild the initramfs after any kernel or crypto package change so the FIPS hooks stick around:
# RHEL / SUSE
sudo dracut -f
# Ubuntu
sudo update-initramfs -u -k all
Scan your own apps before auditors do
Even if the kernel is clean, an application that brings its own crypto bypasses the validated module entirely: a statically linked Go binary, a Java app on the stock JCE providers, a Python wheel with a vendored OpenSSL, a container built from a non-FIPS base image. Those need either a FIPS-capable build or a link back to the distro's validated library. What applications may use, per SP 800-131A Rev. 2:
- AES (128, 192 or 256 bit, in GCM, CBC or CTR mode) for encryption
- SHA-2 / SHA-3 for hashes and HMAC; SHA-1 only for legacy non-signature uses, and best removed
- RSA 2048 or bigger for keys (3072 for 128-bit security), or ECDSA/ECDH on P-256, P-384 or P-521
Not approved: MD5, RC4, DES, 3DES (disallowed for encryption since the end of 2023), Blowfish, ChaCha20-Poly1305, and Ed25519/X25519 unless your module's certificate and Security Policy explicitly list them.
One easy check:
nmap --script ssl-enum-ciphers -p 443 yourserver.com
If you see TLS_RSA_WITH_3DES_EDE_CBC_SHA (or anything with RC4, MD5, NULL or CHACHA20 in the name, or a TLSv1.0/TLSv1.1 section at all), go back and fix it. 3DES has been disallowed for encryption since the end of 2023, and SP 800-52 Rev. 2 requires TLS 1.2 or later. Remember that nmap only sees the TLS listener; it tells you nothing about the hashes and ciphers your code calls internally, so pair it with a review of library configuration.
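Here is an added example (not from the original article) that turns that rule of thumb into a repeatable check: save the nmap output to a file and post-process it. The suite and protocol patterns are the editor's reading of SP 800-131A Rev. 2 and SP 800-52 Rev. 2, and the sample scan output is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): post-process saved output of
#   nmap --script ssl-enum-ciphers -p 443 yourserver.com > scan.txt
# and flag cipher suites and protocol versions a FIPS 140-3 deployment
# must not offer.

# Suite-name fragments that are never approved: legacy ciphers, MD5 MACs,
# anonymous/export key exchange, and ciphers outside the NIST catalogue
# (ChaCha20, Camellia, ARIA, SEED). Editor's list from SP 800-131A Rev. 2;
# cross-check against the approved-algorithm annex of your module's
# Security Policy.
NON_FIPS_SUITE_RE='3DES|_DES_|RC4|RC2|IDEA|NULL|MD5|anon|EXPORT|CHACHA20|CAMELLIA|ARIA|SEED'
# SP 800-52 Rev. 2 requires TLS 1.2 or later.
OLD_PROTO_RE='^(SSLv2|SSLv3|TLSv1\.0|TLSv1\.1)$'

# flag_non_fips < scan.txt
# Prints one line per offending suite or protocol; returns 0 if clean, 1 otherwise.
flag_non_fips() {
    input=$(cat)
    bad=0
    # nmap prints each suite as e.g. "|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C"
    for suite in $(printf '%s\n' "$input" | grep -oE '(TLS|SSL)_[A-Za-z0-9_]+' | sort -u); do
        if printf '%s\n' "$suite" | grep -qE "$NON_FIPS_SUITE_RE"; then
            echo "NOT APPROVED suite:    $suite"
            bad=1
        fi
    done
    # Protocol section headers look like "|   TLSv1.0:"
    for proto in $(printf '%s\n' "$input" | grep -oE '(SSLv[23]|TLSv1\.[0-3]):' | tr -d ':' | sort -u); do
        if printf '%s\n' "$proto" | grep -qE "$OLD_PROTO_RE"; then
            echo "NOT APPROVED protocol: $proto"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample of nmap output (not a real scan) for a server that still
# offers TLS 1.0, 3DES and ChaCha20 next to approved AES-GCM suites.
SAMPLE_SCAN='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|_  least strength: C'

# Run the check on the sample. On a real host:  flag_non_fips < scan.txt
demo_sample() {
    printf '%s\n' "$SAMPLE_SCAN" | flag_non_fips
}
```

On the sample, demo_sample reports the 3DES suite, the ChaCha20 suite and the TLSv1.0 section and exits non-zero, so the function drops straight into a CI gate or a pre-audit cron job. A clean scan prints nothing and exits 0.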
The FIPS 140-2 sunset: plan for FIPS 140-3 now
FIPS 140-3 has been the only standard CMVP accepts new modules against since September 2021, and CMVP has announced that every remaining FIPS 140-2 certificate moves to the Historical list on 21 September 2026, a list agencies are told not to use for new procurements. A vendor still leaning on a 140-2 certificate then has nothing current to point at, which is why the pressure lands on you now. Upgrades you need:
- OpenSSL 3.0+ with a FIPS 140-3 validated provider (the distro's build, not upstream's; it is the distro package version that the certificate names)
- No MD5 anywhere; SHA-1 out of signatures now and out entirely before NIST retires it at the end of 2030
- An entropy source that meets SP 800-90B; on a validated distro that is the kernel's job, and one more reason not to swap in a custom kernel
- Paper trail for every change
Miss it and your contracts go to the next vendor who didn’t.
Quick sanity test (one-liner)
cat /proc/sys/crypto/fips_enabled && openssl list -providers | grep -iA3 fips
If the first part prints 1 and the second shows a provider block headed "fips" with "status: active", you’re in business. Two refinements: on RHEL also run update-crypto-policies --show (expect FIPS) and fips-mode-setup --check; on Ubuntu, pro status should list fips or fips-updates as enabled. If any of these disagree, the clock is ticking.
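The one-liner above, plus the /proc/cmdline check from the reboot-trap section, folded into one function. This is an added example written for this page, not code from the article or from any distro; each check reads from a file path so the logic can be exercised against constructed sample files, and with no arguments it reads the live /proc files and runs openssl itself. The provider format it parses is the block layout that OpenSSL 3's `openssl list -providers` prints.

```shell
#!/bin/sh
# Added example (not from the original article): the three facts an
# auditor's one-liner actually depends on, as PASS/FAIL checks.
#
# check_fips_state [FIPS_ENABLED_FILE] [CMDLINE_FILE] [PROVIDERS_FILE]
#   PROVIDERS_FILE holds saved output of `openssl list -providers`;
#   leave it empty to run openssl on the live host.
# Prints one PASS/FAIL line per check; returns 0 only when all three pass.
check_fips_state() {
    fips_file="${1:-/proc/sys/crypto/fips_enabled}"
    cmdline_file="${2:-/proc/cmdline}"
    providers_file="${3:-}"
    rc=0

    # 1. Kernel switch: the only value that counts is exactly "1".
    if [ "$(cat "$fips_file" 2>/dev/null)" = "1" ]; then
        echo "PASS kernel: fips_enabled=1"
    else
        echo "FAIL kernel: fips_enabled is not 1 (booted without FIPS)"
        rc=1
    fi

    # 2. Boot parameter: fips=1 must be on the running kernel's command
    #    line, or the next reboot (new kernel, regenerated bootloader entry,
    #    cloud image with its own cmdline) comes up non-FIPS and silent.
    if grep -qw 'fips=1' "$cmdline_file" 2>/dev/null; then
        echo "PASS boot: fips=1 on kernel command line"
    else
        echo "FAIL boot: fips=1 missing from kernel command line"
        rc=1
    fi

    # 3. OpenSSL 3: the fips provider must be loaded and active, not merely
    #    installed. `openssl list -providers` prints one block per provider:
    #        fips
    #          name: OpenSSL FIPS Provider
    #          version: 3.0.7
    #          status: active
    if [ -n "$providers_file" ]; then
        providers=$(cat "$providers_file" 2>/dev/null || true)
    else
        providers=$(openssl list -providers 2>/dev/null || true)
    fi
    if printf '%s\n' "$providers" | awk '
            /^  [^ ]/                          { cur = $1 }
            cur == "fips" && /status: active/  { found = 1 }
            END                                { exit found ? 0 : 1 }'; then
        echo "PASS openssl: fips provider loaded and active"
    else
        echo "FAIL openssl: fips provider not active (check openssl.cnf and fipsmodule.cnf)"
        rc=1
    fi
    return $rc
}

# Live run on a host:  check_fips_state   (exit code 0 = all three green)
```

Wire it into your monitoring and alert on a non-zero exit: a box that passed on audit day and silently lost fips=1 on the next kernel update is exactly the failure the reboot-trap section describes.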
Keep the receipts
Auditors love paper. Create a folder with:
- The running kernel version (uname -r), /proc/cmdline showing fips=1, and the bootloader config that sets it
- The exact OpenSSL (and libgcrypt/GnuTLS/NSS, if used) package versions, each matched to its CMVP certificate number and module version
- Application config files that force approved ciphers only, plus the scan output that proves the listeners obey them
- Any hardware RNG or HSM model numbers and their certificates
- A change log: who flipped the switch, when, and the check output afterwards
Walking into the room with that folder is like walking in with armor.
Bottom line
A FIPS-enabled Linux server isn’t a weekend hobby project. It’s a must-have for any shop that touches regulated data. Pick a validated distro, flip the switch, test everything, and document it. Do it once, do it right, and you’ll sleep straight through audit week.