By Álvaro Neira and Gonzalo Gómez
What is Dynamic FIPS Feature?
Hardened Bitnami Secure Images (BSI) are delivered with comprehensive FIPS preparation, including OpenSSL FIPS and compatible runtime configurations. While this ensures high security, we realized that a hard default could inadvertently restrict users who don't require FIPS compliance. This might impact the experience of using Bitnami Secure Images due to friction with FIPS for products that do not require it.
To address this, our Dynamic FIPS Feature was developed, empowering users to easily configure FIPS mode levels directly within their containers and Helm charts, optimizing for their specific security posture.
The net result is that customers can use the same hardened container images (based on PhotonOS) for both FIPS and non-FIPS applications. Instead of requiring two separate container images, customers enjoy the consistent user experience, low CVE count, and triage capabilities like VEX statements provided by BSI’s hardened images across all use cases.
What is FIPS?
FIPS (Federal Information Processing Standard) is a U.S. government standard for cryptographic modules used to protect sensitive unclassified information. It ensures that cryptographic algorithms and their implementations meet strict security requirements validated by NIST.
FIPS is more than just a certification; it's a critical requirement for organizations like the U.S. Government, military, and companies partnering with public agencies. Products operating with FIPS adhere to stringent security standards, ensuring cryptographic processes and data communication are handled with the highest level of integrity and protection
Technologies
BSI has introduced the Dynamic FIPS Feature, providing users with a straightforward method to customize FIPS mode levels across our hardened containers and Helm charts. Debian or UBI based images do not provide FIPS outcomes currently and this change only applies to BSI’s hardened Photon images.
Our containers are built with multiple runtimes, but our primary FIPS-related modifications focus on OpenSSL, Java, and Golang.
OpenSSL
Our Bitnami Secure Images (BSI) leverage PhotonOS and come with OpenSSL FIPS restricted mode pre-configured. OpenSSL is a critical component, fundamental to various runtimes like Python and Node.js, and widely used in scripting for tasks such as certificate generation. However, FIPS standards restrict certain cryptographic protocols, which can lead to compatibility challenges for users.
Currently, our OpenSSL components are certified with FIPS 140-2 and are in progress to be certified with FIPS 140-3.
To address this, we've made configuration simple: users can easily enable or disable this restricted mode via the OPENSSL_FIPS environment variable, setting it to yes or no. This ensures users can quickly adapt their containers to meet specific operational requirements.
Java
For Java applications within Bitnami Secure Images (BSI), we leverage Bouncy Castle to provide FIPS compliance. Bouncy Castle can be configured to adhere strictly to FIPS-approved protocols. We manage this through the java.security file, where we've pre-generated various security configuration levels, each located in a distinct path.
Currently, our Bouncy Castle module is certified with FIPS 140-3.
Users can easily activate these different security profiles by setting the JAVA_TOOL_OPTIONS environment variable:
-
Restricted: The path is with the value /opt/bitnami/java/conf/security/java.security.restricted, then you need to export the environment variable JAVA_TOOL_OPTIONS with the value --module-path=/opt/bitnami/bc-fips/ -Djava.security.properties==/opt/bitnami/java/conf/security/java.security.restricted
-
Relaxed: The path is with the value /opt/bitnami/java/conf/security/java.security.relaxed, then you need to export the environment variable JAVA_TOOL_OPTIONS with the value -Djava.security.properties==/opt/bitnami/java/conf/security/java.security.relaxed.
-
Off: The path is with the value /opt/bitnami/java/conf/security/java.security.original, then you need to export the environment variable JAVA_TOOL_OPTIONS with the value -Djava.security.properties==/opt/bitnami/java/conf/security/java.security.original.
Golang
Many of our applications utilize Golang, and some in our catalog are FIPS compliant. This feature gives customers the control to run them with or without FIPS, matching their specific requirements.
Currently, our Golang FIPS modules are being certified with 140-3.
Users can easily fine-tune the FIPS mode level through the GODEBUG environment variable:
-
Restricted: Setting up the variable GODEBUG to fips140=only.
-
Relaxed: Setting up the variable GODEBUG to fips140=on (same as Boringcrypto).
-
Off: Unsetting the GODEBUG environment variable, or setting it to fips140=off.
Helm Charts
To ease the customization of these features, we have added new parameters to our PhotonOS based Helm Charts. With these new commercial-only features, customers can define the FIPS configuration via the values YAML definition file, or from the command line, as shown below:
helm install --set <component>.fips.<technology>=<value>
As described above, the possible values are restricted, relaxed, and off. The chart templates will configure the underlying containers with the provided settings. In case there isn’t any specific value for one of these parameters, the global.defaultFips value will take effect. By default, this parameter is set to restricted in all of our Helm charts.
Customers are always our priority
At Bitnami, we continuously evolve our Secure Images (BSI) to better serve our users. This new Dynamic FIPS feature is a direct result of that commitment. It empowers you to activate or deactivate FIPS support as needed, eliminating the complexity and cost of maintaining separate, redundant product instances for different compliance requirements, as is the case with other competitors’ solutions.
Now, you can deploy precisely the products you require, with full control over FIPS integration, making BSI assets more flexible and tailored to your operational needs.
Contact us today to learn more about Bitnami Secure Images.