Checking the UA client
In this step, we will check which version of the UA client we have installed, because we need at least version 27.0 to enable the FIPS modules. We will then update our UA client if needed.
To see which version of the UA client you have installed, run:
$ apt-cache policy ubuntu-advantage-tools
ubuntu-advantage-tools: Installed: 10ubuntu0.16.04.1 Candidate: 10ubuntu0.16.04.1 Version table: *** 10ubuntu0.16.04.1 500 500 http://azure.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages 100 /var/lib/dpkg/status
We need at least version 27.0 but we have
10ubuntu0.16.04.1, so we now need to upgrade our UA package (skip this step if you are already running at least 27.0):
$ sudo apt update
$ sudo apt install ubuntu-advantage-tools
Now we have the correct version running!
$ ua version 27.1~16.04.1
Retrieving your UA token from the Ubuntu Advantage dashboard and attaching it to the UA client
If you are enabling FIPS modules on an Ubuntu Pro instance, you can skip this step and go straight to step 4. For non-Pro images, your UA token is used to associate your machines with your Ubuntu Advantage subscription.
Let’s first check whether we have already attached our UA token to the UA client by running
$ sudo ua status
SERVICE AVAILABLE DESCRIPTION cis yes Center for Internet Security Audit Tools esm-infra yes UA Infra: Extended Security Maintenance (ESM) fips yes NIST-certified FIPS modules fips-updates yes Uncertified security updates to FIPS modules livepatch yes Canonical Livepatch service This machine is not attached to a UA subscription. See https://ubuntu.com/advantage
We can see that this is not yet attached to a UA subscription. Let’s fix that now.
Your UA token can be found on your Ubuntu Advantage dashboard. To access your dashboard, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to purchase your subscription.
The Ubuntu One account functions as a Single Sign On, so once logged in we can go straight to the Ubuntu Advantage dashboard at ubuntu.com/advantage. Then click the “Machines” column in the “Your Paid Subscriptions” table to reveal your token.
Now we’re ready to attach our UA token to the UA client. Attaching the token will automatically enable the Canonical Livepatch service, which cannot be run in conjunction with FIPS, so we need to switch off the auto-enable feature:
$ sudo ua attach <your_ua_token> --no-auto-enable
Service esm-infra is recommended by default. Run: sudo ua enable esm-infra Service livepatch is recommended by default. Run: sudo ua enable livepatch. This machine is now attached to 'your account name' SERVICE ENTITLED STATUS DESCRIPTION cis yes disabled Center for Internet Security Audit Tools esm-infra yes disabled UA Infra: Extended Security Maintenance (ESM) fips yes disabled NIST-certified FIPS modules fips-updates yes disabled Uncertified security updates to FIPS modules livepatch yes disabled Canonical Livepatch service
Enabling FIPS crypto modules
Now it is time to enable the FIPS modules on our Ubuntu instance. First, we want to run the following command to see the FIPS service and its status:
$ ua status --all
We should see an output like this:
SERVICE ENTITLED STATUS DESCRIPTION cc-eal yes n/a Common Criteria EAL2 Provisioning Packages cis yes disabled Center for Internet Security Audit Tools esm-apps no — UA Apps: Extended Security Maintenance (ESM) esm-infra yes disabled UA Infra: Extended Security Maintenance (ESM) fips yes disabled NIST-certified FIPS modules fips-updates yes disabled Uncertified security updates to FIPS modules livepatch yes disabled Canonical Livepatch service Enable services with: ua enable <service>
We always recommend including the latest vulnerability updates using the
fips-updates option, so let’s enable FIPS including vulnerability fixes:
$ sudo ua enable fips-updates
One moment, checking your subscription first Updating package lists Installing FIPS Updates packages FIPS Updates enabled A reboot is required to complete install
We now need to reboot our system to put the system into FIPS mode. The reboot will boot into the FIPS kernel and create the
/proc/sys/crypto/fips_enabled entry, which instructs the FIPS certified modules to run in FIPS mode.
Finally, let’s check that FIPS is enabled by checking the
file and ensure it is set to “1”. If it is set to “0”, the FIPS modules
will not run in FIPS mode. If the file is missing, the FIPS kernel is
not installed. If it is not set to “1” when you check then the FIPS
kernel may not have loaded. In this case try rebooting and check it
Congratulations, you have successfully enabled FIPS on your Ubuntu instance!