AlmaLinux OS is FIPS 140-3 validated
AlmaLinux OS 9.2 carries FIPS 140-3 validated cryptographic modules on the NIST CMVP Active list, including the first FIPS 140-3 kernel certificate for an EL9 distribution. You can enable FIPS mode and meet a recognized cryptographic standard, free for non-commercial use.
Обзор
FIPS 140-3 is widely treated as the gold standard for cryptographic security, recognized and required well beyond the United States. AlmaLinux OS 9.2 meets it: its kernel and OpenSSL cryptographic modules are independently validated by the NIST Cryptographic Module Validation Program and listed as Active.
That makes AlmaLinux the first EL9 distribution with a FIPS 140-3 validated kernel, and the validated packages are free for non-commercial use. Here is what FIPS is, why it matters, and how to turn it on.
The validation was sponsored by TuxCare, the enterprise support division of CloudLinux and a founding AlmaLinux platinum sponsor. TuxCare covered the considerable cost and engineering effort, and makes the validated packages available to the community for non-commercial use.
How we got here
| Date | Milestone |
|---|---|
| December 2022 | The AlmaLinux OS 9 kernel and OpenSSL modules are added to NIST's Implementation Under Test list. |
| June 2023 | CAVP certificates received, confirming the cryptographic algorithms are implemented correctly. |
| September 2023 | ESV entropy certificates received. AlmaLinux is the first software implementation to earn a FIPS 140-3 ESV certificate using SHA3-256 as a conditioner. |
| October 2024 | The AlmaLinux OS 9.2 kernel is FIPS 140-3 validated on the NIST CMVP Active list (certificate #4750), the first FIPS 140-3 kernel certificate for an EL9 distribution. |
| October 2024 | The OpenSSL FIPS provider is added to the Active list (certificate #4823). |
Read the full story in the original FIPS validation announcement and the 9.2 validation update.
What is FIPS?
FIPS (Federal Information Processing Standards) are cryptographic standards published by the United States government. FIPS 140-3 is the current version, and it defines the security requirements a cryptographic module must meet.
A module earns validation only after an accredited laboratory tests it and the NIST Cryptographic Module Validation Program certifies the result. AlmaLinux OS 9.2 was the first software implementation to receive a FIPS 140-3 ESV certificate using SHA3-256 as a conditioner.
Validation and compliance are not the same thing. A module earns validation by passing independent lab testing and joining the Active list. A system is compliant only when it runs a validated module in FIPS mode within its certified operational environment, and routine changes to the validated cryptography, such as an ordinary patch or kernel update, can move it outside that boundary. Keeping a system compliant over time therefore depends on updates that preserve the validated modules. Those packages are free for non-commercial use; ongoing FIPS-compliant patching and commercial use are offered through TuxCare's Enterprise Support. See TuxCare's FIPS page.
Why it matters
FIPS 140-3 is recognized and respected worldwide. The European Union's NIS 2 Directive, for example, calls for up-to-date encryption built on established standards.
For government, finance, healthcare, and anyone handling sensitive data, running on validated cryptography is often a requirement rather than a nice to have. FIPS validation gives those organizations independent assurance about the cryptography underneath their systems.
Validated cryptography is also a prerequisite for the DISA Security Technical Implementation Guide (STIG). AlmaLinux OS 9 is one of the few RHEL family distributions with a published DISA STIG, which gives regulated and United States Department of Defense environments an official hardening baseline. See the AlmaLinux OS 9 STIG on the NIST National Checklist Program and TuxCare's FIPS and STIG overview.
Enable FIPS mode for free
Anyone running AlmaLinux OS 9.2 can enable FIPS mode and meet the standard at no cost, for non-commercial use. Install the community packages from the TuxCare repository, turn on FIPS mode, and reboot:
dnf -y install https://repo.tuxcare.com/fips/tuxcare-fips-release-latest-9.noarch.rpm
dnf -y install openssl-3.0.7-20.el9_2.tuxcare.1 kernel-5.14.0-284.11.1.el9_2.tuxcare.5
fips-mode-setup --enable
rebootOnce the system comes back up it is running validated cryptography. For a full walkthrough, including how to verify it, see the FIPS validation update blog post.
Important: AlmaLinux OS 9.2 support status
AlmaLinux OS 9.2 is no longer supported by the AlmaLinux OS Foundation, which means we are not publishing updates for it. It went out of Foundation support when AlmaLinux OS 9.3 was released. For details on release support, see the AlmaLinux release notes.
If you need ongoing supported coverage, including for FIPS, see our support options.
Validation work continues on newer AlmaLinux releases. FIPS 140-3 certification for AlmaLinux 9.6 is now in progress, with its cryptographic modules on NIST's Modules in Process list. For details, see TuxCare's FIPS page and the 9.6 validation update.
Want to know more?
Questions about FIPS on AlmaLinux OS? Come talk with the people who do this work. We are happy to help.
