Federal-Grade, Cryptographically Validated Cloud Infrastructure
Build a secure and compliant IaaS environment for regulated environments and management of sensitive data with Apache CloudStack to meet federal government standards.
The FIPS-validated version of Apache CloudStack is a ShapeBlue-maintained distribution designed for highly regulated environments. It enforces NIST CMVP-validated cryptographic modules and algorithms across the stack—covering TLS, SSH, key management, and internal services.
Ideal for government, defense, finance, healthcare, and critical infrastructure, this release provides secure-by-design private cloud deployments, eliminating weak ciphers, enforcing trusted algorithms, and reducing audit and regulatory risk.
Mandatory use of FIPS-validated cryptography for federal information systems and CUI handling.
Regulations: FISMA, FedRAMP, NIST SP 800-53, NIST SP 800-171
Required for systems processing Controlled Unclassified Information (CUI) in the defense supply chain.
Regulations: DFARS 252.204-7012, CMMC (derived from NIST SP 800-171)
Often mandated for high-assurance encryption in regulated operational environments.
Regulations: NERC CIP, DOE guidance, federal critical infrastructure programs
Frequently required by institutional policy even when not explicitly mandated by PCI DSS
Regulations: PCI DSS, FFIEC guidance, federal banking oversight
Requires FIPS-validated encryption for data in transit and at rest.
Regulations: CJIS Security Policy
Component
Security implementation
UI / API / CLI
Database Connection
Enforces TLS 1.2 with CMVP-validated cipher suites
Management Server
CPVM / SSVM / VR
SystemVM Templates
Built with BCFIPS; all crypto operations routed via FIPS 140-approved modules; hardened TLS and keystore config
SystemVMs boot with kernel FIPS mode, OpenSSL in FIPS mode; hardened services (SSH, HAProxy)
Delivered with validated cryptographic settings and hardened base images
KVM Kernel Module
KVM Agent
Instance Volume Encryption
Host-based SSH
FIPS kernel mode enabled at boot
Communicates with Management Server via TLS 1.2 using CMVP-validated cryptographic providers
AES-256 via LUKS using FIPS-validated module
Restricted to FIPS-approved ciphers, MACs, and host key types
VNC Console Proxy
Keystore & Truststore
Password Hashing
TLS 1.2 enforced; keystore with BCFIPS-backed truststore
Encrypted stores using CMVP-validated libraries
FIPS-compliant hash algorithms (e.g., PBKDF2, SHA-2 family)
Component / Security Implementation
UI / API / CLI
Enforces TLS 1.2/1.3 with CMVP-validated cipher suites
Database Connection
Management Server
Built with BCFIPS; all crypto operations routed via FIPS 140-approved modules; hardened TLS and keystore config
CPVM / SSVM / VR
SystemVMs boot with kernel FIPS mode, OpenSSL in FIPS mode; hardened services (SSH, HAProxy)
SystemVM Templates
Delivered with validated cryptographic settings and hardened base images
KVM Kernel Module
FIPS kernel mode enabled at boot
KVM Agent
Communicates with Management Server via TLS 1.2/1.3 using CMVP-validated cryptographic providers
Instance Volume Encryption
AES-256 via LUKS using FIPS-validated module
Host-based SSH
Restricted to FIPS-approved ciphers, MACs, and host key types
VNC Console Proxy
TLS 1.2/1.3 enforced; keystore with BCFIPS-backed truststore
Keystore & Truststore
Encrypted stores using CMVP-validated libraries
Password Hashing
FIPS-compliant hash algorithms (e.g., PBKDF2, SHA-2 family)
Business Driver
Impact / Value
Regulatory Compliance
Enables deployment in FIPS-mandated environments (Gov, Defense, Healthcare, Finance).
Security Maturity
Removes legacy crypto (MD5, SHA-1, RC4) → reduces data breach surface.
Audit Readiness
Simplifies compliance reporting with validated module IDs (Bouncy Castle #4943 / OpenSSL #4985).
Operational Integrity
Enforces consistent crypto behaviour across hosts, VMs, APIs, and databases.
Customer Confidence
Demonstrates alignment with NIST, ISO 27001, and FedRAMP expectations.
Business Driver / Impact & Value
Regulatory Compliance
Enables deployment in FIPS-mandated environments (Gov, Defense, Healthcare, Finance).
Security Maturity
Removes legacy crypto (MD5, SHA-1, RC4) → reduces data breach surface.
Audit Readiness
Simplifies compliance reporting with validated module IDs (Bouncy Castle #4943 / OpenSSL #4985).
Operational Integrity
Enforces consistent crypto behavior across hosts, VMs, APIs, and databases.
Customer Confidence
Demonstrates alignment with NIST, ISO 27001, and FedRAMP expectations.
The FIPS-validated version of Apache CloudStack is a ShapeBlue’s maintained distribution of Apache CloudStack that enforces only NIST CMVP-validated cryptographic modules and algorithms across the stack. TLS, SSH, key management, and internal services adhere to FIPS 140-2/140-3 requirements – ideal for government, defence, finance, healthcare, and critical infrastructure.
This version of Apache CloudStack is available exclusively to ShapeBlue customers because it requires ongoing specialised maintenance, security updates, and compliance monitoring to ensure continuous adherence to FIPS standards. ShapeBlue provides a high level of support and assurance necessary for organisations with strict regulatory or contractual obligations. This approach ensures that the platform remains secure, compliant, and fully supported in sensitive and highly regulated environments.
The diagrams below illustrate a typical Apache CloudStack deployment architecture and how the same infrastructure can operate within a FIPS-compliant cryptographic scope. While the overall topology remains the same, the FIPS-compliant model enforces strict cryptographic controls across management servers, database communications, system virtual machines, hosts, and all UI and API access points, ensuring that only FIPS-approved algorithms and validated modules are used.
Speak with our team to discuss your requirements and how ShapeBlue can help design and deliver a compliant Apache CloudStack deployment tailored to your organisation.
Standard
CloudStack
FIPS-Compliant CloudStack
Business Benefit
Generic Java & OpenSSL libraries
FIPS-validated modules (Bouncy Castle FIPS, OpenSSL FIPS)
Meets federal crypto validation.
MD5, SHA-1, RC4 supported
AES, SHA-2/3, RSA, ECDSA only
Eliminates weak ciphers.
PBKDF2-SHA1 / SAML2 / plaintext options
PBKDF2-SHA256, TLS only
Stronger credential protection.
TLS 1.0–1.2 allowed
TLS 1.2 only, restricted ciphers
Enforced secure channels.
Non-FIPS Debian
FIPS-kernel Debian 12.11
End-to-end crypto integrity.
No FIPS control
MySQL ssl_fips_mode=STRICT
Data-in-transit + at-rest secured.
Self-managed
Via ShapeBlue consultancy only
Maintains validation integrity.
| Area | Standard CloudStack | FIPS-Compliant CloudStack | Business Benefit |
|---|---|---|---|
| Crypto Modules | Generic Java & OpenSSL libraries | FIPS-validated modules (Bouncy Castle FIPS, OpenSSL FIPS) | Meets federal crypto validation. |
| Encryption Standards | MD5, SHA-1, RC4 supported | AES, SHA-2/3, RSA, ECDSA only | Eliminates weak ciphers. |
| Authentication | PBKDF2-SHA1 / SAML2 / plaintext options | PBKDF2-SHA256, TLS only | Stronger credential protection. |
| Protocols | TLS 1.0–1.2 allowed | TLS 1.2 only, restricted ciphers | Enforced secure channels. |
| System VM Templates | Non-FIPS Debian | FIPS-kernel Debian 12.11 | End-to-end crypto integrity. |
| Database | No FIPS control | MySQL ssl_fips_mode=STRICT | Data-in-transit + at-rest secured. |
| Upgrade Path | Self-managed | Via ShapeBlue consultancy only | Maintains validation integrity. |
Exclusive use of FIPS 140-approved modules and algorithms across control and data paths.
TLS 1.2 only; SSH limited to FIPS-approved ciphers/MACs and key types.
Console Proxy, Secondary Storage, and Virtual Router run with kernel FIPS mode and OpenSSL in FIPS mode.
CloudStack engineering leaders with deployment automation, validation, and continuous updates.
FIPS 140-2
FIPS 140-3
Comments
Approved
Approved
Prefer GCM/CTR in practice.
Approved
Approved
PKCS#1 v1.5 acceptable; OAEP recommended where applicable.
Approved
Approved
PFS with NIST curves.
Approved
Approved
Minimum modulus size enforced.
Approved
Approved
SHA-1/MD5 not permitted for secure functions.
Approved
Approved
Approved MACs.
Approved
Approved
Minimum version.
Approved
Approved
No RC4/3DES in FIPS mode.
Approved
Approved
SHA-2 only.
Approved
Approved
DSA disallowed.
| Algorithm / Technique | FIPS 140-2 | FIPS 140-3 | Comments |
|---|---|---|---|
| AES (GCM, CTR, CBC) | Approved | Approved | Prefer GCM/CTR in practice. |
| RSA (≥ 2048-bit) | Approved | Approved | PKCS#1 v1.5 acceptable; OAEP recommended where applicable. |
| ECDHE (P-256/384/521) | Approved | Approved | PFS with NIST curves. |
| DHE (≥ 2048-bit) | Approved | Approved | Minimum modulus size enforced. |
| SHA-2 (256/384/512) | Approved | Approved | SHA-1/MD5 not permitted for secure functions. |
| HMAC-SHA-2 | Approved | Approved | Approved MACs. |
| TLSv1.2 | Approved | Approved | Minimum version. |
| SSH (AES-CTR) | Approved | Approved | No RC4/3DES in FIPS mode. |
| SSH MACs (HMAC-SHA-2) | Approved | Approved | SHA-2 only. |
| SSH Keys (ECDSA NIST, RSA-SHA-2) | Approved | Approved | DSA disallowed. |
FIPS 140 certifies cryptographic modules, not complete products. CloudStack FIPS uses CMVP-validated modules and enforces their use platform-wide.
FIPS (Federal Information Processing Standards) is a set of security standards defined by NIST that governs how cryptographic modules must be implemented and validated. Achieving FIPS compliance means using only CMVP-validated cryptographic modules and approved algorithms across the environment.
FIPS validation applies to individual cryptographic modules that have been tested and approved through the NIST Cryptographic Module Validation Program (CMVP). FIPS compliance refers to how those validated modules and approved algorithms are used within a system. A platform itself is not “FIPS validated,” but it can be operated in a FIPS-compliant manner when all cryptographic functions rely on validated modules and approved configurations across the stack.
FIPS 140-3 is the current cryptographic module validation standard published by NIST, replacing FIPS 140-2. While many existing modules were originally validated under FIPS 140-2, newer validations follow the FIPS 140-3 standard. Both may still be encountered in regulated environments depending on the module validation lifecycle.
No. FIPS certification applies to cryptographic modules, not to full platforms. CloudStack itself is not “FIPS certified,” but it can be configured to operate in a FIPS-compliant manner when all cryptographic operations use validated modules consistently across the stack.
No. CloudStack currently runs in FIPS 140-3 mode using TLS 1.2, following NIST SP 800-52 Revision 2. TLS 1.3 may come later, once the underlying components (OpenSSL FIPS module, Java libraries, etc.) are validated and integrated, but it isn’t supported in the current release.
ShapeBlue packages and runbooks ensure updates preserve FIPS mode and conformance.
The ShapeBlue distribution replaces non-approved algorithms and libraries with FIPS-approved equivalents and enforces validated cryptography across the control plane, System VMs, host agents, and APIs.
This includes:
Hardened TLS configurations
FIPS-mode System VMs
Validated crypto providers (e.g., BCFIPS)
Restricted SSH cipher suites
AES-256 volume encryption via LUKS
FIPS enforcement is common in environments handling sensitive or regulated data, including:
Government and federal contractors
Defense and national security
Financial services
Healthcare
Critical infrastructure operators
In many cases, FIPS becomes a contractual requirement for cloud providers serving these sectors.
Out of the box, CloudStack includes strong security features, but it does not enforce full-stack FIPS cryptographic policies by default. Achieving consistent compliance across all components typically requires significant hardening and validation work.
No. The framework focuses on cryptographic enforcement and hardened configurations. It does not modify orchestration behaviour or introduce unsupported forks, preserving compatibility with upstream CloudStack releases.
The maintained FIPS-aligned distribution is provided to ShapeBlue customers because it requires ongoing security maintenance, updates, and compliance monitoring to ensure continuous adherence.
Typical enforcement includes:
TLS 1.2+ with approved cipher suites
AES-256 for disk encryption
SHA-2 family hashing
PBKDF2 password hashing
FIPS-approved SSH algorithms
(Exact controls depend on deployment scope.)
No. FIPS addresses cryptographic assurance only. Organisations usually also need:
Access controls
Continuous monitoring
Audit logging
Governance processes
FIPS is necessary in many regulated environments but is only one part of a broader compliance posture.
CloudStack FIPS currently targets KVM on the following Linux distributions:
Red Hat Enterprise Linux (RHEL) 8 and 9 (x86_64)
Oracle Linux 8 and 9 (x86_64)
Ubuntu Pro (LTS) with FIPS packages enabled (x86_64)
FIPS require the OS to boot with FIPS mode enabled and to use CMVP-validated OpenSSL packages. Ubuntu requires Ubuntu Pro to enable the FIPS-certified package set.
The Management Server and KVM Hosts are supported on the same distributions. SystemVMs are delivered hardened for FIPS; no separate OS selection is required for them.
Organisations typically begin with a compliance assessment and architecture review to determine scope, gaps, and required controls before deploying a FIPS-aligned CloudStack environment.
Learn how to move from VMware to CloudStack in weeks, using a methodology already proven in production environments.