Run Apache CloudStack with end-to-end, FIPS 140-validated cryptography.
Build a secure and compliant IaaS environment for reguilated environments and management of sensitive data with Apache CloudStack to meet federal government standards. The FIPS-compliant CloudStack version replaces non-approved algorithms and libraries with FIPS-approved algorithms and libraries, so that the software uses encryption and security methods that meet FIPS standards.
The FIPS-validated version of Apache CloudStack is a ShapeBlue’s maintained distribution of Apache CloudStack that enforces only NIST CMVP-validated cryptographic modules and algorithms across the stack. TLS, SSH, key management, and internal services adhere to FIPS 140-2/140-3 requirements – ideal for government, defense, finance, healthcare, and critical infrastructure.
This version of Apache CloudStack is available exclusively to ShapeBlue customers because it requires ongoing specialized maintenance, security updates, and compliance monitoring to ensure continuous adherence to FIPS standards. ShapeBlue provides high level of support and assurance necessary for organizations with strict regulatory or contractual obligations. This approach ensures that the platform remains secure, compliant, and fully supported in sensitive and highly regulated environments.
Component
Security implementation
UI / API / CLI
Database Connection
Management Server
CPVM / SSVM / VR
SystemVM Templates
Built with BCFIPS; all crypto operations routed via FIPS 140-approved modules; hardened TLS and keystore config
SystemVMs boot with kernel FIPS mode, OpenSSL in FIPS mode; hardened services (SSH, HAProxy)
Delivered with validated cryptographic settings and hardened base images
KVM Kernel Module
KVM Agent
Instance Volume Encryption
Host-based SSH
FIPS kernel mode enabled at boot
Communicates with Management Server via TLS 1.2/1.3 using CMVP-validated cryptographic providers
AES-256 via LUKS using FIPS-validated module
Restricted to FIPS-approved ciphers, MACs, and host key types
VNC Console Proxy
Keystore & Truststore
Password Hashing
TLS 1.2/1.3 enforced; keystore with BCFIPS-backed truststore
Encrypted stores using CMVP-validated libraries
FIPS-compliant hash algorithms (e.g., PBKDF2, SHA-2 family)
Component / Security Implementation
UI / API / CLI
Enforces TLS 1.2/1.3 with CMVP-validated cipher suites
Database Connection
Management Server
Built with BCFIPS; all crypto operations routed via FIPS 140-approved modules; hardened TLS and keystore config
CPVM / SSVM / VR
SystemVMs boot with kernel FIPS mode, OpenSSL in FIPS mode; hardened services (SSH, HAProxy)
SystemVM Templates
Delivered with validated cryptographic settings and hardened base images
KVM Kernel Module
FIPS kernel mode enabled at boot
KVM Agent
Communicates with Management Server via TLS 1.2/1.3 using CMVP-validated cryptographic providers
Instance Volume Encryption
AES-256 via LUKS using FIPS-validated module
Host-based SSH
Restricted to FIPS-approved ciphers, MACs, and host key types
VNC Console Proxy
TLS 1.2/1.3 enforced; keystore with BCFIPS-backed truststore
Keystore & Truststore
Encrypted stores using CMVP-validated libraries
Password Hashing
FIPS-compliant hash algorithms (e.g., PBKDF2, SHA-2 family)
| Algorithm / Technique | FIPS 140-2 | FIPS 140-3 | Comments |
|---|---|---|---|
| AES (GCM, CTR, CBC) | Approved | Approved | Prefer GCM/CTR in practice. |
| RSA (≥ 2048-bit) | Approved | Approved | PKCS#1 v1.5 acceptable; OAEP recommended where applicable. |
| ECDHE (P-256/384/521) | Approved | Approved | PFS with NIST curves. |
| DHE (≥ 2048-bit) | Approved | Approved | Minimum modulus size enforced. |
| SHA-2 (256/384/512) | Approved | Approved | SHA-1/MD5 not permitted for secure functions. |
| HMAC-SHA-2 | Approved | Approved | Approved MACs. |
| TLSv1.2 | Approved | Approved | Minimum version. |
| SSH (AES-CTR) | Approved | Approved | No RC4/3DES in FIPS mode. |
| SSH MACs (HMAC-SHA-2) | Approved | Approved | SHA-2 only. |
| SSH Keys (ECDSA NIST, RSA-SHA-2) | Approved | Approved | DSA disallowed. |
Exclusive use of FIPS 140-approved modules and algorithms across control and data paths.
TLS 1.2/1.3 only; SSH limited to FIPS-approved ciphers/MACs and key types.
Console Proxy, Secondary Storage, and Virtual Router run with kernel FIPS mode and OpenSSL in FIPS mode.
CloudStack engineering leaders with deployment automation, validation, and continuous updates.
FIPS 140 certifies cryptographic modules, not complete products. CloudStack FIPS uses CMVP-validated modules and enforces their use platform-wide.
FIPS stands for Federal Information Processing Standards.
These are public standards developed by the United States federal government, specifically by the National Institute of Standards and Technology (NIST), to ensure that all federal agencies and contractors use consistent, secure, and interoperable information systems.
They are primarily used to ensure security, interoperability, and consistency in IT systems — especially for cryptographic modules, data processing, and system categorization.
FIPS 140 stands for Federal Information Processing Standard 140 – “Security Requirements for Cryptographic Modules”. It defines how cryptographic hardware and software must be designed and implemented to be secure enough for U.S. government use.
In the case of software modules, these are typically libraries or components that perform cryptographic operations like encryption, decryption, hashing, key generation, or secure communications.
The Current version of FIPS 140 standard is FIPS 140-3, which is published on March 22, 2019. You can find more details at https://csrc.nist.gov/pubs/fips/140-3/final
No. FIPS 140 certifies crypto modules. CloudStack FIPS uses CMVP-validated modules and enforces their exclusive use.
Yes, when the underlying module supports it (FIPS 140-3). TLS 1.2 remains the baseline per SP 800-52r2.
Current scope targets KVM (Oracle 8 and 9) (Ubuntu Pro) (RHel 8 and 9) with hardened SystemVMs. Contact us for roadmap/scope extensions.
ShapeBlue packages and runbooks ensure updates preserve FIPS mode and conformance.
No. FIPS addresses crypto modules. Certifications require whole-system controls and audits. CloudStack FIPS accelerates the crypto portion
CloudStack FIPS currently targets KVM on the following Linux distributions:
FIPS require the OS to boot with FIPS mode enabled and to use CMVP-validated OpenSSL packages. Ubuntu requires Ubuntu Pro to enable the FIPS-certified package set.
The Management Server and KVM Hosts are supported on the same distributions. SystemVMs are delivered hardened for FIPS; no separate OS selection is required for them.
Watch back this webinar to learn how to design high-performance infrastructure powered by open-source technology and GPUs.