Federal-Grade, Cryptographically Validated Cloud Infrastructure
Build a secure and compliant IaaS environment for regulated environments and management of sensitive data with Apache CloudStack to meet federal government standards.
The FIPS-validated version of Apache CloudStack is a ShapeBlue-maintained distribution designed for highly regulated environments. It enforces NIST CMVP-validated cryptographic modules and algorithms across the stack—covering TLS, SSH, key management, and internal services.
Ideal for government, defense, finance, healthcare, and critical infrastructure, this release provides secure-by-design private cloud deployments, eliminating weak ciphers, enforcing trusted algorithms, and reducing audit and regulatory risk.
Mandatory use of FIPS-validated cryptography for federal information systems and CUI handling.
Regulations: FISMA, FedRAMP, NIST SP 800-53, NIST SP 800-171
Required for systems processing Controlled Unclassified Information (CUI) in the defense supply chain.
Regulations: DFARS 252.204-7012, CMMC (derived from NIST SP 800-171)
Often mandated for high-assurance encryption in regulated operational environments.
Regulations: NERC CIP, DOE guidance, federal critical infrastructure programs
Frequently required by institutional policy even when not explicitly mandated by PCI DSS
Regulations: PCI DSS, FFIEC guidance, federal banking oversight
Requires FIPS-validated encryption for data in transit and at rest.
Regulations: CJIS Security Policy
Component
Security implementation
UI / API / CLI
Database Connection
Enforces TLS 1.2 with CMVP-validated cipher suites
Management Server
CPVM / SSVM / VR
SystemVM Templates
Built with BCFIPS; all crypto operations routed via FIPS 140-approved modules; hardened TLS and keystore config
SystemVMs boot with kernel FIPS mode, OpenSSL in FIPS mode; hardened services (SSH, HAProxy)
Delivered with validated cryptographic settings and hardened base images
KVM Kernel Module
KVM Agent
Instance Volume Encryption
Host-based SSH
FIPS kernel mode enabled at boot
Communicates with Management Server via TLS 1.2 using CMVP-validated cryptographic providers
AES-256 via LUKS using FIPS-validated module
Restricted to FIPS-approved ciphers, MACs, and host key types
VNC Console Proxy
Keystore & Truststore
Password Hashing
TLS 1.2 enforced; keystore with BCFIPS-backed truststore
Encrypted stores using CMVP-validated libraries
FIPS-compliant hash algorithms (e.g., PBKDF2, SHA-2 family)
Component / Security Implementation
UI / API / CLI
Enforces TLS 1.2/1.3 with CMVP-validated cipher suites
Database Connection
Management Server
Built with BCFIPS; all crypto operations routed via FIPS 140-approved modules; hardened TLS and keystore config
CPVM / SSVM / VR
SystemVMs boot with kernel FIPS mode, OpenSSL in FIPS mode; hardened services (SSH, HAProxy)
SystemVM Templates
Delivered with validated cryptographic settings and hardened base images
KVM Kernel Module
FIPS kernel mode enabled at boot
KVM Agent
Communicates with Management Server via TLS 1.2/1.3 using CMVP-validated cryptographic providers
Instance Volume Encryption
AES-256 via LUKS using FIPS-validated module
Host-based SSH
Restricted to FIPS-approved ciphers, MACs, and host key types
VNC Console Proxy
TLS 1.2/1.3 enforced; keystore with BCFIPS-backed truststore
Keystore & Truststore
Encrypted stores using CMVP-validated libraries
Password Hashing
FIPS-compliant hash algorithms (e.g., PBKDF2, SHA-2 family)
Business Driver
Impact / Value
Regulatory Compliance
Enables deployment in FIPS-mandated environments (Gov, Defense, Healthcare, Finance).
Security Maturity
Removes legacy crypto (MD5, SHA-1, RC4) → reduces data breach surface.
Audit Readiness
Simplifies compliance reporting with validated module IDs (Bouncy Castle #4943 / OpenSSL #4985).
Operational Integrity
Enforces consistent crypto behaviour across hosts, VMs, APIs, and databases.
Customer Confidence
Demonstrates alignment with NIST, ISO 27001, and FedRAMP expectations.
Business Driver / Impact & Value
Regulatory Compliance
Enables deployment in FIPS-mandated environments (Gov, Defense, Healthcare, Finance).
Security Maturity
Removes legacy crypto (MD5, SHA-1, RC4) → reduces data breach surface.
Audit Readiness
Simplifies compliance reporting with validated module IDs (Bouncy Castle #4943 / OpenSSL #4985).
Operational Integrity
Enforces consistent crypto behavior across hosts, VMs, APIs, and databases.
Customer Confidence
Demonstrates alignment with NIST, ISO 27001, and FedRAMP expectations.
The FIPS-validated version of Apache CloudStack is a ShapeBlue’s maintained distribution of Apache CloudStack that enforces only NIST CMVP-validated cryptographic modules and algorithms across the stack. TLS, SSH, key management, and internal services adhere to FIPS 140-2/140-3 requirements – ideal for government, defence, finance, healthcare, and critical infrastructure.
This version of Apache CloudStack is available exclusively to ShapeBlue customers because it requires ongoing specialised maintenance, security updates, and compliance monitoring to ensure continuous adherence to FIPS standards. ShapeBlue provides a high level of support and assurance necessary for organisations with strict regulatory or contractual obligations. This approach ensures that the platform remains secure, compliant, and fully supported in sensitive and highly regulated environments.
Speak with our team to discuss your requirements and how ShapeBlue can help design and deliver a compliant Apache CloudStack deployment tailored to your organisation.
Standard
CloudStack
FIPS-Compliant CloudStack
Business Benefit
Generic Java & OpenSSL libraries
FIPS-validated modules (Bouncy Castle FIPS, OpenSSL FIPS)
Meets federal crypto validation.
MD5, SHA-1, RC4 supported
AES, SHA-2/3, RSA, ECDSA only
Eliminates weak ciphers.
PBKDF2-SHA1 / SAML2 / plaintext options
PBKDF2-SHA256, TLS only
Stronger credential protection.
TLS 1.0–1.2 allowed
TLS 1.2 only, restricted ciphers
Enforced secure channels.
Non-FIPS Debian
FIPS-kernel Debian 12.11
End-to-end crypto integrity.
No FIPS control
MySQL ssl_fips_mode=STRICT
Data-in-transit + at-rest secured.
Self-managed
Via ShapeBlue consultancy only
Maintains validation integrity.
| Area | Standard CloudStack | FIPS-Compliant CloudStack | Business Benefit |
|---|---|---|---|
| Crypto Modules | Generic Java & OpenSSL libraries | FIPS-validated modules (Bouncy Castle FIPS, OpenSSL FIPS) | Meets federal crypto validation. |
| Encryption Standards | MD5, SHA-1, RC4 supported | AES, SHA-2/3, RSA, ECDSA only | Eliminates weak ciphers. |
| Authentication | PBKDF2-SHA1 / SAML2 / plaintext options | PBKDF2-SHA256, TLS only | Stronger credential protection. |
| Protocols | TLS 1.0–1.2 allowed | TLS 1.2 only, restricted ciphers | Enforced secure channels. |
| System VM Templates | Non-FIPS Debian | FIPS-kernel Debian 12.11 | End-to-end crypto integrity. |
| Database | No FIPS control | MySQL ssl_fips_mode=STRICT | Data-in-transit + at-rest secured. |
| Upgrade Path | Self-managed | Via ShapeBlue consultancy only | Maintains validation integrity. |
FIPS 140-2
FIPS 140-3
Comments
Approved
Approved
Prefer GCM/CTR in practice.
Approved
Approved
PKCS#1 v1.5 acceptable; OAEP recommended where applicable.
Approved
Approved
PFS with NIST curves.
Approved
Approved
Minimum modulus size enforced.
Approved
Approved
SHA-1/MD5 not permitted for secure functions.
Approved
Approved
Approved MACs.
Approved
Approved
Minimum version.
Approved
Approved
No RC4/3DES in FIPS mode.
Approved
Approved
SHA-2 only.
Approved
Approved
DSA disallowed.
| Algorithm / Technique | FIPS 140-2 | FIPS 140-3 | Comments |
|---|---|---|---|
| AES (GCM, CTR, CBC) | Approved | Approved | Prefer GCM/CTR in practice. |
| RSA (≥ 2048-bit) | Approved | Approved | PKCS#1 v1.5 acceptable; OAEP recommended where applicable. |
| ECDHE (P-256/384/521) | Approved | Approved | PFS with NIST curves. |
| DHE (≥ 2048-bit) | Approved | Approved | Minimum modulus size enforced. |
| SHA-2 (256/384/512) | Approved | Approved | SHA-1/MD5 not permitted for secure functions. |
| HMAC-SHA-2 | Approved | Approved | Approved MACs. |
| TLSv1.2 | Approved | Approved | Minimum version. |
| SSH (AES-CTR) | Approved | Approved | No RC4/3DES in FIPS mode. |
| SSH MACs (HMAC-SHA-2) | Approved | Approved | SHA-2 only. |
| SSH Keys (ECDSA NIST, RSA-SHA-2) | Approved | Approved | DSA disallowed. |
Exclusive use of FIPS 140-approved modules and algorithms across control and data paths.
TLS 1.2 only; SSH limited to FIPS-approved ciphers/MACs and key types.
Console Proxy, Secondary Storage, and Virtual Router run with kernel FIPS mode and OpenSSL in FIPS mode.
CloudStack engineering leaders with deployment automation, validation, and continuous updates.
FIPS 140 certifies cryptographic modules, not complete products. CloudStack FIPS uses CMVP-validated modules and enforces their use platform-wide.
FIPS stands for Federal Information Processing Standards.
These are public standards developed by the United States federal government, specifically by the National Institute of Standards and Technology (NIST), to ensure that all federal agencies and contractors use consistent, secure, and interoperable information systems.
They are primarily used to ensure security, interoperability, and consistency in IT systems — especially for cryptographic modules, data processing, and system categorization.
FIPS 140 stands for Federal Information Processing Standard 140 – “Security Requirements for Cryptographic Modules”. It defines how cryptographic hardware and software must be designed and implemented to be secure enough for U.S. government use.
In the case of software modules, these are typically libraries or components that perform cryptographic operations like encryption, decryption, hashing, key generation, or secure communications.
The Current version of FIPS 140 standard is FIPS 140-3, which is published on March 22, 2019. You can find more details at https://csrc.nist.gov/pubs/fips/140-3/final
No. FIPS 140 certifies crypto modules. CloudStack FIPS uses CMVP-validated modules and enforces their exclusive use.
No. CloudStack currently runs in FIPS 140-3 mode using TLS 1.2, following NIST SP 800-52 Revision 2.
TLS 1.3 may come later, once the underlying components (OpenSSL FIPS module, Java libraries, etc.) are validated and integrated, but it isn’t supported in the current release.
Current scope targets KVM (Oracle 8 and 9) (Ubuntu Pro) (RHel 8 and 9) with hardened SystemVMs. Contact us for roadmap/scope extensions.
ShapeBlue packages and runbooks ensure updates preserve FIPS mode and conformance.
No. FIPS addresses crypto modules. Certifications require whole-system controls and audits. CloudStack FIPS accelerates the crypto portion
CloudStack FIPS currently targets KVM on the following Linux distributions:
FIPS require the OS to boot with FIPS mode enabled and to use CMVP-validated OpenSSL packages. Ubuntu requires Ubuntu Pro to enable the FIPS-certified package set.
The Management Server and KVM Hosts are supported on the same distributions. SystemVMs are delivered hardened for FIPS; no separate OS selection is required for them.
Learn how to move from VMware to CloudStack in weeks, using a methodology already proven in production environments.