Root provides FIPS 140-3 validated base images for workloads running in regulated environments - FedRAMP, DoD, financial services, and healthcare. These images use wolfSSL FIPS v5.8.2 (CMVP Certificate #4718) as the cryptographic provider.
Available FIPS Images
| Image | Runtime | Base OS |
|---|---|---|
| ubuntu-fips-go | Go v1.25 | Ubuntu 22.04 |
| ubuntu-fips-java | OpenJDK 17 | Ubuntu 22.04 |
These images are available from the Root Image Catalog:
```
cr.root.io/ubuntu-fips-go:v1.0.0-ubuntu-22.04
cr.root.io/ubuntu-fips-java:v1.0.0-ubuntu-22.04
```
Cryptographic Profile
Approved Algorithms
| Algorithm | Use Case |
|---|---|
| AES-128/256 (GCM, CBC) | Symmetric encryption |
| SHA-256, SHA-384, SHA-512 | Hashing |
| RSA-2048/3072/4096 | Asymmetric key exchange and signing |
| ECDSA (P-256, P-384) | Elliptic curve signing |
| HMAC-SHA-256/384/512 | Message authentication |
Blocked Algorithms
SHA-1 and MD5 are blocked at the library level. This is stricter than the base FIPS 140-3 standard, which permits SHA-1 in some legacy contexts. Applications that depend on SHA-1 (older TLS configurations, legacy JWT signing, some Git operations) will fail at runtime.
Blocking SHA-1 is technically outside the FIPS 140-3 approved operating mode. If your compliance requirement demands strict adherence to the approved algorithm list without additional restrictions, contact Root to discuss a build variant without the SHA-1 block.
Supply Chain Artifacts
Every FIPS image ships with a full set of supply chain attestations:
| Artifact | Format | Description |
|---|---|---|
| SBOM | SPDX | Full package inventory of OS packages, wolfSSL, and runtime |
| VEX | OpenVEX | Vulnerability exploitability statements for known CVEs |
| Provenance | SLSA | Build provenance attestation linking the image to its source |
| Signature | cosign (keyless) | Sigstore signature for the image manifest |
Verifying the Image Signature
```bash
cosign verify cr.root.io/ubuntu-fips-go:v1.0.0-ubuntu-22.04 \
  --certificate-identity-regexp="https://github.com/rootio-avr/" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
```
Downloading the SBOM
```bash
# Via Root API: the tag endpoint returns a JSON document whose "url" field
# points at the SBOM; -r strips jq's quotes so xargs passes a bare URL to curl
curl -H "Authorization: Bearer $ROOT_TOKEN" \
  "https://api.root.io/v1/images/tags/{rrtID}/sbom" | jq -r '.url' | xargs curl -o fips-sbom.spdx.json
```
STIG Compatibility
FIPS images include an OpenSCAP baseline scan against the STIG profile for Ubuntu 22.04. The scan output is available as an artifact alongside the SBOM. This covers the OS-level hardening requirements separate from the cryptographic module certification.
Using FIPS Images
Switch the base image in your Dockerfile:
```dockerfile
# Before
FROM ubuntu:22.04

# After - FIPS validated
FROM cr.root.io/ubuntu-fips-go:v1.0.0-ubuntu-22.04
```
Pull the image after authenticating:
```bash
echo "$ROOT_TOKEN" | docker login cr.root.io --username rootio --password-stdin
docker pull cr.root.io/ubuntu-fips-go:v1.0.0-ubuntu-22.04
```
Attestation Verification Workflow
A reference GitHub Actions workflow for verifying all attestations before deployment:
```yaml
- name: Verify FIPS image attestations
  run: |
    IMAGE="cr.root.io/ubuntu-fips-go:v1.0.0-ubuntu-22.04"

    # Verify cosign signature
    cosign verify "$IMAGE" \
      --certificate-identity-regexp="https://github.com/rootio-avr/" \
      --certificate-oidc-issuer="https://token.actions.githubusercontent.com"

    # Download and inspect SBOM. The image carries several attestations
    # (SBOM, VEX, provenance) and cosign prints one DSSE envelope per line,
    # so keep only the SPDX statement rather than every predicate.
    cosign download attestation "$IMAGE" | \
      jq '.payload | @base64d | fromjson
          | select(.predicateType == "https://spdx.dev/Document")
          | .predicate' > sbom.spdx.json

    # Verify SLSA provenance
    cosign verify-attestation "$IMAGE" \
      --type slsaprovenance \
      --certificate-identity-regexp="https://github.com/rootio-avr/" \
      --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
```
The full reference workflow (including VEX verification and OpenSCAP report download) is available at github.com/rootio-avr/fips-attestations.
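The SBOM step in the workflow above decodes DSSE envelopes with jq. The following is an added example, not code from Root or the reference workflow, that does the same selection in Python and then checks that the SBOM actually lists the cryptographic provider at the certified version. The envelope lines, package names (`wolfssl-fips`, `golang`) and SLSA predicate type are constructed for the example; only the SPDX predicate type is the standard in-toto one.

```python
import base64
import json
from typing import Optional

SPDX_TYPE = "https://spdx.dev/Document"  # in-toto predicate type for SPDX SBOMs


def _envelope(predicate_type: str, predicate: dict) -> str:
    """Build one DSSE envelope line shaped like `cosign download attestation`
    output (constructed test data, unsigned, not real attestation output)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": "cr.root.io/ubuntu-fips-go", "digest": {"sha256": "0" * 64}}],
        "predicate": predicate,
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": [{"sig": "constructed"}]})


# Two envelopes on two lines: provenance first, SBOM second (constructed sample).
SAMPLE_OUTPUT = "\n".join([
    _envelope("https://slsa.dev/provenance/v0.2",
              {"builder": {"id": "https://github.com/rootio-avr/example-builder"}}),
    _envelope(SPDX_TYPE, {"spdxVersion": "SPDX-2.3", "packages": [
        {"name": "wolfssl-fips", "versionInfo": "5.8.2"},   # hypothetical package name
        {"name": "golang", "versionInfo": "1.25"},
    ]}),
])


def select_predicate(dsse_lines: str, predicate_type: str) -> Optional[dict]:
    """Decode each envelope's base64 payload and return the first predicate
    whose statement carries predicate_type; None if no envelope matches."""
    for line in dsse_lines.splitlines():
        if not line.strip():
            continue
        statement = json.loads(base64.b64decode(json.loads(line)["payload"]))
        if statement.get("predicateType") == predicate_type:
            return statement["predicate"]
    return None


def sbom_package_versions(sbom: dict) -> dict:
    """Map package name to versionInfo for every package in an SPDX predicate."""
    return {p["name"]: p.get("versionInfo", "") for p in sbom.get("packages", [])}


def check_crypto_provider(sbom: dict, name_fragment: str, expected_version: str) -> bool:
    """True if some package whose name contains name_fragment is at expected_version."""
    return any(name_fragment in name and version == expected_version
               for name, version in sbom_package_versions(sbom).items())
```

Selection by predicate type is what keeps a VEX or provenance statement from being mistaken for the SBOM; the version check is only meaningful after `cosign verify-attestation` has accepted the envelope's signature.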