
# FIPS Images

> FIPS 140-3 validated container images for regulated environments, with wolfSSL and supply chain attestations.

Root provides base images for workloads running in regulated environments (FedRAMP, DoD, financial services, healthcare) that are built on a FIPS 140-3 validated cryptographic module. CMVP validation attaches to the module, not to the container image itself: these images use wolfSSL FIPS v5.8.2 (CMVP Certificate [#4718](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4718)) as the cryptographic provider.

## Cryptographic Profile

### Approved Algorithms

| Algorithm                 | Use Case                            |
| ------------------------- | ----------------------------------- |
| AES-128/256 (GCM, CBC)    | Symmetric encryption                |
| SHA-256, SHA-384, SHA-512 | Hashing                             |
| RSA-2048/3072/4096        | Asymmetric key exchange and signing |
| ECDSA (P-256, P-384)      | Elliptic curve signing              |
| HMAC-SHA-256/384/512      | Message authentication              |

### Blocked Algorithms

SHA-1 and MD5 are blocked at the library level. This is stricter than FIPS 140-3 itself, which still permits SHA-1 in some legacy, non-signature contexts. Applications that depend on SHA-1 (older TLS configurations, legacy JWT signing, some Git operations) will fail at runtime rather than silently falling back, so test them against the image before deploying.

<Note>
  Blocking SHA-1 is an additional restriction layered on top of the module's FIPS 140-3 approved operating mode; it is not part of the validated configuration. If your compliance requirement demands strict adherence to the approved algorithm list without additional restrictions, contact Root to discuss a build variant without the SHA-1 block.
</Note>

## Supply Chain Artifacts

Every FIPS image ships with a full set of supply chain attestations:

| Artifact   | Format  | Description                                                  |
| ---------- | ------- | ------------------------------------------------------------ |
| SBOM       | SPDX    | Full package inventory of OS packages, wolfSSL, and runtime  |
| VEX        | OpenVEX | Vulnerability exploitability statements for known CVEs       |
| Provenance | SLSA    | Build provenance attestation linking the image to its source |

### Downloading the SBOM

```bash theme={null}
# Via Root API: the tag endpoint returns a JSON object whose .url field is a
# download link for the SBOM. Replace the {rrtID} placeholder with the tag ID.
# `jq -r` prints the URL without JSON quotes; `--fail` surfaces HTTP errors
# instead of writing an error body to the output file.
curl --fail -sS -H "Authorization: Bearer $ROOT_TOKEN" \
  "https://api.root.io/v1/images/tags/{rrtID}/sbom" \
  | jq -r '.url' \
  | xargs curl --fail -sS -o fips-sbom.spdx.json
```
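Having the SBOM and VEX on disk is only useful if something reads them. The following script is an added example (not Root's tooling) that does the two checks a reviewer wants before trusting a FIPS image: it confirms that the `wolfssl` package in the SPDX SBOM is exactly the validated module version named above, and it reconciles a scanner's CVE findings against the OpenVEX statements so that only findings the VEX does not close remain. The SBOM, VEX document, package URLs, and CVE identifiers are all constructed samples.

```python
"""Reconcile an SPDX SBOM and an OpenVEX document for a FIPS image.

Two checks:
  1. the wolfSSL package in the SBOM is the validated module version, and
  2. which scanner findings remain open after applying the VEX statements.

All inputs below are constructed samples, not Root's actual artifacts.
"""
import json
from typing import Dict, List, Optional, Tuple

EXPECTED_WOLFSSL = "5.8.2"  # validated module version from the page

# Constructed SPDX 2.3 fragment; field names follow the SPDX JSON schema.
SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "ubuntu-fips-go",
    "packages": [
        {"SPDXID": "SPDXRef-wolfssl", "name": "wolfssl", "versionInfo": "5.8.2"},
        {"SPDXID": "SPDXRef-libc6", "name": "libc6", "versionInfo": "2.35-0ubuntu3"},
        {"SPDXID": "SPDXRef-go", "name": "go", "versionInfo": "1.22.5"},
    ],
})

# Constructed OpenVEX document; product ids and CVE numbers are hypothetical.
VEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/ubuntu-fips-go",
    "statements": [
        {"vulnerability": {"name": "CVE-2024-0001"},
         "products": [{"@id": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-2024-0002"},
         "products": [{"@id": "pkg:golang/stdlib@1.22.5"}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-2024-0003"},
         "products": [{"@id": "pkg:generic/wolfssl@5.8.2"}],
         "status": "under_investigation"},
    ],
})

# Constructed scanner output: (CVE id, purl of the component it flagged).
SCAN_FINDINGS = [
    ("CVE-2024-0001", "pkg:deb/ubuntu/libc6@2.35-0ubuntu3"),
    ("CVE-2024-0002", "pkg:golang/stdlib@1.22.5"),
    ("CVE-2024-0003", "pkg:generic/wolfssl@5.8.2"),
    ("CVE-2024-0004", "pkg:generic/wolfssl@5.8.2"),  # no VEX statement at all
]

# OpenVEX statuses that close a finding; anything else stays on the list.
CLOSING_STATUSES = {"not_affected", "fixed"}


def wolfssl_version(sbom_text: str) -> Optional[str]:
    """Return the versionInfo of the wolfssl package, or None if absent."""
    doc = json.loads(sbom_text)
    for pkg in doc.get("packages", []):
        if pkg.get("name", "").lower() == "wolfssl":
            return pkg.get("versionInfo")
    return None


def module_matches(sbom_text: str, expected: str = EXPECTED_WOLFSSL) -> bool:
    """True only if the SBOM lists wolfSSL at exactly the validated version."""
    return wolfssl_version(sbom_text) == expected


def vex_status(vex_text: str) -> Dict[Tuple[str, str], str]:
    """Map (CVE, product purl) -> status from an OpenVEX document."""
    doc = json.loads(vex_text)
    index: Dict[Tuple[str, str], str] = {}
    for stmt in doc.get("statements", []):
        cve = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            index[(cve, product["@id"])] = stmt["status"]
    return index


def open_findings(findings, vex_text: str) -> List[Tuple[str, str, str]]:
    """Return findings the VEX does not close, as (CVE, purl, reason)."""
    statuses = vex_status(vex_text)
    remaining = []
    for cve, purl in findings:
        status = statuses.get((cve, purl))
        if status is None:
            remaining.append((cve, purl, "no VEX statement"))
        elif status not in CLOSING_STATUSES:
            remaining.append((cve, purl, status))
    return remaining


if __name__ == "__main__":
    print("wolfSSL version ok:", module_matches(SBOM_JSON))
    for cve, purl, reason in open_findings(SCAN_FINDINGS, VEX_JSON):
        print(f"OPEN {cve} on {purl}: {reason}")
```

The matching here is deliberately strict: a finding is closed only by a statement whose product id equals the scanner's purl exactly, and `under_investigation` or `affected` statements are left open, as is a CVE with no statement at all. Real OpenVEX documents may identify the image as the product and list packages under `subcomponents`; extend `vex_status` to index those before using this against Root's actual VEX.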

## STIG Compatibility

FIPS images include an OpenSCAP baseline scan against the STIG profile for Ubuntu 22.04. The scan output is available as an artifact alongside the SBOM. This covers OS-level hardening requirements, which are separate from the cryptographic module certification: a validated module does not make the surrounding OS STIG-compliant, and vice versa.

## Using FIPS Images

Switch the base image in your Dockerfile:

```dockerfile theme={null}
# Before
FROM ubuntu:22.04

# After - FIPS validated
FROM cr.root.io/ubuntu-fips-go:v1.0.0-ubuntu-22.04
```

Pull the image after authenticating:

```bash theme={null}
echo "$ROOT_TOKEN" | docker login cr.root.io --username rootio --password-stdin
docker pull cr.root.io/ubuntu-fips-go:v1.0.0-ubuntu-22.04
```

## Attestation Verification Workflow

An excerpt from a reference GitHub Actions workflow that verifies the attestations before deployment (the SBOM and provenance steps are shown here; the full workflow is linked below):

```yaml theme={null}
- name: Verify FIPS image attestations
  run: |
    IMAGE="cr.root.io/ubuntu-fips-go:v1.0.0-ubuntu-22.04"
    # The identity regexp is unanchored and matches any signer under the org;
    # tighten it to the exact workflow path once you know it.
    IDENTITY_RE="https://github.com/rootio-avr/"
    ISSUER="https://token.actions.githubusercontent.com"

    # Verify the SBOM attestation signature, then extract the SPDX predicate.
    # `cosign download attestation` would fetch every attestation unverified
    # and of every type, so it is not a substitute for this step.
    cosign verify-attestation "$IMAGE" \
      --type spdxjson \
      --certificate-identity-regexp="$IDENTITY_RE" \
      --certificate-oidc-issuer="$ISSUER" \
      | jq '.payload | @base64d | fromjson | .predicate' > sbom.spdx.json

    # Verify SLSA provenance and keep the predicate for policy checks
    cosign verify-attestation "$IMAGE" \
      --type slsaprovenance \
      --certificate-identity-regexp="$IDENTITY_RE" \
      --certificate-oidc-issuer="$ISSUER" \
      | jq '.payload | @base64d | fromjson | .predicate' > provenance.json
```

The full reference workflow (including VEX verification and OpenSCAP report download) is available at [github.com/rootio-avr/fips-attestations](https://github.com/rootio-avr/fips-attestations).
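`cosign verify-attestation` prints one DSSE envelope per verified attestation, one per line, and the in-toto Statement inside each payload carries the `predicateType` that tells the SBOM apart from the provenance. The script below is an added example (not Root's reference workflow) of consuming that output in a deploy gate: it decodes every line, rejects any statement whose subject digest is not the image being checked, indexes predicates by type, and applies a minimal SLSA v0.2 policy to the provenance. The envelopes, digests, builder id, and source URIs are constructed samples; the `rootio-avr` source prefix is assumed from the identity regexp in the workflow above.

```python
"""Select and check predicates from `cosign verify-attestation` output.

Each stdout line is a DSSE envelope: {"payloadType", "payload", "signatures"}.
The payload is a base64-encoded in-toto Statement. Signature checking already
happened inside cosign; this stage decides whether the verified content is
acceptable. All sample data below is constructed.
"""
import base64
import json
from typing import Dict

SPDX_TYPE = "https://spdx.dev/Document"
SLSA02_TYPE = "https://slsa.dev/provenance/v0.2"

IMAGE = "cr.root.io/ubuntu-fips-go"            # image name from the page
IMAGE_DIGEST = "sha256:" + "ab" * 32           # constructed digest
# Assumed policy values; replace with the real builder id and source repo.
EXPECTED_BUILDER = "https://github.com/rootio-avr/example-builder@refs/heads/main"
TRUSTED_SOURCE_PREFIX = "git+https://github.com/rootio-avr/"


def _statement(predicate_type: str, predicate: dict) -> dict:
    """Build an in-toto Statement v0.1 naming IMAGE as its subject."""
    return {"_type": "https://in-toto.io/Statement/v0.1",
            "predicateType": predicate_type,
            "subject": [{"name": IMAGE, "digest": {"sha256": IMAGE_DIGEST[7:]}}],
            "predicate": predicate}


def _envelope(statement: dict) -> str:
    """Wrap a Statement in a DSSE envelope the way cosign prints it."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload,
                       "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]})


# Two constructed lines, as cosign would print them (order is not guaranteed).
COSIGN_OUTPUT = "\n".join([
    _envelope(_statement(SLSA02_TYPE, {
        "builder": {"id": EXPECTED_BUILDER},
        "buildType": "https://example.invalid/container-build@v1",
        "invocation": {"configSource": {
            "uri": TRUSTED_SOURCE_PREFIX + "fips-attestations@refs/heads/main",
            "digest": {"sha1": "0" * 40}}},
        "materials": [{"uri": TRUSTED_SOURCE_PREFIX + "fips-attestations@refs/heads/main",
                       "digest": {"sha1": "0" * 40}}],
    })),
    _envelope(_statement(SPDX_TYPE, {
        "spdxVersion": "SPDX-2.3",
        "packages": [{"name": "wolfssl", "versionInfo": "5.8.2"}],
    })),
])


def predicates_by_type(cosign_output: str, expect_digest: str = IMAGE_DIGEST) -> Dict[str, dict]:
    """Decode each envelope line and return {predicateType: predicate}.

    Raises ValueError if a payload is not in-toto or its subject digest does
    not match the image, so a stray attestation cannot be used by mistake.
    """
    found: Dict[str, dict] = {}
    for line in cosign_output.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
        statement = json.loads(base64.b64decode(envelope["payload"]))
        digests = {"sha256:" + s["digest"]["sha256"] for s in statement.get("subject", [])}
        if expect_digest not in digests:
            raise ValueError("attestation subject does not match image digest")
        found[statement["predicateType"]] = statement["predicate"]
    return found


def provenance_ok(predicate: dict,
                  expected_builder: str = EXPECTED_BUILDER,
                  source_prefix: str = TRUSTED_SOURCE_PREFIX) -> bool:
    """Minimal SLSA v0.2 policy: known builder, trusted config source and materials."""
    if predicate.get("builder", {}).get("id") != expected_builder:
        return False
    config_uri = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not config_uri.startswith(source_prefix):
        return False
    materials = predicate.get("materials", [])
    return bool(materials) and all(m.get("uri", "").startswith(source_prefix) for m in materials)


if __name__ == "__main__":
    preds = predicates_by_type(COSIGN_OUTPUT)
    print("attestation types:", sorted(preds))
    print("provenance ok:", provenance_ok(preds[SLSA02_TYPE]))
```

To wire this into the workflow above, replace `COSIGN_OUTPUT` with `sys.stdin.read()` and pipe both `cosign verify-attestation` invocations into it; the digest check is the part that matters most, since cosign verifies that a signature is valid for the referenced image but it is this stage that decides which verified statement to act on.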
