On Tuesday, AlmaLinux announced that it has obtained FIPS 140-3 security certification for its Linux distro which is primarily used in data centers by enterprises.
On Tuesday the eponymous foundation behind the Red Hat Enterprise Linux compatible distribution AlmaLinux announced that the distro’s latest and greatest, AlmaLinux 9.2, now has FIPS 140-3 certification, which means it has passed the Federal Information Processing Standard’s latest benchmark for validating the effectiveness of cryptographic hardware.
Basically, this means that the operating system is certified secure. According to the financial security company Entrust, “If a product has a FIPS 140-3 certificate you know that it has been tested and formally validated by the U.S. and Canadian Governments.”
Although gaining this certification has been a goal of AlmaLinux since its beginning about three years ago, when the foundation made the decision in July to no longer necessarily be a line-by-line copy of RHEL (which already has FIPS certification) there became added pressure to obtain certification sooner rather than later.
In fact, when I spoke with the foundation’s board chair, benny Vasquez, in late July, she told me, “When we talk to the people that are using Alma, the things that they listed as the most important things were make sure my my applications still run and make sure that if I need to, I can pass any government requirements. So, we’ll have FIPS compliance lined up sometime very soon, and we’ll continue to be as close to RHEL as possible so that all of the applications will work.”
Indeed, FIPS certification is essential for operating systems such as AlmaLinux that are usually deployed in data centers by enterprise users that are often in highly regulated businesses.
“FIPS compliance is a critical certification for users of AlmaLinux OS across industries,” Vasquez explained in a statement issued yesterday. “The validation of security and consistency that comes along with FIPS certification for AlmaLinux provides proof for the entire AlmaLinux community that free doesn’t preclude enterprise-ready. FIPS certification means that AlmaLinux stands as a uniquely robust Linux option with a powerful mix of compliance, cost-effectiveness, and flexibility.”
Yasutoshi Magara, chairman and chief business transformation officer at Cybertrust Japan, a newly minted platinum sponsor of the foundation that will be adopting AlmaLinux as the new base for Miracle Linux, a popular Japan-based RHEL clone, pointed out in a statement that FIPS certification is also important to users operating outside the United States and Canada.
“The adoption of FIPS is not confined to the United States,” he said. “It will inevitably have a significant impact across the industrial sector in Japan, especially its critical infrastructure. Not only does this FIPS certification announcement from the AlmaLinux OS Foundation provide a further boost of confidence for the entire existing community, but it also positions AlmaLinux as a dependable, enduring, and highly appealing option for prospective users — and that’s a powerful posture that Cybertrust Japan welcomes and supports.”
According to yesterday’s press release, AlmaLinux’s FIPS certification was due to the efforts of CloudLinux, a Platinum sponsor and the company that initially spurred the creation of AlmaLinux in the wake of Red Hat’s announcement that it was removing CentOS as a downstream clone of RHEL.
More information about AlmaLinux’s FIPS certification is available in a blog posted by AlmaLinux yesterday by Simon John, a security standard architect at CloudLinux.