rust-fips

packaged by Chainguard

Chainguard Container for rust-fips

Minimal Rust image for building Rust applications with Chainguard FIPS Provider for OpenSSL.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/rust-fips:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

The Chainguard rust-fips image contains the tools needed to build Rust code with Chainguard FIPS Provider for OpenSSL, including the following:

• openssl-dev (OpenSSL development headers)
• openssl-config-fipshardened (Chainguard FIPS Provider for OpenSSL)
• rustls-openssl-client demo application
• rustc
• cargo
• cargo-auditable wrapper
• cargo-deny
• rustdoc
• rustlldb
• rust-audit-info

This image also includes a shell for compatibility with most cargo package installations.

This image is not intended to be used as a runtime image, only as a build tool.

It's recommended that you use a Chainguard FIPS image (for example, glibc-openssl-fips) as the runtime image when building with the rust-fips image.

FIPS Notes

The majority of Rust crates do not use validated cryptography, including crates that declare a FIPS feature. For even the most popular crates, Rust Cryptography traits and default implementations have not completed CMVP validation and do not have FIPS certificates. When Rustls uses aws-lc, it defaults to a non-FIPS build. If the FIPS feature is enabled, it instead uses a build of aws-lc that is not yet FIPS-validated (as of this writing, the module is still in the validation process).

However, it is possible to use OpenSSL bindings from Rust to enable OpenSSL cryptography at runtime in order to achieve FIPS compliance. Note that you must also have libcrypto configured to use a FIPS validated provider at runtime (such as the Chainguard FIPS provider for OpenSSL) to achieve FIPS compliance.

Chainguard's rust-fips image provides tools and guidance on how to create or port existing applications that use rustls to use the OpenSSL FIPS provider. This image also provides guidance on how to achieve hardened FIPS configuration, using IETF-recommended ciphers and key exchange that are compliant with the latest FIPS 140-3 and CNSA 1.0 standards, to achieve parity with all other Chainguard FIPS Images.

This image provides a demo project rustls-openssl-client, which contains a sample deny.toml configuration for Cargo Deny to ban known popular cryptographic crates that are not validated implementations. Adopting deny.toml in your codebases and using cargo deny check helps to prevent non-validated crates from being added to the build as either direct or transitive dependencies.

The rustls client config is shown to activate the OpenSSL provider by default, as well as ensure that only strong and validated cryptography is used in line with the latest FIPS 140-3 and CNSA 1.0 standards. This is an improvement over the stock rustls-openssl crate, as it uses non-approved cryptography and prefers non-CNSA ciphers and groups, even when built using the FIPS feature. This demo project is also precompiled and available as a simple HTTPS get client binary /usr/bin/rustls-openssl-client.

Resulting binaries will be dynamically linked against OpenSSL, and the FIPS validation will depend on the runtime environment validation. For example, deploying binaries on top of the glibc-openssl-fips image will use CMVP & ESV validation as provided by that image. The same binary can also be deployed onto the glibc-openssl image to operate without FIPS cryptography, if so desired.

Do not attempt to statically link binaries. Doing so will lead to runtime crashes and an inability to activate the FIPS provider — achieving no FIPS compliance at runtime. Only dynamically linked binaries are supported.

To verify that FIPS provider is activated, follow the OpenSSL verification steps from Chainguard Academy.

Rust Version

The following command will automatically pull the image to your local system and execute the command rustc --version:

docker run --rm cgr.dev/chainguard/rust --version

This will return output similar to the following:

rustc 1.67.1 (d5a82bbd2 2023-02-07) (built from a source tarball)

Cargo Auditable

By default, /usr/local/bin/cargo contains a wrapper to always call cargo auditable which generates and embeds build time crate information in the compiled binaries. This enables the inspection of compiled Rust binaries with rust-audit-info, which is also included in this image. Many security scanners also know how to parse this information for the purpose of detecting security vulnerabilities. For more information refer to the Cargo Auditable GitHub project.

Building without audit information is possible by invoking /usr/bin/cargo directly. However, doing so will evade scanner support in the resulting binaries.

Cargo Deny

This image also includes the Cargo Deny plugin by default. This is a useful tool to monitor dependencies and features, enforce license compliance, and deduplicate crates.

Application Setup for End Users

For runtime, you can use a multi-stage Dockerfile or similar technique to run your compiled binaries on an even more slimmed down image.

Chainguard recommends using the glibc-openssl-fips, or any other Chainguard FIPS Image, as the runtime image. The following sample Dockerfile shows how to get a basic build up and running on glibc-openssl-fips:

FROM cgr.dev/ORGANIZATION/rust-fips AS build
COPY --from=cgr.dev/ORGANIZATION/rust-fips /usr/src/rustls-openssl-client /work
WORKDIR /work
RUN cargo deny check
RUN cargo build --release

FROM cgr.dev/ORGANIZATION/glibc-openssl-fips
COPY --from=build --chown=nonroot:nonroot /work/target/release/rustls-openssl-client /usr/local/bin/rustls-openssl-client
CMD ["/usr/local/bin/rustls-openssl-client"]

Using this sample Dockerfile, you could build an image with a command like the following. This example names the image rustls-openssl-client-fips.

docker build --no-cache -t rustls-openssl-client-fips .

Once the image is built, you can run it like so:

$ docker run -t rustls-openssl-client-fips
HTTP/1.1 307 Temporary Redirect
content-type: text/html; charset=utf-8
location: https://www.chainguard.dev/containers
Content-Length: 73
date: Tue, 14 Apr 2026 22:34:50 GMT
server: Google Frontend
traceparent: 00-017d7bb0e4a3669cb9033c135d96cdfb-2af194e59f0f62ef-00
x-cloud-trace-context: 017d7bb0e4a3669cb9033c135d96cdfb/3094418132917248751
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000
Connection: close

<a href="https://www.chainguard.dev/containers">Temporary Redirect</a>.

You can also replace the first argument with alternatives to test connectivity with any other TLS hosts.

What are Chainguard Containers?

Chainguard's free tier of Starter container images are built with Wolfi, our minimal Linux undistro.

All other Chainguard Containers are built with Chainguard OS, Chainguard's minimal Linux operating system designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a development, or -dev, variant.

In all other cases, including Chainguard Containers tagged as :latest or with a specific version number, the container images include only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager.

Although the -dev container image variants have similar security features as their more minimal versions, they include additional software that is typically not necessary in production environments. We recommend using multi-stage builds to copy artifacts from the -dev variant into a more minimal production image.

Need additional packages?

To improve security, Chainguard Containers include only essential dependencies. Need more packages? Chainguard customers can use Custom Assembly to add packages, either through the Console, chainctl, or API.

To use Custom Assembly in the Chainguard Console: navigate to the image you'd like to customize in your Organization's list of images, and click on the Customize image button at the top of the page.

Learn More

Refer to our Chainguard Containers documentation on Chainguard Academy. Chainguard also offers VMs and Libraries — contact us for access.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.