TL;DR: Chainguard container images containing Envoy FIPS will use BoringCrypto 20240407 (CMVP #5104) on or before February 17th, 2026
| Announcement date | Planned Change date |
| Jan 23, 2026 | Feb 17, 2026 |
We are pleased to announce that Chainguard FIPS container images containing Envoy FIPS (envoy-fips, envoy-iamguarded-fips, cilium-agent-fips, cilium-envoy-fips, istio-proxy-fips) will upgrade to the recently certified BoringCrypto 20240407 (CMVP #5104) on or before February 17th, 2026. Because the latest version of the Envoy upstream project requires this version of BoringCrypto, some images may upgrade earlier; for example, the cilium-envoy-fips 1.18.6 image will upgrade on January 23, 2026.
The latest information on all current and upcoming FIPS validated cryptography modules can always be found in Chainguard’s FIPS commitment page, and the full timeline for all FIPS module transitions can be found in this Knowledge Base article.
This communication includes the following topics:
What is changing?
Chainguard FIPS container images containing Envoy FIPS (envoy-fips, envoy-iamguarded-fips, cilium-agent-fips, cilium-envoy-fips, istio-proxy-fips) will transition from the BoringCrypto 2023042800 (CMVP #4953) to the BoringCrypto 20240407 (CMVP #5104) on or before February 17th, 2026.
Some images may upgrade more quickly. In particular, cilium-envoy-fips 1.18.6 will be upgraded on January 23, 2026, as the upstream point release has raised the BoringCrypto requirements.
Why is Chainguard making this change?
Chainguard is committed to ensuring that Chainguard FIPS container images remain aligned with industry standards and evolving regulatory requirements. We regularly upgrade FIPS validated cryptography modules in our images to ensure our catalog contains the most up-to-date versions of each module.
What do I need to do?
Customers will see no technical impact from this upgrade, and it is unlikely to affect the security and privacy posture of the system. However, changing CMVP certificate numbers may require additional compliance reviews for some customers. Chainguard recommends consulting with your auditor and sponsor to understand if this upgrade will require any action on your part.
You can monitor for this change by inspecting or scanning the image’s SBOM. When this upgrade occurs, the NIST-CMVP-5104 package will appear in the image’s SBOM.
To receive notifications for this and future FIPS module transitions, we recommend clicking “follow” on the "CMVP Certification Upgrades with FIPS 140-3" knowledge base article containing the timeline for all FIPS module transitions.
Need help or have questions?
We're here to help - talk with your account team or visit our support portal at support.chainguard.dev.
- Chainguard Team
Comments
0 comments
Article is closed for comments.