Modular kernel cryptography on Amazon Linux

Learn how Amazon Linux introduces modular cryptography to simplify FIPS 140-3 certification and accelerate security updates. Ideal for

15 jul 2026 • 5 min read • Q2BSTUDIO Team

FIPS 140-3: Fewer Recertifications, More Security

For years, companies operating in regulated environments have faced a technical and operational crossroads: keeping their systems up to date with the latest security patches without breaking FIPS (Federal Information Processing Standard) certification. Each new version of the Linux kernel involved a recertification process that could take anywhere from 12 to 18 months, leaving entire organizations exposed to vulnerabilities while they waited for validation. This bottleneck, in addition to being costly, slowed down innovation and forced a choice between regulatory compliance and agility. Today, Amazon Linux 2023 introduces a paradigm shift with modular kernel cryptography, a solution that separates cryptographic components into a standalone, once-certifiable module that can be reused across multiple kernel versions. This advancement not only transforms the way low-level security is managed, but opens up new possibilities for cloud architectures, custom applications, and enterprise cybersecurity strategies.

Amazon's proposal is ingenious but simple in concept: If instead of embedding all cryptographic code within the kernel binary, we isolate it into a module that defines its own cryptographic boundary under FIPS 140-3, then any changes to the kernel that don't affect that module don't require a full recertification. This means that security updates, bug fixes, or performance improvements can be released without waiting months or years. The module loads at system boot, connects to stable kernel interfaces, and delivers the same performance as an integrated deployment. From a developer or administrator's point of view, the experience is transparent: there is no need to recompile the kernel or modify configurations; the module is automatically activated on Amazon Linux versions 6.18 and above 2023.

What does this mean in practice for a company that develops custom software or manages cloud infrastructures? Imagine a bank that uses validated cryptographic algorithms to protect transactions. Until now, every time you needed to apply a critical kernel patch, you had to calculate the risk of operating without certification for more than a year. With the new approach, you can update the kernel with confidence that the certified cryptographic module remains intact. This speeds up deployment cycles and reduces exposure to known vulnerabilities. At Q2BSTUDIO, we understand that agility in custom application development is key to staying competitive, and solutions like this allow our customers to integrate regulatory compliance without sacrificing speed.

From a more technical perspective, modularization is not trivial. Amazon has redesigned the kernel build process to separate FIPS-relevant cryptographic source files and link them independently. In addition, it has implemented a boot-time loading mechanism that connects the module's functions with those of the main kernel through a stable interface. This approach ensures that the module can be validated once by NIST (National Institute of Standards and Technology) under the CMVP program, and that validation carries over to future kernel versions as long as the module does not change. If changes arise in the kernel's internal cryptographic APIs, the interface layer can absorb them without modifying the certified module, minimizing the need for recertification.

For enterprises working with AWS and Azure cloud services, this advancement has a direct impact on operating system image management and compliance with frameworks such as FedRAMP or PCI DSS. For example, an organization using EC2 instances with Amazon Linux 2023 can benefit from faster security patches while maintaining its compliance posture. Our cloud services team at Q2BSTUDIO helps companies design architectures that take advantage of these capabilities, ensuring that the infrastructure is not only secure, but also efficient and easy to manage.

Beyond kernel cryptography, the trend toward modularization aligns with other technological currents such as artificial intelligence and AI agents. How are they related? AI models, especially those deployed in regulated environments (healthcare, finance, government), require assurances that data and communications are protected by validated algorithms. The ability to update the kernel without losing certification allows enterprise AI systems to receive critical security patches without disrupting inference or training pipelines. In addition, AI agents operating in real-time need a reliable execution environment; Modular cryptography eliminates a source of uncertainty in the software supply chain.

Another area where this innovation makes a difference is in perimeter and endpoint cybersecurity. Pentesting tools and security solutions often rely on kernel integrity to perform their functions. With a standalone and validated cryptographic module, security teams can be confident that encryption mechanisms are not affected by system updates. This simplifies auditing and certification of security products. At Q2BSTUDIO, we offer cybersecurity and pentesting services that evaluate the robustness of cryptographic implementations; Kernel modularization makes it easier for our analyses to focus on the validated module, reducing the scope of testing and speeding up certifications.

We must not forget the role of business intelligence and tools such as Power BI in this ecosystem. Although they may not seem connected at first glance, business intelligence platforms often access sensitive data through encrypted connections. If the underlying kernel is not up to date for fear of losing FIPS certification, those connections could become vulnerable. With modular cryptography, data teams can keep their dashboards and reports secure, while system administrators apply regular patches. Our business intelligence services in Q2BSTUDIO integrate these security considerations into data extraction, transformation, and visualization processes, ensuring that decision-making is based on protected and up-to-date information.

Of course, FIPS 140-3 validation of the modular module is currently in process and is expected to conclude in 2027 according to NIST timelines. In the meantime, Amazon recommends that customers who require immediate certification continue to use the AL2023 6.1 kernel, which maintains active validation until 2029. However, the module is already available in kernel 6.18 and above, and companies can begin evaluating it in test environments. This is crucial for those developing custom applications that will need to be ready when certification is complete. Advance planning prevents delays in adopting new versions.

Modular kernel cryptography represents a cultural shift in critical infrastructure management. Stop being an obstacle to becoming a facilitator. Businesses no longer have to choose between security and compliance; they can have both. And in a world where threats are rapidly evolving and regulators are demanding ever higher standards, this flexibility is invaluable. At Q2BSTUDIO, as a software and technology development company, we closely follow these evolutions to offer our customers solutions that not only meet today's requirements, but anticipate those of the future. Whether implementing AI agents, migrating to AWS and Azure cloud services, or designing robust cybersecurity systems, modular kernel cryptography is a strategic ally worth exploring today.

A BREAK?

Play for a moment before you go

OUR SERVICES

How we can help you

Artificial intelligence

AI agents, chatbots, and intelligent assistants that automate tasks and serve your customers 24/7 to improve the efficiency of your business.

More info

Software Development

Web, mobile, and desktop applications, intranets, e-commerce, SaaS, and management platforms designed for your company's specific needs.

More info

Cloud services

Migration, infrastructure, managed hosting, high availability, and security on Microsoft Azure and Amazon Web Services to help your business scale without limits.

More info

Cybersecurity and pentesting

Security audits, penetration testing and protection of applications, data and infrastructure on-premise and cloud, with ethical hacking and regulatory compliance.

More info

Business Intelligence

Dashboards and data analysis with Power BI: we integrate your sources, design dashboards and KPIs and turn your data into decisions.

More info

Process automation

We automate repetitive tasks and connect your applications with n8n, Power Automate, Make, and RPA, eliminating manual work and increasing productivity.

More info

Training for Companies

We train your teams in technology with criteria: web development, databases, Git, best practices and security, automation with n8n, artificial intelligence for companies and creation of AI solutions with Azure AI Foundry.

More info

Code Auditing

We audit the code that you, your team or an AI create: we tell you what is good and what to improve, we secure it and make it ready for production, web or app.

More info

AI Image Generation

We create for you the images that your business needs with artificial intelligence: product, networks, advertising, illustration and avatars. You tell us what you want and we deliver it ready to use.

More info

AI Video Generation

We create videos with artificial intelligence for you: promotional, networking, virtual presenters, dubbing and animations. You tell us the idea and we will deliver it assembled and ready to publish.

More info

AI Conversational Avatars

We create conversational avatars with AI – digital humans with a face and voice – that serve your customers and teams with the knowledge of your company, on your website, interactive monitors, WhatsApp or Teams.

More info

Online Marketing and AI

Google Ads, Meta Ads, LinkedIn Ads and AI Engine Positioning (GEO/AEO): we attract customers and make your brand appear where they search for you, also on ChatGPT, Gemini and Perplexity.

More info

Do you have a project in mind?

Tell us your vision and we'll turn it into a software solution. Whatever the scope, we make your idea real.