Skip to main content
FIPS and airgapped LangSmith deployments require a conversation with your LangChain account executive before rollout. Reach out to scope licensing, supported configurations, and upgrade paths before you change your installation.
As of v15, every LangChain-authored LangSmith image has a -fips counterpart that runs in FIPS 140 mode. Use these images when your self-hosted deployment needs FIPS compliance, for example in federal agencies, defense contractors, and regulated industries.

How the images are built

The -fips variants are built on top of Chainguard FIPS container images, which ship NIST-validated cryptographic modules (OpenSSL FIPS provider, Bouncy Castle FIPS, or BoringCrypto depending on the base). For the list of modules and their CMVP certificates, refer to Chainguard’s FIPS commitment. Every LangChain-authored image has a -fips counterpart published at the same tag as the non-FIPS version:
Non-FIPS imageFIPS image
langchain/langsmith-ace-backendlangchain/langsmith-ace-backend-fips
langchain/langsmith-backendlangchain/langsmith-backend-fips
langchain/langsmith-frontendlangchain/langsmith-frontend-fips
langchain/langsmith-go-backendlangchain/langsmith-go-backend-fips
langchain/langsmith-playgroundlangchain/langsmith-playground-fips
langchain/hosted-langserve-backendlangchain/hosted-langserve-backend-fips
langchain/langgraph-operatorlangchain/langgraph-operator-fips
PostgreSQL, Redis, and ClickHouse are not published as FIPS variants by LangChain. If your deployment requires FIPS for these components, bring your own FIPS-mode service and connect via external Postgres, external Redis, or external ClickHouse.

Use FIPS images

Update values.yaml in your LangSmith Helm installation to point each LangChain image repository at its -fips counterpart, keeping your existing tag. Replace 0.15.0 with the LangSmith version you want to deploy: 
images:
  aceBackendImage:
    repository: "langchain/langsmith-ace-backend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  backendImage:
    repository: "langchain/langsmith-backend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  frontendImage:
    repository: "langchain/langsmith-frontend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  hostBackendImage:
    repository: "langchain/hosted-langserve-backend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  operatorImage:
    repository: "langchain/langgraph-operator-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  platformBackendImage:
    repository: "langchain/langsmith-go-backend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  playgroundImage:
    repository: "langchain/langsmith-playground-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
Apply the change and upgrade following the Upgrading LangSmith guide.

Verify FIPS mode

Chainguard ships the openssl-fips-test tool inside every FIPS image. Running it against a pod prints the FIPS self-tests, the active FIPS provider version, and a link to the applicable CMVP certificate. Check a running pod: 
kubectl exec <pod-name> -- openssl-fips-test
Expected output (abridged): 
Checking OpenSSL lifecycle assurance.
	✓ Self-test KAT_Integrity HMAC ... passed.
	✓ Self-test Module_Integrity HMAC ... passed.
	...
	✓ 29 out of 29 self-tests passed.
	✓ Check FIPS cryptographic module is available... passed.
	✓ Check FIPS approved only mode (EVP_default_properties_is_fips_enabled)... passed.
Public OpenSSL API (libssl.so & libcrypto.so):
	name:      OpenSSL 3.6.0 1 Oct 2025
	version:   3.6.0
FIPS cryptographic module provider details (fips.so):
	name:      OpenSSL FIPS Provider
	version:   3.1.2
Locate applicable CMVP certificate(s) at: CMVP #4985
You can also verify an image outside Kubernetes: 
docker run --rm --entrypoint openssl-fips-test langchain/langsmith-go-backend-fips:0.15.0
For more detail on interpreting the output, see Chainguard’s FIPS verification guide.

Mirror for airgapped deployments

The -fips naming convention applies identically when mirroring images to a private registry. Follow the image mirroring guide and substitute each repository with its -fips counterpart. Airgapped rollouts, with or without FIPS, require scoping with your LangChain account executive before you begin.
Connect these docs to Claude, VSCode, and more via MCP for real-time answers.
Edit this page on GitHub or file an issue.