> ## Documentation Index
> Fetch the complete documentation index at: https://docs.langchain.com/llms.txt
> Use this file to discover all available pages before exploring further.

# FIPS-compliant images

> Run self-hosted LangSmith installation on FIPS 140 compliant container images

<Note>
  FIPS and airgapped LangSmith deployments require a conversation with your LangChain account executive before rollout. Reach out to scope licensing, supported configurations, and upgrade paths before you change your installation.
</Note>

As of v15, every LangChain-authored LangSmith image has a `-fips` counterpart that runs in FIPS 140 mode. Use these images when your self-hosted deployment needs FIPS compliance, for example in federal agencies, defense contractors, and regulated industries.

## How the images are built

The `-fips` variants are built on top of [Chainguard FIPS container images](https://edu.chainguard.dev/chainguard/fips/fips-images/), which ship NIST-validated cryptographic modules (OpenSSL FIPS provider, Bouncy Castle FIPS, or BoringCrypto depending on the base). For the list of modules and their CMVP certificates, refer to [Chainguard's FIPS commitment](https://edu.chainguard.dev/chainguard/fips/fips-images/).

Every LangChain-authored image has a `-fips` counterpart published at the same tag as the non-FIPS version:

| Non-FIPS image                       | FIPS image                                |
| ------------------------------------ | ----------------------------------------- |
| `langchain/langsmith-ace-backend`    | `langchain/langsmith-ace-backend-fips`    |
| `langchain/langsmith-backend`        | `langchain/langsmith-backend-fips`        |
| `langchain/langsmith-frontend`       | `langchain/langsmith-frontend-fips`       |
| `langchain/langsmith-go-backend`     | `langchain/langsmith-go-backend-fips`     |
| `langchain/langsmith-playground`     | `langchain/langsmith-playground-fips`     |
| `langchain/hosted-langserve-backend` | `langchain/hosted-langserve-backend-fips` |
| `langchain/langgraph-operator`       | `langchain/langgraph-operator-fips`       |

PostgreSQL, Redis, and ClickHouse are not published as FIPS variants by LangChain. If your deployment requires FIPS for these components, bring your own FIPS-mode service and connect via [external Postgres](/langsmith/self-host-external-postgres), [external Redis](/langsmith/self-host-external-redis), or [external ClickHouse](/langsmith/self-host-external-clickhouse).

## Use FIPS images

Update `values.yaml` in your LangSmith Helm installation to point each LangChain image repository at its `-fips` counterpart, keeping your existing tag. Replace `0.15.0` with the [LangSmith version](/langsmith/self-hosted-changelog) you want to deploy:

```yaml theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
images:
  aceBackendImage:
    repository: "langchain/langsmith-ace-backend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  backendImage:
    repository: "langchain/langsmith-backend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  frontendImage:
    repository: "langchain/langsmith-frontend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  hostBackendImage:
    repository: "langchain/hosted-langserve-backend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  operatorImage:
    repository: "langchain/langgraph-operator-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  platformBackendImage:
    repository: "langchain/langsmith-go-backend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  playgroundImage:
    repository: "langchain/langsmith-playground-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
```

Apply the change and upgrade following the [Upgrading LangSmith](/langsmith/self-host-upgrades) guide.

## Verify FIPS mode

Chainguard ships the `openssl-fips-test` tool inside every FIPS image. Running it against a pod prints the FIPS self-tests, the active FIPS provider version, and a link to the applicable CMVP certificate.

Check a running pod:

```bash theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
kubectl exec <pod-name> -- openssl-fips-test
```

Expected output (abridged):

```text theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
Checking OpenSSL lifecycle assurance.
	✓ Self-test KAT_Integrity HMAC ... passed.
	✓ Self-test Module_Integrity HMAC ... passed.
	...
	✓ 29 out of 29 self-tests passed.
	✓ Check FIPS cryptographic module is available... passed.
	✓ Check FIPS approved only mode (EVP_default_properties_is_fips_enabled)... passed.
Public OpenSSL API (libssl.so & libcrypto.so):
	name:      OpenSSL 3.6.0 1 Oct 2025
	version:   3.6.0
FIPS cryptographic module provider details (fips.so):
	name:      OpenSSL FIPS Provider
	version:   3.1.2
Locate applicable CMVP certificate(s) at: CMVP #4985
```

You can also verify an image outside Kubernetes:

```bash theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
docker run --rm --entrypoint openssl-fips-test langchain/langsmith-go-backend-fips:0.15.0
```

For more detail on interpreting the output, see [Chainguard's FIPS verification guide](https://edu.chainguard.dev/chainguard/fips/verify-fips/).

## Mirror for airgapped deployments

The `-fips` naming convention applies identically when mirroring images to a private registry. Follow the [image mirroring guide](/langsmith/self-host-mirroring-images) and substitute each repository with its `-fips` counterpart. Airgapped rollouts, with or without FIPS, require scoping with your LangChain account executive before you begin.

***

<div className="source-links">
  <Callout icon="terminal-2">
    [Connect these docs](/use-these-docs) to Claude, VSCode, and more via MCP for real-time answers.
  </Callout>

  <Callout icon="edit">
    [Edit this page on GitHub](https://github.com/langchain-ai/docs/edit/main/src/langsmith/self-host-fips.mdx) or [file an issue](https://github.com/langchain-ai/docs/issues/new/choose).
  </Callout>
</div>