> ## Documentation Index
> Fetch the complete documentation index at: https://docs.langchain.com/llms.txt
> Use this file to discover all available pages before exploring further.

# FIPS-compliant images

> Run self-hosted LangSmith installation on FIPS 140 compliant container images

<Note>
  FIPS and airgapped LangSmith deployments require a conversation with your LangChain account executive before rollout. Reach out to scope licensing, supported configurations, and upgrade paths before you change your installation.
</Note>

As of v15, every LangChain-authored LangSmith image has a `-fips` counterpart that runs in FIPS 140 mode. Use these images when your self-hosted deployment needs FIPS compliance, for example in federal agencies, defense contractors, and regulated industries.

## How the images are built

The `-fips` variants are built on top of [Chainguard FIPS container images](https://edu.chainguard.dev/chainguard/fips/fips-images/), which ship NIST-validated cryptographic modules (OpenSSL FIPS provider, Bouncy Castle FIPS, or BoringCrypto depending on the base). For the list of modules and their CMVP certificates, refer to [Chainguard's FIPS commitment](https://edu.chainguard.dev/chainguard/fips/fips-images/).

Every LangChain-authored image has a `-fips` counterpart published at the same tag as the non-FIPS version:

| Non-FIPS image                           | FIPS image                                    |
| ---------------------------------------- | --------------------------------------------- |
| `langchain/langsmith-ace-backend`        | `langchain/langsmith-ace-backend-fips`        |
| `langchain/langsmith-backend`            | `langchain/langsmith-backend-fips`            |
| `langchain/langsmith-frontend`           | `langchain/langsmith-frontend-fips`           |
| `langchain/langsmith-go-backend`         | `langchain/langsmith-go-backend-fips`         |
| `langchain/langsmith-playground`         | `langchain/langsmith-playground-fips`         |
| `langchain/hosted-langserve-backend`     | `langchain/hosted-langserve-backend-fips`     |
| `langchain/langgraph-operator`           | `langchain/langgraph-operator-fips`           |
| `langchain/agent-builder-tool-server`    | `langchain/agent-builder-tool-server-fips`    |
| `langchain/agent-builder-trigger-server` | `langchain/agent-builder-trigger-server-fips` |

PostgreSQL, Redis, and ClickHouse are not published as FIPS variants by LangChain. If your deployment requires FIPS for these components, bring your own FIPS-mode service and connect via [external Postgres](/langsmith/self-host-external-postgres), [external Redis](/langsmith/self-host-external-redis), or [external ClickHouse](/langsmith/self-host-external-clickhouse).

### ACE backend FIPS boundary note

`langsmith-ace-backend-fips` is built on the same Chainguard FIPS base as all other `-fips` images, but its code-execution runtimes (Deno and Pyodide/WebAssembly) bundle their own cryptographic libraries and do not dynamically link the system FIPS-validated OpenSSL, so the execution runtime itself falls technically outside the FIPS 140 module boundary.

We consider this acceptable for regulated environments: FIPS governs the platform's cryptographic operations on sensitive data, and ACE performs none. It injects no secrets into user code, persists no data and performs no data-at-rest cryptography, and its execution subprocesses have no network access. ACE is an in-cluster HTTP service called by the LangSmith backend; when TLS is terminated upstream by a FIPS-validated mesh or ingress, ACE performs no in-scope cryptographic operations.

## Use FIPS images

Update `values.yaml` in your LangSmith Helm installation to point each LangChain image repository at its `-fips` counterpart, keeping your existing tag. Replace `0.15.0` with the [LangSmith version](/langsmith/self-hosted-changelog) you want to deploy:

```yaml theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
images:
  aceBackendImage:
    repository: "langchain/langsmith-ace-backend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  backendImage:
    repository: "langchain/langsmith-backend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  frontendImage:
    repository: "langchain/langsmith-frontend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  hostBackendImage:
    repository: "langchain/hosted-langserve-backend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  operatorImage:
    repository: "langchain/langgraph-operator-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  platformBackendImage:
    repository: "langchain/langsmith-go-backend-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
  playgroundImage:
    repository: "langchain/langsmith-playground-fips"
    pullPolicy: IfNotPresent
    tag: "0.15.0"
```

Apply the change and upgrade following the [Upgrading LangSmith](/langsmith/self-host-upgrades) guide.

## Verify FIPS mode

Chainguard ships the `openssl-fips-test` tool inside every FIPS image. Running it against a pod prints the FIPS self-tests, the active FIPS provider version, and a link to the applicable CMVP certificate.

Check a running pod:

```bash theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
kubectl exec <pod-name> -- openssl-fips-test
```

Expected output (abridged):

```text theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
Checking OpenSSL lifecycle assurance.
	✓ Self-test KAT_Integrity HMAC ... passed.
	✓ Self-test Module_Integrity HMAC ... passed.
	...
	✓ 29 out of 29 self-tests passed.
	✓ Check FIPS cryptographic module is available... passed.
	✓ Check FIPS approved only mode (EVP_default_properties_is_fips_enabled)... passed.
Public OpenSSL API (libssl.so & libcrypto.so):
	name:      OpenSSL 3.6.0 1 Oct 2025
	version:   3.6.0
FIPS cryptographic module provider details (fips.so):
	name:      OpenSSL FIPS Provider
	version:   3.1.2
Locate applicable CMVP certificate(s) at: CMVP #4985
```

You can also verify an image outside Kubernetes:

```bash theme={"theme":{"light":"catppuccin-latte","dark":"catppuccin-mocha"}}
docker run --rm --entrypoint openssl-fips-test langchain/langsmith-go-backend-fips:0.15.0
```

For more detail on interpreting the output, see [Chainguard's FIPS verification guide](https://edu.chainguard.dev/chainguard/fips/verify-fips/).

## Mirror for airgapped deployments

The `-fips` naming convention applies identically when mirroring images to a private registry. Follow the [image mirroring guide](/langsmith/self-host-mirroring-images) and substitute each repository with its `-fips` counterpart. Airgapped rollouts, with or without FIPS, require scoping with your LangChain account executive before you begin.

***

<div className="source-links">
  <Callout icon="terminal-2">
    [Connect these docs](/use-these-docs) to Claude, VSCode, and more via MCP for real-time answers.
  </Callout>

  <Callout icon="edit">
    [Edit this page on GitHub](https://github.com/langchain-ai/docs/edit/main/src/langsmith/self-host-fips.mdx) or [file an issue](https://github.com/langchain-ai/docs/issues/new/choose).
  </Callout>
</div>
