Skip to main content

FIPS 140-2

fips-140-2 validated logo

Federal Information Processing Standards (FIPS) Publication 140-2 specifies security requirements for cryptographic modules. There is a lot of confusion when it comes to terminology - FIPS compliant vs. FIPS validated - and there is a significant difference between the two. We'll try to clarify some of that and explain how it applies to Virtru.

FIPS Compliant

Cryptographic modules are typically described as FIPS compliant when they utilize FIPS compliant encryption algorithms, such as AES-256 or RSA-2048.

FIPS Validated

In order for a cryptographic module to be FIPS validated, it must undergo an independent examination by a National Institute of Standards and Technology (NIST) accredited lab. The examination validates that the module is implemented in accordance with FIPS 140-2 requirements. Validated modules are issued certificates, which can be viewed on the Cryptographic Modules Validation Program (CMVP) website.


The Federal government mandates that all encryption is performed by FIPS validated cryptographic modules. This requirement is also typically required by State and Local governments, government contractors, and government services providers. Compliance programs such as FedRAMP, CMMC, CJIS, NIST SP 800-171, among others, specifically demand FIPS validation.

FIPS 140-2 at Virtru


Virtru has developed an encryption module specifically designed for the browser in order to enhance our client-side encryption support of FIPS 140-2. The module was validated by the Cryptographic Module Validation Program (CMVP) on February 21, 2023 under certificate #4440. This module is integrated into many of our encryption clients (refer to the table under Client-side below for more details).


As a part of our FedRAMP authorization program, Virtru leverages FIPS 140-2 validated modules behind the scenes to encrypt data-in-transit and data-at-rest in the Virtru Data Protection Platform.


All of Virtru’s encryption algorithms comply with FIPS 140-2 (AES-256), however, not all Virtru clients leverage FIPS validated encryption modules. Of those that do leverage FIPS validated modules, not all clients are enabled in FIPS mode by default.

In some clients, we use 3rd-party encryption libraries that have been certified by, or for, companies such as Google, Microsoft, and Apple (more details below). Virtru has not been required to go through a validation directly in those instances.

Please review the chart below to understand which clients support FIPS by default. If you need to ensure FIPS 140-2 compliance across Virtru clients in use, please contact support. Clients not on this list do not leverage FIPS validated modules.

ClientModule NameCMVP CertificateNotes
Google Chrome Browser Plugin - GmailVirtruCrypto#4440FIPS mode is not enabled by default. Please contact support to enable FIPS mode.
Microsoft Outlook (Microsoft 365 Add-In)VirtruCrypto#4440FIPS mode is not enabled by default. Please contact support to enable FIPS mode.
Microsoft Outlook (Desktop Plug-In)WindowsVaries by Windows versionThe Outlook Desktop Plugin leverages the encryption module of the underlying Windows operating system. Customers should ensure that Windows is configured in FIPS mode to ensure that Virtru leverages the FIPS validated Windows encryption module. For more information on configuring different Windows versions in FIPS mode refer to:

Note that this does not apply to the Outlook Add-in for Desktop, Mobile, Web (Office 365).
iOScorecryptoVaries by iOS versionBeginning with iOS 13, iOS devices will leverage the underlying encryption module provided by Apple. Apple takes all corecrypto modules through FIPS 140-2/140-3 validation. For more information, refer to Apple’s iOS Certification Guide.
Virtru Data Protection Gateway (On-premises)Bouncy Castle#3154Please contact your Customer Success Manager to request FIPS mode configuration.

The Virtru-hosted Gateway does not currently support a FIPS configuration.
Virtru Private Key StoreN/AN/AThe Virtru Private Key Store does not directly provide a FIPS validated encryption module; however, you can integrate with a FIPS validated Hardware Security Module (HSM) of your choice. For example, AWS CloudHSM.
Virtru Secure ShareVirtruCrypto#4440FIPS mode is not enabled by default. Please contact support to enable FIPS mode.
Virtru Secure ReaderVirtruCrypto#4440FIPS mode is not enabled by default. Please contact support to enable FIPS mode.