postgres-hardened-fips
Postgres-Hardened-FIPS Overview
Secure your stack with a hardened Postgres-Hardened-FIPS image freshly built by Minimus. Minimus images always include the most up-to-date package version for all packages and dependencies.
Use this Postgres image to set up a database server to store and retrieve data securely whenever an extensible, object-relational database is needed. Deploy Postgres with TLS enabled using our guide.
About Minimus Hardened Images
Minimus Hardened images provide secure-by-default configurations that comply with CIS Benchmarks. The CIS Benchmark for PostgreSQL 17 is a consensus-based security hardening guide that is aligned with industry standards and defines recommended configuration settings, access controls, and operational practices to reduce the attack surface. Review the compliance report to see the audit report for this image.
Notes:
- The image’s default configuration file enforces many CIS PostgreSQL hardening controls. Exercise caution when overriding this file, as custom configurations may inadvertently weaken or negate CIS compliance.
- Full CIS benchmark compliance requires additional post-deployment runtime validations that are out of scope for Minimus.
FIPS 140-3 Certification
This image is FIPS-validated to ensure its cryptographic operations meet the Federal Information Processing Standards (FIPS) required for secure government and regulated environments. Its core cryptographic modules are validated under the NIST Cryptographic Module Validation Program (CMVP) and comply with the FIPS 140-3 standard.
To verify that the FIPS 140-3 provider is configured and active, follow the instructions in the FIPS compliance tab.
Try It Out
Take the Minimus Postgres image for a test run. The following command sets the superuser password to Minimus!, but you can set any password you want:
docker run --rm -d --name my-minimus-postgres \
-e POSTGRES_PASSWORD=Minimus! \
reg.mini.dev/postgres-hardened-fips

The environment variable POSTGRES_PASSWORD is required, as it sets the superuser password. Note that this test container will not persist data, so as soon as the container stops, the data will be lost.
Ready to mount a persistent data volume?
In your host's project directory, bind-mount a new data directory onto the container's default data directory, /var/lib/postgresql/data. To do this, run the following command:
docker run -d --name my-minimus-postgres \
-e POSTGRES_PASSWORD=Minimus! \
-v $(pwd)/data:/var/lib/postgresql/data \
reg.mini.dev/postgres-hardened-fips

Note: the data directory on the host will consequently be owned by UID 10001.
Postgres will now automatically store its data in the target directory on your host so it won't be lost when you restart the container.
Open an interactive shell in your running container.
docker exec -it my-minimus-postgres sh

Switch from the root user to the postgres user and start the psql shell:
su postgres
psql

Ready to interact with your Postgres database?
For our example, we will pass a command to create a database:
CREATE DATABASE minimus_test;

Next, we will list all databases:
\l

Postgres will print database metadata. For example:
postgres=# \l
List of databases
Name | Owner | Encoding | Locale Provider | Collate | Ctype | Locale | ICU Rules | Access privileges
--------------+----------+----------+-----------------+-------------+-------------+--------+-----------+-----------------------
minimus_test | postgres | UTF8 | libc | en_US.UTF-8 | en_US.UTF-8 | | |
postgres | postgres | UTF8 | libc | en_US.UTF-8 | en_US.UTF-8 | | |
template0 | postgres | UTF8 | libc | en_US.UTF-8 | en_US.UTF-8 | | | =c/postgres +
| | | | | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | libc | en_US.UTF-8 | en_US.UTF-8 | | | =c/postgres +
| | | | | | | | postgres=CTc/postgres
(4 rows)

Next, connect to the database you just created:
\c minimus_test

Once connected, create a table:
CREATE TABLE users (
id SERIAL PRIMARY KEY,
name VARCHAR(100),
email VARCHAR(100)
);

Insert rows to create new users:
INSERT INTO users (name, email) VALUES ('John Doe', 'john@example.com');
INSERT INTO users (name, email) VALUES ('Jane Smith', 'jane@example.com');

Review the users just created:
SELECT * FROM users;

You should see a table such as:
minimus_test=# select * from users;
id | name | email
----+------------+------------------
1 | John Doe | john@example.com
2 | Jane Smith | jane@example.com
(2 rows)

Technical Considerations
The Postgres-Hardened-FIPS image provided by Minimus is a slim, security-hardened alternative to the public image from Docker Hub. The images are largely interchangeable, with a few differences as noted below.
Postgres-Hardened-FIPS built by Minimus:
- The Postgres process runs as the non-root user 10001 (postgres). However, the entrypoint script runs as root so it has the permissions to set up the environment, which is why the compliance report shows the image as running as root.
- The image does not have a default volume. The public image defaults to /var/lib/postgresql/data.
- The default working directory is /home/postgres. The public image working directory defaults to the root directory.
- Drill down on the version specification tab to see the default user, listening ports, entrypoint, volumes, environment variables, etc.
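The following script is an added example (not Minimus tooling) that ties the Try It Out walkthrough and the considerations above together: it starts the image with a persistent data directory, waits for the server, runs the page's SQL through psql, and then checks the two facts stated above, that the host data directory ends up owned by UID 10001 and that the server processes run as that UID rather than root. It assumes the docker CLI on PATH, GNU stat on a Linux host, and pg_isready inside the image; the check_owner helper is hypothetical.

```shell
#!/bin/sh
# Added example, not Minimus tooling. Usage: POSTGRES_PASSWORD=... sh check-pg.sh up
# Assumptions: docker CLI on PATH, GNU stat on the host, pg_isready inside the image.
IMAGE="reg.mini.dev/postgres-hardened-fips"
NAME="${NAME:-my-minimus-postgres}"
DATA_DIR="${DATA_DIR:-$(pwd)/data}"
PG_UID=10001   # the postgres user in the image, per the page

# Succeed only if <dir> exists and is owned by numeric UID <uid> (hypothetical helper).
check_owner() {
    [ -d "$1" ] && [ "$(stat -c %u "$1")" = "$2" ]
}

# Poll pg_isready as the postgres user for up to 30 seconds.
wait_ready() {
    n=0
    until docker exec -u "$PG_UID" "$NAME" pg_isready -U postgres -q; do
        n=$((n + 1)); [ "$n" -lt 30 ] || return 1
        sleep 1
    done
}

# Run one SQL statement with psql inside the container over the local socket
# (no password prompt; POSTGRES_PASSWORD only protects TCP connections).
sql() { docker exec -u "$PG_UID" "$NAME" psql -U postgres -d "$1" -tAc "$2"; }

main() {
    : "${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD before running}"
    mkdir -p "$DATA_DIR"
    docker run -d --name "$NAME" -e POSTGRES_PASSWORD="$POSTGRES_PASSWORD" \
        -v "$DATA_DIR:/var/lib/postgresql/data" "$IMAGE" >/dev/null
    wait_ready || { echo "server did not become ready"; exit 1; }
    sql postgres "CREATE DATABASE minimus_test;"
    sql minimus_test "CREATE TABLE users (id SERIAL PRIMARY KEY, name VARCHAR(100), email VARCHAR(100));"
    sql minimus_test "INSERT INTO users (name, email) VALUES ('John Doe', 'john@example.com'), ('Jane Smith', 'jane@example.com');"
    echo "rows in users: $(sql minimus_test 'SELECT count(*) FROM users;')"
    # The entrypoint (running as root) chowns the bind mount to the postgres user.
    if check_owner "$DATA_DIR" "$PG_UID"; then echo "data dir owned by UID $PG_UID"
    else echo "WARNING: data dir is not owned by UID $PG_UID"; fi
    # docker top uses the host's ps, so no tooling is needed inside the minimal image;
    # every postgres process should report uid 10001 even though PID 1 is root.
    echo "postgres process UIDs: $(docker top "$NAME" -eo uid,comm \
        | awk '$2 == "postgres" {print $1}' | sort -u | tr '\n' ' ')"
}

case "${1:-}" in up) main ;; esac
```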
The Payoff
A hardened, minimal image that will remain more secure for the long run and accrue vulnerabilities at a slower rate.
- See the risk reduction dashboard for a detailed CVE comparison over the past 30 days.
- Review the compliance report to see the default hardening and security configurations for the image.