◆ Minimal by design
No shell, no package manager, nothing extra — just the runtime and your application. The attack surface collapses to almost nothing.
The hardened, FIPS-enabled image supply chain we build and sign ourselves — so trust never leaves the building.
Every image ships with
What it is
Provenium is IndirectTek's in-house image capability: minimal, hardened, cryptographically-signed container images with a complete bill of materials and FIPS-mode cryptography built directly in. We don't rent our supply chain — we build it, sign it, and stand behind it.
No shell, no package manager, nothing extra — just the runtime and your application. The attack surface collapses to almost nothing.
Approved-only cryptography operates inside the image, in FIPS mode. Not a checkbox on a datasheet — it runs.
A cryptographic signature and a full software bill of materials travel with every image, verifiable by anyone, offline.
Continuously rebuilt and scanned; the scan report and severity scope ship alongside every image, so the claim carries its own evidence.
The entire set moves into a disconnected environment with signatures and provenance intact. Built for the enclave.
The capability itself is ours — not a subscription, not a vendor gate. New images ship on our schedule, not someone else’s.
The architecture
A closed loop we run end to end — vetted components become hardened, verifiable images, then flow to wherever they're deployed, on-prem or air-gapped.
Runtime
Minimal application base
Runtime · FIPS
FIPS mode built in
Build
Toolchain for building
Static
Compiled binaries
Data services
Verified & hardened
Elixium
Built on Provenium, top to bottom
Cloud & on-prem
SaaS and self-hosted
Air-gapped / gov
FIPS mode, no internet
Your environment
Wherever trust matters
Proof, not claims
$ verify FIPS module FIPS provider status: active ✓ # FIPS cryptography, live inside the image $ crypto check — FIPS enforced SHA-256 · SHA-512 · HMAC ....... APPROVED ✓ AES-256-GCM · RSA-2048 ......... APPROVED ✓ MD5 (legacy, non-approved) ..... BLOCKED ✗ $ Elixium — FIPS enforced GET /health → 200 application healthy ✓ boots + serves in FIPS mode — zero breakage $ continuous verification ✓ passing every build proves the module active before it ships
Why it matters
Compliance fit
FIPS cryptography
Approved-only cryptography operating in FIPS mode inside the image — the control implemented where the work happens.
Software bill of materials
A complete, signed SBOM on every image gives supply-chain requirements a machine-verifiable answer, every build.
Least functionality
No shell, no package manager — minimal by construction, not by after-the-fact policy.
Validated upgrade path
A clear path to a formally certified cryptographic module the moment a contract requires the certificate.
Control references indicate where Provenium artifacts provide implementing evidence. Assessment and authorization decisions rest with your assessor and authorizing official.
Swipe to see all credentials.