IndirectTek logo
Built in-house · Signed · FIPS-enabled

Provenium

The hardened, FIPS-enabled image supply chain we build and sign ourselves — so trust never leaves the building.

DistrolessCryptographically signedSBOM on every imageFIPS built-inAir-gap readyMulti-arch

What it is

Every container we ship stands on a foundation we control.

Provenium is IndirectTek's in-house image capability: minimal, hardened, cryptographically-signed container images with a complete bill of materials and FIPS-mode cryptography built directly in. We don't rent our supply chain — we build it, sign it, and stand behind it.

Minimal by design

No shell, no package manager, nothing extra — just the runtime and your application. The attack surface collapses to almost nothing.

FIPS built in

Approved-only cryptography operates inside the image, in FIPS mode. Not a checkbox on a datasheet — it runs.

Signed & provable

A cryptographic signature and a full software bill of materials travel with every image, verifiable by anyone, offline.

Near-zero known CVEs

Continuously rebuilt and scanned; the scan report and severity scope ship alongside every image, so the claim carries its own evidence.

Air-gap ready

The entire set moves into a disconnected environment with signatures and provenance intact. Built for the enclave.

Owned outright

The capability itself is ours — not a subscription, not a vendor gate. New images ship on our schedule, not someone else’s.

The architecture

Trusted in. Hardened, signed, and FIPS-enabled out.

A closed loop we run end to end — vetted components become hardened, verifiable images, then flow to wherever they're deployed, on-prem or air-gapped.

The Provenium pipeline

every image · continuously rebuilt
Harden Vulnerability-scan & gate Generate SBOM Cryptographically sign Enable FIPS
FIPS, built into the image Self-test gated Runs in FIPS mode
FIPS crypto moduleinside the image
Approved algorithms onlynon-approved rejected
Your applicationoperates in FIPS mode

The catalogue

multi-arch · signed · SBOM on each

Runtime

Minimal application base

Runtime · FIPS

FIPS mode built in

Build

Toolchain for building

Static

Compiled binaries

Data services

Verified & hardened

Where it runs

signature verifiable offline

Elixium

Built on Provenium, top to bottom

Cloud & on-prem

SaaS and self-hosted

Air-gapped / gov

FIPS mode, no internet

Your environment

Wherever trust matters

Proof, not claims

FIPS mode isn't a promise here. It's a passing test.

provenium — FIPS verification
$ verify FIPS module
  FIPS provider                 status: active ✓
# FIPS cryptography, live inside the image

$ crypto check — FIPS enforced
  SHA-256 · SHA-512 · HMAC ....... APPROVED ✓
  AES-256-GCM · RSA-2048 ......... APPROVED ✓
  MD5 (legacy, non-approved) ..... BLOCKED  ✗

$ Elixium — FIPS enforced
  GET /health → 200   application healthy
   boots + serves in FIPS mode — zero breakage

$ continuous verification
  ✓ passing   every build proves the module active before it ships

Why it matters

Anyone can rent a hardened catalog. Almost no one owns the capability.

Renting the outcome

  • Hardened images you pull; FIPS behind a paid tier
  • Tied to a vendor’s roadmap and pricing
  • Hard to carry into a disconnected environment
  • Provenance is theirs to vouch for, not yours
  • The differentiator belongs to the vendor

Provenium · owned outright

  • Hardened images with FIPS mode built directly in
  • A capability that ships on our schedule, not a vendor’s
  • Moves into any air-gapped environment, signatures intact
  • Provenance signed by us, verifiable by anyone
  • The trust — and the advantage — stays in the building

Compliance fit

Supply-chain and FIPS controls implemented by construction.

FIPS cryptography

Approved-only cryptography operating in FIPS mode inside the image — the control implemented where the work happens.

Software bill of materials

A complete, signed SBOM on every image gives supply-chain requirements a machine-verifiable answer, every build.

Least functionality

No shell, no package manager — minimal by construction, not by after-the-fact policy.

Validated upgrade path

A clear path to a formally certified cryptographic module the moment a contract requires the certificate.

Control references indicate where Provenium artifacts provide implementing evidence. Assessment and authorization decisions rest with your assessor and authorizing official.

Credentials

Professional certifications across security, cloud, and platform engineering

See all →
AWS Certified Solutions Architect – Professional
AWS Certified Solutions Architect – Professional
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Security Professional (CISSP)
Certified Kubernetes Administrator (CKA)
Certified Kubernetes Administrator (CKA)
Google Cloud Professional Cloud Architect
Google Cloud Professional Cloud Architect
Google Cloud Professional Cloud DevOps Engineer
Google Cloud Professional Cloud DevOps Engineer
Google Cloud Professional Machine Learning Engineer
Google Cloud Professional Machine Learning Engineer

Swipe to see all credentials.