diff --git a/sdk_container/src/third_party/portage-stable/changelog/changes/2022-03-22-fips.md b/sdk_container/src/third_party/portage-stable/changelog/changes/2022-03-22-fips.md
new file mode 100644
index 0000000000..392b8ab443
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/changelog/changes/2022-03-22-fips.md
@@ -0,0 +1 @@
+- Enabled FIPS mode for cryptsetup ([portage-stable#312](https://github.com/flatcar-linux/portage-stable/pull/312))
diff --git a/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.3.6.ebuild b/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.3.6.ebuild
index e96df12d24..cbe28613d0 100644
--- a/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.3.6.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/cryptsetup-2.3.6.ebuild
@@ -16,9 +16,9 @@ KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x
 CRYPTO_BACKENDS="gcrypt kernel nettle +openssl"
 # we don't support nss since it doesn't allow cryptsetup to be built statically
 # and it's missing ripemd160 support so it can't provide full backward compatibility
-IUSE="${CRYPTO_BACKENDS} +argon2 nls pwquality reencrypt static static-libs +udev urandom"
+IUSE="${CRYPTO_BACKENDS} +argon2 +fips nls pwquality reencrypt static static-libs +udev urandom"
 REQUIRED_USE="^^ ( ${CRYPTO_BACKENDS//+/} )
- static? ( !gcrypt )" #496612
+ static? ( !gcrypt !fips )" #496612
 LIB_DEPEND="
 dev-libs/json-c:=[static-libs(+)]
@@ -86,6 +86,7 @@ src_configure() {
 $(use_enable udev)
 $(use_enable !urandom dev-random)
 $(usex argon2 '' '--with-luks2-pbkdf=pbkdf2')
+ $(use_enable fips)
 )
 econf "${myeconfargs[@]}"
 }
diff --git a/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/metadata.xml
index d2968cbd56..20e84e9162 100644
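Review bot: With `+fips` on by default in `IUSE`, the new `static? ( !gcrypt !fips )` constraint makes every `USE=static` build fail REQUIRED_USE until the user also sets `-fips`, and nothing in the hunk says why the two are exclusive. The trailing `#496612` was written for the gcrypt half of that line and now reads as if it also covered `!fips`. I would add a comment above `REQUIRED_USE`, for example `# fips cannot be combined with static (presumably rejected by upstream configure; confirm), so USE=static needs -fips`, and keep `#496612` tied to the gcrypt reason only. The constraint also leaves `fips` selectable with every entry of `CRYPTO_BACKENDS`; if the FIPS restrictions are only meaningful with a backend that ships a validated module, that deserves a line here as well.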
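Review bot: `$(use_enable fips)` sits directly under the `usex argon2` line, and the ebuild does not say how the two default-on flags interact: Argon2 is not a FIPS-approved KDF, yet with `+argon2` the `--with-luks2-pbkdf=pbkdf2` fallback is not passed. A comment on the new line should state what the switch actually provides, e.g. `# build-time support only; restrictions presumably apply when the host runs in FIPS mode (confirm against upstream)`, so that nobody reads the flag as making LUKS2 volumes FIPS-compliant by itself. It would also help to record which PBKDF new LUKS2 keyslots get on a FIPS-mode host with both flags enabled. `src_configure()` begins above this hunk, so the rest of `myeconfargs` is not visible here.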
--- a/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/metadata.xml @@ -7,6 +7,7 @@ Enable password hashing algorithm from app-crypt/argon2 + Enable FIPS mode restrictions Use dev-libs/libgcrypt crypto backend Use kernel crypto backend (mainly for embedded systems) Use dev-libs/nettle crypto backend