FIPS compliance

Do you plan to make Temporal FIPS compliant?

There isn’t much resources available for building FIPS compliant Go applications. A few things I found:

A blog post: https://kupczynski.info/2019/12/15/fips-golang.html

A maintained branch of Go using BoringCrypto, a FIPS compliant library: https://github.com/golang/go/tree/dev.boringcrypto/misc/boring

I guess this would mean separate, FIPS compliant builds for those who need them.

As a clarification question, would using custom FIPS compliant encryption in combination with a data serializer solve this need? This is something you can accomplish today and would prevent Temporal server from touching anything but appropriately encrypted data. Obviously the workers/SDK are a separate story.

Unfortunately, no. FIPS compliance not only requires using appropriate encryption, it also requires using a validated library, guaranteeing the use of such encryption (eg. the aformentioned boringcrypto: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Certificate/3318 )

@sagikazarmark I asked a similar question regarding building temporal with boringcrypto here: Building temporal with boringcrypto

Because our team already has a docker image which is based on alpine linux and installs the boringcrypto fork of golang, it was pretty straightforward to get this working.

I just needed to change this line in the temporal Dockerfile to use our custom alpine image (with the boringcrypto fork of golang installed) and then set CGO_ENABLED=1 here.

We haven’t done much testing with this build of temporal yet, but we are able to stand it up locally with the docker-compose-mysql file in the temporal repo and run some basic workflows against it. Building with the boringcrypto fork of golang and enabling cgo didn’t seem to cause any issues.

1 Like

Thanks @Kevin_Flynn

That’s what I thought as well. You probably also need to import _ "crypto/tls/fipsonly" somewhere, to force using FIPS compliant algos.

1 Like

Another solution is to deploy with Envoy. Configure it’s https external interface for FIPS (TLS1.2, the subset of the encryption-suite, etc.) and map the https/http internally. On the go/server side, yes, BoringCyrpto is another option. Java clients are a little trickier: you either have to configure in BouncyCastle FIPS compliant library (which is the only reasonable one we could find), or again wrap with Envoy.

1 Like

Made a mistake, realize I’d written http above, where I meant grpc.