FIPS compliance

Do you plan to make Temporal FIPS compliant?

There aren’t many resources available for building FIPS compliant Go applications. A few things I found:

A blog post: https://kupczynski.info/posts/fips-golang/

A maintained branch of Go using BoringCrypto, a FIPS compliant library: go/misc/boring at dev.boringcrypto · golang/go · GitHub

I guess this would mean separate, FIPS compliant builds for those who need them.

As a clarification question, would using custom FIPS compliant encryption in combination with a data serializer solve this need? This is something you can accomplish today and would prevent Temporal server from touching anything but appropriately encrypted data. Obviously the workers/SDK are a separate story.

Unfortunately, no. FIPS compliance not only requires using appropriate encryption, it also requires using a validated library, guaranteeing the use of such encryption (e.g. the aforementioned boringcrypto: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Certificate/3318 )


@sagikazarmark I asked a similar question regarding building temporal with boringcrypto here: Building temporal with boringcrypto

Because our team already has a docker image which is based on alpine linux and installs the boringcrypto fork of golang, it was pretty straightforward to get this working.

I just needed to change this line in the temporal Dockerfile to use our custom alpine image (with the boringcrypto fork of golang installed) and then set CGO_ENABLED=1 here.

We haven’t done much testing with this build of temporal yet, but we are able to stand it up locally with the docker-compose-mysql file in the temporal repo and run some basic workflows against it. Building with the boringcrypto fork of golang and enabling cgo didn’t seem to cause any issues.


Thanks @Kevin_Flynn

That’s what I thought as well. You probably also need to import _ "crypto/tls/fipsonly" somewhere, to force using FIPS compliant algos.


Another solution is to deploy with Envoy. Configure its https external interface for FIPS (TLS1.2, the subset of the encryption suites, etc.) and map the https/http internally. On the go/server side, yes, BoringCrypto is another option. Java clients are a little trickier: you either have to configure in the BouncyCastle FIPS compliant library (which is the only reasonable one we could find), or again wrap with Envoy.


Made a mistake, realize I’d written http above, where I meant grpc.