No results for ""
EXPAND ALL
  • Home
  • API docs

LaunchDarkly in environments requiring FIPS 140-2 validated encryption modules

Read time: 2 minutes
Last edited: Nov 12, 2024

Overview

In some customer environments, notably those serving the US government community, there may be compliance requirements to use FIPS 140-2 validated encryption modules. This topic explains how customers can use LaunchDarkly in environments that require that all data is encrypted in transit using FIPS 140-2 validated encryption modules.

To comply with these requirements, customers must:

  • Use the LaunchDarkly federal environment.
  • Use FIPS 140-2 validated encryption modules for any data transmission. One such module is BoringCrypto. It is a fork of OpenSSL that is maintained by Google, and allows for Golang applications to use FIPS 140-2 validated encryption, in place of the standard Golang crypto libraries.
Complying with regulatory requirements is the customer's responsibility

While this topic guides you in meeting your compliance needs, it is up to you to ensure that your encryption practices are documented in your SSP and are reviewed by your auditors, to ensure they are applicable and sufficient to your particular needs.

SDKs

Because the LaunchDarkly SDKs are bundled into your applications, they should inherit the encryption modules used by your application.

For example, in Golang, you can use the boringcrypto experiment flag when building your Go (1.19+) code. The Relay Proxy is a great example of such an application, written in Go, using the LaunchDarkly Go SDK.

Relay Proxy

To build the LaunchDarkly Relay Proxy using BoringCrypto, run:

GOEXPERIMENT=boringcrypto go build .

Use this instead of running make or go build . to build the Relay Proxy with FIPS 140-2 encryption.

Verification

To verify that a Go binary was indeed built with BoringCrypto, there are two methods you can use.

One method is to call go version and check the Experiments list. For example, here's how to check a binary called ld-relay:

$ go version ld-relay
ld-relay: go1.19 X:boringcrypto

The X:boringcrypto indicates that this binary includes the FIPS 140-2 validated encryption modules.

The other method is to examine the symbol table in the binary, looking for BoringCrypto symbols:

$ go tool nm ld-relay | grep _Cfunc__goboringcrypto_

If this command returns results and a 0 exit code, then the binary includes the FIPS 140-2 validated encryption modules.

Code references

If you are using code references you will need to build the ld-find-code-refs binary similarly.