LaunchDarkly in environments requiring FIPS 140-2 validated encryption modules
Read time: 2 minutes
Last edited: Nov 12, 2024
Overview
In some customer environments, notably those serving the US government community, there may be compliance requirements to use FIPS 140-2 validated encryption modules. This topic explains how customers can use LaunchDarkly in environments that require that all data is encrypted in transit using FIPS 140-2 validated encryption modules.
To comply with these requirements, customers must:
- Use the LaunchDarkly federal environment.
- Use FIPS 140-2 validated encryption modules for any data transmission. One such module is BoringCrypto. It is a fork of OpenSSL that is maintained by Google, and allows for Golang applications to use FIPS 140-2 validated encryption, in place of the standard Golang crypto libraries.
While this topic guides you in meeting your compliance needs, it is up to you to ensure that your encryption practices are documented in your SSP and are reviewed by your auditors, to ensure they are applicable and sufficient to your particular needs.
SDKs
Because the LaunchDarkly SDKs are bundled into your applications, they should inherit the encryption modules used by your application.
For example, in Golang, you can use the boringcrypto
experiment flag when building your Go (1.19+) code. The Relay Proxy is a great example of such an application, written in Go, using the LaunchDarkly Go SDK.
Relay Proxy
To build the LaunchDarkly Relay Proxy using BoringCrypto, run:
GOEXPERIMENT=boringcrypto go build .
Use this instead of running make
or go build .
to build the Relay Proxy with FIPS 140-2 encryption.
Verification
To verify that a Go binary was indeed built with BoringCrypto, there are two methods you can use.
One method is to call go version
and check the Experiments list. For example, here's how to check a binary called ld-relay
:
$ go version ld-relayld-relay: go1.19 X:boringcrypto
The X:boringcrypto
indicates that this binary includes the FIPS 140-2 validated encryption modules.
The other method is to examine the symbol table in the binary, looking for BoringCrypto symbols:
$ go tool nm ld-relay | grep _Cfunc__goboringcrypto_
If this command returns results and a 0
exit code, then the binary includes the FIPS 140-2 validated encryption modules.
Code references
If you are using code references you will need to build the ld-find-code-refs binary similarly.