
    LaunchDarkly in environments requiring FIPS 140-2 validated encryption modules

    Last edited: Oct 31, 2022

    Overview

    In some customer environments, notably those serving the US government community, there may be compliance requirements to use FIPS 140-2 validated encryption modules.

    One such module is BoringCrypto. It is a fork of OpenSSL that is maintained by Google, and it allows Golang applications to use FIPS 140-2 validated encryption in place of the standard Golang crypto libraries.

    Complying with regulatory requirements is the customer's responsibility

    While this topic guides you in meeting your compliance needs, it is up to you to ensure that your encryption practices are documented in your SSP and reviewed by your auditors, so that they are applicable and sufficient for your particular needs.

    SDKs

    Because the LaunchDarkly SDKs are bundled into your applications, they should inherit the encryption modules used by your application.

    For example, in Golang, you can use the boringcrypto experiment flag when building your Go (1.19+) code. The Relay Proxy is a great example of such an application, written in Go, using the LaunchDarkly Go SDK.

    Relay Proxy

    To build the LaunchDarkly Relay Proxy using BoringCrypto, run:

    GOEXPERIMENT=boringcrypto go build .

    Use this command instead of running make or go build . so that the Relay Proxy is built with FIPS 140-2 encryption.

    Verification

    To verify that a Go binary was indeed built with BoringCrypto, there are two methods you can use.

    One method is to call go version and check the experiments list. For example, here's how to check a binary called ld-relay:

    $ go version ld-relay
    ld-relay: go1.19 X:boringcrypto

    The X:boringcrypto indicates that this binary includes the FIPS 140-2 validated encryption modules.

    The other method is to examine the symbol table in the binary, looking for BoringCrypto symbols:

    $ go tool nm ld-relay | grep _Cfunc__goboringcrypto_

    If this command returns results and a 0 exit code, then the binary includes the FIPS 140-2 validated encryption modules.
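
The two checks above can be combined into a release gate that fails the pipeline when a binary was built without BoringCrypto. This is an added example, not LaunchDarkly's own tooling: the script and function names are hypothetical, and it assumes the go toolchain is on PATH when a binary path is passed.

```shell
#!/bin/sh
# Added example (hypothetical helper names): gate a Go binary on both checks.

# has_boring_experiment LINE
# LINE is one line of `go version <binary>` output, for example
#   ld-relay: go1.19 X:boringcrypto
# Succeeds only when boringcrypto is an exact entry of the X: list; Go joins
# several enabled experiments with commas, so a substring match is too loose.
has_boring_experiment() {
    case "$1" in
        *" X:"*) ;;
        *) return 1 ;;          # no experiments recorded at all
    esac
    exps=${1##* X:}             # text after the last " X:"
    exps=${exps%% *}            # stop at the first space, if any
    case ",$exps," in
        *,boringcrypto,*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_boring_symbols: reads `go tool nm` output on stdin and prints how
# many lines name a _Cfunc__goboringcrypto_ symbol (0 when there are none).
count_boring_symbols() {
    grep -c '_Cfunc__goboringcrypto_' || true
}

# verify_fips_binary PATH: 0 when both checks pass, non-zero otherwise.
verify_fips_binary() {
    bin=$1
    line=$(go version "$bin") || { echo "FAIL: cannot read $bin" >&2; return 2; }
    if ! has_boring_experiment "$line"; then
        echo "FAIL: $line (X:boringcrypto missing)" >&2
        return 1
    fi
    n=$(go tool nm "$bin" | count_boring_symbols)
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no _Cfunc__goboringcrypto_ symbols in $bin" >&2
        return 1
    fi
    echo "OK: $bin ($n BoringCrypto symbols)"
}

# Usage: sh check-fips.sh ./ld-relay
if [ "$#" -gt 0 ]; then
    verify_fips_binary "$1"
fi
```

Requiring both checks catches a binary whose version string and symbol table disagree, which either check alone would accept.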

    Code References

    If you are using code references, you will need to build the ld-find-code-refs binary similarly.