LaunchDarkly in environments requiring FIPS 140-2 validated encryption modules
Read time: 1 minute
Last edited: Oct 31, 2022
In some customer environments, notably those serving the US government community, there may be compliance requirements to use FIPS 140-2 validated encryption modules.
One such module is BoringCrypto. It is a fork of OpenSSL that is maintained by Google, and allows for Golang applications to use FIPS 140-2 validated encryption, in place of the standard Golang crypto libraries.
While this topic guides you in meeting your compliance needs, it is up to you to ensure that your encryption practices are documented in your SSP and are reviewed by your auditors, to ensure they are applicable and sufficient to your particular needs.
Because the LaunchDarkly SDKs are bundled into your applications, they should inherit the encryption modules used by your application.
For example, in Golang, you can use the
boringcrypto experiment flag when building your Go (1.19+) code. The Relay Proxy is a great example of such an application, written in Go, using the
LaunchDarkly Go SDK.
To build the LaunchDarkly Relay Proxy using BoringCrypto, run:
GOEXPERIMENT=boringcrypto go build .
Use this instead of running
go build . to build the Relay Proxy with FIPS 140-2 encryption.
To verify that a Go binary was indeed build with BoringCrypto, there are two methods you can use.
One method is to call
go version and check the experiments list. For example, here's how to check a binary called
$ go version ld-relayld-relay: go1.19 X:boringcrypto
X:boringcrypto indicates that this binary includes the FIPS 140-2 validated encryption modules.
The other method is to examine the symbol table in the binary, looking for BoringCrypto symbols:
$ go tool nm ld-relay | grep _Cfunc__goboringcrypto_
If this command returns results and a
0 exit code, then the binary includes the FIPS 140-2 validated encryption modules.