FIPS support with boringcrypto
seanorama opened this issue · comments
Which component:
controller and kubeseal, though more important for kubeseal since that is where the cryptographic functions happen.
Is your feature request related to a problem? Please describe.
Many high-compliance environments require crypto modules to be FIPS-compliant and validated by NIST. Thankfully, for Go, Google freely provides BoringCrypto (aka boringssl).
Describe the solution you'd like
Provide container images containing controller and kubeseal which have been compiled with FIPS validation, likely via boringcrypto.
To test that the applications can be built with boringcrypto, I followed this guide to build it on ubi8-minimal and used the go-toolset to validate that FIPS mode is enabled.
$ docker run -it redhat/ubi8-minimal
# microdnf install -y git go-toolset make findutils
# git clone https://github.com/bitnami-labs/sealed-secrets
# make
# ./kubeseal --version
kubeseal version: f88b8ce629576082d52d63a0257217f457d47c7d
# go tool nm ./kubeseal | grep FIPS_mode
1275820 T _cgo_0edd79296193_Cfunc__goboringcrypto_FIPS_mode
22622d8 d _g_FIPS_mode
653cd0 t vendor/github.com/golang-fips/openssl-fips/openssl._Cfunc__goboringcrypto_FIPS_mode.abi0
21a1208 d vendor/github.com/golang-fips/openssl-fips/openssl._cgo_0edd79296193_Cfunc__goboringcrypto_FIPS_mode
# go tool nm ./controller | grep FIPS_mode
14fe760 T _cgo_0edd79296193_Cfunc__goboringcrypto_FIPS_mode
288c278 d _g_FIPS_mode
58d090 t vendor/github.com/golang-fips/openssl-fips/openssl._Cfunc__goboringcrypto_FIPS_mode.abi0
27c1250 d vendor/github.com/golang-fips/openssl-fips/openssl._cgo_0edd79296193_Cfunc__goboringcrypto_FIPS_mode
Describe alternatives you've considered
No alternatives. FIPS-validation is not negotiable for high compliance environments, such as those required by the Federal government and others who comply with NIST controls.
Hi @seanorama thanks for the report. FIPS compliance is indeed an important feature for many corporate or regulated environments. While we do not provide a default compilation for the Sealed Secrets components supporting FIPS, customers with those requirements should consider the Tanzu Application Catalog alternative instead.
The Sealed Secrets container distributed with TAC includes the Kubeseal binary and FIPS compliance is verified using the PhotonOS images.
Let me know if you need further assistance on obtaining a TAC subscription and accessing the FIPS-compliant version of Sealed Secrets.
Regards
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.