Skip to content

feat(fips): native FIPS support #3973

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 32 commits into from
Jul 15, 2025
Merged

feat(fips): native FIPS support #3973

merged 32 commits into from
Jul 15, 2025

Conversation

DanielHougaard
Copy link
Member

@DanielHougaard DanielHougaard commented Jul 7, 2025
edited
Loading

Description 📣

Native FIPS support

This PR introduces FIPS validation support (enterprise-only) for plain Infisical installations. There is no way to migrate from non-FIPS -> FIPS, so things doesn't need to be backwards compatible with each other.

Core changes:

  1. We've bundled in OpenSSL 3.1.2 which is FIPS validated, and we've toggled on FIPS mode for it
  2. We are forcing FIPS mode Node.js during startup. This means that Node.js won't allow OpenSSL to execute non-fips validated algorithms
  3. Introduced crypto.js usage. This is only intended to be used in cases where we absolutely have to use non-fips validated algorithms. We use their md5 implementation for MongoDB digest auth for our dynamic secrets.
  4. We're moved all crypto usage into a crypto provider (cryptographyFactory), which will handle all exports of crypto. This way we can be very explicit about what crypto we are using.
  5. TweetNacl has been replaced with native node crypto. We replicate tweetnacl's asymmetric key-sharing encryption by using the Diffie-Hellman key exchange algorithm; which is implemented in native node.
  6. jsonwebtoken is replaced with our own JWT implementation using native Node.
  7. BCrypt has been replaced with pkdf2. We enforce a minimum of 1.000.000 iterations to keep the compute intensity high to avoid brute-force attacks.

To test things out, you can run make up-dev. Development node will now always run in FIPS-mode to ensure that we aren't developing features that won't be compatible with FIPS.

Type ✨

  • Bug fix
  • New feature
  • Improvement
  • Breaking change
  • Documentation

@DanielHougaard DanielHougaard self-assigned this Jul 7, 2025
@maidul98
Copy link
Collaborator

maidul98 commented Jul 7, 2025
edited
Loading

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

@DanielHougaard DanielHougaard marked this pull request as ready for review July 8, 2025 18:29
sheensantoscapadngan
sheensantoscapadngan reviewed Jul 9, 2025
View reviewed changes
sheensantoscapadngan
sheensantoscapadngan reviewed Jul 10, 2025
View reviewed changes
sheensantoscapadngan
sheensantoscapadngan reviewed Jul 10, 2025
View reviewed changes
@DanielHougaard
Copy link
Member Author

Merging at a later time as this is high-impact

akhilmhdh
akhilmhdh reviewed Jul 13, 2025
View reviewed changes
maidul98
maidul98 reviewed Jul 15, 2025
View reviewed changes
Copy link
Collaborator

@maidul98 maidul98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

implementation looks good, just left some minor comments

@DanielHougaard DanielHougaard merged commit bf62aae into main Jul 15, 2025
10 of 11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akhilmhdh akhilmhdh akhilmhdh left review comments

@maidul98 maidul98 maidul98 approved these changes

@sheensantoscapadngan sheensantoscapadngan sheensantoscapadngan left review comments

Assignees

@DanielHougaard DanielHougaard

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@DanielHougaard @maidul98 @akhilmhdh @sheensantoscapadngan