Traefik Hub FIPS Compliance
The Federal Information Processing Standard (FIPS) 140-2 sets the required cryptographic standards for handling sensitive data. Traefik Hub complies with these standards by using approved cryptographic implementations.
Cryptographic Implementation with Go and BoringCrypto
Traefik Hub is built with the Go programming language and uses BoringCrypto for Linux binaries/images only. This setup meets FIPS 140-2 requirements.
What Is BoringCrypto
BoringCrypto is a FIPS 140-2 validated cryptographic module derived from BoringSSL. It performs essential operations like hashing, encryption, and digital signature verification with approved algorithms.
Why BoringCrypto
- It aligns Traefik Hub’s cryptographic operations with FIPS 140-2 standards.
- Although some weak algorithms (for example, MD5, SHA-1) may appear for legacy or interoperability reasons, their usage is controlled.
Compilation Process
Traefik Hub’s Go binaries are compiled with a toolchain linked to BoringCrypto. This process guarantees that the cryptographic functions use FIPS 140-2 validated primitives.
FIPS Compliance For Traefik Hub Gateway: Overview
The following table provides an overview of the key features in our product and their compliance status with FIPS 140-2:
Feature | Note |
---|---|
TLS Implementation | Default TLS configuration is already FIPS compliant. Only validated ciphers are used and TLS 1.3 is turned off. |
Basic/Digest Auth Middleware | To be FIPS compliant, you need to use only BCrypt for the hashed password. |
API Key Middleware | In FIPS mode, md5 and sha are turned off. |
JWT Authentication | In FIPS mode, only validated algorithms (`alg`) are accepted. |
HMAC Middleware | In FIPS mode, sha1 is turned off. |
OPA Integration | When using Open Policy Agent, it is your responsibility to ensure that any OPA components or dependencies you use comply with FIPS requirements. Our product does not enforce FIPS compliance at this level, but you should verify that your usage aligns with your security needs. |
Plugins | When using plugins, it is your responsibility to ensure that any plugins you use comply with FIPS requirements. Our product does not enforce FIPS compliance at this level, but you should verify that your usage aligns with your security needs. |
QUIC/HTTP3 Support | In FIPS mode, HTTP3 is turned off. |
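
The Basic/Digest Auth row above leaves the bcrypt requirement to you. The following added example (not Traefik Hub code) scans an htpasswd-style `user:hash` list and reports every entry whose hash is not bcrypt. It assumes the standard htpasswd prefixes (`$2a$`/`$2b$`/`$2y$` for bcrypt, `$apr1$` for MD5, `{SHA}` for SHA-1); `AuditUsers`, `Finding` and the sample users are names and data constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one users-list entry whose hash is not bcrypt.
type Finding struct{ Line int; User, Scheme string }

// Hash prefixes written by htpasswd (assumed format); they do not overlap.
var prefixes = map[string]string{
	"$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
	"$apr1$": "md5-apr1", "{SHA}": "sha1",
}

// AuditUsers returns every "user:hash" line whose hash is not bcrypt.
func AuditUsers(users string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(users))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank lines and comments still count toward n
		}
		user, hash, _ := strings.Cut(line, ":")
		s := "unknown" // also covers lines with no ":" separator
		for p, name := range prefixes {
			if strings.HasPrefix(hash, p) {
				s = name
			}
		}
		if s != "bcrypt" {
			out = append(out, Finding{n, user, s})
		}
	}
	return out
}

// Constructed sample; hash bodies are placeholders, not real digests.
const sampleUsers = `# constructed users list
alice:$2y$10$PLACEHOLDERplaceholderPLACEHOLDERplaceholder
bob:$apr1$PLACEHLD$placeholderplaceholder
carol:{SHA}placeholderplaceholder=`

func main() {
	fmt.Printf("%+v\n", AuditUsers(sampleUsers))
}
```

The check classifies by prefix only, so it flags entries to re-hash with bcrypt but does not validate that a bcrypt string is well formed.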
Additional Information
For more details on configuring FIPS compliance in your Traefik Hub installation, refer to our FIPS compliant installation guide. If you have any questions about these settings, please consult our sales team.
Related Content
- Learn how to deploy Traefik Hub with FIPS 140-2 compliance on Kubernetes
- Learn how to deploy Traefik Hub with FIPS 140-2 compliance on Nomad