LaunchDarkly in environments requiring FIPS 140-3 validated encryption modules

In some customer environments, notably those serving the US government community, there may be compliance requirements to use FIPS 140-3 validated encryption modules. This topic explains how to use LaunchDarkly in environments that require encryption for data in transit using FIPS 140-3 validated encryption modules.

To comply with these requirements, customers must:

Complying with regulatory requirements is the customer's responsibility

Although this topic guides you in meeting your compliance needs, it is up to you document your encryption practices in your SSP and have them reviewed by your auditors, to ensure that they are applicable and sufficient to your particular needs.

SDKs

Because the LaunchDarkly SDKs are bundled into your applications, they should inherit the encryption modules used by your application.

For example, in Golang, you can build your Go (1.24+) code against the native FIPS 140-3 module with GOFIPS140. The Relay Proxy is a great example of such an application, written in Go, using the LaunchDarkly Go SDK.

Relay Proxy

To build the LaunchDarkly Relay Proxy with the native Go FIPS 140-3 module, run:

Shell
$GOFIPS140=v1.0.0 go build .

Use this instead of running make or go build . to build the Relay Proxy with FIPS 140-3 encryption. To run in FIPS 140-3 mode, set GODEBUG=fips140=on in the runtime environment if it is not already enabled by your build settings.

OpenSSL FIPS with Microsoft Go

If your environment requires a platform OpenSSL FIPS provider, build with the Microsoft build of Go using CGO_ENABLED=1 and GOEXPERIMENT=systemcrypto:

Shell
$CGO_ENABLED=1 GOEXPERIMENT=systemcrypto go build .

Ensure the runtime environment provides OpenSSL 3 (libssl3 on Debian-based systems).

Verification

To verify that a Go binary was built with the native FIPS 140-3 module, call go version -m and check the build settings. For example:

Shell
$ $ go version -m ld-relay
$ ...
$ build GOFIPS140=v1.0.0

To verify a binary built with Microsoft Go and OpenSSL, check for microsoft_systemcrypto=1in the build setting:

Shell
$ $ go version -m ld-relay
$ ...
$ build microsoft_systemcrypto=1

You can also examine the symbol table for OpenSSL symbols:

Shell
$$ go tool nm ld-relay | grep _mkcgo_EVP_

If this command returns results and a 0 exit code, then the binary includes the FIPS-validated OpenSSL encryption modules.

Code references

If you are using code references build the ld-find-code-refs binary similarly.