LaunchDarkly in environments requiring FIPS 140-3 validated encryption modules
LaunchDarkly in environments requiring FIPS 140-3 validated encryption modules
In some customer environments, notably those serving the US government community, there may be compliance requirements to use FIPS 140-3 validated encryption modules. This topic explains how to use LaunchDarkly in environments that require encryption for data in transit using FIPS 140-3 validated encryption modules.
To comply with these requirements, customers must:
- Use the LaunchDarkly federal environment.
- Use FIPS 140-3 validated encryption modules for any data transmission. For Golang applications, Go 1.24+ includes a native FIPS 140-3 cryptographic module in the standard library. Alternatively, you can build with the Microsoft build of Go, which uses platform-provided cryptographic libraries such as OpenSSL with a FIPS-validated provider.
Complying with regulatory requirements is the customer's responsibility
Although this topic guides you in meeting your compliance needs, it is up to you document your encryption practices in your SSP and have them reviewed by your auditors, to ensure that they are applicable and sufficient to your particular needs.
SDKs
Because the LaunchDarkly SDKs are bundled into your applications, they should inherit the encryption modules used by your application.
For example, in Golang, you can build your Go (1.24+) code against the native FIPS 140-3 module with GOFIPS140. The Relay Proxy is a great example of such an application, written in Go, using the LaunchDarkly Go SDK.
Relay Proxy
To build the LaunchDarkly Relay Proxy with the native Go FIPS 140-3 module, run:
Use this instead of running make or go build . to build the Relay Proxy with FIPS 140-3 encryption. To run in FIPS 140-3 mode, set GODEBUG=fips140=on in the runtime environment if it is not already enabled by your build settings.
OpenSSL FIPS with Microsoft Go
If your environment requires a platform OpenSSL FIPS provider, build with the Microsoft build of Go using CGO_ENABLED=1 and GOEXPERIMENT=systemcrypto:
Ensure the runtime environment provides OpenSSL 3 (libssl3 on Debian-based systems).
Verification
To verify that a Go binary was built with the native FIPS 140-3 module, call go version -m and check the build settings. For example:
To verify a binary built with Microsoft Go and OpenSSL, check for microsoft_systemcrypto=1in the build setting:
You can also examine the symbol table for OpenSSL symbols:
If this command returns results and a 0 exit code, then the binary includes the FIPS-validated OpenSSL encryption modules.
Code references
If you are using code references build the ld-find-code-refs binary similarly.