
Document updated on Apr 23, 2024

Docker Container with FIPS-140 Cryptographic Module

The National Institute of Standards and Technology (NIST) released the FIPS 140-2 publication as a security standard for cryptographic modules that U.S. federal agencies must use. It has since gained interest from other sectors and industries, which have started to follow the same standard.

While KrakenD’s stateless design does not handle customer data storage, it still offers a binary compiled using the BoringCrypto encryption module, a FIPS 140-2 validated encryption module (certified until September 21, 2026), to protect customers’ data in transit.

The main benefit of the FIPS image is helping in regulatory compliance, as the cryptography used by KrakenD meets the requirements of industries regulated by government standards, ensuring that cryptographic security requirements are not only met but are officially recognized.

Use standard KrakenD when you have no compliance needs
If your company does not have regulatory needs, we suggest using the standard KrakenD image instead of FIPS. While the non-FIPS standard KrakenD images are very secure, they use the native cryptography modules in the Go language, which provide better performance.

With the implementation of FIPS, KrakenD enables encryption between users and upstream services using FIPS 140-2 validated encryption. Note that the Cryptographic Module Validation Program (CMVP) validates only the cryptography used by KrakenD: you must still integrate a FIPS-validated cryptographic module yourself to secure your data at rest, and use TLS properly end to end.

The most common industries mandated to follow strict cryptographic standards due to the sensitivity of the information they handle are:

  • Government and defense: Entities that deal with national security data.
  • Healthcare: Organizations handling protected health information (PHI) that must comply with HIPAA requirements.
  • Financial services: Financial institutions that must secure customer data and comply with regulations like the Sarbanes-Oxley Act (SOX) or Gramm–Leach–Bliley Act (GLBA).
  • Technology and cloud: Providers that need to ensure data protection for their clients across different jurisdictions.

FIPS Docker container

The following images are available to start using the KrakenD Docker container with the FIPS-140 compliant cryptographic module.

| Equivalent Standard Container | FIPS container |
|---|---|
| krakend/krakend-ee:latest | krakend/krakend-ee:fips |
| krakend/krakend-ee:2 | krakend/krakend-ee:2-fips |
| krakend/krakend-ee:2.7.6 | krakend/krakend-ee:fips-2.7.6 |
| krakend/krakend-ee:2.7 | krakend/krakend-ee:fips-2.7 |

The FIPS container has no functional or operational difference from the standard container krakend/krakend-ee:2.7.

For your convenience, all images are hosted on Docker Hub, but you should store them in your own registry.
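Because the FIPS and standard containers behave identically, a deployment that references a standard tag by mistake will not fail in any visible way. The following is an added example (not part of the KrakenD documentation or tooling): a POSIX shell check for a CI pipeline that flags KrakenD EE image references whose tag is not a FIPS tag. The tag patterns are generalized from the table above, and the sample manifest and registry name are constructed.

```shell
# Added example, not KrakenD tooling. The tag patterns generalize the page's
# table (fips, 2-fips, fips-2.7, fips-2.7.6); treat that as an assumption.
# classify_krakend_image REF -> prints fips | standard | unverifiable | other
classify_krakend_image() {
    ref=$1
    name=${ref%%@*}     # drop an "@sha256:..." digest suffix, if present
    case $name in       # official repository, or a copy under another registry
        krakend/krakend-ee|krakend/krakend-ee:*) ;;
        */krakend/krakend-ee|*/krakend/krakend-ee:*) ;;
        *) echo other; return 0 ;;
    esac
    last=${name##*/}    # "krakend-ee" or "krakend-ee:<tag>"
    case $last in *:*) tag=${last#*:} ;; *) tag= ;; esac
    if [ -z "$tag" ]; then
        # Digest-only refs cannot be judged by name; a bare name means :latest.
        case $ref in *@*) echo unverifiable ;; *) echo standard ;; esac
        return 0
    fi
    case $tag in
        fips|fips-[0-9]*|[0-9]*-fips) echo fips ;;
        *) echo standard ;;
    esac
}

# check_images: reads manifest text on stdin, prints each KrakenD EE image that
# is not provably a FIPS build, and returns 1 if it printed any.
check_images() {
    bad=0
    while IFS= read -r line; do
        case $line in *image:*) ;; *) continue ;; esac
        img=$(printf '%s\n' "$line" | sed -e 's/.*image:[[:space:]]*//' \
            -e 's/[[:space:]]*#.*$//' -e "s/[\"']//g")
        kind=$(classify_krakend_image "$img")
        case $kind in
            standard|unverifiable) printf '%s %s\n' "$kind" "$img"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample input (registry name is hypothetical).
sample_manifest() {
    cat <<'EOF'
  - image: krakend/krakend-ee:fips-2.7.6
  - image: "registry.example.internal:5000/krakend/krakend-ee:2.7"  # standard
  - image: nginx:1.25
EOF
}
sample_manifest | check_images || echo "non-FIPS KrakenD EE image referenced"
```

A reference pinned only by digest is reported as unverifiable because the tag is the only place the FIPS variant is visible in the name; keep the tag alongside the digest if you pin.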

Important differences with the default Docker image
The FIPS container is based on the Debian operating system while the standard KrakenD image is based on Alpine. If you are using custom Go plugins, they must be compiled using the linux-generic builder.