Document updated on Apr 23, 2024
Docker Container with FIPS-140 Cryptographic Module
NIST (the National Institute of Standards and Technology) published FIPS 140-2 as a security standard for the cryptographic modules that U.S. federal agencies must use. Other sectors and industries have since taken an interest and started to follow the same standard.
Although KrakenD's stateless design means it does not store customer data, it still offers a binary compiled with the BoringCrypto encryption module, a FIPS 140-2 validated encryption module (certified until September 21, 2026), to protect customers' data in transit.
The main benefit of the FIPS image is helping in regulatory compliance, as the cryptography used by KrakenD meets the requirements of industries regulated by government standards, ensuring that cryptographic security requirements are not only met but are officially recognized.
With the FIPS build, KrakenD enables encryption between users and upstream services using FIPS 140-2 validated encryption. Note that the Cryptographic Module Validation Program (CMVP) validates only the cryptography used by KrakenD. You must still integrate a FIPS-validated cryptographic module yourself to secure your data at rest, and use TLS properly end to end.
The most common industries mandated to follow strict cryptographic standards due to the sensitivity of the information they handle are:
- Government and defense: Entities that deal with national security data.
- Healthcare: Organizations handling protected health information (PHI) that must comply with HIPAA requirements.
- Financial services: Financial institutions that must secure customer data and comply with regulations like the Sarbanes-Oxley Act (SOX) or Gramm–Leach–Bliley Act (GLBA).
- Technology and cloud: Providers that need to ensure data protection for their clients across different jurisdictions.
FIPS Docker container
The following images are available to start using the KrakenD Docker container with the FIPS-140 compliant cryptographic module.
| Equivalent Standard Container | FIPS container |
|---|---|
| krakend/krakend-ee:latest | krakend/krakend-ee:fips |
| krakend/krakend-ee:2 | krakend/krakend-ee:2-fips |
| krakend/krakend-ee:2.7.6 | krakend/krakend-ee:fips-2.7.6 |
| krakend/krakend-ee:2.7 | krakend/krakend-ee:fips-2.7 |
The FIPS container has no functional or operational difference from the standard container krakend/krakend-ee:2.7.
For your convenience, all images are hosted on Docker Hub, but you should store them in your own registry.
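One way to check in CI that deployment files reference a FIPS tag from your own registry rather than a standard image or Docker Hub directly. This is an added example, not KrakenD's own tooling: the `check_image_refs` function and the `registry.example.internal` mirror host are assumptions, and the accepted tag patterns are taken from the image table above.

```shell
#!/bin/sh
# Added example (not KrakenD tooling). MIRROR is an assumed internal
# registry host; replace it with the registry you mirror the images to.
MIRROR="${MIRROR:-registry.example.internal}"

# check_image_refs FILE...
# Prints one line per violation; returns 1 if any violation was found.
check_image_refs() {
    awk -v mirror="$MIRROR" '
    function report(why, ref) {
        printf "%s:%d: %s: %s\n", FILENAME, FNR, why, ref; bad++
    }
    function check(ref,    name, tag, prefix) {
        name = ref
        sub("@.*", "", name)                      # drop any @sha256 digest
        tag = name
        if (sub("^.*krakend-ee:", "", tag) == 0)  # no tag: Docker assumes latest
            tag = "latest"
        # FIPS tags listed on the page: fips, 2-fips, fips-2.7, fips-2.7.6
        if (tag != "fips" && tag !~ /^fips-/ && tag !~ /-fips$/)
            report("non-FIPS tag \"" tag "\"", ref)
        prefix = name
        sub("krakend/krakend-ee.*", "", prefix)   # registry part of the reference
        if (prefix != (mirror "/"))
            report("not pulled from " mirror, ref)
    }
    {
        line = $0
        re = "[A-Za-z0-9._:/-]*krakend/krakend-ee[A-Za-z0-9._:@-]*"
        while (match(line, re)) {                 # every reference on the line
            check(substr(line, RSTART, RLENGTH))
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { exit (bad > 0) }' "$@"
}

# Constructed sample manifest, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  ok:
    image: registry.example.internal/krakend/krakend-ee:fips-2.7.6
  hub:
    image: krakend/krakend-ee:fips-2.7.6
  std:
    image: registry.example.internal/krakend/krakend-ee:2.7.6
EOF
check_image_refs "$sample" || echo "policy violations found" >&2
rm -f "$sample"
```

Run it over Dockerfiles, Compose files, or Kubernetes manifests; a non-zero exit status can fail the pipeline before a standard image is deployed where the FIPS one is required.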