Utilize FIPS-validated cryptographic modules #4145
[aws (s3), splunk, tenable] = load data areas, [github, okta, oidc, 'passport', etc] = log in, [axios, sequelize] = calls between db+backend+frontend, [operating system, docker, nodejs, browser, db, nginx] = deployment environment, [bcrypt] = password/api key generation

What is the request? Is it 'FIPS enabled Heimdall' or is it 'FIPS enabled deployment of Heimdall'?

Going to need to figure out how to a) run Postgres in FIPS compliant mode and b) use libraries that can interface with it while FIPS compliant. OR we're gonna need to swap out DBs entirely.
All encryption must be accomplished utilizing FIPS 140-2 compliant modules.
References: Application Security and Development Security Technical Implementation Guide :: Version 5, Release: 2 Benchmark Date: 27 Oct 2022
Heimdall Server uses bcryptjs for encryption/hashing, which at this time is NOT FIPS 140-2 compliant.
The bcryptjs npm module is used to generate an encryption key. It makes use of a cryptographic salt to ensure keys and passwords are uniquely encrypted. In the browser, bcrypt.js relies on the Web Crypto API's getRandomValues interface to obtain secure random numbers.
Build Heimdall on a host OS that has FIPS turned on (Ubuntu with FIPS enabled) - look at ubuntu advanced from AWS or Canonical - reference https://canonical.com/blog/how-to-develop-linux-applications-for-fips-on-ubuntu. Create a development machine with FIPS enabled. Example: https://github.com/valentincanonical/ubuntu-ua-fips-nginx-example
Replace or conditionally use the bcrypt library
Create a process to configure FIPS in Heimdall so it can be run with or without FIPS enabled