Open
Labels
enhancement, security
Summary
Implement FIPS-compliant encryption modes for customers in regulated environments (UK government, US federal, defence, healthcare).
Background
Issue #171 implemented credential encryption using ASP.NET Core Data Protection with AES-256-GCM (FIPS-approved algorithm). This issue tracks additional work needed for full FIPS compliance.
Requirements
From Issue #171 (Deferred)
- Support FIPS-compliant encryption modes
- Use only FIPS-approved algorithms when FIPS mode is enabled
- Detect and respect OS-level FIPS mode settings
- Document FIPS-compliant configuration options
- BYOK (Bring Your Own Key) support via file
Additional Considerations
- HSM (Hardware Security Module) integration for key storage
- Azure Key Vault / AWS KMS integration options
- FIPS testing matrix across platforms (Windows with FIPS policy, Linux with OpenSSL FIPS module)
- Documentation for customers requiring FIPS compliance
Technical Notes
Current implementation uses:
- AES-256-GCM (NIST-approved, FIPS-compliant algorithm)
- Windows CNG (FIPS-validated) or Linux OpenSSL providers
- File-based key storage with restricted permissions
For full FIPS compliance, may need:
- Check CryptoConfig.AllowOnlyFipsAlgorithms at runtime
- Custom IXmlRepository for HSM key storage
- FIPS mode documentation and configuration guidance
References
- UK NCSC Guidance: https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance/b-3-data-security
- NIST SP 800-57: https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final
- CISA Secure by Design: https://www.cisa.gov/securebydesign
- Parent issue: Encrypt connector credential passwords at rest #171
🤖 Generated with Claude Code
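One way to cover the "detect and respect OS-level FIPS mode settings" requirement, as an added example that is not code from this project. It assumes .NET 6 or later; the class name `FipsModeDetector` is hypothetical. On .NET Core and .NET 5+, `CryptoConfig.AllowOnlyFipsAlgorithms` always returns false, so the sketch reads the OS settings directly and only logs the property for comparison.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.Win32;

// Hypothetical helper (not from the project): reports whether the OS is in FIPS mode.
public static class FipsModeDetector
{
    // Linux kernel flag: contains "1" when the kernel was booted with fips=1.
    private const string LinuxFlagPath = "/proc/sys/crypto/fips_enabled";

    // Windows policy "System cryptography: Use FIPS compliant algorithms ...".
    private const string WindowsPolicyKey =
        @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy";

    public static bool IsOsFipsModeEnabled()
    {
        if (OperatingSystem.IsWindows())
        {
            // "Enabled" is a DWORD; a missing key or value means the policy is off.
            return Registry.GetValue(WindowsPolicyKey, "Enabled", 0) is int v && v != 0;
        }
        if (OperatingSystem.IsLinux())
        {
            return File.Exists(LinuxFlagPath)
                && File.ReadAllText(LinuxFlagPath).Trim() == "1";
        }
        return false; // no OS-level FIPS switch handled for other platforms
    }
}

public static class Program
{
    public static void Main()
    {
        bool osFips = FipsModeDetector.IsOsFipsModeEnabled();
        Console.WriteLine($"OS FIPS mode enabled: {osFips}");
        Console.WriteLine(
            $"CryptoConfig.AllowOnlyFipsAlgorithms: {CryptoConfig.AllowOnlyFipsAlgorithms}");

        // Fail closed at startup: in FIPS mode the AES-GCM primitive must be available.
        if (osFips && !AesGcm.IsSupported)
            throw new PlatformNotSupportedException(
                "OS FIPS mode is enabled but AES-GCM is not available on this platform.");
    }
}
```

Detecting the OS setting does not by itself show that the underlying provider is a validated module; that still depends on the Windows CNG or OpenSSL FIPS configuration listed in the testing matrix above.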