Merge master into custom-go-auth

buger · web-flow · commit c268150f1c37 · 2025-09-25T13:41:48.000+03:00
diff --git a/tyk-docs/content/developer-support/release-types/fips-release.md b/tyk-docs/content/developer-support/release-types/fips-release.md
@@ -1,105 +1,93 @@
 ---
-title: "FIPS Tyk Release"
+title: "Tyk FIPS Policy"
 date: 2024-07-25
 tags: ["FAQ", "FIPS Releases", "Special Release - FIPS"]
 description: "Explain what FIPS Release means, what it includes, and what to expect"
 aliases:
   - /developer-support/special-releases-and-features/fips-release
 ---
 
-The Federal Information Processing Standards (FIPS) are a series of cryptography and hashing standards defined by the U.S.
-Federal Government's National Institute of Standards and Technology (NIST). These standards are crucial for organizations dealing with sensitive
-government data and are widely recognized as a benchmark for security in various regulated industries.
+## What is FIPS
 
-FIPS compliance is important for industries such as:
-- Government and military
-- Healthcare
-- Finance
-- Critical infrastructure
+The [Federal Information Processing Standards](https://csrc.nist.gov/glossary/term/federal_information_processing_standard) (FIPS) are U.S. government standards for cryptographic modules, defined by the [National Institute of Standards and Technology](https://www.nist.gov) (NIST).
 
-### Importance of FIPS Compliance in API Management
+The most relevant standard for API management is **[FIPS 140-2](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf)**, which specifies how cryptographic modules must be designed and validated.
 
-FIPS compliance is particularly important in API management for several reasons:
+FIPS compliance is often required for organizations in:
 
-1. **Security of Data in Transit:** API management often involves handling sensitive data as it moves between clients
-and backend services. FIPS compliance ensures that this data is encrypted using approved, robust cryptographic
-algorithms.
-2. **Authentication and Authorization:** API gateways typically handle user authentication and authorization.
-FIPS-compliant cryptographic modules ensure these processes are performed securely, using approved methods for key
-generation, storage, and cryptographic operations.
-3. **Regulatory Compliance:** For organizations working with U.S. government agencies or in regulated industries, using
-a FIPS-compliant API management solution can be a requirement to meet regulatory standards.
-4. **Key Management:** API keys and other secrets used in API management need to be securely generated, stored, and
-managed. FIPS provides standards for these cryptographic operations.
-5. **SSL/TLS Implementation:** API gateways often terminate SSL/TLS connections. FIPS compliance ensures that these
-connections use approved protocols and cipher suites.
-6. **Logging and Auditing:** FIPS compliance can extend to how API activity logs are stored and protected, which is a
-crucial part of API management.
-7. **Plugin and Extension Security:** For API management platforms that support plugins or extensions, FIPS compliance
-ensures that any cryptographic operations performed by these components also adhere to the required standards.
-8. **Identity Federation:** When API management platforms integrate with identity providers, FIPS compliance ensures
-that the cryptographic aspects of these integrations meet federal standards.
+* Government and defense
+* Healthcare and life sciences
+* Financial services
+* Critical infrastructure
 
-### FIPS 140-2 Overview
+For API management, FIPS matters because it ensures:
 
-[FIPS 140-2](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf) is a specific standard within the FIPS
-framework that focuses on the security of cryptographic modules. It defines four levels of security, from Level 1
-(lowest) to Level 4 (highest), each building upon the security requirements of the previous level. These levels cover
-a wide range of potential applications and environments in which cryptographic modules may be employed. A cryptographic
-module, as defined by FIPS 140-2, is a set of hardware, software, firmware, or some combination thereof that implements
-cryptographic functions or processes, including cryptographic algorithms and optional key generation, and is contained
-within a defined cryptographic boundary.
+* **Secure data in transit**: only strong, approved algorithms are used.
 
-FIPS 140-2 validation is performed by accredited [Cryptographic and Security Testing](https://csrc.nist.rip/Projects/cryptographic-module-validation-program/Standards#:~:text=FIPS%20140%2D2%20(effective%2015%2DNov%2D2001)&text=NVLAP%20accredited%20Cryptographic%20and%20Security,for%20Cryptographic%20Modules%20%5B%20PDF%20%5D.)
-(CST) laboratories. The validation covers various aspects of the cryptographic module, including Electromagnetic
-Interference/Electromagnetic Compatibility (EMI/EMC), Cryptographic Module Specification, and mitigation of Other Attacks.
+* **Robust authentication & key management**: cryptographic operations like token signing and API key hashing are performed using validated methods.
 
-### Tyk's FIPS Compliance
+* **Regulatory alignment**: supports compliance where FIPS 140-2 is mandated.
 
-We are pleased to announce that Tyk Gateway and Pump offer a FIPS compliant package (together, the *"FIPS Tyk
-Product”*).
+## Tyk’s FIPS Offering
 
-The *FIPS Tyk Product* has not been submitted to a [NIST](https://www.nist.gov/federal-information-processing-standards-fips) testing lab for validation.
+Tyk provides a **FIPS-compliant package** of the Tyk Gateway (Enterprise Edition) and Tyk Pump (together, the *FIPS Tyk Product*). Please note that the FIPS Tyk Product has not been submitted to a [NIST](https://www.nist.gov/federal-information-processing-standards-fips) testing lab for validation and Tyk is not FIPS certified.. 
 
-*FIPS compliance* means that the *FIPS Tyk Product* only uses FIPS 140-2 approved cryptographic [algorithms]({{< ref "#fips-compliant-cryptographic-operations" >}})
-while running in FIPS mode. This compliance applies only to specific Tyk-built packages or Docker images of the *FIPS Tyk Product*.
-These packages and images are not publicly accessible. Please speak to your assigned account manager for more information.
+**FIPS-compliant** means that the FIPS Tyk Product only uses FIPS 140-2 approved cryptographic algorithms (see below) when running in FIPS mode. This is only available to specific Tyk-built packages or Docker images of the FIPS Tyk Product. These packages and images are not publicly accessible.
 
-{{< note success >}}
-**Note**  
+* The FIPS Tyk Product uses the **[BoringCrypto module](https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md#fips-140_2)**, enabling only FIPS 140-2 approved algorithms when run in FIPS mode.
 
-Use of the <i>FIPS Tyk Product</i> is conditional on the user accepting any specific terms and conditions
-applicable to this feature and a paid license. Please contact your account manager if you would like further information.
-{{< /note >}}
+* These packages are distributed separately, identifiable by the `-fips` suffix (e.g., `tyk-gateway-fips`, `tyk-pump-fips`).
 
-#### FIPS Compliant Cryptographic Operations
+* The FIPS Tyk Product is available for selected enterprise-supported Linux distributions. Please [contact](https://tyk.io/contact/) your account manager for details.
 
-The *FIPS Tyk Product* uses the [BoringCrypto](https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md#fips-140_2) module to provide FIPS 140-2 validated cryptographic operations. This ensures that when running in FIPS mode, only FIPS 140-2 approved algorithms are used.
+* The FIPS Tyk Product **has not been submitted to a NIST testing lab**. It is therefore *FIPS-compliant*, as per the above definition, and is not *FIPS-certified*.
 
-For more details on the cryptographic operations supported in Tyk's FIPS-compliant mode, please contact your Tyk account manager.
+* Compliance applies only to the binaries we ship as part of the FIPS Tyk Product only, not to the entire system or deployment environment or otherwise. Customers remain responsible for ensuring compliance with their overall deployment.
 
-### Configuring Tyk for FIPS Compliance
+## Configuring Tyk for FIPS Mode
 
-The *FIPS Tyk Product* packages are identifiable by the `-fips` suffix. E.g. `tyk-gateway-fips` or `tyk-pump-fips`.
+When running the FIPS Tyk Product in the Tyk Gateway, you must set the key hashing algorithm to SHA-256:
 
-The only change to configuration, when using the *FIPS Tyk Product*, is to set your key hashing algorithm to SHA256 either by setting `hash_key_function` in your Gateway configuration file (`tyk.conf`) or the `TYK_GW_HASHKEYFUNCTION` environment variable to the value: `sha256`.
+In `tyk.conf`:
 
-### Frequently Asked Questions
+ `"hash_key_function": "sha256"`  
+Or via environment variable:
 
-Q: What level of FIPS 140-2 compliance does Tyk support?
+ `TYK_GW_HASHKEYFUNCTION=sha256` 
 
-A: Tyk provides FIPS 140-2 compliance, ensuring the use of approved algorithms in FIPS mode.
+When using FIPS mode for Tyk Pump, you do not need to set this algorithm. 
 
-Q: Can I use Tyk in FIPS mode in the Tyk Cloud environment?
+## Important Note
 
-A: Yes but only for hybrid gateways deployed on your premises and connecting to the Tyk Cloud control plane.
+Use of the FIPS Tyk Product is conditional upon:
 
-Q: Does FIPS mode affect Tyk's performance?
+* A paid enterprise license agreement.
+* Acceptance of any additional terms specific to FIPS releases.
 
-A: There should be no material impact on performance from the use of FIPS mode.
+Please speak with your [Tyk account manager](https://tyk.io/contact/) for more information.
 
-### Additional Resources
+## FAQ
 
-- [Official NIST FIPS 140-2 documentation](https://csrc.nist.gov/publications/detail/fips/140/2/final)
+<details> <summary><b>What level of FIPS 140-2 compliance does Tyk support?</b></summary>
 
-For more information on FIPS compliance in Tyk, please contact your account manager or {{< button_left href="https://tyk.io/contact/" color="green" content="Contact us" >}}.
+Tyk provides compliance by ensuring that in FIPS mode, only FIPS 140-2 approved algorithms are used. The Tyk FIPS Product is not FIPS-certified.
+
+</details> 
+
+<details> <summary><b>Can I use Tyk in FIPS mode in the Tyk Cloud environment?</b></summary>
+
+Yes, on the data plane with hybrid gateways using the Tyk FIPS product deployed on your premises that connect to the Tyk Cloud control plane.
+
+</details> 
+
+<details> <summary><b>Does FIPS mode affect performance?</b></summary>
+
+There is no expected impact on performance.
+
+</details> 
+
+<details> <summary><b>Are all Tyk components FIPS-compliant?</b></summary>
+
+Compliance applies only to the specific FIPS Tyk Product binaries. Other components, plugins, and integrations must be reviewed separately by customers for compliance. The Tyk FIPS Product is provided in certain Linux distributions. Docker images are also available containing these binaries, however Tyk does not claim FIPS compliance at the image level, only the binaries.
+
+</details> 
