You are browsing documentation for an outdated version. See the latest documentation here.

FIPS 140-2

The Federal Information Processing Standard (FIPS) 140-2 is a federal standard defined by the National Institute of Standards and Technology. It specifies the security requirements that must be satisfied by a cryptographic module. The FIPS Kong Gateway package is FIPS 140-2 compliant. Compliance means that the software has met all of the rules of FIPS 140-2, but has not been submitted to a NIST testing lab for validation.

Kong Enterprise provides a FIPS 140-2 compliant package for Ubuntu 20.04 . This package provides compliance for the core Kong Gateway product .

The package replaces the primary library in Kong Gateway, OpenSSL, with BoringSSL, which at its core uses the FIPS 140-2 validated BoringCrypto for cryptographic operations.

Installing the Kong Gateway FIPS compliant Ubuntu package

The FIPS compliant Ubuntu 20.04 and Ubuntu 22.04 packages can be installed using the package distinctively named kong-enterprise-edition-fips. To install the package follow these instructions:

Set up the Kong APT repository:

 curl -1sLf "https://packages.konghq.com/public/gateway-30/gpg..key" |  gpg --dearmor >> /usr/share/keyrings/kong-gateway-30-archive-keyring.gpg
 curl -1sLf "https://packages.konghq.com/public/gateway-30/config.deb.txt?distro=ubuntu&codename=$(lsb_release -sc)" > /etc/apt/sources.list.d/kong-gateway-30.list

Update the repository:
```
 sudo apt-get update
```

Install the Kong Gateway FIPS package:

 apt install kong-enterprise-edition-fips

Configure FIPS

To start in FIPS mode, set the following variable to on in the kong.conf configuration file before starting Kong Gateway.

fips = on # fips mode is enabled, causing incompatible ciphers to be disabled

You can also use an environment variable:

export KONG_FIPS=on

Migrating from non-FIPS to FIPS mode and backwards is not supported.