Kong Gateway provides support for the Federal Information Processing Standard (FIPS 140-2). Compliance with this standard is typically required for working with U.S. federal government agencies and their contractors.
Kong Gateway offers a FIPS package. The package replaces the primary library in Kong Gateway, OpenSSL, with BoringSSL, which at its core uses the FIPS 140-2 compliant BoringCrypto for cryptographic operations.
Kong Gateway uses BoringSSL algorithms in all core components when configured.
Kong Gateway and the Kong Gateway FIPS package are not FIPS-validated or certified.
Install the Kong Gateway FIPS package
The only supported Kong Gateway distribution is based on Ubuntu 20.04 and can be installed with the package distinctively named
To install the Kong Gateway FIPS package, use:
apt install kong-enterprise-edition-fips
FIPS mode is only supported in Ubuntu 20.04.
To start in FIPS mode, set the following variable to on in the kong.conf configuration file before starting Kong Gateway.
fips = on # fips mode is enabled, causing incompatible ciphers to be disabled
You can also use an environment variable:
Migrating from non-FIPS to FIPS mode and backwards is not supported.
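A pre-start check for the steps above, as an added example that is not part of Kong's documentation or tooling: it confirms that kong.conf has an active fips = on line and that the host is Ubuntu 20.04. The function names are hypothetical, the file paths are passed in by the caller, and only kong.conf is read (an environment variable setting is not considered).

```shell
# Added example: pre-start check for Kong Gateway FIPS mode.
# All function names are hypothetical; both file paths are arguments.

# Print the value of `fips` in a kong.conf-style file, or "unset".
# Skips commented-out lines and strips trailing comments.
# Assumption: if the key appears more than once, the last active line wins.
fips_setting() {
    awk '
        /^[ \t]*#/ { next }                # whole-line comment
        /^[ \t]*fips[ \t]*=/ {
            line = $0
            sub(/#.*/, "", line)           # drop trailing comment
            sub(/^[^=]*=/, "", line)       # keep only the value
            gsub(/[ \t\r]/, "", line)
            value = tolower(line)
        }
        END { print (value == "" ? "unset" : value) }
    ' "$1"
}

# Read one KEY=value field from an os-release file without sourcing it.
os_field() {
    sed -n "s/^$1=//p" "$2" | tr -d '"' | head -n 1
}

# Succeed only on Ubuntu 20.04, the one platform the page lists as supported.
is_supported_os() {
    [ "$(os_field ID "$1")" = "ubuntu" ] &&
        [ "$(os_field VERSION_ID "$1")" = "20.04" ]
}

# Usage: fips_preflight KONG_CONF OS_RELEASE
# Returns 0 if FIPS mode should come up, 1 if fips is not on, 2 if wrong OS.
fips_preflight() {
    setting=$(fips_setting "$1")
    if [ "$setting" != "on" ]; then
        echo "fips is '$setting' in $1: FIPS mode will not be enabled"
        return 1
    fi
    if ! is_supported_os "$2"; then
        echo "fips = on in $1, but the host is not Ubuntu 20.04"
        return 2
    fi
    echo "fips = on and the host is Ubuntu 20.04"
}
```

Run it before starting Kong Gateway, for example as fips_preflight with the path to your kong.conf and /etc/os-release, and treat a non-zero return as a reason not to start the node.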