| author | Chris Lu <chrislusf@users.noreply.github.com> | 2025-12-01 12:17:58 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-12-01 12:17:58 -0800 |
| commit | caca3bf427232cc608530e5e44cdc7794caf38bf (patch) | |
| tree | e5a696a93059f50c60ddbcfa7068a1df7542015a /docker/entrypoint.sh | |
| parent | ab222709e3012912f585ab332ba76a4ffcd12008 (diff) | |
| download | seaweedfs-caca3bf427232cc608530e5e44cdc7794caf38bf.tar.xz seaweedfs-caca3bf427232cc608530e5e44cdc7794caf38bf.zip | |
Enable FIPS 140-3 compliant crypto by default (#7590)
* Enable FIPS 140-3 compliant crypto by default
Addresses #6889
- Enable GOEXPERIMENT=systemcrypto by default in all Makefiles
- Enable GOEXPERIMENT=systemcrypto by default in all Dockerfiles
- Go 1.24+ has native FIPS 140-3 support via this setting
- Users can disable by setting GOEXPERIMENT= (empty)
Algorithms used (all FIPS approved):
- AES-256-GCM for data encryption
- AES-256-CTR for SSE-C
- HMAC-SHA256 for S3 signatures
- TLS 1.2/1.3 for transport encryption
* Fix: Remove invalid GOEXPERIMENT=systemcrypto
Go 1.24 uses GODEBUG=fips140=on at runtime, not GOEXPERIMENT at build time.
- Remove GOEXPERIMENT=systemcrypto from all Makefiles
- Remove GOEXPERIMENT=systemcrypto from all Dockerfiles
FIPS 140-3 mode can be enabled at runtime:
GODEBUG=fips140=on ./weed server ...
* Add FIPS 140-3 support enabled by default
Addresses #6889
- FIPS 140-3 mode is ON by default in Docker containers
- Sets GODEBUG=fips140=on via entrypoint.sh
- To disable: docker run -e GODEBUG=fips140=off ...
Diffstat (limited to 'docker/entrypoint.sh')
| -rwxr-xr-x | docker/entrypoint.sh | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index afbc5ef6e..822f2fa6e 100755 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -1,5 +1,9 @@ #!/bin/sh +# Enable FIPS 140-3 mode by default (Go 1.24+) +# To disable: docker run -e GODEBUG=fips140=off ... +export GODEBUG="${GODEBUG:+$GODEBUG,}fips140=on" + # Fix permissions for mounted volumes # If /data is mounted from host, it might have different ownership # Fix this by ensuring seaweed user owns the directory |
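Review bot: the documented opt-out in this hunk does not remove the setting. The added line `export GODEBUG="${GODEBUG:+$GODEBUG,}fips140=on"` unconditionally appends `fips140=on`, so the disable command given in the comment, `docker run -e GODEBUG=fips140=off ...`, produces `GODEBUG=fips140=off,fips140=on`, with both values present and the outcome depending on how the Go runtime resolves a key listed twice. Since the hunk is in a `#!/bin/sh` script, an explicit check keeps the opt-out unambiguous, for example: `case "$GODEBUG" in *fips140=*) ;; *) export GODEBUG="${GODEBUG:+$GODEBUG,}fips140=on" ;; esac`, which only appends the default when the caller has not already set `fips140=` themselves, and matches what the comment promises.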
