FIPS 140-3 Compliance
Starting with Go 1.24, Go binaries can natively operate in a mode that facilitates FIPS 140-3 compliance. Moreover, the toolchain can build against frozen versions of the cryptography packages that constitute the Go Cryptographic Module.
FIPS 140-3
NIST FIPS 140-3 is a U.S. Government compliance regime for cryptography applications that amongst other things requires the use of a set of approved algorithms, and the use of CMVP-validated cryptographic modules tested in the target operating environments.
The mechanisms described in this page facilitate compliance for Go applications.
Applications that have no need for FIPS 140-3 compliance can safely ignore them, and should not enable FIPS 140-3 mode.
NOTE: Simply using a FIPS 140-3 compliant and validated cryptographic module may not—on its own—satisfy all relevant regulatory requirements. The Go team cannot provide any guarantees or support around how usage of the provided FIPS 140-3 mode may, or may not, satisfy specific regulatory requirements for individual users. Care should be taken in determining if usage of this module satisfies your specific requirements.
The Go Cryptographic Module
The Go Cryptographic Module is a collection of standard library Go packages
under crypto/internal/fips140/... that implement FIPS 140-3 approved
algorithms.
Public API packages such as crypto/ecdsa and crypto/rand transparently use
the Go Cryptographic Module to implement FIPS 140-3 algorithms.
FIPS 140-3 mode
The run-time fips140 GODEBUG option controls whether the Go
Cryptographic Module operates in FIPS 140-3 mode. It defaults to off. It can’t
be changed after the program has started.
When operating in FIPS 140-3 mode (the fips140 GODEBUG setting is on):
-
The Go Cryptographic Module automatically performs an integrity self-check at
inittime, comparing the checksum of the module’s object file computed at build time with the symbols loaded in memory. -
All algorithms perform known-answer self-tests according to the relevant FIPS 140-3 Implementation Guidance, either at
inittime, or on first use. -
Pairwise consistency tests are performed on generated cryptographic keys. Note that this can cause a slowdown of up to 2x for certain key types, which is especially relevant for ephemeral keys.
-
crypto/rand.Readeris implemented in terms of a NIST SP 800-90A DRBG. To guarantee the same level of security asGODEBUG=fips140=off, random bytes are also sourced from the platform’s CSPRNG at everyReadand mixed into the output as uncredited additional data. -
The
crypto/tlspackage will ignore and not negotiate any protocol version, cipher suite, signature algorithm, or key exchange mechanism that is not FIPS 140-3 approved. -
crypto/rsa.SignPSSwithPSSSaltLengthAutowill cap the length of the salt at the length of the hash.
When GODEBUG=fips140=only is used, in addition to the above, cryptographic
algorithms that are not FIPS 140-3 compliant will return an error or panic. Note
that this mode is a best effort and can’t guarantee compliance with all FIPS
140-3 requirements.
GODEBUG=fips140=on and only are not supported on OpenBSD, Wasm, AIX, and
32-bit Windows platforms.
The crypto/fips140 package
The crypto/fips140.Enabled function reports
whether FIPS 140-3 mode is active.
The GOFIPS140 environment variable
The GOFIPS140 environment variable can be used with go build, go install,
and go test to select the version of the Go Cryptographic Module to be linked
into the executable program.
-
offis the default, and uses thecrypto/internal/fips140/...packages in the standard library tree in use. -
latestis likeoff, but enables FIPS 140-3 mode by default. -
v1.0.0uses Go Cryptographic Module version v1.0.0, frozen in early 2025 and first shipped with Go 1.24. It enables FIPS 140-3 mode by default.
Module Validations
Google currently has a contractual relationship with Geomys to facilitate at least yearly CMVP validations of the Go Cryptographic Module. At the time of validation we will freeze the Go Cryptographic Module and create a new module version for submission.
These validations are tested on a comprehensive set of Operating Environments, supporting many popular operating system and hardware platform combinations.
Off-cycle validations may be performed if security issues are discovered in the module.
Validated Module Versions
List of module versions which have completed CMVP validation:
There are currently no module versions which have completed validation.
In Process Module Versions
List of module versions which are currently in the CMVP Modules In Process List:
- v1.0.0 (CAVP Certificate A6650), Review Pending, available in Go 1.24+
Implementation Under Test Module Versions
List of module versions which are currently in the CMVP Implementation Under Test List:
There are currently no module versions under test.
Go+BoringCrypto
The previous, unsupported mechanism to use the BoringCrypto module for certain FIPS 140-3 approved algorithms is currently still available, but it is meant to be removed and replaced with the mechanism described in this page in a future release.
Go+BoringCrypto is incompatible with the native FIPS 140-3 mode.