In FIPS mode it should behave just like any other FIPS-mode component: use the proper IAM FIPS-mode endpoints, and use a FIPS-approved crypto library and algorithms.
For invocation, mimic the same flag used by teleport, e.g. tbot start --fips.
FIPS flag should:
Ensure compiled with boringcrypto
Ensure generated keys use 2048-bit RSA
When IAM joining, use FIPS-compliant STS endpoints
Restrict TLS protocol version to TLS 1.2
Open questions:
Is there any disadvantage to always building tbot with boringcrypto on platforms where boringcrypto is supported?
If not, why don't we just do that as a first approach?
If there is a reason not to do this, we should build release pipelines for:
FIPS-compliant tbot binary
Docker image containing only the FIPS-compliant tbot.
Is this Enterprise only? At this point, I think building out an Enterprise build of tbot represents a lot of work, and I think most elements of Enterprise can be enforced server-side with tbot anyway, but want to check we are happy with this going into OSS builds.