
Machine ID: FIPS support #22448

Closed
klizhentas opened this issue Mar 1, 2023 · 2 comments · Fixed by #23563
Assignees
Labels
feature-request Used for new features in Teleport, improvements to current should be #enhancements machine-id

Comments

@klizhentas
Contributor

In FIPS mode it should behave just like any other FIPS-mode component, use proper IAM FIPS mode endpoints, use FIPS-approved crypto library and algorithms.

@klizhentas klizhentas added feature-request Used for new features in Teleport, improvements to current should be #enhancements machine-id labels Mar 1, 2023
@strideynet
Contributor

strideynet commented Mar 1, 2023

Action Plan

For invocation, mimic the same flag used by teleport, e.g. tbot start --fips.

FIPS flag should:

  • Ensure compiled with boringcrypto
  • Ensure generated keys use 2048-bit RSA
  • When IAM joining, use FIPS compliant STS endpoints
  • Restrict TLS protocol version to TLS 1.2

Open questions:

  • Is there any disadvantage to always building tbot with boringcrypto on platforms where boringcrypto is supported?
    • If not, why don't we just do that as a first approach?
    • If there is a reason not to do this, we should build release pipelines for:
      • FIPS compliant tbot binary
      • Docker image containing only the FIPS compliant tbot.
  • Is this Enterprise only? - At this point, I think building out an Enterprise build of tbot represents a lot of work, and I think most elements of Enterprise can be enforced server-side with tbot anyway, but want to check we are happy with this going into OSS builds.

Resources:

@strideynet strideynet changed the title Machine ID tbot should support FIPS mode. Machine ID: FIPS support Mar 22, 2023
@strideynet
Contributor

strideynet commented Mar 24, 2023

Related ticket questioning if --fips flag is necessary with a FIPS binary #15328

3 participants