lsm/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2026-02-09 09:17:28 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
Page: Cryptography and FIPS Compliance
Pages
AWS CLI with SeaweedFS AWS IAM CLI Actual Users Admin UI Amazon IAM API Amazon S3 API Applications Async Backup Async Filer Metadata Backup Async Replication to Cloud Async Replication to another Filer Benchmark SeaweedFS as a GlusterFS replacement Benchmarks from jinleileiking Benchmarks Cache Remote Storage Choosing a Filer Store Client Libraries Cloud Drive Architecture Cloud Drive Benefits Cloud Drive Quick Setup Cloud Monitoring Cloud Tier Components Configure Remote Storage Cryptography and FIPS Compliance Customize Filer Store Data Backup Data Structure for Large Files Deployment to Kubernetes and Minikube Directories and Files Docker Compose for S3 Docker Image Registry with SeaweedFS Environment Variables Erasure Coding for warm storage Error reporting to sentry FAQ FIO benchmark FUSE Mount Failover Master Server File Operations Quick Reference Filer Active Active cross cluster continuous synchronization Filer Cassandra Setup Filer Change Data Capture Filer Commands and Operations Filer Data Encryption Filer JWT Use Filer Metadata Events Filer Notification Webhook Filer Redis Setup Filer Server API Filer Setup Filer Store Replication Filer Stores Filer as a Key Large Value Store Gateway to Remote Object Storage Getting Started HDFS via S3 connector Hadoop Benchmark Hadoop Compatible File System Hardware Hobbyest Tinkerer scale on premises tutorial Home Independent Benchmarks Kafka to Kafka Gateway to SMQ to SQL Kubernetes Backups and Recovery with K8up Large File Handling Load Command Line Options from a file Master Server API Migrate to Filer Store Mount Remote Storage OIDC Integration Optimization Path Specific Configuration Path Specific Filer Store PostgreSQL compatible Server weed db Production Setup Pub Sub to SMQ to SQL Quick Start with weed mini Replication Run Blob Storage on Public Internet Run Presto on SeaweedFS S3 API Audit log S3 API Benchmark S3 API FAQ S3 Bucket Quota S3 CORS S3 Conditional Operations S3 Configuration S3 Credentials S3 Nginx Proxy S3 Object Lock and Retention S3 Object Versioning S3 Policy Variables S3 Rate Limiting S3 Table Bucket Commands S3 Table Bucket SQL Queries on Message Queue SQL Quick Reference SRV Service Discovery Seaweed Message Queue SeaweedFS Java Client SeaweedFS in Docker Swarm Security Configuration Security Overview Server Side Encryption SSE C Server Side Encryption SSE KMS Server Side Encryption Server Startup via Systemd Store file with a Time To Live Structured Data Lake with SMQ and SQL Super Large Directories System Metrics TUS Resumable Uploads TensorFlow with SeaweedFS Tiered Storage UrBackup with SeaweedFS Use Cases Volume Files Structure Volume Management Volume Server API WebDAV Words from SeaweedFS Users Worker fstab nodejs with Seaweed S3 rclone with SeaweedFS restic with SeaweedFS run HBase on SeaweedFS run Spark on SeaweedFS s3cmd with SeaweedFS weed shell
Clone
2
Cryptography and FIPS Compliance
Chris Lu edited this page 2026-01-29 19:24:42 -08:00
Table of Contents

Cryptography and FIPS Compliance

This document describes the cryptographic algorithms used in SeaweedFS and provides guidance for FIPS 140-3 compliance.

Overview

SeaweedFS uses Go's standard library cryptographic packages (crypto/*) for all encryption operations. All algorithms used are FIPS-approved algorithms. Starting with Go 1.24, native FIPS 140-3 mode can be enabled at runtime.

Cryptographic Algorithms Used

Data Encryption (At Rest)

Feature Algorithm Key Size Notes
Filer Data Encryption AES-256-GCM 256-bit Per-file random keys stored in filer metadata
SSE-C (Customer Keys) AES-256-CTR 256-bit Customer-provided keys, never stored
SSE-S3 (Managed Keys) AES-256-GCM 256-bit SeaweedFS-managed keys
SSE-KMS AES-256-GCM 256-bit External KMS-managed data encryption keys

Authentication & Signatures

Feature Algorithm Notes
S3 Signature V4 HMAC-SHA256 AWS-compatible request signing
S3 Signature V2 HMAC-SHA1 Legacy AWS signature support
JWT Tokens HMAC-SHA256 For volume server and filer access control
OIDC Tokens RSA, ECDSA For OIDC identity provider integration
SSE-C Key Validation MD5 For key integrity verification (AWS S3 compatible)

Transport Encryption (In Transit)

Feature Protocol Configuration
gRPC (Control Plane) TLS 1.2/1.3 mTLS with configurable cipher suites
HTTP (Data Plane) HTTPS (TLS 1.2/1.3) Certificate-based with configurable versions

FIPS 140-3 Compliance

Algorithm Compliance

All cryptographic algorithms used by SeaweedFS are FIPS-approved:

SeaweedFS Feature Algorithm FIPS 140-3 Status
Data Encryption AES-256-GCM Approved
SSE-C Encryption AES-256-CTR Approved
S3 Signatures HMAC-SHA256 Approved
Hashing SHA-256 Approved
OIDC Validation RSA, ECDSA Approved
Transport TLS 1.2/1.3 Approved
Legacy S3 Signatures HMAC-SHA1 ⚠️ Approved (use V4 preferred)
SSE-C Key Validation MD5 ⚠️ Used for AWS S3 compatibility only

FIPS 140-3 Mode

FIPS 140-3 mode is enabled by default in Docker containers. SeaweedFS requires Go 1.24+, which has native FIPS 140-3 support.

# FIPS is enabled by default in Docker
docker run chrislusf/seaweedfs server ...

# To disable FIPS mode
docker run -e GODEBUG=fips140=off chrislusf/seaweedfs server ...

# For non-Docker: enable FIPS mode
GODEBUG=fips140=on ./weed server ...

# Strict FIPS mode (non-approved functions will error/panic)
GODEBUG=fips140=only ./weed server ...

You can verify FIPS mode is enabled programmatically:

import "crypto/fips140"

if fips140.Enabled() {
    fmt.Println("FIPS 140-3 mode is enabled")
}

Recommended Configuration for FIPS Environments

  1. Enable FIPS mode at runtime:

    GODEBUG=fips140=on ./weed server ...

  2. Use S3 Signature V4 (not V2) to avoid SHA1:

    • All modern S3 clients use V4 by default

  3. Enable TLS 1.2 or higher with FIPS-approved cipher suites:

    # In security.toml
[tls]
min_version = "TLS 1.2"
cipher_suites = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

  4. Use SSE-KMS or SSE-S3 for encryption:

    • Both use AES-256-GCM which is FIPS approved
    • SSE-C also uses FIPS-approved algorithms but relies on MD5 for key validation (AWS S3 compatibility requirement)

Cryptographic Implementation Details

Random Number Generation

SeaweedFS uses crypto/rand for all cryptographic random number generation:

  • Cipher key generation
  • Nonce/IV generation
  • Upload ID generation
  • Version ID generation

Key Storage

Key Type Storage Location Protection
Filer encryption keys Filer metadata store Per-file, randomly generated
SSE-C keys Never stored Customer-provided per request
SSE-S3 keys In-memory or KMS Managed by SeaweedFS or external KMS
SSE-KMS keys External KMS AWS KMS, Google Cloud KMS, OpenBao/Vault, Azure Key Vault
TLS certificates File system User-managed
JWT signing keys security.toml User-configured

Security Best Practices

  1. Enable FIPS mode with GODEBUG=fips140=on in regulated environments
  2. Enable mTLS for all gRPC communications
  3. Use HTTPS for all HTTP endpoints in production
  4. Configure JWT signing for volume server access control
  5. Use external KMS (SSE-KMS) for enterprise key management with audit trails
  6. Regularly rotate TLS certificates and JWT signing keys
  7. Restrict cipher suites to FIPS-approved algorithms

Related Documentation

Introduction

API

Configuration

Filer

Filer Stores

Management

Advanced Filer Configurations

FUSE Mount

WebDAV

Cloud Drive

AWS S3 API

S3 Table Bucket

S3 Authentication & IAM

Server-Side Encryption

S3 Client Tools

Machine Learning

HDFS

Replication and Backup

Metadata Change Events

Messaging

Use Cases

Operations

Advanced

Security

Misc Use Case Examples