Enable FIPS Mode
This page describes how to enable FIPS 140-3 ready cryptography for AIStor deployments on Kubernetes.
When enabled, FIPS mode restricts cryptographic operations to algorithms that align with the Federal Information Processing Standards (FIPS) 140-3 program. Organizations subject to U.S. federal government compliance requirements, or those with similar regulatory needs, may require FIPS-aligned cryptography.
Overview
AIStor uses Go 1.24’s native FIPS 140-3 cryptographic module.
Enable FIPS mode at runtime with the GODEBUG environment variable.
There is no separate binary required.
With FIPS mode enabled, the following apply:
- TLS connections use only AES-GCM cipher suites (CHACHA20-POLY1305 is excluded).
- Object encryption (DARE) uses only AES-256-GCM.
- SSH/SFTP connections exclude weak key exchange algorithms and non-compliant ciphers.
- JWT operations use FIPS-validated SHA3 implementations.
Enable FIPS mode
FIPS mode requires setting the GODEBUG environment variable on both the AIStor Operator and the Object Store pods.
AIStor Operator
Modify the Operator Deployment to include the GODEBUG environment variable.
If you installed the Operator using Helm, create or update your values file:
```yaml
env:
  - name: GODEBUG
    value: "fips140=on"
```
Then upgrade the Operator Helm release:
```shell
helm upgrade aistor minio/aistor-operator \
  -n aistor \
  -f aistor-operator-values.yaml
```
Object Store
Add the GODEBUG environment variable to your Object Store deployment using the objectStore.env field in your Helm values:
```yaml
objectStore:
  env:
    - name: GODEBUG
      value: "fips140=on"
```
Apply the configuration:
```shell
helm upgrade primary-object-store minio/aistor-objectstore \
  -n primary-object-store \
  -f aistor-objectstore-values.yaml
```
The Operator restarts the Object Store pods to apply the new environment variable.
Verify FIPS mode
Operator
Check the Operator version output for the FIPS indicator:
```shell
kubectl logs -n aistor deployment/object-store-operator | grep -i version
```
When FIPS mode is active, the version string includes FIPS 140-3:
```
Version: RELEASE.2025-12-16T20-51-03Z FIPS 140-3
```
Object Store
Connect to the Object Store and check the server information:
```shell
mc admin info ALIAS
```
The output indicates FIPS mode status in the server details.
FIPS mode cipher restrictions
The following tables summarize which cryptographic algorithms are available in FIPS mode versus standard mode.
TLS cipher suites
| Cipher Suite | Standard Mode | FIPS Mode |
|---|---|---|
| TLS_AES_128_GCM_SHA256 (TLS 1.3) | ✓ | ✓ |
| TLS_AES_256_GCM_SHA384 (TLS 1.3) | ✓ | ✓ |
| TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3) | ✓ | ✗ |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ✓ | ✓ |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ✓ | ✓ |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ✓ | ✓ |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ✓ | ✓ |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | ✓ | ✗ |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | ✓ | ✗ |
Object encryption (DARE)
| Algorithm | Standard Mode | FIPS Mode |
|---|---|---|
| AES-256-GCM | ✓ | ✓ |
| CHACHA20-POLY1305 | ✓ | ✗ |
Public key algorithms
| Algorithm | Standard Mode | FIPS Mode |
|---|---|---|
| RSA (2048-4096 bit) | ✓ | ✓ |
| ECDSA (P-256, P-384, P-521) | ✓ | ✓ |
| EdDSA/Ed25519 | ✓ | ✗ |
Considerations
Certificate compatibility
Ensure your TLS certificates use FIPS-compatible algorithms. Certificates signed with EdDSA/Ed25519 are not compatible with FIPS mode. Use ECDSA with NIST P-256/P-384/P-521 curves or RSA keys instead.
Client compatibility
Clients connecting to a FIPS-enabled deployment must support the available cipher suites. Modern TLS clients generally support AES-GCM cipher suites, but verify compatibility with older clients if necessary.
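The TLS 1.2 rows of the cipher suite table above, and the client compatibility point, can be exercised offline with the following Go program. It is an added example, not part of the AIStor documentation or code base: it reproduces the FIPS-mode suite list as a server-side `tls.Config` and shows what an AES-GCM client and a ChaCha20-only client each get back. The certificate it generates is constructed test data, and TLS 1.2 is pinned because Go does not let a `Config` restrict TLS 1.3 suites.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// FIPSTLS12Suites are the TLS 1.2 suites the page lists as available in FIPS mode: AES-GCM only, no CHACHA20-POLY1305.
var FIPSTLS12Suites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
}

// NegotiateWith runs a handshake over an in-memory pipe between a server limited to FIPSTLS12Suites and a client
// offering only clientSuites; it returns the negotiated suite, or the handshake error such a client would see.
// TLS 1.2 is pinned because a Go Config cannot restrict TLS 1.3 suites, so the restriction is only observable there.
func NegotiateWith(clientSuites []uint16) (uint16, error) {
	// Throwaway ECDSA P-256 server certificate (constructed test data; P-256 is one of the curves the page recommends).
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return 0, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	srvSide, cliSide := net.Pipe()
	defer cliSide.Close()
	srv := tls.Server(srvSide, &tls.Config{Certificates: []tls.Certificate{cert}, CipherSuites: FIPSTLS12Suites, MaxVersion: tls.VersionTLS12})
	go func() { srv.Handshake(); srvSide.Close() }() // close the raw pipe, not srv: a close_notify write would block on net.Pipe
	// InsecureSkipVerify only because the peer presents the self-signed test certificate built above.
	cli := tls.Client(cliSide, &tls.Config{InsecureSkipVerify: true, CipherSuites: clientSuites, MaxVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	return cli.ConnectionState().CipherSuite, nil
}

func main() {
	for _, offered := range [][]uint16{FIPSTLS12Suites, {tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305}} {
		suite, err := NegotiateWith(offered)
		fmt.Printf("client offered %d suite(s): negotiated=%s err=%v\n", len(offered), tls.CipherSuiteName(suite), err)
	}
}
```

Because the test server uses an ECDSA certificate, a client that offers only the `TLS_ECDHE_RSA_*` suites is also rejected, which mirrors the certificate compatibility note below: the key type of the deployed certificate decides which half of the FIPS suite list is actually usable.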
Performance
AES-GCM cipher suites benefit from hardware acceleration on most modern CPUs (AES-NI instruction set). Performance impact from enabling FIPS mode is typically minimal on hardware with AES-NI support.
Related resources
- Enable Network Encryption for TLS configuration
- Operator Environment Variables for additional Operator configuration options