FIPS 140-3 Compliance Guide¶

Overview¶

HeliosDB-Lite supports FIPS 140-3 compliant cryptographic operations through the fips feature flag. When enabled, all cryptographic operations use the AWS-LC FIPS module (Certificate #4816).

Certification Status¶

Component	Standard Mode	FIPS Mode	Certification
Crypto Library	ring 0.17	AWS-LC 1.12	FIPS 140-3 #4816
Content Hashing	BLAKE3	SHA-256	NIST FIPS 180-4
Key Derivation	Argon2id	PBKDF2-HMAC-SHA256	NIST SP 800-132
Encryption	AES-256-GCM	AES-256-GCM	NIST FIPS 197/SP 800-38D
TLS	rustls + ring	rustls + AWS-LC	NIST SP 800-52
Random	ring SystemRandom	AWS-LC DRBG	NIST SP 800-90A

Building with FIPS Support¶

Prerequisites¶

Linux x86_64 or aarch64: AWS-LC FIPS is currently certified for Linux only
CMake 3.12+: Required for building AWS-LC
Go 1.18+: Required for AWS-LC's build system (optional, for BoringSSL compatibility)
Clang or GCC: C/C++ compiler

Build Commands¶

# Build with FIPS support
cargo build --release --no-default-features --features fips,encryption,vector-search

# Verify FIPS mode
./target/release/heliosdb-lite --version
# Output should include: "Crypto: AWS-LC FIPS (Certificate #4816)"

# Run FIPS self-tests explicitly
HELIOSDB_FIPS_SELFTEST=1 ./target/release/heliosdb-lite --check-fips

Docker Build¶

FROM rust:1.75-bookworm AS builder

# Install AWS-LC build dependencies
RUN apt-get update && apt-get install -y \
    cmake \
    clang \
    golang-go \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app
COPY . .

# Build with FIPS
RUN cargo build --release --no-default-features \
    --features fips,encryption,vector-search

FROM debian:bookworm-slim
COPY --from=builder /app/target/release/heliosdb-lite /usr/local/bin/
CMD ["heliosdb-lite"]

Algorithm Replacements in FIPS Mode¶

Content-Addressed Storage¶

Operation	Standard	FIPS
Content hash	BLAKE3	SHA-256
Hash length	256 bits	256 bits
Performance	~10 GB/s	~1 GB/s

Note: SHA-256 is slower than BLAKE3 but is required for FIPS compliance. Content-addressed storage performance may be reduced by approximately 10x.

Key Derivation¶

Parameter	Standard (Argon2id)	FIPS (PBKDF2)
Algorithm	Argon2id	PBKDF2-HMAC-SHA256
Memory	64 MB	N/A
Iterations	3	600,000
Parallelism	4	1

Note: PBKDF2 requires more iterations to achieve comparable security to Argon2id. Key derivation from password will be slower in FIPS mode.

Encryption¶

AES-256-GCM is used in both modes. The only difference is the underlying implementation:

Aspect	Standard	FIPS
Library	aes-gcm crate	AWS-LC
Algorithm	AES-256-GCM	AES-256-GCM
AEAD	Yes	Yes

FIPS Self-Tests¶

AWS-LC automatically runs Power-On Self-Tests (POST) at module initialization. HeliosDB-Lite adds application-level verification:

Automatic Self-Tests¶

SHA-256 KAT: Known Answer Test for hash function
PBKDF2 KAT: Key derivation verification
AES-GCM KAT: Encryption/decryption verification
DRBG Health: Random number generator verification

Manual Verification¶

# Run explicit FIPS verification
heliosdb-lite --check-fips

# Expected output:
# FIPS 140-3 Self-Test Results:
#   Module: AWS-LC FIPS (Certificate #4816)
#   SHA-256: PASS
#   PBKDF2: PASS
#   AES-GCM: PASS
#   DRBG: PASS
#   Status: OPERATIONAL

Configuration¶

Environment Variables¶

# Force FIPS mode verification at startup (recommended)
export HELIOSDB_FIPS_SELFTEST=1

# Panic on FIPS self-test failure (default: error log)
export HELIOSDB_FIPS_STRICT=1

Config File (heliosdb.toml)¶

[crypto]
# Verify FIPS mode at startup
fips_self_test = true

# Strict mode: fail startup if FIPS self-test fails
fips_strict = true

# Minimum PBKDF2 iterations (NIST recommends 10,000+)
pbkdf2_iterations = 600000

Compliance Documentation¶

Audit Trail¶

HeliosDB-Lite logs cryptographic operations for audit purposes:

INFO crypto::provider: FIPS 140-3 self-tests passed (AWS-LC Certificate #4816)
INFO crypto::provider: Using FIPS-approved algorithms: SHA-256, PBKDF2, AES-256-GCM
DEBUG crypto::key_manager: Key derived using PBKDF2-HMAC-SHA256 (600000 iterations)

Security Considerations¶

Key Material: All keys are stored using zeroize for secure memory erasure
Salt Requirements: Minimum 128-bit salt for key derivation
IV/Nonce: Unique 96-bit nonce per encryption operation
Algorithm Negotiation: No fallback to non-FIPS algorithms in FIPS mode

Migration Guide¶

From Standard to FIPS Mode¶

Backup existing data
Export keys (if using password-derived keys)
Rebuild with FIPS feature
Re-encrypt data (content hashes will differ)

-- Re-index content-addressed data after FIPS migration
REINDEX CONTENT_ADDRESSED;

Data Compatibility¶

Warning: Content-addressed storage hashes are NOT compatible between BLAKE3 (standard) and SHA-256 (FIPS) modes. Migration requires:

Export all data
Rebuild with new mode
Re-import data (re-computes hashes)

Limitations¶

Platform Support¶

Platform	FIPS Support
Linux x86_64	Certified
Linux aarch64	Certified
macOS	Not certified*
Windows	Not certified*

*AWS-LC builds on these platforms but lacks FIPS certification.

Performance Impact¶

Operation	Standard	FIPS	Impact
Content hash (1 MB)	0.1 ms	1.0 ms	-10x
Key derivation	100 ms	800 ms	-8x
AES-GCM encrypt	0.01 ms/KB	0.01 ms/KB	~Same
TLS handshake	2 ms	3 ms	-1.5x

Feature Restrictions¶

In FIPS mode, the following are disabled:

BLAKE3 hashing (non-approved algorithm)
Argon2id KDF (non-approved algorithm)
ChaCha20-Poly1305 (if used anywhere)

Verification Checklist¶

Deployment Verification¶

[ ] Built with --features fips
[ ] FIPS self-tests pass at startup
[ ] Version output shows "AWS-LC FIPS"
[ ] No BLAKE3/Argon2 warnings in logs
[ ] TLS negotiates FIPS-approved cipher suites

Compliance Audit¶

[ ] AWS-LC Certificate #4816 current and valid
[ ] Operating in approved mode
[ ] Keys stored/derived using approved methods
[ ] Audit logs enabled
[ ] Incident response procedures documented

References¶

Support¶

For FIPS compliance questions: - Email: security@heliosdb.io - GitHub: Open an issue with the "fips" label