FIPS 140-3
HeliosLogs can run against the AWS-LC FIPS 140-3 validated cryptographic module. FIPS is a build property — the same application code runs either way; the build selects the cryptographic backend. The Docker image is a FIPS build by default.
What's covered
All cryptography routes through a single seam backed by aws-lc-rs:
| Use | Algorithm / backend |
|---|---|
| Control-plane encryption at rest | AES-256-GCM |
| Password hashing | PBKDF2-HMAC-SHA256 (600k iterations) |
| JWT signing | HMAC-SHA256 (HS256) |
| Content hashes / fingerprints | SHA-256 |
| Keys, nonces, tokens | DRBG |
| Outbound TLS (LLM APIs, S3) | rustls + aws-lc-rs |
Building a FIPS binary
```sh
cargo build --features fips --release
```
The FIPS module compiles from source, so Go, Perl, CMake and a C toolchain must be available at build time. The provided Dockerfile already includes these and builds with --features fips.
Verifying FIPS is active
Two independent confirmations:
- Startup gating — a FIPS build won't start unless the validated module initializes successfully.
- Runtime config view — open Admin → General and check the crypto provider. A FIPS build reports AWS-LC FIPS 140-3 (active); a standard build reports AWS-LC (standard, non-FIPS build).
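The gate behind both confirmations, as an added sketch of how a crypto seam can tie the startup decision and the provider label to the module's own status (illustrative Rust written for this page, not HeliosLogs' own code). It assumes the Cargo feature is named `fips`, as in the build command above, and that `aws_lc_rs::try_fips_mode()` reports whether the validated module initialized; `startup_gate`, `startup` and `module_status` are names chosen for the example.

```rust
// Added illustration of a FIPS gate at the crypto seam; not HeliosLogs code.
// Assumptions: the Cargo feature is named `fips`, and in a FIPS build
// `aws_lc_rs::try_fips_mode()` returns Err if the validated module is not active.

/// Fixed at compile time by `--features fips`: the backend cannot be switched at runtime.
pub const FIPS_BUILD: bool = cfg!(feature = "fips");

/// Self-test status of the validated module, as reported by the backend itself.
#[cfg(feature = "fips")]
fn module_status() -> Result<(), String> {
    // Assumption: this call runs the module's power-on self-tests and fails
    // if the FIPS module was not linked or did not initialize.
    aws_lc_rs::try_fips_mode().map_err(|e| format!("{e:?}"))
}

/// A standard build links the non-FIPS AWS-LC and has no validated module to check.
#[cfg(not(feature = "fips"))]
fn module_status() -> Result<(), String> {
    Err("no validated module in this build".to_string())
}

/// Decides whether the process may start and which label the runtime-config
/// view shows. The decision uses the module's reported status, not only the
/// build flag, so a FIPS build that silently fell back to the non-FIPS module
/// cannot report "active".
pub fn startup_gate(fips_build: bool, module: Result<(), String>) -> Result<&'static str, String> {
    match (fips_build, module) {
        (true, Ok(())) => Ok("AWS-LC FIPS 140-3 (active)"),
        (true, Err(e)) => Err(format!(
            "refusing to start: FIPS build but validated module did not initialize ({e})"
        )),
        // A standard build is allowed to run and never claims FIPS.
        (false, _) => Ok("AWS-LC (standard, non-FIPS build)"),
    }
}

/// Called once before the application serves traffic; the Ok value is the
/// string shown under Admin -> General.
pub fn startup() -> Result<&'static str, String> {
    startup_gate(FIPS_BUILD, module_status())
}

fn main() {
    match startup() {
        Ok(label) => println!("crypto provider: {label}"),
        Err(e) => {
            eprintln!("{e}");
            std::process::exit(1);
        }
    }
}
```

The point of routing the label through the same gate is that the Admin view and the startup check cannot disagree: whatever the process is running with is what it reports, and a FIPS build whose module failed its self-tests never reaches the point of serving that page.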
One image, identical behavior
Because FIPS only changes the crypto backend, you can adopt it without changing any configuration or call sites — build with the feature (or use the default image) and verify via the runtime-config view.