Compliance Frameworks
Overview
FusionAuth is in the process of conforming to various standards, including the Federal Information Processing Standards (FIPS) and FedRAMP.
While full certification is not yet available, FusionAuth conforms to these standards and self-certifies compliance where appropriate. Because most compliance frameworks restrict which cryptographic algorithms and modules may be used, cryptography is currently the primary focus area.
Below you will find the status of FusionAuth's compliance as well as details about the cryptography in use.
Cryptographic and Encryption Functionality
Here is a non-exhaustive list of cryptographic and encryption functionality FusionAuth uses:
- signing
- encryption
- password hashing
Signing
FusionAuth signs (and, where it acts as the verifying party, verifies) the items below using HMAC (a symmetric keyed MAC, for example HS256 JWTs) and the RSA, ECDSA, and EdDSA signature algorithms:
- JWT signing
- XML signing for SAML
- Webhook signing
- WebAuthn (passkeys) signature verification, where the authenticator signs the challenge and FusionAuth, as the relying party, verifies it
Encryption
FusionAuth encrypts the items below using AES and RSA, together with elliptic-curve keys. Note that ECDSA itself is a signature algorithm, not an encryption algorithm; EC keys contribute to encryption only through key agreement, with the bulk data encrypted by a symmetric cipher such as AES:
- XML encryption for SAML
- Encryption of plaintext passwords at various points before they are hashed
- Encryption for all cookies that contain data
- TLS connections to the database and search engine
- TLS connections to Reactor (advanced threat detection and breached password detection)
Password Hashing
FusionAuth hashes the items below using bcrypt, PBKDF2, salted MD5, salted SHA variants, and others. The MD5 and SHA options are fast, general-purpose digests that exist mainly so that existing password hashes can be imported; they should be treated as legacy formats rather than chosen for new deployments, where a slow, salted algorithm such as bcrypt or PBKDF2 is the appropriate choice:
- Passwords
- API keys
FusionAuth allows custom password hashing algorithms to be added through its plugin system. These custom algorithms are not checked for compliance.
FusionAuth also allows the password hashing algorithm to be changed per Tenant, Application, or User. FusionAuth cannot certify that the algorithms a customer selects are secure or conform to any particular compliance framework. Of the built-in options, only PBKDF2 with an HMAC-SHA-2 pseudorandom function is a NIST-approved password-based key derivation function (SP 800-132); bcrypt, which is built on Blowfish, is not a FIPS-approved algorithm, so a FIPS-constrained deployment should review the hashing scheme chosen for each tenant.
FIPS Compliance
This feature is only available in the Enterprise plan. Please visit our pricing page to learn more.
Beginning with version 1.62.0, FusionAuth supports a runtime mode that restricts cryptography to what the FIPS 140-3 cryptographic module requirements allow.
This support is provided by Bouncy Castle's FIPS-validated Java library, and is enabled with the fusionauth-app.fips.enabled configuration parameter, which, like other FusionAuth settings, can be supplied in fusionauth.properties, as a command-line parameter, or as an environment variable.
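The following is an added example, not code from the FusionAuth project or this page, showing the three equivalent ways of setting fusionauth-app.fips.enabled on a new node. It assumes FusionAuth's documented convention for mapping a properties key to an environment variable (upper-case, with `.` and `-` replaced by `_`), from which the name FUSIONAUTH_APP_FIPS_ENABLED is derived here rather than copied from the page, and it assumes the command-line form is a Java system property passed as `-D<key>=<value>`; confirm both against the configuration reference for your version before relying on them.

```shell
#!/bin/sh
# Added example (not FusionAuth's own code). Demonstrates the three ways to
# supply fusionauth-app.fips.enabled=true. The env-var and -D forms below are
# ASSUMPTIONS derived from FusionAuth's documented naming convention and the
# usual Java system-property syntax, not values quoted from the page.

# Derive the environment-variable name for any fusionauth.properties key:
# upper-case it and turn '.' and '-' into '_' (assumed FusionAuth convention).
to_env_var() {
  printf '%s' "$1" | sed 's/[.-]/_/g' | tr '[:lower:]' '[:upper:]'
}

# 1. File-based: write the flag into a fusionauth.properties file. Only do
#    this on a NEW installation; existing installs cannot be converted.
write_fips_properties() {
  cat > "$1" <<'EOF'
# Enable FIPS 140-3 restricted runtime mode (new installations only)
fusionauth-app.fips.enabled=true
EOF
}

# 2. Environment variable, e.g. for a container or a systemd unit.
print_fips_env() {
  printf '%s=true\n' "$(to_env_var fusionauth-app.fips.enabled)"
}

# 3. Command line, as a Java system property (assumed -D<key>=<value> form).
print_fips_cli() {
  printf '%s%s=true\n' -D fusionauth-app.fips.enabled
}

# Demonstration when run directly: show all three forms for a fresh node.
if [ "${FIPS_EXAMPLE_DEMO:-0}" = "1" ]; then
  tmp=$(mktemp)
  write_fips_properties "$tmp"
  echo "fusionauth.properties:"; cat "$tmp"
  echo "environment:"; print_fips_env
  echo "command line:"; print_fips_cli
  rm -f "$tmp"
fi
```

Because every node in a cluster must run in the same mode, apply whichever form you choose uniformly across all nodes (for example, bake it into the shared container image or configuration management template) rather than setting it by hand on one node.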
Limitations
Running FusionAuth in FIPS compliant mode has limitations:
- This mode may only be enabled on new installations of FusionAuth. An existing FusionAuth installation cannot be converted to run in this mode.
- All nodes in a cluster must be running in this mode.
- Customers must run a FIPS compliant version of the database and search engine. FusionAuth does not provide either, so it is the customer's responsibility to deploy a FIPS compliant PostgreSQL or MySQL and a FIPS compliant OpenSearch.
- This mode is only available for self-hosted instances.