NATS
FIPS
Synadia offers licensed NATS server builds for environments that require strict enforcement of FIPS 140-3 approved algorithms only.
Please contact us to learn more.
Certification Disclaimer
FIPS mode uses Go's native cryptographic module, which restricts operations to FIPS 140-3 approved algorithms. Synadia makes no statements or representations regarding FIPS 140-3 certification status. Evaluate whether this implementation meets your specific compliance requirements.
Disabled Server Features
Some server features are actively disabled because they use non-approved algorithms:
- Auth callout - relies on the Curve25519 (X25519) algorithm for key exchange, which is not currently NIST approved for strict FIPS-enabled environments.
- Filestore encryption using ChaCha20-Poly1305 - the alternate option, AES-256, is supported.
- TLS handshakes with non-compliant algorithms - only compliant ciphers are enabled.
FAQ
How do I validate the build?
Once downloaded, use the go tool to inspect the build settings embedded in the binary.
go version -m ./nats-server-fips | grep 'fips140=only'
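A stricter form of the check above, as an added example that is not part of the original page or Synadia's tooling: it parses the build settings instead of matching a substring, so fips140=on or a stray fips140=only in another build flag does not pass. It assumes the setting is recorded on the DefaultGODEBUG build line printed by go version -m; the function names and sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the NATS docs): exact check for a fips140=only build.
# Assumption: the setting appears on the "build DefaultGODEBUG=..." line that
# `go version -m` prints for the binary.

# Reads `go version -m` output on stdin. Prints the fips140 value found in
# DefaultGODEBUG (if any) and returns 0 only when that value is exactly "only".
fips140_mode() {
  awk -F'\t' '
    $2 == "build" && index($3, "DefaultGODEBUG=") == 1 {
      n = split(substr($3, length("DefaultGODEBUG=") + 1), kv, ",")
      for (i = 1; i <= n; i++)
        if (index(kv[i], "fips140=") == 1) mode = substr(kv[i], 9)
    }
    END { if (mode != "") print mode; exit (mode == "only" ? 0 : 1) }
  '
}

# Constructed sample output, not taken from a real build. "go1.x" and the
# module path are placeholders. $1 is the DefaultGODEBUG value to embed.
sample_buildinfo() {
  printf './nats-server-fips: go1.x\n'
  printf '\tpath\texample.invalid/server\n'
  printf '\tbuild\t-buildmode=exe\n'
  # A build flag that merely contains the string; plain grep would match it.
  printf '\tbuild\t-ldflags=-X main.note=fips140=only\n'
  printf '\tbuild\tDefaultGODEBUG=%s\n' "$1"
}

# Usage: ./check-fips.sh ./nats-server-fips
if [ "$#" -eq 1 ]; then
  if go version -m "$1" | fips140_mode >/dev/null; then
    echo "OK: $1 is built with fips140=only"
  else
    echo "FAIL: $1 is not a fips140=only build" >&2
    exit 1
  fi
fi
```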
Are there any special requirements for running the binary?
No. The only constraint is that the server configuration must not attempt to enable features that are explicitly disabled, as noted above. If it does, the server will fail to start.