Standards Compliance

Overview

dotsecenv aligns with several NIST and IETF standards for cryptographic operations. This page documents:

Compliance Standards — specify how to use cryptographic primitives securely:

FIPS 140-3 — Security requirements for cryptographic modules
FIPS 186-5 — Digital Signature Standard (approved algorithms)
RFC 9580 — OpenPGP with mandatory AEAD encryption

Foundational Standards — define the cryptographic primitives themselves:

FIPS 197 — Advanced Encryption Standard (AES)
FIPS 180-4 — Secure Hash Standard (SHA-2 family)

Understanding these standards helps organizations deploy dotsecenv in regulated environments.

FIPS 140-3: Cryptographic Module

FIPS 140-3 defines security requirements for cryptographic modules. dotsecenv leverages Go’s native FIPS 140-3 cryptographic module, introduced in Go 1.24.

CAVP Validation

The Go Cryptographic Module v1.0.0 holds CAVP certificate A6650, validating the cryptographic algorithm implementations. This certificate confirms that AES, SHA-2, RSA, ECDSA, and other primitives produce correct outputs per NIST test vectors.

Identifier	Description
A6650	CAVP certificate number
v1.0.0	Module version frozen for validation
Geomys	Organization pursuing CMVP certification

The module is currently on the CMVP Modules In Process list with status “Review Pending” and underwent a security audit by Trail of Bits.

Native Go Implementation

This module is built directly into Go’s standard library and requires no external C dependencies or cgo bindings. The validated module provides:

Mandatory self-tests — Module integrity verification at startup
NIST SP 800-90A DRBG — Approved deterministic random bit generator
Approved algorithms — All cryptographic operations use FIPS-approved algorithms

Build vs. Runtime Environment

FIPS 140-3 validation applies to the runtime Operating Environment—not the build environment. Because Go compiles to standalone, statically-linked binaries with no foreign function interface overhead, the resulting executable is portable and deterministic regardless of where it was compiled.

Our official releases are built on GitHub Actions runners (Ubuntu-based), but the cryptographic operations execute within your deployment environment.

Validated Operating Environments

When you run dotsecenv on a NIST-listed Operating Environment, the Go Cryptographic Module operates in its validated configuration:

Platform	Versions
Red Hat Enterprise Linux	9
Amazon Linux	2023
Oracle Linux	9
SUSE Linux Enterprise Server	15
Alpine Linux	Latest
macOS (Apple Silicon)	11–15
Windows Server	2016–2025
FreeBSD	12–14

The Geomys validation (the organization pursuing FIPS 140-3 certification for Go’s crypto module) also includes Vendor Affirmed coverage for generic Linux 3.10+ on x86-64 and ARM architectures, providing broad compatibility across modern Linux distributions.

Module Locking

Setting the GOFIPS140 environment variable during build locks the binary to a specific cryptographic module version:

GOFIPS140=v1.0.0 go build -o dotsecenv ./cmd/dotsecenv

Verify which module version was embedded in any binary:

go version -m ./dotsecenv

Why v1.0.0 Specifically?

The v1.0.0 identifier is significant:

Build Flag	Behavior
`GOFIPS140=v1.0.0`	Locks to the exact snapshot submitted to CAVP/CMVP
`GOFIPS140=latest`	Uses whatever module ships with your Go version
`GOFIPS140=off`	Disables FIPS mode (default)

Using v1.0.0 ensures:

Validated code path — The binary uses the exact cryptographic implementation that was formally tested and awarded certificate A6650
Deterministic behavior — Runtime behavior matches what was audited by Trail of Bits
Compliance evidence — Auditors can verify the module version matches the NIST validation record

Build It Yourself

dotsecenv is open source, and we encourage security-conscious organizations to fork and build the project on infrastructure under their direct control—whether air-gapped systems, internal CI/CD pipelines, or hardened build servers.

Requirement	Value
Go version	1.24 or later
Build flag	`GOFIPS140=v1.0.0`
Runtime	Listed Operating Environment

Cryptographic Primitives

The following standards define the cryptographic algorithms themselves. dotsecenv uses these primitives within the compliance framework established by FIPS 140-3 and FIPS 186-5.

FIPS 197: Advanced Encryption Standard

FIPS 197 defines the AES block cipher algorithm. dotsecenv uses AES-256 exclusively for symmetric encryption of secrets.

Property	Value
Block size	128 bits
Key size	256 bits (AES-256)
Mode	GCM (per NIST SP 800-38D)

FIPS 180-4: Secure Hash Standard

FIPS 180-4 defines the SHA-2 family of hash functions. dotsecenv uses SHA-256 and SHA-512 for integrity verification and signatures.

Hash	Output Size	Usage in dotsecenv
SHA-256	256 bits	Standard key operations
SHA-512	512 bits	High-strength keys (RSA-4096, ECC P-521)

Adaptive Hash Selection

dotsecenv automatically selects the appropriate hash strength based on key parameters:

Key strength ≥ 256 bits (RSA-4096, ECC P-521) → SHA-512
Key strength < 256 bits (RSA-3072, ECC P-384) → SHA-256

This follows security best practices for matching hash strength to key strength.

Hash Usage

SHA-2 hashes serve multiple purposes in dotsecenv:

Purpose	Description
Integrity verification	Detect tampering in vault entries
Digital signatures	Hash-then-sign for identity and secret signatures
Key binding	Link subkeys to primary keys in OpenPGP
Fingerprints	Key identification (transitioning from SHA-1 to SHA-256)

FIPS 186-5: Digital Signature Standard

FIPS 186-5 (2023) specifies approved algorithms for digital signatures. dotsecenv enforces these standards for all vault signatures.

Approved Signature Algorithms

Algorithm	Parameters	Status
RSA	2048-bit minimum, 3072-bit recommended	Approved
ECDSA	P-256, P-384, P-521 curves	Approved
EdDSA	Ed25519, Ed448	Approved
DSA	—	Deprecated (removed)

GPG Algorithm Compatibility

dotsecenv validates GPG key algorithms against FIPS 186-5 requirements. The default configuration enforces:

approved_algorithms:
  - rsa:3072
  - ecdsa:p384
  - eddsa:ed25519

Keys using weaker algorithms are rejected during encryption and signing operations.

Signature Coverage

Every vault entry is signed using a FIPS 186-5 compliant algorithm. The signature covers:

Entry signature covers:
├── Secret key name
├── Available-to list (fingerprints)
├── Encrypted value blob
├── Timestamp
└── Originator fingerprint

Modifications to any field cause signature verification to fail:

dotsecenv validate
# ✓ Vault header: valid
# ✓ Identity entries: 2 valid
# ✗ Secret entry 5: signature mismatch
# Error: vault validation failed

Key Strength Requirements

Algorithm	Minimum	Recommended
RSA	2048-bit	3072-bit or 4096-bit
ECDSA	P-256	P-384 or P-521
EdDSA	Ed25519	Ed25519 or Ed448

RFC 9580: OpenPGP with AEAD

RFC 9580 (2024) is the updated OpenPGP standard, replacing RFC 4880. dotsecenv uses the RFC 9580 profile which enforces authenticated encryption.

AEAD Encryption

RFC 9580 mandates Authenticated Encryption with Associated Data (AEAD) for all symmetric encryption. dotsecenv uses AES-256-GCM as the symmetric cipher:

// Use RFC9580 profile which enforces AEAD with AES-256-GCM
// RFC 9580 is the updated OpenPGP standard with mandatory AEAD support

Property	Value
Cipher	AES-256
Mode	GCM (Galois/Counter Mode)
Nonce	12 octets (96 bits)
Auth tag	16 octets (128 bits)
Standard	NIST SP 800-38D

Why AES-256-GCM?

GCM mode provides both confidentiality and integrity in a single operation:

Authenticated — Tampering is detected via the 128-bit authentication tag
Efficient — Hardware-accelerated on modern CPUs (AES-NI)
Parallelizable — GCM allows parallel encryption/decryption
FIPS-approved — Compliant with NIST SP 800-38D

Key Differences from RFC 4880

Feature	RFC 4880	RFC 9580
Symmetric encryption	CFB mode	AEAD mandatory
Default cipher	3DES/AES-128	AES-256-GCM
Signatures	RSA, DSA, ECDSA	Ed25519/Ed448 preferred
Key derivation	S2K (simple)	Argon2
Version	v4 keys	v6 keys

Compression and Side-Channel Attacks

dotsecenv explicitly disables compression to prevent CRIME/BREACH-style side-channel attacks:

// Explicitly disable compression per RFC 9580 (avoids CRIME-style side-channel attacks)
encHandle, err := pgp.Encryption().Recipients(recipients).CompressWith(constants.NoCompression).New()

Why Disable Compression?

When data is compressed before encryption, the ciphertext length varies based on plaintext content. Attackers can exploit this:

CRIME attack — Inject known strings into plaintext
Observe ciphertext length — Compressed duplicates are shorter
Iterate — Guess secrets character by character

Compression	Ratio	Speed	Security Risk
BZIP2	Best	Slowest	Length leakage
ZLIB	Good	Fast	Length leakage
ZIP	Good	Fast	Length leakage
Uncompressed	None	Fastest	Safe

Hybrid Encryption Model

dotsecenv uses hybrid encryption combining symmetric and asymmetric cryptography:

┌─────────────────────────────────────────────────────────────┐
│                     Secret Value                            │
└─────────────────────────────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────────┐
│           Symmetric Encryption (AES-256-GCM)                │
│                                                             │
│   Random session key (256-bit) + Nonce (96-bit)             │
│   → Encrypted data + Authentication tag                     │
└─────────────────────────────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────────┐
│             Asymmetric Encryption (GPG)                     │
│                                                             │
│   Session key encrypted for each recipient's public key     │
│   → One key blob per authorized identity                    │
└─────────────────────────────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────────┐
│            Cryptographic Signature (GPG)                    │
│                                                             │
│   SHA-256/SHA-512 hash signed with originator's key         │
│   → Detached signature for integrity + non-repudiation      │
└─────────────────────────────────────────────────────────────┘

Why Hybrid Encryption?

Hybrid encryption enables efficient multi-recipient encryption:

Component	Size	Operations per Recipient
Session key	256 bits	Encrypted once per recipient (fast, tiny payload)
Secret data	Variable	Encrypted once total with AES (fast)

For 10 recipients, this means:

1 AES encryption of the full payload
10 RSA/ECC encryptions of the 256-bit session key

Without hybrid encryption, you would need 10 full asymmetric encryptions—orders of magnitude slower for large secrets.

Encrypted Value Structure

Each secret value blob contains:

┌─────────────────────────────────────────┐
│ Encrypted Value Blob                    │
├─────────────────────────────────────────┤
│ AES-256-GCM nonce (96 bits)            │
│ AES-256-GCM ciphertext                 │
│ AES-256-GCM auth tag (128 bits)        │
│ GPG-encrypted session key (per-user)   │
│ Detached GPG signature (FIPS 186-5)    │
└─────────────────────────────────────────┘

Summary

Compliance Standards

These standards specify how to use cryptographic primitives securely:

Standard	Scope	dotsecenv Compliance
FIPS 140-3	Cryptographic modules	Go 1.24+ native module (CAVP A6650)
FIPS 186-5	Digital signatures	RSA, ECDSA, EdDSA; DSA rejected
NIST SP 800-38D	GCM mode	AES-256-GCM for symmetric encryption
RFC 9580	OpenPGP	AEAD mandatory, v6 key support

Foundational Standards

These standards define the cryptographic primitives themselves:

Standard	Defines	dotsecenv Usage
FIPS 197	AES block cipher	AES-256 for symmetric encryption
FIPS 180-4	SHA-2 hash family	SHA-256/SHA-512 for integrity and signatures