Compliance Frameworks

Overview

FusionAuth is in the process of conforming with various standards, including the Federal Information Processing Standards (FIPS) and FedRAMP. Full certification is not yet available; FusionAuth will conform to, and self-certify compliance with, each standard as the work is completed. Since most compliance frameworks restrict which cryptographic algorithms may be used, cryptography is currently the primary focus area. Below you will find the status of FusionAuth's compliance as well as details about the cryptography in use.

Encryption

Here is a non-exhaustive list of the cryptography FusionAuth uses:

Signing

FusionAuth signs the items below using various cryptographic signature algorithms including HMAC, RSA, and ECDSA:

  • JWT signing
  • XML signing for SAML
  • Webhook signing
  • WebAuthn (Passkeys) signing

Encryption

FusionAuth encrypts the items below using various cryptographic algorithms including AES and RSA (ECDSA, listed under Signing above, is a signature algorithm rather than a cipher):

  • XML encryption for SAML
  • Encryption of plain-text passwords prior to hashing
  • Encryption for all cookies that contain data
  • TLS connections to the database and search engine
  • TLS connections to Reactor (advanced threat detection and breached password detection)

Password Hashing

FusionAuth hashes passwords using various one-way hashing algorithms including bcrypt, PBKDF2, MD5, SHA, and others. Note that MD5 and the plain SHA family are fast digests, not password-hashing functions, and are not recommended for newly set passwords; they exist primarily so that password hashes produced by other systems can be imported.

FusionAuth allows custom hashing algorithms to be enabled via our Plugin system. These are not checked for compliance.

FusionAuth allows the password hashing algorithm to be configured per Tenant, Application, or User. FusionAuth cannot certify that the algorithms you select are secure or conform to any particular compliance framework; verifying that is the customer's responsibility.
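Because the hashing scheme can differ per Tenant and per User, a compliance review has to look at what is actually in use rather than at a single global setting. The script below is an added example written for this page, not FusionAuth's own code or API client: it takes tenant and user records (in the shape of FusionAuth's JSON, where the tenant default lives under passwordEncryptionConfiguration.encryptionScheme and an imported or previously hashed user carries its own encryptionScheme; treat those field names and the scheme identifiers as assumptions and check them against your version's API documentation), resolves the effective scheme for every user, and flags schemes that are weak for password storage or, optionally, not FIPS 140 approved. The records are constructed sample data.

```python
"""Audit the password hashing schemes in use across FusionAuth tenants and users.

Added example, not FusionAuth code. Field names and scheme identifiers are
assumptions based on FusionAuth's tenant/user JSON; adjust to match your export.
"""
from collections import Counter

# Scheme classification (identifiers assumed; verify against your FusionAuth version).
# fips: the underlying primitive is a FIPS 140 approved algorithm (MD5 and bcrypt are not,
#       PBKDF2 with HMAC-SHA2 and the SHA-2 family are).
# recommended: acceptable for hashing newly set passwords (fast digests are not).
SCHEMES = {
    "salted-md5":                    {"fips": False, "recommended": False},
    "salted-sha256":                 {"fips": True,  "recommended": False},
    "salted-hmac-sha256":            {"fips": True,  "recommended": False},
    "salted-pbkdf2-hmac-sha256":     {"fips": True,  "recommended": True},
    "salted-pbkdf2-hmac-sha256-512": {"fips": True,  "recommended": True},
    "salted-pbkdf2-hmac-sha512-512": {"fips": True,  "recommended": True},
    "bcrypt":                        {"fips": False, "recommended": True},
}


def tenant_default(tenant):
    """Scheme and work factor a tenant applies to newly set passwords."""
    cfg = tenant.get("passwordEncryptionConfiguration", {})
    return cfg.get("encryptionScheme"), cfg.get("encryptionSchemeFactor")


def effective_scheme(user, tenants_by_id):
    """Scheme protecting this user's stored hash: the user's own value if present
    (imported or previously hashed users carry one), otherwise the tenant default."""
    scheme = user.get("encryptionScheme")
    if scheme:
        return scheme
    scheme, _ = tenant_default(tenants_by_id[user["tenantId"]])
    return scheme


def classify(scheme, require_fips):
    """Return 'ok' or a short reason why the scheme needs attention."""
    info = SCHEMES.get(scheme)
    if info is None:
        return "custom plugin scheme, not assessed"   # plugins are not checked for compliance
    if require_fips and not info["fips"]:
        return "not FIPS approved"
    if not info["recommended"]:
        return "weak for password storage"
    return "ok"


def audit(tenants, users, require_fips=False):
    """Count schemes in use and list every tenant default or user hash that needs attention."""
    tenants_by_id = {t["id"]: t for t in tenants}
    counts = Counter()
    findings = []
    for t in tenants:
        scheme, _ = tenant_default(t)
        verdict = classify(scheme, require_fips)
        if verdict != "ok":
            findings.append(("tenant", t["name"], scheme, verdict))
    for u in users:
        scheme = effective_scheme(u, tenants_by_id)
        counts[scheme] += 1
        verdict = classify(scheme, require_fips)
        if verdict != "ok":
            findings.append(("user", u["email"], scheme, verdict))
    return {"counts": dict(counts), "findings": findings}


# Constructed sample records (not real tenants or users).
SAMPLE_TENANTS = [
    {"id": "t1", "name": "Default",
     "passwordEncryptionConfiguration": {"encryptionScheme": "salted-pbkdf2-hmac-sha256",
                                         "encryptionSchemeFactor": 100000}},
    {"id": "t2", "name": "Legacy",
     "passwordEncryptionConfiguration": {"encryptionScheme": "salted-md5",
                                         "encryptionSchemeFactor": 1}},
]
SAMPLE_USERS = [
    {"email": "alice@example.com", "tenantId": "t1"},                                   # tenant default
    {"email": "bob@example.com",   "tenantId": "t1", "encryptionScheme": "salted-md5"}, # imported hash
    {"email": "carol@example.com", "tenantId": "t2"},                                   # inherits md5
    {"email": "dave@example.com",  "tenantId": "t1", "encryptionScheme": "example-legacy-plugin"},
    {"email": "eve@example.com",   "tenantId": "t1", "encryptionScheme": "bcrypt"},
]

if __name__ == "__main__":
    for require_fips in (False, True):
        report = audit(SAMPLE_TENANTS, SAMPLE_USERS, require_fips=require_fips)
        print(f"require_fips={require_fips} counts={report['counts']}")
        for kind, name, scheme, verdict in report["findings"]:
            print(f"  {kind:6} {name:20} {scheme:28} {verdict}")
```

Run it against a real export and the findings list is the set of tenants and users whose hashes must be migrated (FusionAuth rehashes a user's password on a successful login once the tenant default changes, so the user-level entries shrink over time) or, for plugin schemes, reviewed by hand.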

FIPS Compliance

FusionAuth is in the process of conforming to FIPS. This is a work in progress and is expected to be completed in 2025. This support depends on the use of Bouncy Castle's FIPS compliant library, which will be enabled via a configuration parameter (e.g. in fusionauth.properties, a command-line parameter, or an environment variable).

In addition to the use of Bouncy Castle, FusionAuth is in the process of updating our database scripts to be FIPS compliant.

Customers must also use FIPS compliant versions of their database and search engine. FusionAuth does not provide the database or the search engine, so it is the customer's responsibility to run a FIPS compliant version of PostgreSQL or MySQL, and of OpenSearch.

Timeline

  • November 2025 - fusionauth-jwt is updated to support Bouncy Castle's FIPS compliant library
  • November 2025 - FusionAuth is updated to remove uses of the md5() function (which is not FIPS approved) from its PostgreSQL database scripts

Check back here in the near future for updates.