Rocket.Chat is engineered for high-security environments, offering dedicated FIPS-compliant support to protect sensitive communications across highly regulated sectors. This is particularly relevant for government agencies, defense organizations, and regulated industries that require compliance with recognized cryptographic standards.
What is FIPS?
Federal Information Processing Standards (FIPS) are security standards developed by the U.S. National Institute of Standards and Technology (NIST). These standards define the requirements for cryptographic modules used to protect sensitive information. FIPS 140-3 is the current standard for cryptographic module validation and is widely recognized across government and regulated sectors worldwide.
How FIPS works in Rocket.Chat
Rocket.Chat provides dedicated FIPS-compliant Docker images that include FIPS-validated cryptographic modules at both the container and application level. This ensures that cryptographic compliance is met at every layer of the deployment, not just the infrastructure level.
When a FIPS-compliant Rocket.Chat workspace is deployed:
Cryptographic operations use approved algorithms, including AES, RSA, and SHA-256 or stronger.
Non-approved algorithms are excluded from the Rocket.Chat cryptographic boundary.
Docker base images include validated cryptographic modules.
Cryptographic functions such as TLS, token generation, encryption at rest, and end-to-end encryption operate within the compliant configuration.
Deploying a FIPS-compliant Rocket.Chat workspace does not change the user interface or user experience.
Deploy a FIPS-compliant Rocket.Chat workspace
Rocket.Chat publishes a dedicated FIPS-compliant Docker image alongside each standard release. Both builds stay in sync with the overall release cycle, ensuring organizations on the FIPS build receive product updates and fixes simultaneously with the standard release track. Organizations that require FIPS compliance must deploy the FIPS image instead of the standard Rocket.Chat image.
The FIPS image is available only to workspaces on the Government and Defense plans. To access the image, contact the Sales team.
To deploy Rocket.Chat in FIPS mode, follow the Docker deployment documentation and specify the FIPS image tag for your target release in the .env file:
RELEASE=<fips-docker-image tag>
This configuration instructs Docker to pull and run the corresponding FIPS image during deployment.
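After deployment, one way to check the properties listed under "How FIPS works in Rocket.Chat" is to probe the Node.js runtime from inside the container. The script below is an added example, not Rocket.Chat's own tooling; it assumes the FIPS image's Node.js reports its mode through crypto.getFips(), and the probe lists and function names are chosen for illustration.

```javascript
const crypto = require('node:crypto');

// Probe sets (assumed for this example): approved digests named on the page, plus legacy ones.
const APPROVED_HASHES = ['sha256', 'sha384', 'sha512'];
const NON_APPROVED_HASHES = ['md5', 'md4', 'ripemd160'];

// True if the digest can actually be computed, not merely listed.
function hashUsable(name) {
  try {
    crypto.createHash(name).update('probe').digest();
    return true;
  } catch {
    return false;
  }
}

// True if an AES-256-GCM encryption completes in this runtime.
function aesGcmUsable() {
  try {
    const cipher = crypto.createCipheriv('aes-256-gcm', crypto.randomBytes(32), crypto.randomBytes(12));
    Buffer.concat([cipher.update('probe'), cipher.final()]);
    return true;
  } catch {
    return false;
  }
}

// Collect the facts only, so the raw report can be logged alongside the verdict.
function probeRuntime() {
  const approved = Object.fromEntries(APPROVED_HASHES.map((h) => [h, hashUsable(h)]));
  approved['aes-256-gcm'] = aesGcmUsable();
  const nonApproved = Object.fromEntries(NON_APPROVED_HASHES.map((h) => [h, hashUsable(h)]));
  return { fipsEnabled: crypto.getFips() === 1, approved, nonApproved };
}

// Turn a report into pass/fail plus the reasons an auditor would ask for.
function evaluate(report) {
  const findings = [];
  if (!report.fipsEnabled) findings.push('crypto.getFips() did not return 1');
  for (const [name, ok] of Object.entries(report.approved)) {
    if (!ok) findings.push(`approved algorithm unavailable: ${name}`);
  }
  for (const [name, ok] of Object.entries(report.nonApproved)) {
    if (ok) findings.push(`non-approved algorithm usable: ${name}`);
  }
  return { pass: findings.length === 0, findings };
}

console.log(JSON.stringify(evaluate(probeRuntime()), null, 2));
```

Run it with the Node.js binary inside the deployed container so that it exercises the image's own cryptographic module. It covers only Node's crypto module, so bcrypt password hashing and external integrations need separate review.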
Known limitations
While core functionality remains unchanged, operating a FIPS-compliant Rocket.Chat workspace has the following limitations:
Apps-Engine is unavailable: The Rocket.Chat Apps-Engine depends on the Deno runtime to execute Marketplace and custom apps. As the underlying cryptographic libraries used by Deno are not fully FIPS-validated, the Apps-Engine cannot run in FIPS environments. Consequently, Marketplace and custom apps are not supported when running Rocket.Chat in FIPS mode.
Bcrypt password hashing: Rocket.Chat continues to use Bcrypt for user password hashing to maintain backwards compatibility across deployments. While Bcrypt is widely recognized as a secure industry-standard hashing algorithm, it is not FIPS-validated. Migration plans are underway to transition password hashing in a future release to a FIPS-approved algorithm, such as PBKDF2.
FAQs
Do users see any changes in the UI of a FIPS-compliant workspace?
FIPS mode affects only the underlying cryptographic implementation used by the workspace. It does not introduce any changes to the user interface or standard user workflows.
Do I need a special deployment for FIPS in Rocket.Chat?
Organizations that require FIPS compliance must deploy Rocket.Chat using the designated FIPS-compliant Docker images and follow the Docker deployment documentation.
Are Marketplace apps and custom apps supported in FIPS mode?
Marketplace apps and custom apps are not supported in FIPS mode because Apps-Engine is unavailable. Apps-Engine depends on the Deno runtime, which is not supported in the Rocket.Chat FIPS-compliant configuration.
Are external integrations covered by FIPS mode?
External integrations operate outside the Rocket.Chat cryptographic boundary and may have their own cryptographic implementations. If FIPS compliance is required for an integration, it must be evaluated independently.
Can I migrate an existing standard Rocket.Chat deployment to the FIPS image?
Rocket.Chat does not support switching an existing workspace between the standard and FIPS Docker images. To maintain compliance and avoid cryptographic compatibility issues, you must deploy the designated FIPS image from the initial installation of the workspace.