GOST crypto profiles setup
Status: Production-ready, opt-in
Contract: Provider-based GOST support (OQ-2026-022 Option A)
Overview
AngaraBase supports GOST cipher suites for TLS 1.2 in regulated environments (GOST 28147-89, GOST R 34.10-2012).
Key properties:
- Opt-in: GOST disabled by default
- Fail-closed: The server refuses to start if GOST is enabled but the crypto provider is unavailable or incompatible
- Provider-based: Uses OpenSSL GOST engine or compatible crypto provider (not bundled)
Prerequisites
1. Install GOST crypto provider
Option A: OpenSSL with GOST engine (Linux)
# Install OpenSSL with GOST support. The package name varies by distribution;
# libengine-gost-openssl1.1 is the Debian/Ubuntu name for OpenSSL 1.1 builds.
sudo apt-get install openssl libssl-dev libengine-gost-openssl1.1
# Register the engine in openssl.cnf as described in the gost-engine README:
# the openssl CLI and libpq only see GOST algorithms once the engine is loaded via the config.
# Verify the GOST engine loads and list its capabilities
openssl engine gost -c
Option B: Custom provider
Implement the GostCryptoProvider trait in crates/angarabase/src/security/crypto.rs.
2. Generate TLS certificates
# Generate a self-signed server certificate with a GOST R 34.10-2012 (256-bit) key.
# A GOST 2012 key is required for the GOST2012-* cipher suites. Self-signed is fine for a
# local test; production instances use a CA-issued certificate.
openssl req -new -x509 -days 365 \
  -newkey gost2012_256 \
  -pkeyopt paramset:A \
  -keyout server.key \
  -out server.crt \
  -nodes \
  -subj "/CN=localhost"
# -nodes writes the private key unencrypted: restrict it to the service account
chmod 0600 server.key
Configuration
Enable GOST cipher suites
export ANGARABASE_TLS_ENABLE=1
export ANGARABASE_TLS_CERT_PATH=/path/to/server.crt
export ANGARABASE_TLS_KEY_PATH=/path/to/server.key
export ANGARABASE_TLS_GOST_ENABLED=1
export ANGARABASE_TLS_GOST_CIPHER_SUITES="GOST2012-GOST8912-GOST8912"
Or via config file:
[tls]
enable = true
cert_path = "/etc/angarabase/tls/server.crt"
key_path = "/etc/angarabase/tls/server.key"
gost_enabled = true
gost_cipher_suites = "GOST2012-GOST8912-GOST8912"
Verify configuration
Check effective settings:
SELECT name, value FROM sys.settings WHERE name LIKE 'tls.%';
Expected output:
tls.enable | true
tls.cert_path | /etc/angarabase/tls/server.crt
tls.key_path | /etc/angarabase/tls/server.key
tls.gost_enabled | true
tls.gost_cipher_suites | GOST2012-GOST8912-GOST8912
Client connection
psql with GOST
Requires psql/libpq built against an OpenSSL that has the GOST engine loaded through openssl.cnf. The client cannot force a GOST suite; the server's tls.gost_cipher_suites setting determines what is negotiated:
psql "host=localhost port=5152 dbname=mydb sslmode=require"
Note that sslmode=require encrypts the connection but does not authenticate the server. Outside local testing use sslmode=verify-full with sslrootcert pointing at the issuing CA (or at server.crt itself for the self-signed certificate generated above).
Verify cipher suite
From the client session:
SHOW ssl_cipher;
Should return the GOST cipher suite name (GOST2012-GOST8912-GOST8912 for the configuration above). psql also prints the negotiated protocol and cipher in its "SSL connection (protocol: TLSv1.2, cipher: ...)" banner on connect and in \conninfo; that line is an independent, client-side confirmation of what was actually negotiated.
Security notes
Fail-closed behavior
- If ANGARABASE_TLS_GOST_ENABLED=1 but the GOST provider is unavailable, the server refuses to start (no silent fallback to standard ciphers)
- Invalid cipher suites are rejected at startup (fail-closed validation)
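As an added illustration (this is example code, not AngaraBase's own startup code), the following POSIX shell pre-flight reproduces the two fail-closed checks above on the operator's side before the server is started: it confirms that the local OpenSSL exposes GOST suites at all, rejects any configured suite that is not a GOST suite or is not offered by the engine, and additionally checks that the unencrypted key written by the -nodes step is not group- or world-readable. The function names, the exit-code convention and the --check flag are this example's own choices, and the two-line cipher list mentioned in the comments is a constructed stand-in for real `openssl ciphers -v` output.

```shell
#!/bin/sh
# Operator-side pre-flight for AngaraBase GOST TLS (illustrative example, not project code).
# Exit codes are this script's own convention: 1 = bad configuration, 2 = provider missing.
set -eu

# validate_gost_suites CONFIGURED AVAILABLE
#   CONFIGURED: colon-separated list as in ANGARABASE_TLS_GOST_CIPHER_SUITES
#   AVAILABLE:  newline-separated suite names offered by the local OpenSSL
#               (e.g. the constructed list "GOST2012-GOST8912-GOST8912\nGOST2001-GOST89-GOST89")
# Fails closed: every suite must be a GOST suite and must be offered by the engine.
validate_gost_suites() {
    configured=$1
    available=$2
    [ -n "$configured" ] || { echo "rejected: empty cipher suite list" >&2; return 1; }
    old_ifs=$IFS
    IFS=':'
    set -- $configured
    IFS=$old_ifs
    for suite in "$@"; do
        case "$suite" in
            GOST*) ;;
            *) echo "rejected: non-GOST suite '$suite' (no fallback to standard ciphers)" >&2; return 1 ;;
        esac
        printf '%s\n' "$available" | grep -qxF -- "$suite" \
            || { echo "rejected: suite '$suite' not offered by the local GOST engine" >&2; return 1; }
    done
    return 0
}

# list_gost_suites: GOST suites the local OpenSSL offers; empty when the engine is not loaded.
list_gost_suites() {
    openssl ciphers -v 2>/dev/null | awk '/GOST/ { print $1 }'
}

# check_key_perms KEYFILE: the -nodes key is unencrypted, so group/other must have no access.
check_key_perms() {
    key=$1
    [ -f "$key" ] || { echo "rejected: key file '$key' not found" >&2; return 1; }
    mode=$(ls -ld "$key" | cut -c5-10)   # group+other permission bits from the ls -l mode string
    [ "$mode" = "------" ] \
        || { echo "rejected: '$key' is accessible by group/other (mode bits '$mode')" >&2; return 1; }
    return 0
}

# preflight: run all checks against the environment AngaraBase will be started with.
preflight() {
    avail=$(list_gost_suites)
    if [ -z "$avail" ]; then
        echo "GOST provider not available: 'openssl ciphers -v' lists no GOST suites" >&2
        return 2
    fi
    validate_gost_suites "${ANGARABASE_TLS_GOST_CIPHER_SUITES:-}" "$avail" || return 1
    check_key_perms "${ANGARABASE_TLS_KEY_PATH:-/etc/angarabase/tls/server.key}" || return 1
    echo "pre-flight OK: suites=${ANGARABASE_TLS_GOST_CIPHER_SUITES:-}"
}

# Run the full pre-flight only when asked (sh gost-preflight.sh --check), so the
# functions can also be sourced from other tooling.
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Run it with the same ANGARABASE_TLS_* environment the service will see; a non-zero exit means the server would also refuse to start, so the script surfaces the misconfiguration before a restart window rather than in the service log.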
Secrets handling
All tls.* knobs are marked security-sensitive in the settings registry:
- tls.gost_cipher_suites is sensitive (policy: all tls.* knobs are security-sensitive per SECURITY_GOVERNANCE.md)
- Only the path in tls.key_path is shown in sys.settings (see the expected output above); the private key material itself is never exposed in sys.settings or logs
Troubleshooting
Server fails to start with “GOST provider not available”
Cause: GOST crypto provider is not installed or OpenSSL GOST engine is missing.
Fix: Install OpenSSL GOST support (see Prerequisites).
Invalid cipher suites error
Cause: tls.gost_cipher_suites contains a cipher suite name the GOST engine does not offer (misspelled, or a non-GOST suite).
Fix: Use valid GOST cipher suite names as reported by the local OpenSSL with the engine loaded:
# List available GOST ciphers
openssl ciphers -v | grep GOST
If this prints nothing, the engine is not loaded into OpenSSL (typically it is installed but not registered in openssl.cnf); fix that first, otherwise the server will also report the provider as unavailable.
Client connection fails with “no shared cipher”
Cause: Client does not support GOST cipher suites.
Fix: Use psql/libpq built with OpenSSL GOST support.
Limitations (v0)
- Provider availability: GOST support requires compatible crypto provider (not bundled with AngaraBase)
- Platform support: Linux only (OpenSSL GOST engine availability)
- Cipher suite coverage: TLS 1.2 + GOST only (TLS 1.3 GOST deferred to future release)
Reference
- OQ-2026-022: GOST crypto support decision
- Implementation scope: crates/angarabase/src/security/crypto.rs (GOST provider abstraction)
Next
After the GOST provider is installed and angarabase starts with crypto.profile = gost:
- GOST compatibility — which scenarios (TLS, TDE, audit-sink) are already covered and which are on the roadmap.
- Encryption (TDE + client-side) — the general encryption contract that embeds the GOST profile.
- Hardening runbook — the final check before putting the instance into production.