{"id":404,"date":"2025-07-29T09:53:35","date_gmt":"2025-07-29T16:53:35","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/go\/?p=404"},"modified":"2025-07-29T09:53:35","modified_gmt":"2025-07-29T16:53:35","slug":"microsoft-go-defaults-to-system-crypto","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/go\/microsoft-go-defaults-to-system-crypto\/","title":{"rendered":"Microsoft build of Go 1.25 crypto backend changes"},"content":{"rendered":"<p>Starting in <strong>Go 1.25<\/strong>, the <a href=\"https:\/\/github.com\/microsoft\/go\">Microsoft build of Go<\/a> will <strong>default to using system-provided cryptography<\/strong>: OpenSSL on Linux and CNG on Windows.\nThe <code>systemcrypto<\/code> GOEXPERIMENT will be enabled by default and picks the supported backend for the target platform.<\/p>\n<p>This change aligns the Microsoft build of Go with Microsoft&#8217;s internal security and compliance policies, while keeping opt-out paths available for use cases that require it.<\/p>\n<h2>What&#8217;s changing?<\/h2>\n<p>Prior to Go 1.25, developers can opt into using system-provided cryptography by setting the <code>GOEXPERIMENT<\/code> environment variable to <code>systemcrypto<\/code> before building their program.<\/p>\n<p>Starting with Go 1.25, the Microsoft toolchain enables <code>systemcrypto<\/code> by default. Developers can opt out by setting the <code>GOEXPERIMENT<\/code> environment variable to <code>nosystemcrypto<\/code>.<\/p>\n<p>For more details on FIPS-140 compliance and how <code>systemcrypto<\/code> interacts with FIPS mode, see the <a href=\"https:\/\/github.com\/microsoft\/go\/blob\/microsoft\/main\/eng\/doc\/fips\/README.md\">Microsoft build of Go FIPS Documentation<\/a>.<\/p>\n<h2>Why this change?<\/h2>\n<p>Microsoft&#8217;s internal security and compliance policies require the use of system-provided cryptography libraries. 
By defaulting to enable <code>systemcrypto<\/code>, the Microsoft build of Go now builds programs that meet this requirement automatically, without additional configuration by developers.<\/p>\n<p>While <code>systemcrypto<\/code> can help enable FIPS-140 compliance in some environments, FIPS-140 is not the primary motivator of this change. Using a system-provided cryptographic library is part of a broader Microsoft internal cryptography policy, and most Go programs at Microsoft do not require FIPS mode. However, we expect that some developers who do need FIPS-140 compliance will find it easier after this change.<\/p>\n<h2>Will this break my builds?<\/h2>\n<p>There are a few scenarios where you may need to take action:<\/p>\n<ul>\n<li><strong>Linux without cgo.<\/strong> <code>systemcrypto<\/code> requires cgo on Linux. Cgo must be enabled and a C compiler must be available on the build system. Cgo can be manually enabled or disabled by the <code>CGO_ENABLED<\/code> setting if necessary. If your builds disable cgo or do not provide a working C compiler, you need to adjust your configuration or opt out of <code>systemcrypto<\/code>.\n<ul>\n<li>On Windows, <code>systemcrypto<\/code> does not require cgo.<\/li>\n<li>The preview macOS crypto backend requires cgo.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Distroless or minimal images<\/strong>: If you&#8217;re using Linux container images without glibc or OpenSSL, you&#8217;ll need to opt out of <code>systemcrypto<\/code> or use a base image that includes the required libraries.<\/li>\n<li><strong>Deployment of a Linux program built on one OS (or OS version) to a different OS (or version).<\/strong> Cgo introduces a dependency on the build system&#8217;s version of glibc. This may make the program incompatible with a different Linux distribution if it has a lower version of glibc. 
It&#8217;s recommended to build and deploy using the same OS, but if deployment compatibility is a requirement, a common solution is to build on the oldest possible OS, or manually target an old version of glibc. If glibc (or a compatible equivalent) is not available, <code>systemcrypto<\/code> can&#8217;t be used, and you&#8217;ll need to opt out of <code>systemcrypto<\/code>.<\/li>\n<\/ul>\n<h2>More Information<\/h2>\n<p>This change was developed in consultation with engineering teams across Microsoft. It prioritizes security and compliance, while still providing opt-out options for scenarios with special requirements.<\/p>\n<p>We welcome your feedback\u2014please don&#8217;t hesitate to reach out by <a href=\"https:\/\/github.com\/microsoft\/go\/issues\/new\">filing an issue<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Starting with Go 1.25, the Microsoft build of Go will use system-provided crypto by default to align with Microsoft&#8217;s internal cryptography strategy and compliance policies.<\/p>\n","protected":false},"author":9392,"featured_media":405,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1,3],"tags":[14,13,4,5,6,12],"class_list":["post-404","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-go","category-security","tag-compliance","tag-fips","tag-go","tag-release","tag-security","tag-systemcrypto"],"acf":[],"blog_post_summary":"<p>Starting with Go 1.25, the Microsoft build of Go will use system-provided crypto by default to align with Microsoft&#8217;s internal cryptography strategy and compliance 
policies.<\/p>\n"}