Enable FIPS 140-3 compliant crypto by default

Addresses #6889

- Enable GOEXPERIMENT=systemcrypto by default in all Makefiles
- Enable GOEXPERIMENT=systemcrypto by default in all Dockerfiles
- Go 1.24+ has native FIPS 140-3 support via this setting
- Users can disable by setting GOEXPERIMENT= (empty)

Algorithms used (all FIPS approved):
- AES-256-GCM for data encryption
- AES-256-CTR for SSE-C
- HMAC-SHA256 for S3 signatures
- TLS 1.2/1.3 for transport encryption

Makefile

@@ -6,6 +6,10 @@ ADMIN_DIR = weed/admin
 SOURCE_DIR = .
 debug ?= 0
 
+# Enable FIPS 140-3 compliant crypto by default (Go 1.24+)
+# Set GOEXPERIMENT= (empty) to disable
+export GOEXPERIMENT ?= systemcrypto
+
 all: install
 
 install: admin-generate

docker/Dockerfile.foundationdb_large

@@ -50,6 +50,10 @@ RUN cd /tmp && \
 ENV CGO_CFLAGS="-I/usr/include/foundationdb"
 ENV CGO_LDFLAGS="-lfdb_c"
 
+# Enable FIPS 140-3 compliant crypto by default (Go 1.24+)
+ARG GOEXPERIMENT=systemcrypto
+ENV GOEXPERIMENT=${GOEXPERIMENT}
+
 # build SeaweedFS sources; prefer local context but fall back to git clone if context only has docker files
 ARG SOURCE_REF=master
 WORKDIR /go/src/github.com/seaweedfs/seaweedfs

docker/Dockerfile.go_build

@@ -12,6 +12,10 @@ RUN cd /go/src/github.com/seaweedfs/seaweedfs && \
       git checkout $BRANCH) || \
      (echo "ERROR: Branch/commit $BRANCH not found in repository" && \
       echo "Available branches:" && git branch -a && exit 1))
+# Enable FIPS 140-3 compliant crypto by default (Go 1.24+)
+# Set GOEXPERIMENT= (empty) to disable
+ARG GOEXPERIMENT=systemcrypto
+ENV GOEXPERIMENT=${GOEXPERIMENT}
 RUN cd /go/src/github.com/seaweedfs/seaweedfs/weed \
   && export LDFLAGS="-X github.com/seaweedfs/seaweedfs/weed/util/version.COMMIT=$(git rev-parse --short HEAD)" \
   && CGO_ENABLED=0 go install -tags "$TAGS" -ldflags "-extldflags -static ${LDFLAGS}"

docker/Dockerfile.rocksdb_large

@@ -21,6 +21,9 @@ RUN mkdir -p /go/src/github.com/seaweedfs/
 RUN git clone https://github.com/seaweedfs/seaweedfs /go/src/github.com/seaweedfs/seaweedfs
 ARG BRANCH=master
 RUN cd /go/src/github.com/seaweedfs/seaweedfs && git checkout $BRANCH
+# Enable FIPS 140-3 compliant crypto by default (Go 1.24+)
+ARG GOEXPERIMENT=systemcrypto
+ENV GOEXPERIMENT=${GOEXPERIMENT}
 RUN cd /go/src/github.com/seaweedfs/seaweedfs/weed \
   && export LDFLAGS="-X github.com/seaweedfs/seaweedfs/weed/util/version.COMMIT=$(git rev-parse --short HEAD)" \
   && go install -tags "5BytesOffset rocksdb" -ldflags "-extldflags -static ${LDFLAGS}"

docker/Dockerfile.rocksdb_large_local

@@ -1,5 +1,9 @@
 FROM chrislusf/rocksdb_dev_env as builder
 
+# Enable FIPS 140-3 compliant crypto by default (Go 1.24+)
+ARG GOEXPERIMENT=systemcrypto
+ENV GOEXPERIMENT=${GOEXPERIMENT}
+
 # build SeaweedFS
 RUN mkdir -p /go/src/github.com/seaweedfs/
 ADD . /go/src/github.com/seaweedfs/seaweedfs

weed/Makefile

@@ -2,6 +2,10 @@ BINARY = weed
 
 SOURCE_DIR = .
 
+# Enable FIPS 140-3 compliant crypto by default (Go 1.24+)
+# Set GOEXPERIMENT= (empty) to disable
+export GOEXPERIMENT ?= systemcrypto
+
 all: install
 
 .PHONY : clean debug_mount