Which strategy should I use for CockroachDB v26.1 FIPS Planning Before FIPS 140-2 Turns Historical in September?
Choose whether regulated deployments should treat CockroachDB v26.1 as a validation waypoint only or continue standardizing production FIPS deployments on v25.4 until v26.2 is available ahead of the September 2026 FIPS 140-2 transition.
Blockers
- capability/fips-140-2 — EOL 2026-09-22
- CockroachDB v26.1 introduces Go 1.25 native FIPS 140-3 support.
- In v26.1, the Go 1.25 native FIPS 140-3 approach replaces the prior OpenSSL-based approach.
- FIPS 140-3 mode requires minimum 14-character passwords; shorter-password users may be locked out after upgrade.
Who this is for
- compliance
- enterprise
Candidates
Skip v26.1 for FIPS work and keep production deployments on v25.4 until a direct upgrade to v26.2
As of 2026-04-08, CockroachDB states that production FIPS-ready clusters should stay on v25.4 or wait and upgrade directly to v26.2, because v26.1 FIPS support is only Preview. The FIPS docs say v26.2 is expected in May 2026 and will return FIPS support to GA status using the frozen Go module version submitted for CMVP validation. CockroachDB release support policy lists v25.4 as GA, with maintenance support through 2026-11-03 and assistance through 2027-05-03.
When to choose
Best for compliance + enterprise deployments that want to avoid spending effort on a Preview FIPS release and need a defensible production posture now. The decisive factor is that Cockroach Labs explicitly recommends v25.4 or direct upgrade to v26.2 for production FIPS continuity, not v26.1.
Tradeoffs
Most conservative path and aligns with vendor guidance, but it forgoes hands-on validation of the new Go-native FIPS architecture before v26.2 ships.
Cautions
FIPS 140-2 transitions to historical status on 2026-09-22. Upgrading an existing cluster in-place from non-FIPS to FIPS is not supported; CockroachDB says to restore into a new FIPS-ready cluster instead.
Treat CockroachDB v26.1 as a validation waypoint, not the production FIPS standard
As of 2026-04-08, CockroachDB v26.1 introduces Go 1.25 native FIPS 140-3 support and replaces the prior OpenSSL-based approach, but the docs say this build uses the current non-frozen Go module and will not be FIPS 140-3 validated. CockroachDB marks FIPS support in v26.1 as Preview and recommends it only for testing and evaluation rather than as the production FIPS standard. The release support policy classifies v26.1 as an Innovation release with maintenance support ending 2026-08-02, and the releases page says Innovation releases can be skipped. In v26.1 feature availability, FIPS 140-3 Readiness is listed for self-hosted and Cloud Advanced, not Standard or Basic.
When to choose
Use this when you want a deliberate two-track posture: keep regulated production fleets on v25.4 while using v26.1 in non-production to rehearse the architecture change before v26.2. The decisive factor is that v26.1 is suitable for pre-production readiness work, not for standardizing regulated production fleets.
Tradeoffs
You take on extra validation work on a Preview Innovation release, but you get earlier exposure to the new FIPS 140-3 path and can reduce migration risk before May 2026.
Cautions
CockroachDB warns that FIPS 140-3 mode requires minimum 14-character passwords, so shorter-password users may be locked out after upgrade. v26.1 can be skipped, and CockroachDB does not recommend it as the regulated production FIPS target.
Try with your AI agent
$ npm install -g pocketlantern
$ pocketlantern init
# Restart Claude Code, Cursor, or your MCP client, then ask:
# "Which strategy should I use for CockroachDB v26.1 FIPS Planning Before FIPS 140-2 Turns Historical in September?"