All posts
October 11, 20251 min read

Making Pgcli FIPS 140-3 Compliant

The command line waits, blinking. You type, and Pgcli answers with speed and certainty. But now your toolchain needs to meet FIPS 140-3 compliance. No guessing. No compromises. FIPS 140-3 is the latest U.S. government standard for cryptographic modules. It replaces FIPS 140-2, tightening rules on algorithm choice, key management, and module validation. Any product handling sensitive data for federal systems must be built and configured to pass this bar. Pgcli, the popular Postgres CLI with rich

Free White Paper

FIPS 140-3: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

The command line waits, blinking. You type, and Pgcli answers with speed and certainty. But now your toolchain needs to meet FIPS 140-3 compliance. No guessing. No compromises.

FIPS 140-3 is the latest U.S. government standard for cryptographic modules. It replaces FIPS 140-2, tightening rules on algorithm choice, key management, and module validation. Any product handling sensitive data for federal systems must be built and configured to pass this bar. Pgcli, the popular Postgres CLI with rich auto-complete and syntax highlighting, is no exception if you’re working in regulated environments.

To make Pgcli FIPS 140-3 compliant, you need more than an install script. The work happens at the crypto layer. Postgres must be compiled with OpenSSL operating in FIPS mode. Python, the language behind Pgcli, must be linked to a FIPS-validated OpenSSL library. The operating system must load that library under enforced FIPS rules. Together, they ensure that every TLS handshake, every password hash, and every secure connection runs only approved algorithms.

Continue reading? Get the full guide.

FIPS 140-3: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Steps to align Pgcli with FIPS 140-3:

  1. Use a platform with a FIPS 140-3 validated cryptographic module.
  2. Compile and configure OpenSSL in FIPS mode.
  3. Build Python against that FIPS-enabled OpenSSL.
  4. Install Pgcli in a controlled environment that enforces these crypto policies.
  5. Test with openssl version and python -m ssl to verify FIPS mode is active.

This is not optional if your workload falls under FIPS jurisdiction. Without these controls, Pgcli—like any CLI—will silently default to weaker crypto paths. Compliance means certainty: every connection adheres to the standard, every byte is protected under the rules.

A FIPS 140-3 Pgcli setup gives you secure Postgres access from terminal to wire. No custom clients. No blind spots. Once you have the validated modules in place, Pgcli behaves exactly as before—only now it passes the compliance audit.

You can see a FIPS 140-3–ready Pgcli in action without touching a single compiler. Deploy a secure environment in minutes at hoop.dev. Build it, run it, prove it—live.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts