diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3ddee02..db46c27 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,3 +30,26 @@ jobs:
 run: make check
 - name: Check Licenses
 run: make check-license
+ - uses: actions/cache@v3
+ id: goboring-cache
+ with:
+ path: /opt/goboring/
+ key: ${{ runner.os }}-goboring-${{ hashFiles('/opt/goboring/go/VERSION') }}
+ restore-keys: |
+ ${{ runner.os }}-goboring-
+ - name: Set up GoBoring
+ if: steps.goboring-cache.outputs.cache-hit != 'true'
+ run: |
+ mkdir -p /opt/goboring
+ cd /opt/goboring
+ wget --no-verbose https://go-boringcrypto.storage.googleapis.com/go1.18b7.linux-amd64.tar.gz
+ tar -xzvf go1.18b7.linux-amd64.tar.gz
+ /opt/goboring/go/bin/go version
+ - name: Build
+ run: make GOBIN=/opt/goboring/go/bin/go CGO_ENABLED=1 GO_BUILD_ARGS='-v -tags "netgo fips" -trimpath' GO_LDFLAGS='-s -w -linkmode=external -extldflags=-static' static-build
+ env:
+ GOROOT: /opt/goboring/go
+ - name: Test
+ run: make GOBIN=/opt/goboring/go/bin/go CGO_ENABLED=1 GO_BUILD_ARGS='-v -tags "netgo fips" -trimpath' GO_LDFLAGS='-s -w -linkmode=external -extldflags=-static' test
+ env:
+ GOROOT: /opt/goboring/go
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 40a8156..db7e209 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
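Review bot: The "Set up GoBoring" step extracts and runs `go1.18b7.linux-amd64.tar.gz` straight after download with no integrity check, so the toolchain that builds and tests the project is trusted on transport security alone; the identical step in the release.yml hunk has the same gap. Pin a digest and verify it before the `tar` line, e.g. `echo "<EXPECTED_SHA256>  go1.18b7.linux-amd64.tar.gz" | sha256sum -c -`. The cache key also looks ineffective: as documented, `hashFiles()` only matches files inside the workspace, and `/opt/goboring/go/VERSION` is outside it and absent before the restore, so the key most likely collapses to a constant and a later toolchain bump would keep hitting the old cache entry. Keying on the version string, `key: ${{ runner.os }}-goboring-go1.18b7`, and dropping `restore-keys` would tie the cached toolchain to the version the step downloads.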
@@ -24,6 +24,21 @@ jobs:
 uses: sigstore/cosign-installer@main
 with:
 cosign-release: 'v1.6.0'
+ - uses: actions/cache@v3
+ id: goboring-cache
+ with:
+ path: /opt/goboring/
+ key: ${{ runner.os }}-goboring-${{ hashFiles('/opt/goboring/go/VERSION') }}
+ restore-keys: |
+ ${{ runner.os }}-goboring-
+ - name: Set up GoBoring
+ if: steps.goboring-cache.outputs.cache-hit != 'true'
+ run: |
+ mkdir -p /opt/goboring
+ cd /opt/goboring
+ wget --no-verbose https://go-boringcrypto.storage.googleapis.com/go1.18b7.linux-amd64.tar.gz
+ tar -xzvf go1.18b7.linux-amd64.tar.gz
+ /opt/goboring/go/bin/go version
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v2
 with:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index e28eca4..e2f62aa 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -16,11 +16,37 @@ builds:
 mod_timestamp: '{{ .CommitTimestamp }}'
 tags:
 - netgo
+- id: fips
+ binary: rskey-fips
+ env:
+ - CGO_ENABLED=1
+ - GOROOT=/opt/goboring/go
+ flags:
+ - -trimpath
+ gobinary: /opt/goboring/go/bin/go
+ ldflags:
+ - -s -w -linkmode=external -extldflags=-static
+ mod_timestamp: "{{ .CommitTimestamp }}"
+ tags:
+ - fips
+ - netgo
+ targets:
+ - linux_amd64
 archives:
-- files:
+- builds:
+ - rskey
+ files:
+ - LICENSE
+ - README.md
+ - NOTICE.md
+- id: fips
+ builds:
+ - fips
+ files:
 - LICENSE
 - README.md
 - NOTICE.md
+ name_template: "{{ .ProjectName }}-fips_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
 release:
 draft: true
 signs:
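Review bot: Restoring `/opt/goboring/` from `actions/cache` in the release workflow means the compiler for the signed release artifacts can come from a cache entry written by an earlier run instead of a fresh download, and on a cache hit the "Set up GoBoring" step, the only place a check could live, is skipped by its `if:` condition. For the release job it would be safer to drop the cache step and always download and verify, or to verify the restored toolchain unconditionally in a separate step. Which runs are able to write this cache key depends on workflow triggers that are not visible in this hunk, so a comment above the cache step naming the workflows expected to populate it would help reviewers. The added `actions/cache@v3` is also referenced by a mutable tag; pinning it as `uses: actions/cache@<COMMIT_SHA> # v3` keeps the release pipeline's inputs fixed.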
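Review bot: Nothing in the new `fips` build entry checks that the resulting `rskey-fips` binary actually contains the BoringCrypto backend; the binary name and the `-fips_` archive template assert it to downstream users solely on the strength of `gobinary` and the `fips` tag. Consider a test that runs under the `fips` tag and fails when the boring backend is not active, or a post-build check; note that a symbol-based check would have to run on an unstripped build, since `-s -w` removes the symbol table. A comment above `gobinary:` would also document the coupling to CI, e.g. `# Toolchain is installed by the "Set up GoBoring" step in release.yml; this path does not exist on developer machines`. The `builds:` and `archives:` lists both start outside this hunk, so whether the first build carries `id: rskey` (which the new `builds: - rskey` filter relies on) cannot be confirmed from here.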