RedHat system-wide crypto policies (rhel 8.2)


Across enterprise IT the security landscape is changing, and attackers are coming up with more sophisticated attacks. The cryptographic algorithms that are robust and reliable today may not necessarily be so tomorrow.

RHEL 8.2 adds the ability for users to specify their own crypto policies when the built-in policies do not meet their requirements.

As a refresher, system-wide crypto policies introduced in RHEL 8 are:

  1. Centrally managed on the system using a simple command to show the currently set system-wide crypto policy and to update it:

       $ update-crypto-policies --show
       DEFAULT

     Update the system-wide crypto policy to set the level to FUTURE:

       $ update-crypto-policies --set FUTURE
       Setting system policy to FUTURE

  2. Show the system-wide crypto policy currently in effect.
  3. Effective across applications built using core cryptographic subsystems. For example, if your application leverages OpenSSL or GnuTLS, it will be able to benefit from the RHEL crypto policies.
  4. Configurable to a particular predefined policy level. In RHEL 8, four policies are provided under the names "LEGACY", "DEFAULT", "FUTURE" and "FIPS". Detailed settings about each policy are summarized in this post about strong crypto defaults in RHEL 8 and update-crypto-policies man pages.

Modifying an existing crypto policy

To modify existing crypto policies, use policy modifier modules. These are text files that contain policy instructions for the update-crypto-policies tool.

The naming of these files must follow this convention: <MODULE>.pmod, where <MODULE> is the name of the modifier in uppercase without spaces, and .pmod is the file extension in lowercase.

These files should be placed in the /etc/crypto-policies/policies/modules folder (or in the /usr/share/crypto-policies/policies/modules folder if they are shipped in installed packages).



To revert to the legacy policy:

    $ sudo update-crypto-policies --set LEGACY

To get the old policy back:

    $ sudo update-crypto-policies --set DEFAULT:FEDORA32

To get back to the current policy:

    $ sudo update-crypto-policies --set DEFAULT
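The <MODULE>.pmod convention described above, together with the BASE:MODULE form of --set used in these commands (DEFAULT:FEDORA32), as an added example that is not from the original post: a small shell helper that validates the module name, writes a modifier that drops SHA-1, and composes the command that layers it on DEFAULT. The `hash = -SHA1` / `sign = -*-SHA1` directive syntax is assumed from the NO-SHA1 module shipped with crypto-policies, and the file is written to a scratch directory rather than /etc.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a policy modifier module
# (<MODULE>.pmod) and the update-crypto-policies command that applies it.
# Assumption: the "hash = -SHA1" / "sign = -*-SHA1" directives follow the
# NO-SHA1 module shipped with crypto-policies; check your version's modules.
set -u
export LC_ALL=C   # keep [A-Z] strictly ASCII uppercase regardless of locale

# Naming rule from the post: uppercase, no spaces. Returns 0 if valid, 1 if not.
valid_module_name() {
    case "$1" in
        ''|*[!A-Z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write DIR/NAME.pmod with one directive per extra argument.
# Refuses invalid names so a typo never yields a silently ignored module.
write_pmod() {
    pmod_dir=$1; pmod_name=$2; shift 2
    valid_module_name "$pmod_name" || {
        echo "invalid module name: $pmod_name" >&2
        return 1
    }
    mkdir -p "$pmod_dir" || return 1
    {
        printf '# Policy modifier %s (generated)\n' "$pmod_name"
        for directive in "$@"; do printf '%s\n' "$directive"; done
    } > "$pmod_dir/$pmod_name.pmod"
}

# Compose the command that layers a module on a base policy (BASE:MODULE),
# the same form as DEFAULT:FEDORA32 above.
set_policy_cmd() {
    printf 'update-crypto-policies --set %s:%s\n' "$1" "$2"
}

# Demo: write to a scratch directory; on a real host the module goes into
# /etc/crypto-policies/policies/modules and the command is run as root.
demo_dir=${DEMO_DIR:-$(mktemp -d)}
write_pmod "$demo_dir" NO-SHA1 'hash = -SHA1' 'sign = -*-SHA1'
cat "$demo_dir/NO-SHA1.pmod"
set_policy_cmd DEFAULT NO-SHA1   # afterwards, --show reports the layered policy
```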



This article was updated on Jan 29, 2022


I'm Marco Varagnolo aka Toyhoshi, the author behind, curious about everything by nature, I'm a system architect. Huge supporter of the DevOps mindset. My hands are dirty all day long with Kubernetes, containers and many similar things in between. What else do you need? :-)