update-crypto-policies (8) - Linux Manuals

update-crypto-policies: manage the policies available to the various cryptographic back-ends.


update-crypto-policies - manage the policies available to the various cryptographic back-ends.


update-crypto-policies [COMMAND]


update-crypto-policies(8) is used to set the policy applicable for the various cryptographic back-ends, such as SSL/TLS libraries. That will be the default policy used by these back-ends unless the application user configures them otherwise.

The available policies are restricted to the following three profiles.

• LEGACY: ensures maximum compatibility with legacy systems (64-bit security)

• DEFAULT: A reasonable default for today's standards (80-bit security).

• FUTURE: A level that will provide security on a conservative level that is believed to withstand any near-term future attacks (112-bit security).

The desired system policy is selected in /etc/crypto-profiles/config and this tool will generate the individual policy requirements for all back-ends that support such configuration. After this tool is called the administrator is assured that any application that utilizes the supported back-ends will policy that adheres to the configured profile.

The generated back-end policies will be placed in /etc/crypto-profiles/back-ends. Currently the supported back-ends are:

• GnuTLS library

• OpenSSL library



Policies that were present in previously released Fedora systems will be available using the -FXX suffix, where XX is the Fedora version. For example the LEGACY policy in Fedora 21 will also be available as LEGACY-F21.


Applications shipped by Fedora that provide a default configuration file that includes a cryptographic policy string will be modified gradually to support these policies.

When an application provides a configuration file, the changes needed to utilize the system-wide policy are the following.

• Applications using GnuTLS: The special priority string "@SYSTEM" should replace any other priority string.

• Applications using OpenSSL: The special cipher string "PROFILE=SYSTEM" should replace any other cipher string.

In all cases if the application isn't using a particular setting, e.g., using gnutls_priority_set_default() in GnuTLS, or no specific cipher string setting in OpenSSL, no other changes are required. The system-wide string will be used automatically.


One of the supported profiles should be set in /etc/crypto-profiles/config and this script should be run afterwards.

In case of a parsing error no policies will be updated.



The file contains the current system policy. It should contain a string of one of the profiles listed above (e.g., DEFAULT).


Contains the generated policies in separated files, and in a format readable by the supported back-ends.


Written by Nikos Mavrogiannopoulos.