'\" t
.\"     Title: crypto-policies
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\"      Date: 11/28/2023
.\"    Manual: \ \&
.\"    Source: crypto-policies
.\"  Language: English
.\"
.TH "CRYPTO\-POLICIES" "7" "11/28/2023" "crypto\-policies" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
crypto-policies \- system\-wide crypto policies overview
.SH "DESCRIPTION"
.sp
The security of cryptographic components of the operating system does not remain constant over time\&. Algorithms, such as cryptographic hashing and encryption, typically have a lifetime, after which they are considered either too risky to use or plain insecure\&. That means, we need to phase out such algorithms from the default settings or completely disable them if they could cause an irreparable problem\&.
.sp
While in the past the algorithms were not disabled in a consistent way and different applications applied different policies, the system\-wide crypto\-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system\-wide\&.
.sp
Several preconfigured policies (\fBDEFAULT\fR, \fBLEGACY\fR, \fBFUTURE\fR, and \fBFIPS\fR) and subpolicies are included in the \fBcrypto\-policies(7)\fR package\&. System administrators or third\-party vendors can define custom policies and subpolicies\&.
.sp
The recommended way to modify the effective configuration is to apply a custom subpolicy on top of a predefined policy\&. This allows configuration to evolve with future updates of the predefined policies keeping desired modification in place\&. Modifying effective configuration by defining a fully custom policy prevents the configuration from evolving with future updates of the predefined policies\&. The syntax to define custom policies and subpolicies is described in the CRYPTO POLICY DEFINITION FORMAT section below\&.
.sp
For rationale, see \fBRFC 7457\fR for a list of attacks taking advantage of legacy crypto algorithms\&.
.SH "COVERED APPLICATIONS"
.sp
Crypto\-policies apply to the configuration of the core cryptographic subsystems, covering \fBTLS\fR, \fBIKE\fR, \fBIPSec\fR, \fBDNSSec\fR, and \fBKerberos\fR protocols; i\&.e\&., the supported secure communications protocols on the base operating system\&.
.sp
Once an application runs in the operating system, it follows the default or selected policy and refuses to fall back to algorithms and protocols not within the policy, unless the user has explicitly requested the application to do so\&. That is, the policy applies to the default behavior of applications when running with the system\-provided configuration but the user can override it on an application\-specific basis\&.
.sp
The policies currently provide settings for these applications and libraries:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBBIND\fR
DNS name server daemon (scopes:
\fBBIND\fR,
\fBDNSSec\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBGnuTLS\fR
TLS library (scopes:
\fBGnuTLS\fR,
\fBSSL\fR,
\fBTLS\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBOpenJDK\fR
runtime environment (scopes:
\fBjava\-tls\fR,
\fBSSL\fR,
\fBTLS\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBKerberos 5\fR
library (scopes:
\fBkrb5\fR,
\fBKerberos\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBLibreswan\fR
IPsec and IKE protocol implementation (scopes:
\fBlibreswan\fR,
\fBIPSec\fR,
\fBIKE\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBNSS\fR
TLS library (scopes:
\fBNSS\fR,
\fBSSL\fR,
\fBTLS\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBOpenSSH\fR
SSH2 protocol implementation (scopes:
\fBOpenSSH\fR,
\fBSSH\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBOpenSSL\fR
TLS library (scopes:
\fBOpenSSL\fR,
\fBSSL\fR,
\fBTLS\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBlibssh\fR
SSH2 protocol implementation (scopes:
\fBlibssh\fR,
\fBSSH\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBsequoia\fR
PGP implementation, for usage outside of rpm\-sequoia (scopes:
\fBsequoia\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBrpm\-sequoia\fR
RPM Sequoia PGP backend (scopes:
\fBrpm\fR,
\fBrpm\-sequoia\fR)
.RE
.sp
Applications using the above libraries and tools are covered by the cryptographic policies unless they are explicitly configured otherwise\&.
.SH "PROVIDED POLICIES"
.PP
\fBLEGACY\fR
.RS 4
This policy ensures maximum compatibility with legacy systems; it is less secure and it includes support for
\fBTLS 1\&.0\fR,
\fBTLS 1\&.1\fR, and
\fBSSH2\fR
protocols or later\&. The algorithms
\fBDSA\fR
and
\fB3DES\fR
are allowed, while
\fBRSA\fR
and
\fBDiffie\-Hellman\fR
parameters are accepted if larger than 1024 bits\&. This policy provides at least 64\-bit security\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
MACs: all
\fBHMAC\fR
with
\fBSHA\-1\fR
or better + all modern MACs (\fBPoly1305\fR
etc\&.)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Curves: all prime >= 255 bits (including Bernstein curves)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Signature algorithms: with
\fBSHA1\fR
hash or better (\fBDSA\fR
allowed)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBTLS\fR
Ciphers: all available >= 112\-bit key, >= 128\-bit block (including
\fB3DES\fR, excluding
\fBRC4\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Non\-TLS Ciphers: same as
\fBTLS\fR
ciphers with added
\fBCamellia\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Key exchange:
\fBECDHE\fR,
\fBRSA\fR,
\fBDHE\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBDH\fR
params size: >= 1024
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBRSA\fR
keys size: >= 1024
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBDSA\fR
params size: >= 1024
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBTLS\fR
protocols:
\fBTLS\fR
>= 1\&.0,
\fBDTLS\fR
>= 1\&.0
.RE
.RE
.PP
\fBDEFAULT\fR
.RS 4
The
\fBDEFAULT\fR
policy is a reasonable default policy for today\(cqs standards\&. It allows the
\fBTLS 1\&.2\fR, and
\fBTLS 1\&.3\fR
protocols, as well as
\fBIKEv2\fR
and
\fBSSH2\fR\&. The
\fBDiffie\-Hellman\fR
parameters are accepted if they are at least 2048 bits long\&. This policy provides at least 112\-bit security with the exception of allowing
\fBSHA\-1\fR
signatures in DNSSec where they are still prevalent\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
MACs: all
\fBHMAC\fR
with
\fBSHA\-1\fR
or better + all modern MACs (\fBPoly1305\fR
etc\&.)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Curves: all prime >= 255 bits (including Bernstein curves)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Signature algorithms: with
\fBSHA\-224\fR
hash or better (no
\fBDSA\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBTLS\fR
Ciphers: >= 128\-bit key, >= 128\-bit block (\fBAES\fR,
\fBChaCha20\fR, including
\fBAES\-CBC\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
non\-TLS Ciphers: as
\fBTLS\fR
Ciphers with added
\fBCamellia\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
key exchange:
\fBECDHE\fR,
\fBRSA\fR,
\fBDHE\fR
(no
\fBDHE\-DSS\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBDH\fR
params size: >= 2048
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBRSA\fR
keys size: >= 2048
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBTLS\fR
protocols:
\fBTLS\fR
>= 1\&.2,
\fBDTLS\fR
>= 1\&.2
.RE
.RE
.PP
\fBNEXT\fR
.RS 4
The
\fBNEXT\fR
policy is just an alias to the
\fBDEFAULT\fR
policy\&.
.RE
.PP
\fBFUTURE\fR
.RS 4
A conservative security policy that is believed to withstand any near\-term future attacks at the expense of interoperability\&. It may prevent communication with many commonly used systems that only offer weaker security\&. This policy does not allow the use of
\fBSHA\-1\fR
in signature algorithms\&. The policy also provides some (not complete) preparation for post\-quantum encryption support in form of 256\-bit symmetric encryption requirement\&. The
\fBRSA\fR
and
\fBDiffie\-Hellman\fR
parameters are accepted if larger than 3071 bits\&. This policy provides at least 128\-bit security\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
MACs: all
\fBHMAC\fR
with
\fBSHA\-256\fR
or better + all modern MACs (\fBPoly1305\fR
etc\&.)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Curves: all prime >= 255 bits (including Bernstein curves)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Signature algorithms: with
\fBSHA\-256\fR
hash or better (no
\fBDSA\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBTLS\fR
Ciphers: >= 256\-bit key, >= 128\-bit block, only Authenticated Encryption (AE) ciphers
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
non\-TLS Ciphers: same as
\fBTLS\fR
ciphers with added non AE ciphers and
\fBCamellia\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
key exchange:
\fBECDHE\fR,
\fBDHE\fR
(no
\fBDHE\-DSS\fR, no
\fBRSA\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBDH\fR
params size: >= 3072
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBRSA\fR
keys size: >= 3072
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBTLS\fR
protocols:
\fBTLS\fR
>= 1\&.2,
\fBDTLS\fR
>= 1\&.2
.RE
.RE
.PP
\fBBSI\fR
.RS 4
A security policy based on recommendations by the german government agency BSI (Bundesamt fuer Sicherheit in der Informationstechnik, translated as "agency for security in software technology") in its ruleset BSI TR 02102 (TR \- technical recommendation)\&. The BSI TR 02102 standard is updated in regular intervals\&.
.sp
.if n \{\
.RS 4
.\}
.nf
This policy does not allow the use of *SHA\-1* in signature algorithms
(except *DNSSEC* and *RPM*)\&.
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
The policy also provides some (not complete) preparation for
post\-quantum encryption support in form of 256\-bit symmetric encryption
requirement\&.
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
The *RSA* parameters are accepted if larger than 2047 bits, and
*Diffie\-Hellman* parameters are accepted if larger than 3071 bits\&.
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
This policy provides at least 128\-bit security, excepting the transition
of *RSA*\&.
.fi
.if n \{\
.RE
.\}
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
MACs: all
\fBHMAC\fR
with
\fBSHA\-256\fR
or better + all modern MACs
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Curves: all prime >= 255 bits (including Bernstein curves)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Signature algorithms: with
\fBSHA\-256\fR
hash or better (no
\fBDSA\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBTLS\fR
Ciphers: >= 256\-bit key, >= 128\-bit block, only Authenticated Encryption (AE) ciphers
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
non\-TLS Ciphers: same as
\fBTLS\fR
ciphers with added non AE ciphers
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
key exchange:
\fBECDHE\fR,
\fBDHE\fR
(no
\fBDHE\-DSS\fR, no
\fBRSA\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBDH\fR
params size: >= 3072
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBRSA\fR
keys size: >= 2048 (until end of 2023, then it will switch to 3072)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBTLS\fR
protocols:
\fBTLS\fR
>= 1\&.2,
\fBDTLS\fR
>= 1\&.2
.sp
.if n \{\
.RS 4
.\}
.nf
Note that compared to others profiles *Chacha20* and *Camellia* are not
recommended by the BSI\&.
.fi
.if n \{\
.RE
.\}
.RE
.RE
.PP
\fBFIPS\fR
.RS 4
A policy to aid conformance to the
\fBFIPS 140\fR
requirements\&. This policy is used internally by the
\fBfips\-mode\-setup(8)\fR
tool which can switch the system into the
\fBFIPS 140\fR
mode\&. This policy provides at least 112\-bit security\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
MACs: all
\fBHMAC\fR
with
\fBSHA1\fR
or better
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Curves: all prime >= 256 bits
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Signature algorithms: with
\fBSHA\-256\fR
hash or better (no
\fBDSA\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBTLS\fR
Ciphers: >= 128\-bit key, >= 128\-bit block (\fBAES\fR, including
\fBAES\-CBC\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
non\-TLS Ciphers: same as
\fBTLS\fR
Ciphers
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
key exchange:
\fBECDHE\fR,
\fBDHE\fR
(no
\fBDHE\-DSS\fR, no
\fBRSA\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBDH\fR
params size: >= 2048
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBRSA\fR
params size: >= 2048
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBTLS\fR
protocols:
\fBTLS\fR
>= 1\&.2,
\fBDTLS\fR
>= 1\&.2
.RE
.RE
.PP
\fBEMPTY\fR
.RS 4
All cryptographic algorithms are disabled (used for debugging only, do not use)\&.
.RE
.SH "CRYPTO POLICY DEFINITION FORMAT"
.sp
The crypto policy definition files have a simple syntax following an \fBINI\fR file \fIkey\fR = \fIvalue\fR syntax with these particular features:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Comments are indicated by
\fI#\fR
character\&. Everything on the line following the character is ignored\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Backslash
\fI\e\fR
character followed immediately with the end\-of\-line character indicates line continuation\&. The following line is concatenated to the current line after the backslash and end\-of\-line characters are removed\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Value types for integer options can be decimal integers (\fIoption = 1\fR)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Multiple\-choice options can be specified by setting them to a list of values (\fIoption = value1 value2\fR)\&. This list can further be altered by prepending/omitting/appending values (\fIoption = \fR\fIprepended \-omitted appended\fR)\&. A follow\-up reassignment will reset the list\&. The latter syntax cannot be combined with the former one in the same directive\&. Setting an option to an empty list is possible with
\fIoption =\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Asterisk sign can be used for wildcard matching as a shortcut for specifying multiple values when setting multiple\-choice options\&. Note that wildcard matching can lead to future updates implicitly enabling algorithms not yet available in the current version\&. If this is a concern, do not use wildcard\-matching outside of algorithm\-omitting directives\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
In order to limit the scope of the directive and make it affect just some of the backends, the following extended syntax can be used:
\fIoption@scope = \&...\fR,
\fIoption@{scope1,scope2,\&...} = \&...\fR\&. Negation of scopes is possible with
\fIoption@!scope\fR
/ \*(Aqoption@{scope1,scope2,\&...}\&. Scope selectors are case\-insensitive\&.
.RE
.sp
The available options are:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBmac\fR: List of allowed MAC algorithms
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBgroup\fR: List of allowed groups or elliptic curves for key exchanges for use with other protocols
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBhash\fR: List of allowed cryptographic hash (message digest) algorithms
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBsign\fR: List of allowed signature algorithms
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBcipher\fR: List of allowed symmetric encryption algorithms (including the modes) for use with other protocols
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBkey_exchange\fR: List of allowed key exchange algorithms
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBprotocol\fR: List of allowed TLS, DTLS and IKE protocol versions; mind that some backends do not allow selectively disabling protocols versions and only use the oldest version as the lower boundary\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBmin_dh_size\fR: Integer value of minimum number of bits of parameters for
\fBDH\fR
key exchange
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBmin_dsa_size\fR: Integer value of minimum number of bits for
\fBDSA\fR
keys
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBmin_rsa_size\fR: Integer value of minimum number of bits for
\fBRSA\fR
keys
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBsha1_in_certs\fR: Value of 1 if
\fBSHA1\fR
allowed in certificate signatures, 0 otherwise (Applies to
\fBGnuTLS\fR
back end only\&.)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBarbitrary_dh_groups\fR: Value of 1 if arbitrary group in
\fBDiffie\-Hellman\fR
is allowed, 0 otherwise
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBssh_certs\fR: Value of 1 if
\fBOpenSSH\fR
certificate authentication is allowed, 0 otherwise
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBetm\fR:
\fBANY\fR/\fBDISABLE_ETM\fR/\fBDISABLE_NON_ETM\fR
allows both EtM (Encrypt\-then\-Mac) and E&M (Encrypt\-and\-Mac), disables EtM, and disables E&M respectively\&. (Currently only implemented for SSH, do not use without
\fB@SSH\fR
scope\&.)
.RE
.sp
Full policy definition files have suffix \&.pol, subpolicy files have suffix \&.pmod\&. Subpolicies do not have to have values set for all the keys listed above\&.
.sp
The effective configuration of a policy with subpolicies applied is the same as a configuration from a single policy obtained by concatenating the policy and the subpolicies in question\&.
.sp
\fBPolicy file placement and naming:\fR
.sp
The policy files shipped in packages are placed in /usr/share/crypto\-policies/policies and the subpolicies in /usr/share/crypto\-policies/policies/modules\&.
.sp
Locally configured policy files should be placed in /etc/crypto\-policies/policies and subpolicies in /etc/crypto\-policies/policies/modules\&.
.sp
The policy and subpolicy files must have names in upper\-case except for the \&.pol and \&.pmod suffix as the update\-crypto\-policies command always converts the policy name to upper\-case before searching for the policy on the filesystem\&.
.SH "COMMANDS"
.PP
\fBupdate\-crypto\-policies(8)\fR
.RS 4
This command manages the policies available to the various cryptographic back ends and allows the system administrator to change the active cryptographic policy\&.
.RE
.PP
\fBfips\-mode\-setup(8)\fR
.RS 4
This command allows the system administrator to enable, or disable the system FIPS mode and also apply the
\fBFIPS\fR
cryptographic policy which limits the allowed algorithms and protocols to these allowed by the FIPS 140 requirements\&.
.RE
.SH "NOTES"
.sp
\fBKnown notable exceptions\fR
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBGo\-language\fR
applications do not yet follow the system\-wide policy\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBGnuPG\-2\fR
application does not follow the system\-wide policy\&.
.RE
.sp
In general only the data\-in\-transit is currently covered by the system\-wide policy\&.
.sp
If the system administrator changes the system\-wide policy with the \fBupdate\-crypto\-policies(8)\fR command it is advisable to restart the system as the individual back\-end libraries read the configuration files usually during their initialization\&. The changes in the policy thus take place in most cases only when the applications using the back\-end libraries are restarted\&.
.sp
\fBRemoved cipher suites and protocols\fR
.sp
The following cipher suites and protocols are completely removed from the core cryptographic libraries listed above:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBDES\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
All export grade cipher suites
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBMD5\fR
in signatures
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBSSLv2\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBSSLv3\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
All
\fBECC\fR
curves smaller than 224 bits
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
All binary field
\fBECC\fR
curves
.RE
.sp
\fBCipher suites and protocols disabled in all predefined policies\fR
.sp
The following ciphersuites and protocols are available but disabled in all predefined crypto policies:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBDH\fR
with parameters < 1024 bits
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBRSA\fR
with key size < 1024 bits
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBCamellia\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBRC4\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBARIA\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBSEED\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBIDEA\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Integrity only ciphersuites
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBTLS\fR
\fBCBC mode\fR
ciphersuites using
\fBSHA\-384\fR
HMAC
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBAES\-CCM8\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
all
\fBECC\fR
curves incompatible with
\fBTLS 1\&.3\fR, including secp256k1
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBIKEv1\fR
.RE
.sp
\fBNotable irregularities in the individual configuration generators\fR
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBOpenSSL\fR
and
\fBNSS\fR: Disabling all TLS and/or all DTLS versions isn\(cqt actually possible\&. Trying to do so will result in the library defaults being applied instead\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBOpenSSL\fR: The minimum length of the keys and some other parameters are enforced by the @SECLEVEL value which does not provide a fine granularity\&. The list of
\fBTLS\fR
ciphers is not generated as an exact list but by subtracting from all the supported ciphers for the enabled key exchange methods\&. For that reason there is no way to disable a random cipher\&. In particular all
\fBAES\-128\fR
ciphers are disabled if the
\fBAES\-128\-GCM\fR
is not present in the list; all
\fBAES\-256\fR
ciphers are disabled if the
\fBAES\-256\-GCM\fR
is not present\&. The
\fBCBC\fR
ciphers are disabled if there isn\(cqt
\fBHMAC\-SHA1\fR
in the hmac list and
\fBAES\-256\-CBC\fR
in the cipher list\&. To disable the
\fBCCM\fR
ciphers both
\fBAES\-128\-CCM\fR
and
\fBAES\-256\-CCM\fR
must not be present in the cipher list\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBGnuTLS\fR: The minimum length of the keys and some other parameters are enforced by min\-verification\-profile setting in the
\fBGnuTLS\fR
configuration file which does not provide fine granularity\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBGnuTLS\fR: PSK key exchanges have to be explicitly enabled by the applications using them\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBGnuTLS\fR: HMAC\-SHA2\-256 and HMAC\-SHA2\-384 MACs are disabled due to concerns over the constant\-timedness of the implementation\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBOpenSSH\fR:
\fBDH\fR
group 1 is always disabled on server even if the policy allows 1024 bit
\fBDH\fR
groups in general\&. The OpenSSH configuration option HostKeyAlgorithms is set only for the
\fBSSH\fR
server as otherwise the handling of the existing known hosts entries would be broken on client\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBLibreswan\fR: The
\fBkey_exchange\fR
parameter does not affect the generated configuration\&. The use of regular
\fBDH\fR
or
\fBECDH\fR
can be limited with appropriate setting of the
\fBgroup\fR
parameter\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBSequoia\fR: only
\fBhash_algorithms\fR,
\fBsymmetric_algorithms\fR
and
\fBasymmetric_algorithms\fR
are controlled by crypto\-policies\&.
\fBasymmetric_algorithms\fR
is not controlled directly, but deduced from
\fBsign\fR
and
\fBgroup\fR\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBNSS\fR: order of
\fBgroup\fR
values is ignored and built\-in order is used instead\&.
.RE
.SH "HISTORY"
.sp
The \fBECDHE\-GSS\fR and \fBDHE\-GSS\fR algorithms are newly introduced and must be specified in the base policy for the SSH GSSAPI key exchange methods to be enabled\&. Previously the legacy SSH GSSAPI key exchange methods were automatically enabled when the \fBSHA1\fR hash and \fBDH\fR parameters of at least 2048 bits were enabled\&.
.sp
Before the introduction of the \fBcustom crypto policies\fR support it was possible to have an completely arbitrary crypto policy created as a set of arbitrary back\-end config files in /usr/share/crypto\-policies/<POLICYNAME> directory\&. With the introduction of the \fBcustom crypto policies\fR it is still possible but there must be an empty (possibly with any comment lines) <POLICYNAME>\&.pol file in /usr/share/crypto\-policies/policies so the update\-crypto\-policies command can recognize the arbitrary custom policy\&. No subpolicies must be used with such an arbitrary custom policy\&. Modifications from \fBlocal\&.d\fR will be appended to the files provided by the policy\&.
.sp
The use of the following historaically available options is discouraged:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBmin_tls_version\fR: Lowest allowed TLS protocol version (recommended replacement:
\fBprotocol@TLS\fR)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBmin_dtls_version\fR: Lowest allowed DTLS protocol version (recommended replacement:
\fBprotocol@TLS\fR)
.RE
.sp
The following options are deprecated, please rewrite your policies:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBike_protocol\fR: List of allowed IKE protocol versions (recommended replacement:
\fBprotocol@IKE\fR, mind the relative position to other
\fBprotocol\fR
directives)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBtls_cipher\fR: list of allowed symmetric encryption algorithms for use with the TLS protocol (recommended replacement:
\fBcipher@TLS\fR, mind the relative position to other
\fBcipher\fR
directives)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBssh_cipher\fR: list of allowed symmetric encryption algorithms for use with the SSH protocol (recommended replacement:
\fBcipher@SSH\fR, mind the relative position to other
\fBcipher\fR
directives)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBssh_group\fR: list of allowed groups or elliptic curves for key exchanges for use with the SSH protocol (recommended replacement:
\fBgroup@SSH\fR, mind the relative position to other
\fBgroup\fR
directives)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBsha1_in_dnssec\fR: Allow
\fBSHA1\fR
usage in DNSSec protocol even if it is not present in the
\fBhash\fR
and
\fBsign\fR
lists (recommended replacements:
\fBhash@DNSSec\fR,
\fBsign@DNSSec\fR)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBssh_etm\fR: Value of 1 if
\fBOpenSSH\fR
EtM (encrypt\-then\-mac) extension is allowed, 0 otherwise\&. Use
\fBetm@SSH\fR
instead\&.
.RE
.SH "FILES"
.PP
/etc/crypto\-policies/back\-ends
.RS 4
The individual cryptographical back\-end configuration files\&. Usually linked to the configuration shipped in the crypto\-policies package unless a configuration from
local\&.d
is added\&.
.RE
.PP
/etc/crypto\-policies/config
.RS 4
A file containing the name of the active crypto\-policy set on the system\&.
.RE
.PP
/etc/crypto\-policies/local\&.d
.RS 4
Additional configuration shipped by other packages or created by the system administrator\&. The contents of the
<back\-end>\-file\&.config
is appended to the configuration from the policy back end as shipped in the crypto\-policies package\&.
.RE
.PP
/usr/share/crypto\-policies/policies
.RS 4
System policy definition files\&.
.RE
.PP
/usr/share/crypto\-policies/policies/modules
.RS 4
System subpolicy definition files\&.
.RE
.PP
/etc/crypto\-policies/policies
.RS 4
Custom policy definition files as configured by the system administrator\&.
.RE
.PP
/etc/crypto\-policies/policies/modules
.RS 4
Custom subpolicy definition files as configured by the system administrator\&.
.RE
.PP
/usr/share/crypto\-policies/<\*(AqPOLICYNAME\*(Aq>
.RS 4
Pre\-generated back\-end configurations for policy
\fIPOLICYNAME\fR\&.
.RE
.SH "SEE ALSO"
.sp
update\-crypto\-policies(8), fips\-mode\-setup(8)
.SH "AUTHOR"
.sp
Written by Tomáš Mráz\&.