System-wide Crypto Policies in CentOS 8 [Explained]

Updated on March 7, 2022

Can we assume that the people who set up systems and software are experts in their field, that they understand the details of cryptographic algorithms, and that everything they configure is safe from attackers? Whether that assumption is right or wrong, it is important that systems and software operate under the right cryptographic settings. By right cryptographic settings, I mean settings that comply with globally accepted standards and prevent the use of legacy protocols and algorithms. In short, I’m talking about system-wide crypto policies.

What are crypto policies?

A crypto policy is a package that configures the core cryptographic subsystems by enabling a set of policies, which the administrator can choose. When a system-wide crypto policy is enabled, applications and services comply with it and reject protocols and algorithms that do not meet the policy.

Tool – update-crypto-policies

update-crypto-policies is the command that manages the current system-wide cryptographic policy. It is installed by the package ‘crypto-policies-scripts’ in CentOS Stream 8. If the package is not present on your OS, install it as shown below:

Install crypto-policies-scripts

# dnf -y install crypto-policies-scripts

(or)

# yum -y install crypto-policies-scripts

View current system-wide policy

# update-crypto-policies --show
DEFAULT

Set/Change system-wide policy

# update-crypto-policies --set FUTURE
Setting system policy to FUTURE
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

As the output above notes, restart the system to apply the new cryptographic policy.

Type of Cryptographic policies supported

DEFAULT, LEGACY, FUTURE, and FIPS are the policies you can set using the update-crypto-policies command. Learn more about crypto-policies here.

Examples of client applications

Now, assume that you have set the system-wide crypto policy to FUTURE, and see how client applications behave under it.

Use cURL to access a website that uses a weak SHA-1 certificate. While the crypto policy is set to FUTURE, cURL should reject the SHA-1 certificate as shown below:

# curl https://sha1-intermediate.badssl.com
curl: (60) SSL certificate problem: EE certificate key too weak
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Trying to SSH to the server with weak ciphers should result in an error as shown below:

# ssh -vv -oCiphers=3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc centos@192.168.141.141
::::::::::::::::::::::::::::::::::::
Unable to negotiate with 192.168.141.141 port 22: no matching cipher found. Their offer: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
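
The failed negotiation above, worked through as an added example (not part of the original article): SSH selects the first cipher in the client's list that the server also offers, so a client restricted to CBC and 3DES has nothing in common with this server. The function names are illustrative; the error line and cipher lists are the ones shown above.

```shell
#!/bin/sh
# Added example: explains the "no matching cipher found" result using the
# cipher lists from the ssh session above. Function names are illustrative.

# Extract the server's cipher list from an ssh "Unable to negotiate" line.
server_offer() {
    printf '%s\n' "$1" | sed -n 's/.*no matching cipher found\. Their offer: *//p'
}

# SSH picks the first cipher in the client's list that the server also
# offers (RFC 4253, section 7.1). Prints it, or returns 1 if none match.
negotiate_cipher() {
    client=$1 server=$2
    old_ifs=$IFS; IFS=,
    for c in $client; do
        for s in $server; do
            if [ "$c" = "$s" ]; then
                IFS=$old_ifs
                printf '%s\n' "$c"
                return 0
            fi
        done
    done
    IFS=$old_ifs
    return 1
}

# Print the entries of a comma-separated list that are CBC-mode or 3DES,
# the ciphers the client tried to force in the article's test.
weak_ciphers() {
    old_ifs=$IFS; IFS=,
    out=
    for c in $1; do
        case $c in
            *-cbc|*-cbc@*|3des*) out="${out:+$out,}$c" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# The ssh error line and client cipher list shown in the article.
ERR_LINE='Unable to negotiate with 192.168.141.141 port 22: no matching cipher found. Their offer: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr'
CLIENT='3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc'

OFFER=$(server_offer "$ERR_LINE")
echo "server offers: $OFFER"
echo "weak in server offer: $(weak_ciphers "$OFFER")"
negotiate_cipher "$CLIENT" "$OFFER" || echo "no common cipher: connection refused"
```

The same `weak_ciphers` check can be run over any comma-separated cipher list, such as a collected server offer, to confirm that no CBC or 3DES entries remain after a policy change.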

Learn to disable weak key exchange algorithm, CBC Mode in SSH.

With this, we understand that the client and server applications respect the crypto policies set system-wide. It means the administrator need not worry about setting the right cryptographic algorithm and protocol for each application.
