Across enterprise IT the security landscape is changing and attackers are coming up with more sophisticated attacks. The cryptographic algorithms that might be robust and reliable today, may not necessarily be so tomorrow. Applying a consistent cryptographic policy at scale can be quite challenging. To solve this, we introduced system-wide crypto policies in RHEL 8, and based on customer feedback, have extended it in RHEL 8.2 to enable users to specify their own crypto policies if the built-in policies do not meet their requirements.
As a refresher, system-wide crypto policies introduced in RHEL 8 are:
-
Centrally managed on the system using a simple command to show the currently set system-wide crypto policy and update the system-wide crypto policy.
Show the system-wide crypto policy currently in effect
$ update-crypto-policies --show DEFAULT
Update the system-wide crypto policy to set the level to future
$ update-crypto-policies --set FUTURE Setting system policy to FUTURE
-
Effective across applications built using core cryptographic subsystems. For example, if your application leverages OpenSSL, or GnuTLS, these applications will be able to benefit from the RHEL crypto policies.
-
Configurable to a particular predefined policy level. In RHEL 8, four policies are provided under the names “LEGACY”, “DEFAULT”, “FUTURE” and “FIPS”. Detailed settings about each policy are summarized in this post about strong crypto defaults in RHEL 8 and update-crypto-policies man pages.
However, the predefined policy level settings are one-size-fits-all. They cannot be used to fine tune the security requirements of a system if needed. That’s where custom crypto policies come to the rescue.
Custom crypto policies in RHEL 8.2 enable users to modify predefined policy levels (by adding or removing enabled algorithms or protocols), or to write a new crypto policy from scratch.
Modifying an existing crypto policy
To modify existing crypto policies, use policy modifier modules. These are text files that include policy instructions to the update-crypto-policies
tool.
The naming of these files must follow the following convention: <MODULE>.pmod, where <MODULE> is the name of the modifier in uppercase without spaces, and .pmod is the file extension in lowercase.
The location of these files should be /etc/crypto-policies/policies/modules
folder (or the /usr/share/crypto-policies/policies/modules
folder if they are in installed packages).
For example, suppose we want to remove support for RSA and PSK (pre-shared keys) key exchanges as they do not provide forward secrecy.
In this case, missing forward secrecy means that if an attacker who is recording the encrypted data exchanged between client and server somehow obtains the RSA key, they can decrypt the pre-master secret for all recorded sessions which used the same key compromising confidentiality. Section 2 of RFC4279 details how the pre-master secret is computed. This is not possible with key exchanges providing forward secrecy such as DiffieHellman and Elliptic Curve Diffie Hellman key exchanges.
To accomplish this, create a policy modifier module called PFS-KEX.pmod
with this line:
key_exchange = -RSA -PSK
Before you apply the modifier, you can check the crypto policy using the update-crypto-policies
tool:
update-crypto-policies --show
Output:
DEFAULT
Next, you can then apply this policy modifier to other crypto policies using a command like this:
update-crypto-policies --set DEFAULT:PFS-KEX
Output:
Setting system policy to DEFAULT:PFS-KEX
Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place.
To confirm that you have applied this policy modifier properly, you can check the set crypto policy again using:
update-crypto-policies --show
Output:
DEFAULT:PFS-KEX
Creating a new policy from scratch
Depending on your requirements, you can also choose to write up a new crypto policy from scratch. As a starting point, you can create a copy of the DEFAULT.pol policy file, edit and rename it to create a new policy.
The system-wide crypto policy definition files should be owned by root and must not be writable by non-privileged users just like other system-wide configuration files.
Copy one of the four predefined policy levels and edit it:
# cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/MYPOLICY.pol # vi /etc/crypto-policies/policies/MYPOLICY.pol
After updating the MYPOLICY policy file, set the crypto-policy:
# update-crypto-policies --set MYPOLICY
Reboot the system to make the crypto-policy settings effective for all running services and applications
# reboot
Confirm after the reboot that the crypto-policy is effective. This should show MYPOLICY.
# update-crypto-policies --show
Conclusion
The examples in this blog showcase the flexibility you get with system-wide crypto policies in RHEL 8.2, that allow writing a new policy from scratch, or modifying an existing one.
Supporting system-wide crypto policies raises the security bar of default installations in Red Hat Enterprise Linux systems and with this enhancement to crypto policies, administrators now have a way to tweak security settings for cryptographic algorithms and protocols. This opens up a whole new way to meet today’s evolving security requirements.
So, if you are a system administrator needing to interoperate with other systems, needing compatibility with old devices, or a compliance auditor wanting to ensure that only approved ciphers are being used, the new customizable system-wide cryptographic policies in RHEL 8.2 are for you.
Get started today by examining the crypto_policies
man pages and RHEL 8.2 documentation. Feel free to test out various options; all of the system profiles will remain there, untouched, and easy for you to fall back to.
執筆者紹介
Tomáš Mráz is a Principal Software Engineer in the Crypto Team at Red Hat. He works on System-Wide Cryptographic Policies and the OpenSSL library.
Don Pinto is a Technical Product Marketing Manager at Red Hat focused on helping customers understand why Red Hat Enterprise Linux is an ideal operating system platform for modern application workloads. Pinto is passionate about data management and operating systems, having authored several technical blogs and white papers on various tech topics. Pinto holds a Masters degree in Computer Science and a Bachelor's degree in Computer Engineering from the University of Toronto, Canada.
チャンネル別に見る
自動化
テクノロジー、チームおよび環境に関する IT 自動化の最新情報
AI (人工知能)
お客様が AI ワークロードをどこでも自由に実行することを可能にするプラットフォームについてのアップデート
オープン・ハイブリッドクラウド
ハイブリッドクラウドで柔軟に未来を築く方法をご確認ください。
セキュリティ
環境やテクノロジー全体に及ぶリスクを軽減する方法に関する最新情報
エッジコンピューティング
エッジでの運用を単純化するプラットフォームのアップデート
インフラストラクチャ
世界有数のエンタープライズ向け Linux プラットフォームの最新情報
アプリケーション
アプリケーションの最も困難な課題に対する Red Hat ソリューションの詳細
オリジナル番組
エンタープライズ向けテクノロジーのメーカーやリーダーによるストーリー
製品
ツール
試用、購入、販売
コミュニケーション
Red Hat について
エンタープライズ・オープンソース・ソリューションのプロバイダーとして世界をリードする Red Hat は、Linux、クラウド、コンテナ、Kubernetes などのテクノロジーを提供しています。Red Hat は強化されたソリューションを提供し、コアデータセンターからネットワークエッジまで、企業が複数のプラットフォームおよび環境間で容易に運用できるようにしています。
言語を選択してください
Red Hat legal and privacy links
- Red Hat について
- 採用情報
- イベント
- 各国のオフィス
- Red Hat へのお問い合わせ
- Red Hat ブログ
- ダイバーシティ、エクイティ、およびインクルージョン
- Cool Stuff Store
- Red Hat Summit