Across enterprise IT the security landscape is changing and attackers are coming up with more sophisticated attacks. The cryptographic algorithms that might be robust and reliable today, may not necessarily be so tomorrow. Applying a consistent cryptographic policy at scale can be quite challenging. To solve this, we introduced system-wide crypto policies in RHEL 8, and based on customer feedback, have extended it in RHEL 8.2 to enable users to specify their own crypto policies if the built-in policies do not meet their requirements.

As a refresher, system-wide crypto policies introduced in RHEL 8 are:

  1. Centrally managed on the system using a simple command to show the currently set system-wide crypto policy and update the system-wide crypto policy.

    Show the system-wide crypto policy currently in effect 

    $ update-crypto-policies --show
    DEFAULT

    Update the system-wide crypto policy to set the level to future

    $ update-crypto-policies --set FUTURE
    Setting system policy to FUTURE
  2. Effective across applications built using core cryptographic subsystems. For example, if your application leverages OpenSSL, or GnuTLS, these applications will be able to benefit from the RHEL crypto policies. 

  3. Configurable to a particular predefined policy level. In RHEL 8, four policies are provided under the names “LEGACY”, “DEFAULT”, “FUTURE” and “FIPS”. Detailed settings about each policy are summarized in this post about strong crypto defaults in RHEL 8 and update-crypto-policies man pages.

However, the predefined policy level settings are one-size-fits-all. They cannot be used to fine tune the security requirements of a system if needed. That’s where custom crypto policies come to the rescue.

Custom crypto policies in RHEL 8.2 enable users to modify predefined policy levels (by adding or removing enabled algorithms or protocols), or to write a new crypto policy from scratch.

Modifying an existing crypto policy

To modify existing crypto policies, use policy modifier modules. These are text files that include policy instructions to the update-crypto-policies tool. 

The naming of these files must follow the following convention: <MODULE>.pmod, where <MODULE> is the name of the modifier in uppercase without spaces, and .pmod is the file extension in lowercase. 

The location of these files should be /etc/crypto-policies/policies/modules folder (or the /usr/share/crypto-policies/policies/modules folder if they are in installed packages).

For example, suppose we want to remove support for RSA and PSK (pre-shared keys) key exchanges as they do not provide forward secrecy.

In this case, missing forward secrecy means that if an attacker who is recording the encrypted data exchanged between client and server somehow obtains the RSA key, they can decrypt the pre-master secret for all recorded sessions which used the same key compromising confidentiality. Section 2 of RFC4279 details how the pre-master secret is computed. This is not possible with key exchanges providing forward secrecy such as DiffieHellman and Elliptic Curve Diffie Hellman key exchanges.

To accomplish this, create a policy modifier module called PFS-KEX.pmod with this line:

key_exchange = -RSA -PSK

Before you apply the modifier, you can check the crypto policy using the update-crypto-policies tool:

update-crypto-policies --show

Output: 

DEFAULT

Next, you can then apply this policy modifier to other crypto policies using a command like this:

update-crypto-policies --set DEFAULT:PFS-KEX

Output:

Setting system policy to DEFAULT:PFS-KEX

Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place.

To confirm that you have applied this policy modifier properly, you can check the set crypto policy again using: 

update-crypto-policies --show

Output:

DEFAULT:PFS-KEX

Creating a new policy from scratch

Depending on your requirements, you can also choose to write up a new crypto policy from scratch. As a starting point, you can create a copy of the DEFAULT.pol policy file, edit and rename it to create a new policy.

The system-wide crypto policy definition files should be owned by root and must not be writable by non-privileged users just like other system-wide configuration files.

Copy one of the four predefined policy levels and edit it:

# cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/MYPOLICY.pol
# vi /etc/crypto-policies/policies/MYPOLICY.pol

After updating the MYPOLICY policy file, set the crypto-policy:

# update-crypto-policies --set MYPOLICY

Reboot the system to make the crypto-policy settings effective for all running services and applications

# reboot

Confirm after the reboot that the crypto-policy is effective. This should show MYPOLICY.

# update-crypto-policies --show

Conclusion

The examples in this blog showcase the flexibility you get with system-wide crypto policies in RHEL 8.2, that allow writing a new policy from scratch, or modifying an existing one. 

Supporting system-wide crypto policies raises the security bar of default installations in Red Hat Enterprise Linux systems and with this enhancement to crypto policies, administrators now have a way to tweak security settings for cryptographic algorithms and protocols. This opens up a whole new way to meet today’s evolving security requirements. 

So, if you are a system administrator needing to interoperate with other systems, needing compatibility with old devices, or a compliance auditor wanting to ensure that only approved ciphers are being used, the new customizable system-wide cryptographic policies in RHEL 8.2 are for you. 

Get started today by examining the crypto_policies man pages and RHEL 8.2 documentation. Feel free to test out various options; all of the system profiles will remain there, untouched, and easy for you to fall back to. 


About the authors

Tomáš Mráz is a Principal Software Engineer in the Crypto Team at Red Hat. He works on System-Wide Cryptographic Policies and the OpenSSL library.

Read full bio

Don Pinto is a Technical Product Marketing Manager at Red Hat focused on helping customers understand why Red Hat Enterprise Linux is an ideal operating system platform for modern application workloads. Pinto is passionate about data management and operating systems, having authored several technical blogs and white papers on various tech topics. Pinto holds a Masters degree in Computer Science and a Bachelor's degree in Computer Engineering from the University of Toronto, Canada.

Read full bio