update-crypto-policies man page

update-crypto-policies — manage the policies available to the various cryptographic back-ends.


update-crypto-policies [COMMAND]


update-crypto-policies(8) is used to set the policy applicable for the various cryptographic back-ends, such as SSL/TLS libraries. That will be the default policy used by these back-ends unless the application user configures them otherwise.

The available policies are restricted to the following profiles.

The desired system policy is selected in /etc/crypto-policies/config and this tool will generate the individual policy requirements for all back-ends that support such configuration. After this tool is called the administrator is assured that any application that utilizes the supported back-ends will follow a policy that adheres to the configured profile.

Note that the above assurance does apply to the extent that applications are configured to follow the default policy (the details vary on the back-end, see below for more information).

The generated back-end policies will be placed in /etc/crypto-policies/back-ends. Currently the supported back-ends are:

Applications and languages which rely on any of these back-ends will follow the system policies as well. Examples are apache httpd, nginx, php, and others.


The following commands are available in update-crypto-policies tool.


The following options are available in update-crypto-policies tool.

Application Support

Applications in the operating system that provide a default configuration file that includes a cryptographic policy string will be modified gradually to support these policies.

When an application provides a configuration file, the changes needed to utilize the system-wide policy are the following.

Policy Configuration

One of the supported profiles should be set in /etc/crypto-policies/config and this script should be run afterwards.

In case of a parsing error no policies will be updated.



The file contains the current system policy. It should contain a string of one of the profiles listed above (e.g., DEFAULT).


Contains the generated policies in separated files, and in a format readable by the supported back-ends.


Contains additional files to be appended to the generated policy files. The files present must adhere to $app-XXX.config file naming, where XXX is any arbitrary identifier. For example, to append a line to GnuTLS' generated policy, create a gnutls-extra-line.config file in local.d. This will be appended to the generated gnutls.config during update-crypto-policies. These overrides, are only functional for the gnutls, bind, java (openjdk) and krb5 back-ends.

See Also



Written by Nikos Mavrogiannopoulos.

Referenced By

ciphers.1ssl(1), fips-mode-setup(8), virt-v2v(1), vsftpd.conf(5).

11/22/2018 update-crypto-policies