Crypto policies

Managed RHEL uses the Red Hat crypto policies feature for VMs running RHEL 8 or newer. An overview of crypto policies is documented here.

Configuring an exception from the SWISSCOM crypto policy

The following conditions must be met:

  • You know what you are doing.
  • Your VM runs with RHEL 8 or newer.

Warning

Applying your own customized crypto policy might degrade your system security posture! Only do this as a measure of last resort and if the conditions above are met.

  1. Copy an existing, secure crypto policy file (e.g. the SWISSCOM crypto policy file) and name the new exception policy SWISSCOM_INSECURE.
    $ sudo cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/SWISSCOM_INSECURE.pol
    
  2. Adapt your exception crypto policy.
    $ sudo vi /etc/crypto-policies/policies/SWISSCOM_INSECURE.pol
    
  3. Activate your exception crypto policy.
    $ sudo update-crypto-policies --set SWISSCOM_INSECURE
    Setting system policy to SWISSCOM_INSECURE
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies
    to fully take place.
    $ update-crypto-policies --show
    SWISSCOM_INSECURE
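
Before activating the exception in step 3, it helps to see exactly what the edited file permits beyond the policy it was copied from. The following is an added example, not part of the original documentation or of the crypto-policies project: it parses two `.pol` files and lists every option where the exception allows more than the base. The function names, the sample policy text and the handling of `\` line continuations are assumptions made for illustration.

```python
import re
import sys

def parse_pol(text):
    """Parse crypto-policy .pol text into {option: [values]}."""
    text = re.sub(r"#.*", "", text)          # drop comments
    text = text.replace("\\\n", " ")         # join continuation lines (assumed syntax)
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            policy[key.strip()] = value.split()
    return policy

def loosened(base, custom):
    """List options where the custom policy permits more than the base policy."""
    findings = []
    for key in sorted(custom):
        old, new = base.get(key, []), custom[key]
        if key.startswith("min_") and len(old) == 1 and len(new) == 1 \
                and old[0].isdigit() and new[0].isdigit():
            if int(new[0]) < int(old[0]):    # a lower minimum accepts weaker keys
                findings.append(f"{key}: lowered {old[0]} -> {new[0]}")
            continue
        added = [v for v in new if v not in old]
        if added:                            # anything newly allowed is a loosening
            findings.append(f"{key}: added {' '.join(added)}")
    return findings

# Constructed, abbreviated sample policies (not the real DEFAULT.pol contents).
BASE = """\
# base policy
hash = SHA2-256 SHA2-384 SHA2-512
cipher = AES-256-GCM AES-128-GCM \\
    CHACHA20-POLY1305
min_rsa_size = 2048
"""
CUSTOM = """\
hash = SHA2-256 SHA2-384 SHA2-512 SHA1   # exception for a legacy peer
cipher = AES-256-GCM AES-128-GCM CHACHA20-POLY1305 AES-128-CBC
min_rsa_size = 1024
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:                   # usage: script.py BASE.pol CUSTOM.pol
        BASE, CUSTOM = (open(p).read() for p in sys.argv[1:3])
    for finding in loosened(parse_pol(BASE), parse_pol(CUSTOM)):
        print(finding)
```

Run it with the base file and `/etc/crypto-policies/policies/SWISSCOM_INSECURE.pol` as arguments; an empty result means the exception file allows nothing the base does not.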
    
    

Note

Only the reserved policy-name SWISSCOM_INSECURE is allowed by the compliance check. The compliance check will inform you that you use an insecure crypto policy if SWISSCOM_INSECURE is activated.
