Setting system-wide encryption policies on RHEL 8/CentOS 8

In Chapter 5, Encryption Technologies, we briefly looked at how to set system-wide encryption policies on CentOS 8. With this brand-new feature, you no longer have to configure crypto policies for each individual daemon. Instead, you just run a couple of simple commands, and the policy is instantly changed for multiple daemons. To see which daemons are covered, look in the /etc/crypto-policies/back-ends/ directory. Here’s a partial view of what’s there:

[donnie@localhost back-ends]$ ls -l
total 0
. . .
. . .
lrwxrwxrwx. 1 root root 46 Sep 24 18:17 openssh.config -> /usr/share/crypto-policies/DEFAULT/openssh.txt

lrwxrwxrwx. 1 root root 52 Sep 24 18:17 opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt

lrwxrwxrwx. 1 root root 49 Sep 24 18:17 opensslcnf.config -> /usr/share/crypto-policies/DEFAULT/opensslcnf.txt

lrwxrwxrwx. 1 root root 46 Sep 24 18:17 openssl.config -> /usr/share/crypto-policies/DEFAULT/openssl.txt
[donnie@localhost back-ends]$

As you can see, this directory contains symbolic links to text files that contain directives about which algorithms to either enable or disable for the DEFAULT configuration. One level up, in the /etc/crypto-policies directory, there’s the config file. Open it, and you’ll see that this is where the system-wide configuration is set. It also contains explanations for the various available modes:

# * LEGACY: Ensures maximum compatibility with legacy systems (64-bit
# security)
# * DEFAULT: A reasonable default for today's standards (112-bit security).
# * FUTURE: A level that will provide security on a conservative level that is
# believed to withstand any near-term future attacks (128-bit security).
# * FIPS: Policy that enables only FIPS 140-2 approved or allowed algorithms.
# After modifying this file, you need to run update-crypto-policies
# for the changes to propagate.

Scanning this VM with its DEFAULT configuration shows that quite a few older algorithms are still enabled. To get rid of them, we can change to either FUTURE mode or to FIPS mode.

To show you how this works, let’s get our hands dirty with another lab.

Hands-on lab – setting encryption policies on CentOS 8

Start with a fresh CentOS 8 VM and the scanner VM that you’ve been using. Now, follow these steps:

  1. On a CentOS 8 VM, use the update-crypto-policies utility to verify that it’s running in DEFAULT mode:
sudo update-crypto-policies --show
  1. Scan the CentOS 8 VM in its DEFAULT configuration and save the output to a file:
sudo ssh_scan -t -o ssh_scan-161.json
  1. On the CentOS 8 VM, set the system-wide crypto policy to FUTURE and reboot the VM:
sudo update-crypto-policies --set FUTURE
sudo shutdown -r now
  1. On the scanner VM, open the ~/.ssh/known_hosts file in your text editor. Delete the entry that was previously made for the CentOS 8 VM and save the file. (We have to do this because the public key fingerprint on the CentOS 8 VM will have changed because of the new policy.)
  1. Scan the CentOS 8 VM again, saving the output to a different file:
sudo ssh_scan -t -o ssh_scan_results-161-FUTURE.json
  1. Compare the two output files. You should now see fewer enabled algorithms than you did previously.
  2. Look at the files in the /etc/crypto-policies/back-ends/ directory:
ls -l /etc/crypto-policies/back-ends/

You’ll now see that the symbolic links point to files in the FUTURE directories.

  1. To set FIPS mode, you’ll need to use another utility, because the update-crypto-policies utility doesn’t install the extra modules that FIPS mode requires. First, verify that the system is not in FIPS mode:
sudo fips-mode-setup --check

You should see a message about not having FIPS modules installed.

  1. Enable FIPS mode, and then reboot:
sudo fips-mode-setup --enable
sudo shutdown -r now
  1. Verify that the VM is now in FIPS mode:
sudo fips-mode-setup --check
  1. Scan the CentOS VM again, saving the output to a new file:
sudo ssh_scan -t -o ssh_scan_results-161-FIPS.json
  1. Compare the three output files and note the differences with the enabled algorithms.
  2. View the contents of the /etc/crypto-policies/back-ends/ directory. Note that the symbolic links now point to files in FIPS directories.
ls -l /etc/crypto-policies/back-ends/
In this demo, we set the FUTURE mode first, and then we set the FIPS mode. Keep in mind that, in real life, you won’t do both. Instead, you’ll do either one or the other.

You’ve reached the end of the lab – congratulations!

You now know how to configure SSH to use only the most modern, most secure algorithms. Next, let’s look at logging.

Related Articles

How to add swap space on Ubuntu 21.04 Operating System

How to add swap space on Ubuntu 21.04 Operating System

The swap space is a unique space on the disk that is used by the system when Physical RAM is full. When a Linux machine runout the RAM it use swap space to move inactive pages from RAM. Swap space can be created into Linux system in two ways, one we can create a...

read more

Lorem ipsum dolor sit amet consectetur


Submit a Comment

Your email address will not be published. Required fields are marked *

nineteen + 6 =