From Fedora Project Wiki

Line 1: Line 1:
== Crypto Policy ==
== Crypto Policy ==

Revision as of 01:42, 8 October 2014

DocsProject Header docTeam1.png
Beat Closed on Wiki
Work on beats has now moved to git at If you have changes or additions, please contact the docs team via #fedora-docs,, or with the release-notes BZ component.

Crypto Policy

<para>Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly setup the cryptographic options for their systems. Users that must meet certain cryptographic standards can make the policy change in <filename>//etc/crypto-policies/config</filename>, and run update-crypto-policies. At this point applications that utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.</para>

<para>The available options are: (1) <literal>LEGACY</literal>, which ensures compatibility with legacy systems - 64-bit security, (2) <literal>DEFAULT</literal>, a reasonable default for today's standards - 80-bit security, and (3) <literal>FUTURE</literal>, a conservative level that is believed to withstand any near-term future attacks - 128-bit security. These levels affect SSL/TLS settings, including elliptic curve, signature hash functions, and ciphersuites and key sizes.</para>

<para>Additional information on this new feature can be found on the <ulink url="">CryptoPolicy Changes wiki page</ulink>.</para>

systemd PrivateDevices and PrivateNetwork

Fedora is now more secure, as many long-running systemd services now run with physical device access and/or network access turned off. See [1] (NOTE:xref)

Format Security

Starting with Fedora 21, all packages built by GCC will compile with the flag *-Werror=format-security* . While this change has no user-visible change, it represents a substantial effort by Fedora packagers to protect your system from an entire class of vulnerability.

You can learn more about the security issues mitigated by Fedora's defensive security practices at

More secure Smart Card support

The PCSC daemon in Fedora 21 allows for fine grained access control to smart cards that is tied to the system processes rather than solely depending on the smart card controls. That is the polkit framework is being used to decide access on the smart card.

In addition a default policy file is shipped with Fedora that restricts access to smart cards in a system to the console users and the administrator only. The shipped policy can be modified by editing the file at /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy.

Additional documentation on the PCSC policies is provided in /usr/share/doc/pcsc-lite/README.polkit