Manage system-wide crypto policies on the Red Hat OS family

Stig Sandbeck Mathisen




Version information

  • 0.1.1 (latest)
  • 0.1.0
released Sep 3rd 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 7.0.0
  • CentOS



ssm/crypto_policies — version 0.1.1 Sep 3rd 2020


Table of Contents

  1. Description
  2. Setup - The basics of getting started with crypto_policies
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module


Description

This module sets the system-wide crypto policy on the Red Hat OS family.

The module also provides a fact showing the current crypto policy and whether the crypto-policies software is available and installed on the OS.

This affects the security level of BIND, GnuTLS, Kerberos, NSS, OpenJDK, OpenSSH, OpenSSL and more.

The crypto-policies software, available on the Red Hat OS family from version 8 onwards, configures the policy for which cryptographic algorithms are available and used across various applications and libraries. See the crypto-policies(7) man page or the Red Hat documentation on security hardening for more information.


Setup

Beginning with crypto_policies

This is a simple module. Include it to use the 'DEFAULT' crypto policy, or use the policy parameter to set a policy and optional policy modules.


Usage

Basic usage. This will use the DEFAULT policy, which is the default for this module.

include crypto_policies

Set the DEFAULT policy and add the NO-SHA1 policy module to disable the SHA-1 hashing algorithm.

class { 'crypto_policies':
  policy => 'DEFAULT:NO-SHA1',
}

Limitations

For now, this only works on the Red Hat OS family version 8.

On any other OS, or if the crypto-policies software is uninstalled, this module will silently do nothing.
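
Because of that silent no-op, a node can report a clean Puppet run without the intended policy in force. The check below is an added example, not part of the module: it assumes crypto-policies records the configured policy in /etc/crypto-policies/config and the applied policy in /etc/crypto-policies/state/current, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the crypto_policies module.
# Assumption: the configured policy is stored in <dir>/config and the
# applied policy in <dir>/state/current, with <dir> = /etc/crypto-policies.

# Print the first non-blank, non-comment line of a file, whitespace trimmed.
read_policy() {
    sed -e 's/#.*//' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$1" | head -n 1
}

# check_crypto_policy EXPECTED [DIR]
# Return codes:
#   0  expected policy is configured and applied
#   1  a different policy is configured
#   2  crypto-policies is not present (the module did nothing on this node)
#   3  expected policy is configured but not the one currently applied
check_crypto_policy() {
    expected=$1
    dir=${2:-/etc/crypto-policies}

    # No config file: unsupported OS or the package is not installed.
    [ -r "$dir/config" ] || return 2

    configured=$(read_policy "$dir/config")
    [ "$configured" = "$expected" ] || return 1

    # The config can be right while the generated back-end state is stale.
    [ -r "$dir/state/current" ] || return 3
    applied=$(read_policy "$dir/state/current")
    [ "$applied" = "$expected" ] || return 3

    return 0
}

# Usage on a node, after the Puppet run:
#   check_crypto_policy 'DEFAULT:NO-SHA1' || echo "policy check failed: $?"
```

Return code 2 is the case to alert on in a mixed fleet, since those nodes keep whatever algorithms their applications allow by default.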


Development

Pull requests and bug reports are welcome.