[securityguide] Added Crypto Policy feature
Eric Christensen
sparks at fedoraproject.org
Fri Jun 27 13:31:50 UTC 2014
commit e7b0dfcc21668d0aac28ecd9253c403fa978b41c
Author: Eric H Christensen <sparks at redhat.com>
Date: Fri Jun 27 09:31:41 2014 -0400
Added Crypto Policy feature
en-US/Encryption.xml | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
---
diff --git a/en-US/Encryption.xml b/en-US/Encryption.xml
index 9b22d0c..ad937d6 100644
--- a/en-US/Encryption.xml
+++ b/en-US/Encryption.xml
@@ -64,6 +64,12 @@ AuthorizedKeysFile .ssh/authorized_keys</screen>The first line tells the SSH pro
<para>Similarly to passwords and any other authentication mechanism, you should change your <application>SSH</application> keys regularly. When you do make sure you clean out any unused key from the authorized_key file.</para>
</section>
</section>
+ <section id="Security_Guide-Encryption-CryptoPolicy">
+ <title>Crypto Policy</title>
+ <para>Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly setup the cryptographic options for their systems. Users that must meet certain cryptographic standards can make the policy change in <filename>/etc/crypto-policies/config</filename>, and run update-crypto-policies. At this point applications that are utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.</para>
+ <para>The available options are: (1) <literal>LEGACY</literal>, which ensures compatibility with legacy systems - 64-bit security, (2) <literal>DEFAULT</literal>, a reasonable default for today's standards - 80-bit security, and (3) <literal>FUTURE</literal>, a conservative level that is believed to withstand any near-term future attacks - 128-bit security. These levels affect SSL/TLS settings, including elliptic curve, signature hash functions, and ciphersuites and key sizes.</para>
+ <para>Additional information on this new feature can be found on the <ulink url="https://fedoraproject.org/wiki/Changes/CryptoPolicy">CryptoPolicy Changes wiki page</ulink>.</para>
+ </section>
<xi:include href="DiskEncryptionUserGuide.xml" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include>
<xi:include href="Using_GPG.xml" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include>
</section>
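Review bot: The first added <para> never states that applications which configure their own cipher lists fall outside the policy; it only says that applications using "the default set of ciphers in the GnuTLS and OpenSSL libraries" will follow it. Readers who "must meet certain cryptographic standards" could take the policy as system-wide in the literal sense, so a sentence saying that applications overriding the library defaults must be checked and configured separately would close that gap. The same paragraph should say what goes into /etc/crypto-policies/config (presumably one of the three level names from the next paragraph) and that update-crypto-policies has to be run after editing it. Minor points: "applications that are utilize" should read "applications that utilize", "quickly setup" should be "quickly set up", and update-crypto-policies would be better wrapped in <command>, matching the <filename> and <literal> markup already used in these lines. In the second <para>, "elliptic curve, signature hash functions, and ciphersuites and key sizes" reads more cleanly as a four-item list with "elliptic curves" in the plural.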