Chapter 7. Setting a custom cryptographic policy across systems

As an administrator, you can use the Crypto Policies System Role on RHEL to quickly and consistently configure custom cryptographic policies across many different systems using the Ansible Core package.

7.1. Crypto Policies System Role variables and facts

In a Crypto Policies System Role playbook, you can define the parameters for the crypto policies configuration file according to your preferences and limitations.

If you do not configure any variables, the system role does not configure the system and only reports the facts.

Selected variables for the Crypto Policies System Role

Determines the cryptographic policy the system role applies to the managed nodes. For details about the different crypto policies, see System-wide cryptographic policies .
If set to yes, the affected services, currently the ipsec, bind, and sshd services, reload after applying a crypto policy. Defaults to yes.
If set to yes, and a reboot is necessary after the system role changes the crypto policy, it sets crypto_policies_reboot_required to yes. Defaults to no.

Facts set by the Crypto Policies System Role

Lists the currently selected policy.
Lists all available policies available on the system.
Lists all available subpolicies available on the system.

7.2. Setting a custom cryptographic policy using the Crypto Policies System Role

You can use the Crypto Policies System Role to configure a large number of managed nodes consistently from a single control node.


  • Access and permissions to one or more managed nodes, which are systems you want to configure with the Crypto Policies System Role.
  • The Ansible Core package is installed on the control machine.


  1. Create a new playbook.yml file with the following content:

    - hosts: all
      - name: Configure crypto policies
          name: linux-system-roles.crypto_policies
          - crypto_policies_policy: FUTURE
          - crypto_policies_reboot_ok: true

    You can replace the FUTURE value with your preferred crypto policy, for example: DEFAULT, LEGACY, and FIPS:OSPP.

    The crypto_policies_reboot_ok: true variable causes the system to reboot after the system role changes the crypto policy.

    For more details, see Crypto Policies System Role variables and facts .

  2. Optional: Verify playbook syntax.

    # ansible-playbook --syntax-check playbook.yml
  3. Run the playbook on your inventory file:

    # ansible-playbook -i inventory_file playbook.yml


  1. On the control node, create another playbook named, for example, verify_playbook.yml:

    - hosts: all
     - name: Verify active crypto policy
         name: linux-system-roles.crypto_policies
     - debug:
         var: crypto_policies_active

    This playbook does not change any configurations on the system, only reports the active policy on the managed nodes.

  2. Run the playbook on the same inventory file:

    # ansible-playbook -i inventory_file verify_playbook.yml
    TASK [debug] **************************
    ok: [host] => {
        "crypto_policies_active": "FUTURE"

    The "crypto_policies_active": variable shows the policy active on the managed node.

7.3. Additional resources