Do I need to configure the Java Cryptography Extension unlimited strength policy files?
Applies To
Java SE JDK and JRE - Version 6 to 8
Any platform
Introduction
This article explains whether you need to configure Oracle Java SE for unlimited strength cryptography, and how to do so. Also see the Oracle JRE and JDK Cryptographic Roadmap for specific cryptography changes already released or planned for future Oracle Java SE releases.
Do I Need to Configure or Enable the JCE Unlimited Strength Policy Files?
If using Java SE 11 or later, unlimited strength cryptography is already enabled by default. The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy is enabled by default in Java SE 8 Update 161+; Java SE 7 Update 171; Java SE 6 Update 181+; and in all later releases.
It is recommended to upgrade to the latest Java SE CPU for your version, as it is the most secure and contains all of the fixes Oracle considers critical to install. Also, Java SE patch updates are rolling patches, meaning that each new patch update accumulates and supersedes all previous patch updates. The latest CPU for each currently supported Java SE version is available from Java Downloads. Oracle customers can download from Document 1414485.1 “Latest Java SE Patches on MOS”.
Note: Both JDK 6 and JDK 7 have been EOL’d.
If you cannot update to one of the above-listed or higher patch updates due to application incompatibility, then the following alternative options are available:
How to Configure the JCE Unlimited Strength Jurisdiction Policy
If you are running a version older than Java SE 8 Update 161+, Java SE 7 Update 171, or Java SE 6 Update 181+, then you will need to enable and configure the JCE Unlimited Strength Jurisdiction Policy. The procedure depends on the version.
Java SE 8u151, 7u161, and 6u171
The JCE Unlimited Strength Jurisdiction Policy files are included with the JDK. However, unlimited strength cryptography is not enabled by default. To configure unlimited strength cryptography, set the new crypto.policy Security property to unlimited as shown below. If the crypto.policy is set in the java.security file, or if it has been set dynamically using the Security.setProperty() method before the JCE framework has been initialized, then that setting will be honored. By default, the property is undefined. If the property is undefined and the legacy JCE jurisdiction files do not exist in the legacy lib/security directory, then the default cryptographic strength will be limited. See the notes in the java.security file included in one of these releases for more information.
To configure the JCE Unlimited Strength Jurisdiction Policy, edit the java.security file under the $JAVA_HOME/jre/lib/security directory and uncomment the crypto.policy=unlimited line as follows:
From
#crypto.policy=unlimited
To
crypto.policy=unlimited
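The dynamic route mentioned above (Security.setProperty() before the JCE framework is initialized) can be exercised as follows. This is an added example, not Oracle's code; the class name CryptoPolicyBootstrap and its method names are hypothetical. It sets the property only when it is undefined, reports whether the legacy policy JARs are present, and then confirms the effective policy by initializing a cipher with a real 256-bit AES key.

```java
import java.io.File;
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example; the class and method names are hypothetical.
public class CryptoPolicyBootstrap {
    // Call before any JCE class (Cipher, Mac, ...) is used: the policy is read at JCE init.
    static String applyPolicy() {
        String configured = Security.getProperty("crypto.policy");
        if (configured != null) {
            return configured; // set in java.security or by earlier code
        }
        Security.setProperty("crypto.policy", "unlimited");
        return "undefined, set to unlimited at run time";
    }

    // Legacy jurisdiction JARs in <java.home>/lib/security.
    static boolean legacyJarsPresent() {
        File dir = new File(System.getProperty("java.home"), "lib/security");
        return new File(dir, "local_policy.jar").isFile()
            && new File(dir, "US_export_policy.jar").isFile();
    }

    // Under the limited policy, init with a 256-bit key throws
    // InvalidKeyException ("Illegal key size"). Probe only, no data encrypted.
    static boolean aes256Allowed() throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        try {
            Cipher.getInstance("AES/CBC/PKCS5Padding")
                  .init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("crypto.policy: " + applyPolicy());
        System.out.println("Legacy policy JARs present: " + legacyJarsPresent());
        int max = Cipher.getMaxAllowedKeyLength("AES");
        boolean ok = aes256Allowed();
        System.out.println("AES max key length: " + max + ", AES-256 init allowed: " + ok);
        System.exit(ok && max >= 256 ? 0 : 1);
    }
}
```

On releases prior to Java SE 8u151, 7u161 and 6u171 the crypto.policy property has no effect, so this program exits with code 1 there unless the unlimited strength policy JAR files have been installed.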
Releases Prior to Java SE 8u151, 7u161 and 6u171
Did You Know?
Due to import regulations in some countries, the version of the JCE
policy files bundled in legacy JREs allowed “strong” but
limited cryptography to be used. Here are the maximum key sizes
allowed by the default version of the jurisdiction policy files:
Algorithm | Maximum Keysize |
---|---|
DES | 64 |
DESede | * |
RC2 | 128 |
RC4 | 128 |
RC5 | 128 |
RSA | * |
all others | 128 |
A specific download bundle is available to provide “unlimited strength” policy files for older releases. These contain no restrictions on cryptography strength.
To configure the JCE Unlimited Strength Jurisdiction Policy:
Notes:
- <JAVA_HOME> (below) refers to the directory where the JRE was installed. It is determined based on whether you are running JCE on a JRE or a JRE contained within the Java Development Kit (JDK). The JDK contains the JRE, but at a different level in the file hierarchy. For example, if the JDK is installed in /home/user1/jdk1.8.0 on Unix or in C:\jdk1.8.0 on Windows, then <JAVA_HOME> is:
  - /home/user1/jdk1.8.0/jre [Unix]
  - C:\jdk1.8.0\jre [Windows]
- On Windows, for each JDK installation, there may be additional JREs installed under the “Program Files” directory. Please make sure that you install the unlimited strength policy JAR files for all JREs that you plan to use.
Installation steps:
- Download the JCE Unlimited Strength Jurisdiction Policy Files for your version.
  - These files are updated with new signatures as of July, 2020. Use of older files with expired signatures causes a fatal handshake error. See this Release Note for details.
- Uncompress and extract the downloaded file. This will create a subdirectory called jce. This directory contains the following files:
  - README.txt (Be sure to review this file for more information)
  - local_policy.jar (Unlimited strength local policy file)
  - US_export_policy.jar (Unlimited strength US export policy file)
- Install the unlimited strength policy JAR files.
  - In case you later decide to revert to the original “strong” but limited policy versions, first make a copy of the original JCE policy files (US_export_policy.jar and local_policy.jar). Then replace the strong policy files with the unlimited strength versions extracted in the previous step. The standard place for JCE jurisdiction policy JAR files is:
    - <JAVA_HOME>/lib/security [Unix]
    - <JAVA_HOME>
How to Verify if JCE Unlimited Strength Jurisdiction Policy is Enabled in a Java SE Version
To verify if the JCE Unlimited Strength Jurisdiction Policy is enabled, save the following code as a file named StrongCryptoTest.java, and then compile and run the program.
/*
 * Simple test to check whether limited crypto
 * or unlimited crypto jurisdiction files are
 * installed for this JDK
 *
 * Exit code of 0 for Unlimited Crypto
 */
import javax.crypto.*;

public class StrongCryptoTest {
    public static void main(String[] args) throws Exception {
        // Use AES as the test cipher
        int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Testing crypto level on JDK version: " + System.getProperty("java.version"));
        System.out.println("Install directory: " + System.getProperty("java.home"));
        if (maxKeyLen > 128) {
            // Limited policy caps AES at 128 bits; anything larger means unlimited
            System.out.println("Unlimited crypto package is installed");
            System.exit(0);
        }
        else {
            System.out.println("Unlimited crypto package is NOT installed");
            System.exit(1);
        }
    }
}
Here is an example of how to compile and run the sample code above on Windows:
C:\<SOURCE_CODE_FOLDER>"C:\Program Files (x86)\Java\jdk1.8.0_271\bin\javac.exe" StrongCryptoTest.java
C:\<SOURCE_CODE_FOLDER>java StrongCryptoTest
Testing crypto level on JDK version: 1.8.0_271
Install directory: C:\Program Files (x86)\Java\jre1.8.0_271
Unlimited crypto package is installed
CAUTION
The above sample code is provided for educational purposes only, and is
not supported by Oracle Support. It has been tested internally. However,
it is not guaranteed to work for you. Ensure that you run it in your
test environment before using. Additionally, the code and object names
used in this article represent fictitious sample names that make up an
example. Any similarity to actual code is purely coincidental and not
intended in any other manner.
References
- JDK-8170157 (The Enhancement Request where the change is documented.)
Last reviewed on Sat Feb 01 2025 00:00:00 GMT+0000 (Coordinated Universal Time)