

Configuring Crypto-Policy Overview


In public key cryptography, a public/private key pair is used to encrypt and decrypt data. Data encrypted with a public key, which the owner makes available to the public, can only be decrypted with the corresponding private key, which the owner keeps secret and protected. For example, if Alice wants to send Bob an encrypted message, Alice can encrypt it with Bob’s public key and send it to him. Bob then decrypts the message with his private key.

The reverse is also useful; that is, encrypting data with a private key and decrypting it with the corresponding public key. This is known as creating a digital signature. For example, if Alice wants to present her identity as the sender of a message, she can encrypt the message with her private key and send the message to Bob. Bob then decrypts the message with Alice’s public key, thus verifying that Alice is indeed the sender.

Public/private key pairs also play an important role in the use of digital certificates.

If the Negotiation mode for IKEv1, Encryption ALG, Authentication ALG, DH Group, and Authentication Method options are disabled, these parameters impose no restrictions.


Although these configurations cannot be set in vsys devices, a vsys device can use these configurations through root devices that share them.

Three types of administrators can configure crypto-policy:

  • A root administrator

  • A read-write admin user without any role attribute assigned

  • A read-write admin user with a cryptographic role