Published on Feb 7 2018 in Java Tomcat

JSE cipher strength policy was changing along with JDK versions. Read on how to enable it in different JDK versions.

JDK < 8u151 (October 17, 2017)

Basically you download from Oracle website, unzip it and and put the 2 jars (US_export_policy.jar and local_policy.jar) into $JAVA_HOME/jre/lib/security overwriting existing files.

In case of shared server where $JAVA_HOME may be not writable you need to copy $JAVA_HOME to your $HOME, update JAVA_HOME in your ~/.bashrc with new path and then copy in the jars into the new $JAVA_HOME/jre/lib/security.

Previous versions of the zip for older JDKs were named differently like, or

JDK >= 8u151 and < 8u162

Unlimited cipher policy files are included since this version by default but not enabled. Enable it with in your code with

Security.setProperty("crypto.policy", "unlimited");

before JCE framework initialization.

The other way is to uncomment #crypto.policy=unlimited in $JAVA_HOME/jre/lib/security/ file.

JDK >= 8u162

Finally nothing to do :) Unlimited policy files are included and unlimited cipher strength is enabled by default.

Testing code for AES cipher strength

Copy and paste below commands in your bash shell to verify current AES strength.

cat ><<EOF
import javax.crypto.Cipher;

class CipherTest {
    public static void main(String[] args) {
        try {
            int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
            System.out.println("Max AES key length = " + maxKeyLen);
        } catch (Exception e){
            System.out.println("FAILED: No AES found!");
java CipherTest
Max AES key length = 2147483647

Typical value for weak cipher policy is 128. Maximum value is 2147483647 and it confirms unlimited cipher strength policy.