diff --git a/xml/book_security.xml b/xml/book_security.xml
index a67cce4351..2fa18325ac 100644
--- a/xml/book_security.xml
+++ b/xml/book_security.xml
@@ -60,6 +60,7 @@
   <xi:include href="security_yast2_security.xml"/>
   <xi:include href="security_polkit.xml"/>
   <xi:include href="security_acls.xml"/>
+  <xi:include href="security_cryptopolicy.xml"/>
 <!-- this is very outdated, removing until I can rewrite
   it with updated information cschroder 12 Dec 2021
   <xi:include href="security_certificatestore.xml"/>-->
diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
new file mode 100644
index 0000000000..08934ce555
--- /dev/null
+++ b/xml/security_cryptopolicy.xml
@@ -0,0 +1,328 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE chapter
+[
+  <!ENTITY % entities SYSTEM "generic-entities.ent">
+    %entities;
+]>
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         version="5.0"
+         xml:id="cha-security-cryptopolicies">
+  <!--taroth 2023-04-28
+    Main ToDos (based on https://bugzilla.suse.com/show_bug.cgi?id=1209998#c7)
+    * add new chapter to Security Guide, describe also integration
+    * explain how we intend customers to use the crypto-policies
+    * explain what changed exactly and what impact this has,
+    e.g. if someone updates from SP3 (no active crypto-policies)
+    to SP4 (active crypto-policies)-->
+  <title>Using system-wide cryptographic policies</title>
+  <info>
+    <abstract>
+      <para>
+        TODO
+      </para>
+    </abstract>
+    <dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
+      <dm:bugtracker></dm:bugtracker>
+      <dm:translation>yes</dm:translation>
+    </dm:docmanager>
+  </info>
+  <sect1 xml:id="sec-security-cryptopolicies-concept">
+    <title>The <command>crypto-policies</command> concept</title>
+
+    <para>
+      The <package>crypto-policies</package> RPM package provides predefined
+      configuration files with cryptographic policies for cryptographic
+      back-ends, such as SSL/TLS libraries. This package allows to set the
+      cryptographic security level for all applications that use a
+      cryptographic back-end supported by the policies.
+    </para>
+
+    <para>
+      Crypto-policies apply to the configuration of the core cryptographic
+      subsystems. They cover the supported secure communications protocols on
+      the base operating system, such as TLS, IKE, IPSec, DNSSec and Kerberos
+      protocols. Crypto-policies allow to handle the deprecation of algorithms
+      or protocols system-wide and in a transparent manner.
+    </para>
+  </sect1>
+  <sect1 xml:id="sec-security-cryptopolicies-predefined">
+    <title>Predefined cryptographic policies</title>
+
+    <para>
+      The <package>crypto-policies</package> package comes with the following
+      predefined policies that can be applied system-wide:
+    </para>
+
+    <variablelist>
+      <varlistentry>
+        <term>BSI</term>
+        <listitem>
+          <para>
+            A security policy based on recommendations by the German government
+            agency BSI (Bundesamt fuer Sicherheit in der Informationstechnik,
+            translated as <literal>agency for security in software
+            technology</literal>). The policy is based on the technical
+            recommendation ruleset <literal>TR 02102</literal>. The BSI TR
+            02102 standard is updated in regular intervals. This policy does
+            not allow the use of SHA-1 in signature algorithms (except DNSSEC
+            and RPM). The policy also provides some (not complete) preparation
+            for post-quantum encryption support in form of 256-bit symmetric
+            encryption requirement. The RSA parameters are accepted if larger
+            than 2047 bits, and Diffie-Hellman parameters are accepted if
+            larger than 3071 bits. This policy provides at least 128-bit
+            security, excepting the transition of RSA.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>DEFAULT</term>
+        <listitem>
+          <para>
+            A reasonable default policy for today's standards. It allows the
+            TLS 1.2, and TLS 1.3 protocols, as well as IKEv2 and SSH2. The
+            Diffie-Hellman parameters are accepted if they are at least 2048
+            bits long. The level provides at least 112-bit security with the
+            exception of allowing SHA-1 signatures in DNSSec where they are
+            still prevalent.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>FIPS</term>
+        <listitem>
+          <para>
+            A level that conforms to the FIPS 140-2 requirements. This policy
+            is used internally by the <command>fips-mode-setup</command> tool
+            which can switch the system into FIPS 140-2 compliance mode. The
+            level provides at least 112-bit security.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>FUTURE</term>
+        <listitem>
+          <para>
+            A conservative security level that is believed to withstand any
+            near-term future attacks. This level does not allow the use of
+            SHA-1 in signature algorithms. The level also provides some (not
+            complete) preparation for post-quantum encryption support in form
+            of 256-bit symmetric encryption requirement. The RSA and
+            Diffie-Hellman parameters are accepted if larger than 3071 bits.
+            The level provides at least 128-bit security.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>LEGACY</term>
+        <listitem>
+          <para>
+            This policy ensures maximum compatibility with legacy systems. It
+            is less secure and it includes support for TLS 1.0, TLS 1.1, and
+            SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are
+            allowed, while RSA and Diffie-Hellman parameters are accepted if
+            larger than 1023 bits. The level provides at least 64-bit security.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>
+      Policies can change over time together with the security of the
+      cryptographic components. For the latest details on the individual
+      policies, therefore see the man page of
+      <command>crypto-policies</command>. All predefined policies are located
+      in
+      <filename>/usr/share/crypto-policies/policies/<replaceable>NAME</replaceable>.pol</filename>
+      and are read-only.
+    </para>
+  </sect1>
+  <sect1 xml:id="sec-security-cryptopolicies-switch">
+    <title>Switching to a different crypto-policy</title>
+
+    <para>
+      Use the <command>update-crypto-policies</command> command to view and set
+      the policy which is applied system-wide to the cryptographic back-ends.
+      The policy which has been set with this command is used by these
+      back-ends by default unless the application user configures them
+      otherwise.
+    </para>
+
+    <procedure>
+      <step>
+        <para>
+          To check the crypto-policy that is currently in use:
+        </para>
+<screen>&prompt.root;<command>update-crypto-policies --show</command></screen>
+      </step>
+      <step>
+        <para>
+          To switch to a different policy level, use the <option>--set</option>
+          option:
+        </para>
+        <remark>taroth 2023-07-04: do we need a word of caution here for LEGACY and FIPS?
+          and can we tell that switching to 'LEGACY' enables compatibility with a specific
+          older SLE version, like SLE 12 SP5 or so?
+        </remark>
+        <important>
+          <title>LEGACY crypto-policy is less secure</title>
+          <para>
+            Switching to a LEGACY crypto-policy makes your system and
+            applications less secure.
+          </para>
+        </important>
+      </step>
+      <step>
+        <para>
+          After switching to a different policy reboot the machine to apply the
+          changes to the applications:
+        </para>
+<screen>&prompt.root;<command>reboot</command></screen>
+      </step>
+    </procedure>
+    <tip os="sles">
+      <title>Enabling FIPS mode via script</title>
+       <para>
+        For the FIPS crypto-policy, &suse; also provides a script with which you
+        can comfortably enable the FIPS mode. See
+        <xref linkend="sec-how-to-fips-install"/> for details.
+       </para>
+     </tip>
+  </sect1>
+  <sect1 xml:id="sec-security-cryptopolicies-subpolicies">
+    <title>Customizing existing crypto-policies</title>
+
+    <para>
+      You can modify aspects of any predefined policy by removing or adding
+      algorithms or protocols. This way, you create a subpolicy (or policy
+      modifier module), stored in text files that include the modifications.
+      After creation, one or multiple subpolicies can be applied on the command
+      line to one of the predefined policies. For details, see
+      <xref linkend="ex-crypto-policy-subpolicy"></xref>.
+    </para>
+
+    <para>
+      You can find example subpolicies in
+      <filename>/usr/share/crypto-policies/policies/modules</filename>.
+      However, your own subpolicies need to be stored in
+      <filename>/etc/crypto-policies/policies/modules</filename> (unless they
+      are packaged). Name the subpolicy file
+      <filename><replaceable>MODULE</replaceable>.pmod</filename>, where
+      <replaceable>MODULE</replaceable> is the name of the subpolicy. The file
+      name needs to be spelled in uppercase letters and without spaces.
+    </para>
+
+    <example xml:id="ex-crypto-policy-subpolicy">
+      <title>Removing support for RSA and PSK key exchanges</title>
+      <para>
+        The following example shows you how to create a subpolicy which removes
+        support for RSA and PSK key exchanges from the
+        <literal>DEFAULT</literal> policy. Both key exchanges do not provide
+        forward secrecy, which means they cannot make sure that session keys
+        are not compromised in case long-term secrets used in the key exchange
+        session are compromised.
+      </para>
+      <procedure>
+        <step>
+          <para>
+            In <filename>/etc/crypto-policies/policies/modules/</filename>
+            create a new file, named <filename>NO-RSA-PSK.pmod</filename>.
+          </para>
+<screen>&prompt.root;<command>touch</command> /etc/crypto-policies/policies/modules/NO-RSA-PSK.pmod</screen>
+        </step>
+        <step>
+          <para>
+            Add the following line to the file and save it afterwards:
+          </para>
+<screen>key_exchange = -RSA -PSK</screen>
+          <para>
+            Now you can apply the newly created subpolicy to one of the
+            predefined policies.
+          </para>
+        </step>
+        <step>
+          <para>
+            Assuming the current system-wide policy is
+            <literal>DEFAULT</literal> and you want to apply the newly created
+            subpolicy to <literal>DEFAULT</literal>:
+          </para>
+<screen>&prompt.root;<command>update-crypto-policies --set DEFAULT:NO-RSA-PSK</command></screen>
+        </step>
+        <step>
+          <para>
+            Double-check if the subpolicy has been added to
+            <literal>DEFAULT</literal>:
+          </para>
+<screen>&prompt.root;<command>update-crypto-policies --show</command>
+DEFAULT:NO-RSA-PSK</screen>
+        </step>
+        <step>
+          <para>
+            Reboot the machine to apply the system-wide policy adjustment to
+            the applications:
+          </para>
+<screen>&prompt.root;<command>reboot</command></screen>
+        </step>
+      </procedure>
+    </example>
+  </sect1>
+  <sect1>
+    <title>Creating a new policy from scratch</title>
+
+    <para>
+      Instead of customizing an existing crypto-policy with a subpolicy you can
+      also decide to write a new policy from scratch. You can use any of the
+      predefined policies in
+      <filename>/usr/share/crypto-policies/policies/</filename> as a starting
+      point. However, your own policy file needs to be stored in
+      <filename>/etc/crypto-policies/policies/</filename>. Name your file
+      <filename><replaceable>MY_POLICY</replaceable>.pol</filename>, where
+      <replaceable>MY_POLICY</replaceable> is the name of the policy. Make sure
+      the policy file is owned by &rootuser; and is not writable by
+      non-privileged users.
+    </para>
+
+    <example xml:id="ex-crypto-policy-custom">
+      <title>Creating a new policy and applying it</title>
+      <para>
+        The following example shows you how to create a new policy based on the
+        <literal>DEFAULT</literal> policy.
+      </para>
+      <procedure>
+        <step>
+          <para>
+            Copy the <literal>DEFAULT</literal> policy to
+            <filename>/etc/crypto-policies/policies/</filename> and rename it:
+          </para>
+<screen>&prompt.root;<command>cp</command> /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/<replaceable>MY_POLICY</replaceable>.pol</screen>
+        </step>
+        <step>
+          <para>
+            Edit the policy as desired and save it.
+          </para>
+        </step>
+        <step>
+          <para>
+            Switch the system to the new policy:
+          </para>
+<screen>&prompt.root;<command>update-crypto-policies --set</command> MY_POLICY</screen>
+        </step>
+        <step>
+          <para>
+            Reboot the machine to apply the new policy to the applications and
+            running services:
+          </para>
+<screen>&prompt.root;<command>reboot</command></screen>
+        </step>
+        <step>
+          <para>
+            Double-check if the policy is active:
+          </para>
+<screen>&prompt.root;<command>update-crypto-policies --show</command>
+MY_POLICY</screen>
+        </step>
+      </procedure>
+    </example>
+  </sect1>
+</chapter>