diff --git a/sros2/sros2/api/__init__.py b/sros2/sros2/api/__init__.py
index cb8d20c3..b5cc7a76 100644
--- a/sros2/sros2/api/__init__.py
+++ b/sros2/sros2/api/__init__.py
@@ -197,15 +197,15 @@ def create_ca_key_cert(ecdsa_param_path, ca_conf_path, ca_key_path, ca_cert_path
         (openssl_executable, ecdsa_param_path, ca_key_path, ca_cert_path, ca_conf_path))
 
 
-def create_governance_file(path, domain_id):
-    # for this application we are only looking to authenticate and encrypt;
-    # we do not need/want access control at this point.
-    governance_xml_path = get_transport_default('dds', 'governance.xml')
-    governance_xml = etree.parse(governance_xml_path)
-
+def create_governance_file(path, domain_id, policy_element):
     governance_xsd_path = get_transport_schema('dds', 'governance.xsd')
     governance_xsd = etree.XMLSchema(etree.parse(governance_xsd_path))
 
+    governance_xsl_path = get_transport_template('dds', 'governance.xsl')
+    governance_xsl = etree.XSLT(etree.parse(governance_xsl_path))
+
+    governance_xml = governance_xsl(policy_element)
+
     domain_id_elements = governance_xml.findall(
         'domain_access_rules/domain_rule/domains/id')
     for domain_id_element in domain_id_elements:
@@ -220,7 +220,7 @@ def create_governance_file(path, domain_id):
         f.write(etree.tostring(governance_xml, pretty_print=True))
 
 
-def create_signed_governance_file(signed_gov_path, gov_path, ca_cert_path, ca_key_path):
+def create_signed_governance_file(gov_path, signed_gov_path, ca_cert_path, ca_key_path):
     openssl_executable = find_openssl_executable()
     check_openssl_version(openssl_executable)
     run_shell_command(
@@ -257,23 +257,6 @@ def create_keystore(keystore_path):
     else:
         print('found CA key and cert, not creating new ones!')
 
-    # create governance file
-    gov_path = os.path.join(keystore_path, 'governance.xml')
-    if not os.path.isfile(gov_path):
-        print('creating governance file: %s' % gov_path)
-        domain_id = os.getenv(DOMAIN_ID_ENV, '0')
-        create_governance_file(gov_path, domain_id)
-    else:
-        print('found governance file, not creating a new one!')
-
-    # sign governance file
-    signed_gov_path = os.path.join(keystore_path, 'governance.p7s')
-    if not os.path.isfile(signed_gov_path):
-        print('creating signed governance file: %s' % signed_gov_path)
-        create_signed_governance_file(signed_gov_path, gov_path, ca_cert_path, ca_key_path)
-    else:
-        print('found signed governance file, not creating a new one!')
-
     # create index file
     index_path = os.path.join(keystore_path, 'index.txt')
     if not os.path.isfile(index_path):
@@ -297,7 +280,6 @@ def is_valid_keystore(path):
     res &= os.path.isfile(os.path.join(path, 'index.txt'))
     res &= os.path.isfile(os.path.join(path, 'ca.key.pem'))
     res &= os.path.isfile(os.path.join(path, 'ca.cert.pem'))
-    res &= os.path.isfile(os.path.join(path, 'governance.p7s'))
     return res
 
 
@@ -409,6 +391,7 @@ def create_signed_permissions_file(
 def create_permission(keystore_path, identity, policy_file_path):
     policy_element = get_policy(identity, policy_file_path)
     create_permissions_from_policy_element(keystore_path, identity, policy_element)
+    create_governance_from_policy_element(keystore_path, identity, policy_element)
     return True
 
 
@@ -428,6 +411,22 @@ def create_permissions_from_policy_element(keystore_path, identity, policy_eleme
         keystore_ca_cert_path, keystore_ca_key_path)
 
 
+def create_governance_from_policy_element(keystore_path, identity, policy_element):
+    domain_id = os.getenv(DOMAIN_ID_ENV, '0')
+    relative_path = os.path.normpath(identity.lstrip('/'))
+    key_dir = os.path.join(keystore_path, relative_path)
+    print('key_dir %s' % key_dir)
+    governance_path = os.path.join(key_dir, 'governance.xml')
+    create_governance_file(governance_path, domain_id, policy_element)
+
+    signed_governance_path = os.path.join(key_dir, 'governance.p7s')
+    keystore_ca_cert_path = os.path.join(keystore_path, 'ca.cert.pem')
+    keystore_ca_key_path = os.path.join(keystore_path, 'ca.key.pem')
+    create_signed_governance_file(
+        governance_path, signed_governance_path,
+        keystore_ca_cert_path, keystore_ca_key_path)
+
+
 def create_key(keystore_path, identity):
     if not is_valid_keystore(keystore_path):
         print("'%s' is not a valid keystore " % keystore_path)
@@ -447,10 +446,10 @@ def create_key(keystore_path, identity):
     shutil.copyfile(keystore_ca_cert_path, dest_identity_ca_cert_path)
     shutil.copyfile(keystore_ca_cert_path, dest_permissions_ca_cert_path)
 
-    # copy the governance file in there
-    keystore_governance_path = os.path.join(keystore_path, 'governance.p7s')
-    dest_governance_path = os.path.join(key_dir, 'governance.p7s')
-    shutil.copyfile(keystore_governance_path, dest_governance_path)
+    # # copy the governance file in there
+    # keystore_governance_path = os.path.join(keystore_path, 'governance.p7s')
+    # dest_governance_path = os.path.join(key_dir, 'governance.p7s')
+    # shutil.copyfile(keystore_governance_path, dest_governance_path)
 
     ecdsa_param_path = os.path.join(key_dir, 'ecdsaparam')
     if not os.path.isfile(ecdsa_param_path):
@@ -505,6 +504,15 @@ def create_key(keystore_path, identity):
         permissions_path, signed_permissions_path,
         keystore_ca_cert_path, keystore_ca_key_path)
 
+    governance_path = os.path.join(key_dir, 'governance.xml')
+    create_governance_file(governance_path, domain_id, policy_element)
+    signed_governance_path = os.path.join(key_dir, 'governance.p7s')
+    keystore_ca_key_path = os.path.join(keystore_path, 'ca.key.pem')
+    create_signed_governance_file(
+        governance_path, signed_governance_path,
+        keystore_ca_cert_path, keystore_ca_key_path)
+
+
     return True
 
 
@@ -550,4 +558,6 @@ def generate_artifacts(keystore_path=None, identity_names=[], policy_files=[]):
             policy_element = get_policy_from_tree(identity_name, policy_tree)
             create_permissions_from_policy_element(
                 keystore_path, identity_name, policy_element)
+            create_governance_from_policy_element(
+                keystore_path, identity_name, policy_element)
     return True
diff --git a/sros2/sros2/policy/defaults/dds/governance.xml b/sros2/sros2/policy/defaults/dds/governance.xml
index 24aedcbe..e0d80f08 100644
--- a/sros2/sros2/policy/defaults/dds/governance.xml
+++ b/sros2/sros2/policy/defaults/dds/governance.xml
@@ -8,8 +8,8 @@
             </domains>
             <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
             <enable_join_access_control>true</enable_join_access_control>
-            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
-            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>SIGN</liveliness_protection_kind>
             <rtps_protection_kind>SIGN</rtps_protection_kind>
             <topic_access_rules>
                 <topic_rule>
@@ -18,7 +18,7 @@
                     <enable_liveliness_protection>true</enable_liveliness_protection>
                     <enable_read_access_control>true</enable_read_access_control>
                     <enable_write_access_control>true</enable_write_access_control>
-                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
                     <data_protection_kind>ENCRYPT</data_protection_kind>
                 </topic_rule>
             </topic_access_rules>
diff --git a/sros2/sros2/policy/defaults/policy.xml b/sros2/sros2/policy/defaults/policy.xml
index 552a2055..efcdb8f0 100644
--- a/sros2/sros2/policy/defaults/policy.xml
+++ b/sros2/sros2/policy/defaults/policy.xml
@@ -2,13 +2,13 @@
 <policy version="0.1.0">
   <profiles>
     <profile ns="/" node="default">
-      <topics publish="ALLOW" subscribe="ALLOW">
+      <topics publish="ALLOW" subscribe="ALLOW" protection="ENCRYPT">
         <topic>/*</topic>
       </topics>
-      <services reply="ALLOW" request="ALLOW">
+      <services reply="ALLOW" request="ALLOW" protection="ENCRYPT">
         <service>/*</service>
       </services>
-      <actions call="ALLOW" execute="ALLOW">
+      <actions call="ALLOW" execute="ALLOW" protection="ENCRYPT">
         <action>/*</action>
       </actions>
     </profile>
diff --git a/sros2/sros2/policy/schemas/policy.xsd b/sros2/sros2/policy/schemas/policy.xsd
index 8086516e..93f576f7 100644
--- a/sros2/sros2/policy/schemas/policy.xsd
+++ b/sros2/sros2/policy/schemas/policy.xsd
@@ -40,6 +40,7 @@
         </xs:sequence>
         <xs:attribute name="publish" type="RuleQualifier" use="optional" />
         <xs:attribute name="subscribe" type="RuleQualifier" use="optional" />
+        <xs:attribute name="protection" type="ProtectionKind" use="required" />
         <xs:attribute ref="xml:base" />
     </xs:complexType>
 
@@ -49,6 +50,7 @@
         </xs:sequence>
         <xs:attribute name="reply" type="RuleQualifier" use="optional" />
         <xs:attribute name="request" type="RuleQualifier" use="optional" />
+        <xs:attribute name="protection" type="ProtectionKind" use="required" />
         <xs:attribute ref="xml:base" />
     </xs:complexType>
 
@@ -58,6 +60,7 @@
         </xs:sequence>
         <xs:attribute name="call" type="RuleQualifier" use="optional" />
         <xs:attribute name="execute" type="RuleQualifier" use="optional" />
+        <xs:attribute name="protection" type="ProtectionKind" use="required" />
         <xs:attribute ref="xml:base" />
     </xs:complexType>
 
@@ -72,4 +75,12 @@
         </xs:restriction>
     </xs:simpleType>
 
+    <xs:simpleType name="ProtectionKind">
+        <xs:restriction base="xs:string">
+            <xs:enumeration value="ENCRYPT" />
+            <xs:enumeration value="NONE" />
+            <xs:enumeration value="SIGN" />
+        </xs:restriction>
+    </xs:simpleType>
+
 </xs:schema>
diff --git a/sros2/sros2/policy/templates/dds/governance.xsl b/sros2/sros2/policy/templates/dds/governance.xsl
new file mode 100644
index 00000000..a9d601cc
--- /dev/null
+++ b/sros2/sros2/policy/templates/dds/governance.xsl
@@ -0,0 +1,202 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!-- TODO Sort resulting rules? -->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:ext="http://exslt.org/common" exclude-result-prefixes="ext">
+ <xsl:output omit-xml-declaration="yes" indent="yes"/>
+ <xsl:strip-space elements="*"/>
+
+
+<xsl:variable name="template_domains">
+  <domains>
+    <id>0</id>
+  </domains>
+</xsl:variable>
+
+<xsl:template match="/policy/profiles">
+  <xsl:variable name="dds">
+    <dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+      <domain_access_rules>
+        <domain_rule>
+          <!-- FIXME what to do if multiple profiles? -->
+          <xsl:for-each select="profile">
+            <xsl:variable name="_ns">
+              <xsl:call-template name="DelimitNamespace">
+                <xsl:with-param name="ns" select="@ns"/>
+              </xsl:call-template>
+            </xsl:variable>
+            <xsl:copy-of select="$template_domains"/>
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+            <enable_join_access_control>true</enable_join_access_control>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>SIGN</liveliness_protection_kind>
+            <rtps_protection_kind>SIGN</rtps_protection_kind>
+            <topic_access_rules>
+
+            <xsl:for-each select="./*[@* = 'ALLOW']">
+              <xsl:call-template name="TranslatePermissions">
+                <!--xsl:with-param name="qualifier" select="'ALLOW'"/-->
+              </xsl:call-template>
+            </xsl:for-each>
+            </topic_access_rules>
+          </xsl:for-each>
+        </domain_rule>
+      </domain_access_rules>
+    </dds>
+  </xsl:variable>
+
+ <xsl:apply-templates mode="sort"
+   select="ext:node-set($dds)"/>
+</xsl:template>
+
+<xsl:template name="TranslatePermissions">
+  <xsl:param name="qualifier"/>
+  <xsl:apply-templates select="."/>
+</xsl:template>
+
+<xsl:template name="EnableProtectionsDefault">
+  <enable_discovery_protection>true</enable_discovery_protection>
+  <enable_liveliness_protection>true</enable_liveliness_protection>
+  <enable_read_access_control>true</enable_read_access_control>
+  <enable_write_access_control>true</enable_write_access_control>
+</xsl:template>
+
+<xsl:template match="topics">
+  <xsl:for-each select="topic">
+  <xsl:variable name="fqn">
+    <xsl:apply-templates select="."/>
+  </xsl:variable>
+  <topic_rule>
+    <topic_expression>rt<xsl:value-of select="$fqn"/></topic_expression>
+    <xsl:call-template name="EnableProtectionsDefault"/>
+    <metadata_protection_kind><xsl:value-of select="../@protection"/></metadata_protection_kind>
+    <data_protection_kind><xsl:value-of select="../@protection"/></data_protection_kind>
+  </topic_rule>
+  </xsl:for-each>
+</xsl:template>
+
+<xsl:template match="services">
+  <xsl:for-each select="service">
+    <xsl:variable name="fqn">
+      <xsl:apply-templates select="."/>
+    </xsl:variable>
+    <topic_rule>
+      <topic_expression>rq<xsl:value-of select="$fqn"/>Request</topic_expression>
+      <xsl:call-template name="EnableProtectionsDefault"/>
+      <metadata_protection_kind><xsl:value-of select="../@protection"/></metadata_protection_kind>
+      <data_protection_kind><xsl:value-of select="../@protection"/></data_protection_kind>
+    </topic_rule>
+    <topic_rule>
+      <topic_expression>rr<xsl:value-of select="$fqn"/>Reply</topic_expression>
+      <xsl:call-template name="EnableProtectionsDefault"/>
+      <metadata_protection_kind><xsl:value-of select="../@protection"/></metadata_protection_kind>
+      <data_protection_kind><xsl:value-of select="../@protection"/></data_protection_kind>
+    </topic_rule>
+  </xsl:for-each>
+</xsl:template>
+
+<xsl:template match="actions">
+  <xsl:for-each select="action">
+    <xsl:variable name="fqn">
+      <xsl:apply-templates select="."/>
+    </xsl:variable>
+    <topic_rule>
+      <topic_expression>rq<xsl:value-of select="$fqn"/>/_action/cancel_goalRequest</topic_expression>
+      <xsl:call-template name="EnableProtectionsDefault"/>
+      <metadata_protection_kind><xsl:value-of select="../@protection"/></metadata_protection_kind>
+      <data_protection_kind><xsl:value-of select="../@protection"/></data_protection_kind>
+    </topic_rule>
+    <topic_rule>
+      <topic_expression>rr<xsl:value-of select="$fqn"/>/_action/cancel_goalReply</topic_expression>
+      <xsl:call-template name="EnableProtectionsDefault"/>
+      <metadata_protection_kind><xsl:value-of select="../@protection"/></metadata_protection_kind>
+      <data_protection_kind><xsl:value-of select="../@protection"/></data_protection_kind>
+    </topic_rule>
+    <topic_rule>
+      <topic_expression>rq<xsl:value-of select="$fqn"/>/_action/get_resultRequest</topic_expression>
+      <xsl:call-template name="EnableProtectionsDefault"/>
+      <metadata_protection_kind><xsl:value-of select="../@protection"/></metadata_protection_kind>
+      <data_protection_kind><xsl:value-of select="../@protection"/></data_protection_kind>
+    </topic_rule>
+    <topic_rule>
+      <topic_expression>rr<xsl:value-of select="$fqn"/>/_action/get_resultReply</topic_expression>
+      <xsl:call-template name="EnableProtectionsDefault"/>
+      <metadata_protection_kind><xsl:value-of select="../@protection"/></metadata_protection_kind>
+      <data_protection_kind><xsl:value-of select="../@protection"/></data_protection_kind>
+    </topic_rule>
+    <topic_rule>
+      <topic_expression>rq<xsl:value-of select="$fqn"/>/_action/send_goalRequest</topic_expression>
+      <xsl:call-template name="EnableProtectionsDefault"/>
+      <metadata_protection_kind><xsl:value-of select="../@protection"/></metadata_protection_kind>
+      <data_protection_kind><xsl:value-of select="../@protection"/></data_protection_kind>
+    </topic_rule>
+    <topic_rule>
+      <topic_expression>rr<xsl:value-of select="$fqn"/>/_action/send_goalReply</topic_expression>
+      <xsl:call-template name="EnableProtectionsDefault"/>
+      <metadata_protection_kind><xsl:value-of select="../@protection"/></metadata_protection_kind>
+      <data_protection_kind><xsl:value-of select="../@protection"/></data_protection_kind>
+    </topic_rule>
+    <topic_rule>
+      <topic_expression>rt<xsl:value-of select="$fqn"/>/_action/feedback</topic_expression>
+      <xsl:call-template name="EnableProtectionsDefault"/>
+      <metadata_protection_kind><xsl:value-of select="../@protection"/></metadata_protection_kind>
+      <data_protection_kind><xsl:value-of select="../@protection"/></data_protection_kind>
+    </topic_rule>
+    <topic_rule>
+      <topic_expression>rt<xsl:value-of select="$fqn"/>/_action/status</topic_expression>
+      <xsl:call-template name="EnableProtectionsDefault"/>
+      <metadata_protection_kind><xsl:value-of select="../@protection"/></metadata_protection_kind>
+      <data_protection_kind><xsl:value-of select="../@protection"/></data_protection_kind>
+    </topic_rule>
+  </xsl:for-each>
+</xsl:template>
+
+<xsl:template match="topic | service | action">
+  <xsl:variable name="ns" select="../../@ns"/>
+  <xsl:variable name="node" select="../../@node"/>
+  <xsl:variable name="name" select="."/>
+  <xsl:choose>
+    <xsl:when test="substring($name, 1, 1) = '/'">
+      <xsl:value-of select="$name"/>
+    </xsl:when>
+    <xsl:when test="substring($name, 1, 1) = '~'">
+      <xsl:variable name="_ns">
+        <xsl:call-template name="DelimitNamespace">
+          <xsl:with-param name="ns" select="$ns"/>
+        </xsl:call-template>
+      </xsl:variable>
+      <xsl:variable name="_name" select="substring($name, 2)"/>
+      <xsl:value-of select="concat($_ns, $node, '/', $_name)"/>
+    </xsl:when>
+    <xsl:otherwise>
+      <xsl:variable name="_ns">
+        <xsl:call-template name="DelimitNamespace">
+          <xsl:with-param name="ns" select="$ns"/>
+        </xsl:call-template>
+      </xsl:variable>
+      <xsl:value-of select="concat($_ns, $name)"/>
+    </xsl:otherwise>
+  </xsl:choose>
+</xsl:template>
+
+<xsl:template name="DelimitNamespace">
+  <xsl:param name="ns"/>
+  <xsl:choose>
+    <xsl:when test="substring($ns, string-length($ns), 1) = '/'">
+      <xsl:value-of select="$ns"/>
+    </xsl:when>
+    <xsl:otherwise>
+      <xsl:value-of select="concat($ns, '/')"/>
+    </xsl:otherwise>
+  </xsl:choose>
+</xsl:template>
+
+<xsl:template match="@*|node()" mode="sort">
+  <xsl:copy>
+    <xsl:apply-templates select="@*|node()" mode="sort"/>
+  </xsl:copy>
+</xsl:template>
+
+</xsl:stylesheet>
diff --git a/sros2/test/policies/add_two_ints.xml b/sros2/test/policies/add_two_ints.xml
index 9becfffd..0fa4685e 100644
--- a/sros2/test/policies/add_two_ints.xml
+++ b/sros2/test/policies/add_two_ints.xml
@@ -5,14 +5,14 @@
     <profile ns="/" node="add_two_ints_server">
       <xi:include href="common/node.xml"
         xpointer="xpointer(/profile/*)"/>
-      <services reply="ALLOW">
+      <services reply="ALLOW" protection="ENCRYPT">
         <service>add_two_ints</service>
       </services>
     </profile>
     <profile ns="/" node="add_two_ints_client">
       <xi:include href="common/node.xml"
         xpointer="xpointer(/profile/*)"/>
-      <services request="ALLOW">
+      <services request="ALLOW" protection="ENCRYPT">
         <service>add_two_ints</service>
       </services>
     </profile>
diff --git a/sros2/test/policies/common/node/logging.xml b/sros2/test/policies/common/node/logging.xml
index c7fb80ae..10679736 100644
--- a/sros2/test/policies/common/node/logging.xml
+++ b/sros2/test/policies/common/node/logging.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <profile>
-  <topics publish="ALLOW" >
+  <topics publish="ALLOW" protection="ENCRYPT">
     <topic>rosout</topic>
   </topics>
 </profile>
diff --git a/sros2/test/policies/common/node/parameters.xml b/sros2/test/policies/common/node/parameters.xml
index f6ef2bb6..c8eb937a 100644
--- a/sros2/test/policies/common/node/parameters.xml
+++ b/sros2/test/policies/common/node/parameters.xml
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <profile>
-  <topics publish="ALLOW" subscribe="ALLOW" >
+  <topics publish="ALLOW" subscribe="ALLOW" protection="ENCRYPT">
     <topic>parameter_events</topic>
   </topics>
 
-  <services reply="ALLOW" request="ALLOW" >
+  <services reply="ALLOW" request="ALLOW" protection="ENCRYPT">
     <service>~describe_parameters</service>
     <service>~get_parameter_types</service>
     <service>~get_parameters</service>
diff --git a/sros2/test/policies/common/node/time.xml b/sros2/test/policies/common/node/time.xml
index 2b36c72d..8f2413ec 100644
--- a/sros2/test/policies/common/node/time.xml
+++ b/sros2/test/policies/common/node/time.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <profile>
-  <topics subscribe="ALLOW" >
+  <topics subscribe="ALLOW" protection="ENCRYPT">
     <topic>/clock</topic>
   </topics>
 </profile>
diff --git a/sros2/test/policies/minimal_action.xml b/sros2/test/policies/minimal_action.xml
index f8e0f10f..d456b615 100644
--- a/sros2/test/policies/minimal_action.xml
+++ b/sros2/test/policies/minimal_action.xml
@@ -5,14 +5,14 @@
     <profile ns="/" node="minimal_action_server">
       <xi:include href="common/node.xml"
         xpointer="xpointer(/profile/*)"/>
-      <actions execute="ALLOW">
+      <actions execute="ALLOW" protection="ENCRYPT">
         <action>fibonacci</action>
       </actions>
     </profile>
     <profile ns="/" node="minimal_action_client">
       <xi:include href="common/node.xml"
         xpointer="xpointer(/profile/*)"/>
-      <actions call="ALLOW">
+      <actions call="ALLOW" protection="ENCRYPT">
         <action>fibonacci</action>
       </actions>
     </profile>
diff --git a/sros2/test/policies/sample_policy.xml b/sros2/test/policies/sample_policy.xml
index 589a05e3..f2f2f6ff 100644
--- a/sros2/test/policies/sample_policy.xml
+++ b/sros2/test/policies/sample_policy.xml
@@ -11,13 +11,13 @@
     <profile ns="/" node="admin">
       <xi:include href="common/node.xml"
         xpointer="xpointer(/profile/*)"/>
-      <actions call="ALLOW" execute="ALLOW">
+      <actions call="ALLOW" execute="ALLOW" protection="ENCRYPT">
         <action>fibonacci</action>
       </actions>
-      <services reply="ALLOW" request="ALLOW">
+      <services reply="ALLOW" request="ALLOW" protection="ENCRYPT">
         <service>add_two_ints</service>
       </services>
-      <topics publish="ALLOW" subscribe="ALLOW">
+      <topics publish="ALLOW" subscribe="ALLOW" protection="SIGN">
         <topic>chatter</topic>
       </topics>
     </profile>
diff --git a/sros2/test/policies/talker_listener.xml b/sros2/test/policies/talker_listener.xml
index 88709bd9..ff61de19 100644
--- a/sros2/test/policies/talker_listener.xml
+++ b/sros2/test/policies/talker_listener.xml
@@ -5,14 +5,14 @@
     <profile ns="/" node="talker">
       <xi:include href="common/node.xml"
         xpointer="xpointer(/profile/*)"/>
-      <topics publish="ALLOW" >
+      <topics publish="ALLOW" protection="SIGN">
         <topic>chatter</topic>
       </topics>
     </profile>
     <profile ns="/" node="listener">
       <xi:include href="common/node.xml"
         xpointer="xpointer(/profile/*)"/>
-      <topics subscribe="ALLOW" >
+      <topics subscribe="ALLOW" protection="SIGN">
         <topic>chatter</topic>
       </topics>
     </profile>