diff --git a/internal/util/fscrypt/fscrypt.go b/internal/util/fscrypt/fscrypt.go
index 53c5f99c9..6a3bf9c40 100644
--- a/internal/util/fscrypt/fscrypt.go
+++ b/internal/util/fscrypt/fscrypt.go
@@ -47,6 +47,17 @@ const (
 	encryptionPassphraseSize = 64
 )
 
+var policyV2Support = []util.KernelVersion{
+	{
+		Version:      5,
+		PatchLevel:   4,
+		SubLevel:     0,
+		ExtraVersion: 0,
+		Distribution: "",
+		Backport:     false,
+	},
+}
+
 func AppendEncyptedSubdirectory(dir string) string {
 	return path.Join(dir, FscryptSubdir)
 }
@@ -266,10 +277,30 @@ func IsDirectoryUnlocked(directoryPath, filesystem string) error {
 	return nil
 }
 
+func getBestPolicyVersion() (int64, error) {
+	// fetch the current running kernel info
+	release, err := util.GetKernelVersion()
+	if err != nil {
+		return 0, fmt.Errorf("fetching current kernel version failed: %w", err)
+	}
+
+	switch {
+	case util.CheckKernelSupport(release, policyV2Support):
+		return 2, nil
+	default:
+		return 1, nil
+	}
+}
+
 // InitializeNode performs once per nodeserver initialization
 // required by the fscrypt library. Creates /etc/fscrypt.conf.
 func InitializeNode(ctx context.Context) error {
-	err := fscryptactions.CreateConfigFile(FscryptHashingTimeTarget, 2)
+	policyVersion, err := getBestPolicyVersion()
+	if err != nil {
+		return fmt.Errorf("fscrypt node init failed to determine best policy version: %w", err)
+	}
+
+	err = fscryptactions.CreateConfigFile(FscryptHashingTimeTarget, policyVersion)
 	if err != nil {
 		existsError := &fscryptactions.ErrConfigFileExists{}
 		if errors.As(err, &existsError) {
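Review bot: `policyV2Support` carries no comment saying why 5.4.0 is the threshold, so a maintainer cannot tell whether it is a kernel feature boundary or a tested minimum. Add `// policyV2Support lists the minimum kernel versions that support fscrypt v2 encryption policies; FSCRYPT_POLICY_V2 landed upstream in Linux 5.4.` above the declaration. With `Distribution: ""` and `Backport: false` the table appears to make no allowance for distribution kernels that backport v2 policies, so such nodes would be configured with the legacy v1 format; if that is intended, say so in the same comment.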
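Review bot: `getBestPolicyVersion` silently falls back to policy version 1 on kernels that do not match `policyV2Support`, and nothing in `InitializeNode` records which version was chosen. v1 is the legacy fscrypt policy format with a weaker key-derivation scheme than v2, so the downgrade is security-relevant and should be visible to operators: log the selected `policyVersion` once it is known, using the package's existing logger, and document the fallback with `// getBestPolicyVersion returns 2 when the running kernel supports fscrypt v2 policies and falls back to the legacy v1 format otherwise.` The `switch` with a single `case` and `default` could also be a plain `if`. InitializeNode's body continues past the hunk; the `ErrConfigFileExists` branch that follows should be checked, since an existing /etc/fscrypt.conf may pin a different policy version than the one just determined and the hunk does not reconcile the two.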