diff --git a/core/authorize.php b/core/authorize.php
index a439975cd2be63710723146ad5db6e7d9ba7bda7..1544aa9062db4f201e7dbdf0d69588b2ceaf0691 100644
--- a/core/authorize.php
+++ b/core/authorize.php
@@ -12,7 +12,7 @@
  * a multistep process. This script actually performs the selected operations
  * without loading all of Drupal, to be able to more gracefully recover from
  * errors. Access to the script is controlled by a global killswitch in
- * settings.php ('allow_authorize_operations') and via the 'administer software
+ * settings.php ('allow_operations') and via the 'administer software
  * updates' permission.
  *
  * There are helper functions for setting up an operation to run via this
@@ -58,7 +58,7 @@ function authorize_access_denied_page() {
  *   TRUE if the current user can run authorize.php, and FALSE if not.
  */
 function authorize_access_allowed() {
-  return variable_get('allow_authorize_operations', TRUE) && user_access('administer software updates');
+  return config('system.authorize')->get('allow_operations') && user_access('administer software updates');
 }
 
 // *** Real work of the script begins here. ***
diff --git a/core/includes/authorize.inc b/core/includes/authorize.inc
index 6553a9cf32df378e5f400bea689a02c7032b494d..f98820f9eb979e6e3eb338a6ccc34851e19443a2 100644
--- a/core/includes/authorize.inc
+++ b/core/includes/authorize.inc
@@ -40,7 +40,7 @@ function authorize_filetransfer_form($form, &$form_state) {
   if (isset($form_state['values']['connection_settings']['authorize_filetransfer_default'])) {
     $authorize_filetransfer_default = $form_state['values']['connection_settings']['authorize_filetransfer_default'];
   }
-  elseif ($authorize_filetransfer_default = variable_get('authorize_filetransfer_default', NULL));
+  elseif ($authorize_filetransfer_default = config('system.authorize')->get('filetransfer_default'));
   else {
     $authorize_filetransfer_default = key($available_backends);
   }
@@ -139,7 +139,8 @@ function authorize_filetransfer_form($form, &$form_state) {
  * @see hook_filetransfer_backends()
  */
 function _authorize_filetransfer_connection_settings($backend) {
-  $defaults = variable_get('authorize_filetransfer_connection_settings_' . $backend, array());
+  $auth_connection_config = config('system.authorize')->get('filetransfer_connection_settings_' . $backend);
+  $defaults = $auth_connection_config ? $auth_connection_config : array();
   $form = array();
 
   // Create an instance of the file transfer class to get its settings form.
@@ -254,9 +255,9 @@ function authorize_filetransfer_form_submit($form, &$form_state) {
           }
         }
         // Set this one as the default authorize method.
-        variable_set('authorize_filetransfer_default', $filetransfer_backend);
+        config('system.authorize')->set('filetransfer_default', $filetransfer_backend);
         // Save the connection settings minus the password.
-        variable_set('authorize_filetransfer_connection_settings_' . $filetransfer_backend, $connection_settings);
+        config('system.authorize')->set('filetransfer_connection_settings_' . $filetransfer_backend, $connection_settings);
 
         $filetransfer = authorize_get_filetransfer($filetransfer_backend, $form_state['values']['connection_settings'][$filetransfer_backend]);
 
diff --git a/core/modules/system/config/system.authorize.yml b/core/modules/system/config/system.authorize.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b3d1f5dd07aa4574f05908faf35215a7d8dc064e
--- /dev/null
+++ b/core/modules/system/config/system.authorize.yml
@@ -0,0 +1,2 @@
+allow_operations: '1'
+filetransfer_default:
diff --git a/core/modules/system/system.install b/core/modules/system/system.install
index e6ab039c58f5a936e63a45984a09dad8a338bf0e..a8819c18e5697951ac3058929517f550b8513467 100644
--- a/core/modules/system/system.install
+++ b/core/modules/system/system.install
@@ -2175,6 +2175,18 @@ function system_update_8029() {
   update_variable_del('path_alias_whitelist');
 }
 
+ /**
+ * Moves authorize system settings from variable to config.
+ *
+ * @ingroup config_upgrade
+ */
+function system_update_8030() {
+  update_variables_to_config('system.authorize', array(
+    'allow_authorize_operations' => 'allow_operations',
+    'authorize_filetransfer_default' => 'filetransfer_default',
+  ));
+}
+
 /**
  * @} End of "defgroup updates-7.x-to-8.x".
  * The next series of updates should start at 9000.
diff --git a/core/modules/update/update.module b/core/modules/update/update.module
index 51e77e6b8a28bf3946ba0c52df4184776d5db45f..d9aa464249d3d49e9175741c5224f14bf94eb11b 100644
--- a/core/modules/update/update.module
+++ b/core/modules/update/update.module
@@ -251,7 +251,7 @@ function update_menu() {
  * @see update_menu()
  */
 function update_manager_access() {
-  return variable_get('allow_authorize_operations', TRUE) && user_access('administer software updates');
+  return config('system.authorize')->get('allow_operations') && user_access('administer software updates');
 }
 
 /**