Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    AES-NI question for XG-1541

    Scheduled Pinned Locked Moved Official Netgate® Hardware
    4 Posts 4 Posters 696 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      ScottCall
      last edited by

      Hello

      Apologies if this is a silly question but I've been running my XG-1541s (21.05.02 with update to 22.05 scheduled this weekend) with crypto set to AES-NI + BSD Cryptodev.

      Is there any reason to change it to just AES-NI (or any reason not to?)

      Thanks!

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Galactic Empire @ScottCall
        last edited by

        @scottcall https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#cryptographic-thermal-hardware
        “ Loads both the AES-NI and BSD Crypto Device modules together, which is the optimal configuration in most cases. Choose this unless a specific environment or configuration is found to work better without it.”
        :)

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        1 Reply Last reply Reply Quote 1
        • N
          NOCling
          last edited by

          The best is Intel Quick Assist if your Hardware supports it.

          Netgate 6100 & Netgate 2100

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            That doc is a bit old really. Loading AES-NI by itself is better in anything after 22.01. The BSD crypto device is not used by anything usefully from that point on. OpenVPN (OpenSSL) will use AES-NI directly if the CPU supports it OpenVPN with DCO enabled will use it with the AES-NI module loaded as will IPSec.
            And yes anything with QAT support should use that instead.

            Steve

            1 Reply Last reply Reply Quote 2
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.