Cryptographic Hardware
-
Hello,
We are installing a new pfSense on our HP ProLiant DL320e Gen8 server. There is Cryptographic Hardware in System / Advanced / Miscellaneous with 3 options:
Which one is recommended to choose?
Besides this, in the OpenVPN setup, there is Hardware Crypto with the sub-menu "Intel RDRAND engine - RAND". Should I choose it? We will have these options (Crypto: AES-256-GCM/SHA256, D-H Params: 2048 bits)
-
RTFM:
https://docs.netgate.com/pfsense/en/latest/book/config/advanced-misc.html#cryptographic-hardware
https://docs.netgate.com/pfsense/en/latest/book/openvpn/openvpn-configuration-options.html#hardware-crypto
and:
https://forum.netgate.com/search
-
Thank you for your reply. I chose AES-NI CPU-based acceleration and rebooted. I read that OpenVPN supports AES-NI automatically even if "No hardware crypto acceleration" is chosen in the OpenVPN setup. But I wonder, then, do I not need to choose "Intel RDRAND engine - RAND"?
And if in the future I change Hardware Crypto to another option, then our VPN users will not be able to connect to the VPN server?
-
Yup, it will use AES-NI anyway, or rather OpenSSL will.
Leave hardware crypto set to none in OpenVPN.
Steve
-
@emammadov said in Cryptographic Hardware:
And if in the future I change Hardware Crypto to another option, then our VPN users will not be able to connect to the VPN server?
You can change the crypto back and forth, this will not have any negative effect for your users.
-Rico
-
Thank you for your replies. I will set hardware crypto to none in OpenVPN. But what will be the effect if I choose "Intel RDRAND engine - RAND"?
-
Probably no detectable difference.