    Cryptographic Hardware

    • emammadov
      emammadov last edited by

      Hello,

      We are installing a new pfSense on our HP ProLiant DL320e Gen8 server. There is Cryptographic Hardware in System / Advanced / Miscellaneous with 3 options:

      Which one is recommended to choose?

      Besides this, in the OpenVPN setup there is Hardware Crypto with the submenu "Intel RDRAND engine - RAND". Should I choose it? We will have these options (Crypto: AES-256-GCM/SHA256, D-H Params: 2048 bits)

      Elvin

      • Grimson
        Grimson Banned last edited by

        RTFM:
        https://docs.netgate.com/pfsense/en/latest/book/config/advanced-misc.html#cryptographic-hardware
        https://docs.netgate.com/pfsense/en/latest/book/openvpn/openvpn-configuration-options.html#hardware-crypto
        and:
        https://forum.netgate.com/search

        • emammadov
          emammadov last edited by

          Thank you for your reply. I chose AES-NI CPU-based acceleration and rebooted. I read that OpenVPN supports AES-NI automatically even if "No hardware crypto acceleration" is chosen in the OpenVPN setup. But I wonder, then, do I not need to choose "Intel RDRAND engine - RAND"?
          And if in the future I change Hardware Crypto to another option, will our VPN users then not be able to connect to the VPN server?

          Elvin

          • stephenw10
            stephenw10 Netgate Administrator last edited by

            Yup, it will use AES-NI anyway, or rather OpenSSL will.

            Leave hardware crypto set to none in OpenVPN.

            Steve

            • Rico
              Rico LAYER 8 Rebel Alliance @emammadov last edited by

              @emammadov said in Cryptographic Hardware:

              And if in the future I change Hardware Crypto to another option, will our VPN users then not be able to connect to the VPN server?

              You can change the crypto back and forth; this will not have any negative effect for your users.

              -Rico

              2x Netgate XG-7100 | 11x Netgate SG-5100 | 6x Netgate SG-3100 | 2x Netgate SG-1100

              • emammadov
                emammadov last edited by

                Thank you for your replies. I will set hardware crypto to none in OpenVPN. But what will the effect be if I choose "Intel RDRAND engine - RAND"?

                Elvin

                • stephenw10
                  stephenw10 Netgate Administrator last edited by

                  Probably no detectable difference.
