Cryptographic Hardware

emammadov

Hello,

We are installing new pfSense in our HP Proliant Dl320e Gen8 server. There is Cryptographic Hardware in System / Advanced / Miscellaneous with 3 options:

Which one is recommended to choose?

Beside this, in OpenVPN setup, there is Hardware Crypto with sub menu "Intel RDRAND engine - RAND". Shoud I choose it? We will have this options (Crypto: AES-256-GCM/SHA256
D-H Params: 2048 bits)

Grimson

RTFM:
https://docs.netgate.com/pfsense/en/latest/book/config/advanced-misc.html#cryptographic-hardware
https://docs.netgate.com/pfsense/en/latest/book/openvpn/openvpn-configuration-options.html#hardware-crypto
and:
https://forum.netgate.com/search

emammadov

Thank you for your reply. I choose AES-NI Cpu based acceleration and reboot. I read that Openvpn supports AES-NI automatically even if "No hardware crypto acceleration" is choosen in Openvpn setup. But I wonder then I don't need to choose "Intel RDRAND engine - RAND"?
And if in the future I change Hardware Crypto to another option, then our vpn users will not be able to connect to vpn server?

stephenw10

Yup, it will use AES-NI anyway, or rather OpenSSL will.

Leave hardware crypto set to none in OpenVPN.

Steve

Rico

@emammadov said in Cryptographic Hardware:

And if in the future I change Hardware Crypto to another option, then our vpn users will not be able to connect to vpn server?

You can change the crypto back and forth, this will not have any negative effect for your users.

-Rico

emammadov

Thank you for your replies. I will set hardware crypto to none in Openvpn. But, what will affect if I choose "Intel RDRAND engine - RAND"?

stephenw10

Probably no detectable difference.