Netgate Discussion Forum

Hardware support for encryption hinting?

8 Posts 3 Posters 1.1k Views
  • R
    rcfa
    last edited by May 12, 2019, 4:23 AM

    So, finally I have a test platform with AES-NI support. Great.
    Now, when selecting anything that uses some sort of encryption, how do I know that I chose options that are accelerated in hardware? Or does everything become accelerated once a CPU with the required instruction set is present?
    If not, it would be really useful if there were an indication as to what can/will use hardware acceleration, and what doesn't.

    • R
      rcfa
      last edited by May 31, 2019, 5:20 AM

      Bump...

      Anyone knows this? Is this somewhere in the doc? Maybe I'm blind, but I can't find that.

      • K
        kiokoman LAYER 8
        last edited by kiokoman May 31, 2019, 7:41 AM May 31, 2019, 7:33 AM

        ? If you want to know where the option is, I think it's here: System -> Advanced -> Miscellaneous -> Cryptographic Hardware. To check if it's loaded you can open a shell and with kldstat you should see
        aesni.ko loaded
        If AES-NI presence is detected it will be used automatically by OpenSSL, and OpenSSL is used by OpenVPN, offloading the CPU from cryptographic tasks

        You can also do a speed test with and without the module to see the difference with

        openssl speed -evp aes-256-gcm
        

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

          • R
            rcfa @kiokoman
            last edited by May 31, 2019, 6:47 PM

            @kiokoman Thanks, but you misunderstood me, obviously I didn’t express myself well.

            I know the crypto instructions are used. What I don’t know, which settings use them?

            e.g. IPSec offers different hashes (md5, sha1-512, AES-XCBC), different encryption algorithms (AES, AES-GCM, Blowfish, 3DES, CAST).

            Are all of these choices accelerated, or only some?
            If only some, which ones? All AES? AES-GCM?
            What PFS settings are/aren’t covered?

            • K
              kiokoman LAYER 8
              last edited by May 31, 2019, 8:30 PM

              https://www.intel.com/content/dam/doc/white-paper/advanced-encryption-standard-new-instructions-set-paper.pdf
              I think all AES
              I don't think it works for md5/sha as it is a hashing algorithm and not an encryption algo
              maybe someone else knows more about it

              • J
                JeGr LAYER 8 Moderator
                last edited by Jun 3, 2019, 1:57 PM

                @rcfa said in Hardware support for encryption hinting?:

                I know the crypto instructions are used. What I don’t know, which settings use them?

                Go to System>Advanced>Miscellaneous and set up AES-NI to use for crypto. If you do, check your dashboard.
                It should tell you something like:

                AES-NI CPU Crypto: Yes (active)
                

                Directly below is (e.g.):

                AES-CBC,AES-XTS,AES-GCM,AES-ICM
                

                There you go. Those are to be accelerated if you choose them. Also one could generally say that if you can use AES-GCM, use it! But sadly many other "big firewall vendors" still don't support it in 2019 on brand new devices...

                Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
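
The check described in this thread, as an added example that is not part of any post or of pfSense itself: confirm `aesni.ko` appears in `kldstat` output, then test each configured cipher against the list the dashboard prints. The function names, the `kldstat` sample and the mapping of a bare "AES" selection to AES-CBC are assumptions made for illustration.

```shell
#!/bin/sh
# ACCEL is the list the dashboard prints under "AES-NI CPU Crypto: Yes (active)".
ACCEL="AES-CBC,AES-XTS,AES-GCM,AES-ICM"

# Constructed sample of `kldstat` output (not captured from a real system).
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 2f3a000  kernel
 2    1 0xffffffff83021000 8a30     aesni.ko'

# aesni_loaded: succeed if kldstat text on stdin lists aesni.ko in the Name column.
aesni_loaded() {
    awk '$NF == "aesni.ko" { found = 1 } END { exit !found }'
}

# normalize: map a GUI- or OpenSSL-style cipher name to the dashboard's mode name.
# Assumption: a bare "AES" selection means AES-CBC.
normalize() {
    name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$name" in
        AES|AES128|AES192|AES256|AES-*-CBC) echo "AES-CBC" ;;
        AES*GCM*) echo "AES-GCM" ;;
        *) echo "$name" ;;
    esac
}

# is_accelerated: print "yes" if the cipher is in the comma-separated list, else "no".
is_accelerated() {
    mode=$(normalize "$1")
    case ",$2," in
        *",$mode,"*) echo "yes" ;;
        *) echo "no" ;;
    esac
}

# report: require the module to be loaded before trusting the list at all.
report() {
    if ! printf '%s\n' "$SAMPLE_KLDSTAT" | aesni_loaded; then
        echo "aesni.ko not loaded: nothing is accelerated"; return 1
    fi
    for c in "$@"; do
        printf '%-12s %s\n' "$c" "$(is_accelerated "$c" "$ACCEL")"
    done
}

report AES AES-GCM aes-256-gcm Blowfish 3DES CAST128
```

On a live system, pipe the real `kldstat` output into `aesni_loaded` and set `ACCEL` to the string your own dashboard shows.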

                • R
                  rcfa @JeGr
                  last edited by Jun 3, 2019, 2:34 PM

                  @JeGr Thanks!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.