Hardware support for encryption hinting?



  • So, finally I have a test platform with AES-NI support. Great.
    Now, when selecting anything that uses some sort of encryption, how do I know that I chose options that are accelerated in hardware? Or does everything become accelerated once a CPU with the required instruction set is present?
    If not, it would be really useful, if the there were an indication as to what can/will use hardware acceleration, and what doesn't.



  • Bump...

    Anyone knows this? Is this somewhere in the doc? Maybe I'm blind, but I can't find that.



  • ? if you want to know where the option is, i think it's here System ->Advanced ->Miscellaneous -> Cryptographic Hardware, to check if it's loaded you can open a shell and with kldstat you shuld see
    aesni.ko loaded
    If AES-NI presence is detected it will be used automatecally by OpenSSL and OpenSSL is used by OpenVPN offloading the CPU from cryptographic tasks

    You can also do a speed test with and without the module to see the difference with

    openssl speed -evp aes-256-gcm
    


  • This post is deleted!


  • @kiokoman Thanks, but you misunderstood me, obviously I didn’t express myself well.

    I know the crypto instructions are used. What I don’t know, which settings use them?

    e.g. IPSec offers different hashes (md5, sha1-512, ARS-XCBC), different encryption algorithms (AES, AES-GCM, Blowfish, 3DES, CAST).

    Are all of these choices accelerated, or only some?
    If only some, which ones? All AES? AES-GCM?
    What PFS settings are/aren’t covered?



  • https://www.intel.com/content/dam/doc/white-paper/advanced-encryption-standard-new-instructions-set-paper.pdf
    i think all aes
    i don't think it work for md5/sha as it is an hashing algorithm and not an encryption algo
    maybe someone else know more about it


  • LAYER 8 Moderator

    @rcfa said in Hardware support for encryption hinting?:

    I know the crypto instructions are used. What I don’t know, which settings use them?

    Go to System>Advanced>Miscellaneous and setup AES-NI to use for crypto. If you do, check your dashboard.
    It should tell you sth like:

    AES-NI CPU Crypto: Yes (active)
    

    Directly below is (e.g.):

    AES-CBC,AES-XTS,AES-GCM,AES-ICM
    

    There you go. Those are to be accelerated if you choose them. Also one could generally say that if you can use AES-GCM, use it! But sadly many other "big firewall vendors" still doesn't support it in 2019 on brand new devices...



  • @JeGr Thanks!


Log in to reply