Hardware support for encryption hinting?
- 
 So, finally I have a test platform with AES-NI support. Great. 
 Now, when selecting anything that uses some sort of encryption, how do I know that I chose options that are accelerated in hardware? Or does everything become accelerated once a CPU with the required instruction set is present?
 If not, it would be really useful if there were an indication as to what can/will use hardware acceleration, and what doesn't.
- 
 Bump... Anyone know this? Is this somewhere in the doc? Maybe I'm blind, but I can't find that. 
- 
 ? If you want to know where the option is, I think it's here: System -> Advanced -> Miscellaneous -> Cryptographic Hardware. To check if it's loaded you can open a shell, and with kldstat you should see 
 aesni.ko loaded
 If AES-NI presence is detected it will be used automatically by OpenSSL, and OpenSSL is used by OpenVPN, offloading the CPU from cryptographic tasks. You can also do a speed test with and without the module to see the difference with openssl speed -evp aes-256-gcm
- 
 @kiokoman Thanks, but you misunderstood me; obviously I didn’t express myself well. I know the crypto instructions are used. What I don’t know is which settings use them. E.g. IPSec offers different hashes (md5, sha1-512, AES-XCBC), different encryption algorithms (AES, AES-GCM, Blowfish, 3DES, CAST). Are all of these choices accelerated, or only some? 
 If only some, which ones? All AES? AES-GCM?
 What PFS settings are/aren’t covered?
- 
 https://www.intel.com/content/dam/doc/white-paper/advanced-encryption-standard-new-instructions-set-paper.pdf 
 I think all AES.
 I don't think it works for MD5/SHA, as it is a hashing algorithm and not an encryption algo.
 Maybe someone else knows more about it.
- 
 @rcfa said in Hardware support for encryption hinting?:
 > I know the crypto instructions are used. What I don’t know, which settings use them?

 Go to System > Advanced > Miscellaneous and set up AES-NI to use for crypto. If you do, check your dashboard. 
 It should tell you something like:
 AES-NI CPU Crypto: Yes (active)
 Directly below is (e.g.):
 AES-CBC,AES-XTS,AES-GCM,AES-ICM
 There you go. Those are to be accelerated if you choose them. Also one could generally say that if you can use AES-GCM, use it! But sadly many other "big firewall vendors" still don't support it in 2019 on brand new devices... 
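
The checks described in the replies above can be scripted. The following is an added example, not part of any post in this thread and not pfSense's own code: it confirms that aesni.ko appears in kldstat output and then compares a set of configured cipher choices against the algorithm list the dashboard reports. The kldstat sample is constructed, the function names are hypothetical, and the mapping of the GUI label "AES" to AES-CBC is an assumption.

```shell
#!/bin/sh
# Added example: compare configured cipher choices with what the aesni driver reports.

# Constructed sample of `kldstat` output (addresses and sizes are made up).
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 2450000  kernel
 2    1 0xffffffff82a21000 bd0      aesni.ko'

# Algorithm list as quoted from the dashboard in the thread.
SAMPLE_DASHBOARD='AES-CBC,AES-XTS,AES-GCM,AES-ICM'

# aesni_loaded KLDSTAT_OUTPUT: succeed only if a module named aesni.ko is listed.
aesni_loaded() {
    printf '%s\n' "$1" | awk '$NF == "aesni.ko" { found = 1 } END { exit !found }'
}

# gui_to_driver NAME: map a GUI label to the name used in the dashboard list.
# Assumption: the plain "AES" choice in the IPsec GUI is AES in CBC mode.
gui_to_driver() {
    case "$1" in
        AES) echo "AES-CBC" ;;
        *)   echo "$1" ;;
    esac
}

# classify DASHBOARD_LIST ALGO...: one line per algorithm, "listed" when the
# dashboard names it under AES-NI, "not-listed" otherwise.
classify() {
    list=",$1,"
    shift
    for algo in "$@"; do
        name=$(gui_to_driver "$algo")
        case "$list" in
            *",$name,"*) echo "$algo listed" ;;
            *)           echo "$algo not-listed" ;;
        esac
    done
}

# Demo on the constructed samples; on a live box pass "$(kldstat)" instead.
if aesni_loaded "$SAMPLE_KLDSTAT"; then
    classify "$SAMPLE_DASHBOARD" AES AES-GCM Blowfish 3DES CAST
else
    echo "aesni.ko not loaded: no AES-NI acceleration via the driver"
fi
```
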
- 
 @JeGr Thanks! 


