openssl with aes-in or padlock
Jim Thompson
jim at netgate.com
Thu Sep 11 21:48:05 UTC 2014
We just fixed IPSEC to use AES-GCM (with support for AES-NI on hardware that supports it.)
OpenSSL / OpenVPN is probably next.
-- Jim
On Sep 11, 2014, at 14:33, Wojciech Puchar <wojtek at puchar.net> wrote:
>>> #openssl speed -evp aes-256-cbc
>>
>> First off, you won't get much speed up w/ CBC encrypt... Try testing
>> using aes-256-ctr instead... CBC can't process multiple blocks in
>> parallel like CTR can... if you measure the cbc _decrypt_ speed, you
>> should see a big improvement as CBC decrypt can be parallelized...
>>
>>> in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s
>>
>> geli uses a different framework for it's crypto processing.. for geli,
>> make sure you have the aesni kernel module loaded before you attach
>> to a geli disk... You should get kernel messages like the following:
>> GEOM_ELI: Device gpt/werner.eli created.
>> GEOM_ELI: Encryption: AES-XTS 256
>> GEOM_ELI: Crypto: hardware
>
> yes i have this. contrary to what you say - both AES-XTC and AES-CBC gets MUCH faster with AES-NI.
>
>> notice the Crypto: hardware line.. Also, make sure that your geli
>> sector size is 4k instead of 512... This reduces the loop overhead,
>
> as i already said - geli works fast and make use of AES-NI or padlock
>
> openssl does not
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
More information about the freebsd-hackers
mailing list