openssl with aes-ni or padlock

Jim Thompson jim at netgate.com
Thu Sep 11 21:48:05 UTC 2014


We just fixed IPSEC to use AES-GCM (with support for AES-NI on hardware that supports it.)

OpenSSL / OpenVPN is probably next. 

-- Jim

On Sep 11, 2014, at 14:33, Wojciech Puchar <wojtek at puchar.net> wrote:

>>> #openssl speed -evp aes-256-cbc
>> 
>> First off, you won't get much speed up w/ CBC encrypt...  Try testing
>> using aes-256-ctr instead...  CBC can't process multiple blocks in
>> parallel like CTR can...  if you measure the cbc _decrypt_ speed, you
>> should see a big improvement as CBC decrypt can be parallelized...
>> 
>>> in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s
>> 
>> geli uses a different framework for its crypto processing.. for geli,
>> make sure you have the aesni kernel module loaded before you attach
>> to a geli disk...  You should get kernel messages like the following:
>> GEOM_ELI: Device gpt/werner.eli created.
>> GEOM_ELI: Encryption: AES-XTS 256
>> GEOM_ELI:     Crypto: hardware
> 
> yes i have this. contrary to what you say - both AES-XTS and AES-CBC get MUCH faster with AES-NI.
> 
>> notice the Crypto: hardware line..  Also, make sure that your geli
>> sector size is 4k instead of 512...  This reduces the loop overhead,
> 
> as i already said - geli works fast and makes use of AES-NI or padlock
> 
> openssl does not
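Added example (not part of the original thread): the block dependencies behind the CBC-versus-CTR remark quoted above. It assumes a constructed toy Feistel cipher in place of AES so that it runs with the Python standard library alone; all function names are illustrative, and it shows data dependencies only, not throughput.

```python
import hashlib

BLOCK = 16  # bytes, the AES block size

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def toy_encrypt_block(key, block):
    # Constructed 4-round Feistel stand-in for AES so this runs with the
    # standard library only. It is NOT a secure cipher.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key, iv, pt):
    # C_i = E(P_i xor C_{i-1}): block i cannot start until block i-1 is done.
    # Input must be a multiple of BLOCK bytes (padding is left out here).
    prev, out = iv, []
    for p in split(pt):
        prev = toy_encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_block(key, iv, ct, i):
    # P_i = D(C_i) xor C_{i-1}: both inputs are ciphertext that is already
    # available, so any block can be decrypted alone, in any order.
    blocks = split(ct)
    prev = iv if i == 0 else blocks[i - 1]
    return _xor(toy_decrypt_block(key, blocks[i]), prev)

def ctr_block(key, nonce, data, i):
    # Keystream block i = E(nonce || counter i) depends on no other block,
    # so CTR is independent per block for encryption and decryption alike.
    keystream = toy_encrypt_block(key, nonce + i.to_bytes(8, "big"))
    return _xor(split(data)[i], keystream)
```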