openssl with aes-ni or padlock
Wojciech Puchar
wojtek at puchar.net
Sat Sep 13 07:35:22 UTC 2014
Will it be available on FreeBSD 10?
On Thu, 11 Sep 2014, Jim Thompson wrote:
> We just fixed IPSEC to use AES-GCM (with support for AES-NI on hardware that supports it.)
>
> OpenSSL / OpenVPN is probably next.
>
> -- Jim
>
> On Sep 11, 2014, at 14:33, Wojciech Puchar <wojtek at puchar.net> wrote:
>
>>>> #openssl speed -evp aes-256-cbc
>>>
>>> First off, you won't get much speed up w/ CBC encrypt... Try testing
>>> using aes-256-ctr instead... CBC can't process multiple blocks in
>>> parallel like CTR can... if you measure the cbc _decrypt_ speed, you
>>> should see a big improvement as CBC decrypt can be parallelized...
>>>
>>>> in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s
>>>
>>> geli uses a different framework for its crypto processing.. for geli,
>>> make sure you have the aesni kernel module loaded before you attach
>>> to a geli disk... You should get kernel messages like the following:
>>> GEOM_ELI: Device gpt/werner.eli created.
>>> GEOM_ELI: Encryption: AES-XTS 256
>>> GEOM_ELI: Crypto: hardware
>>
>> Yes, I have this. Contrary to what you say, both AES-XTS and AES-CBC get MUCH faster with AES-NI.
>>
>>> notice the Crypto: hardware line.. Also, make sure that your geli
>>> sector size is 4k instead of 512... This reduces the loop overhead,
>>
>> As I already said, geli works fast and makes use of AES-NI or padlock.
>>
>> openssl does not.
>> _______________________________________________
>> freebsd-hackers at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>
>
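
Added example, not part of the original thread: the block dependencies behind the quoted point that CBC encryption is serial while CBC decryption and CTR can process blocks independently. A toy Feistel cipher stands in for AES (an assumption, not secure), and all function names are hypothetical.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

# Toy 16-byte block cipher (4-round Feistel), a stand-in for AES. NOT secure.
def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:  # serial: block i needs ciphertext block i-1 first
        prev = enc_block(key, xor(p, prev))
        out.append(prev)
    return out

def cbc_decrypt(key, iv, cblocks, workers=4):
    prevs = [iv] + cblocks[:-1]  # every input is already known up front
    with ThreadPoolExecutor(workers) as ex:  # shows independence, not speed
        return list(ex.map(lambda pc: xor(dec_block(key, pc[1]), pc[0]),
                           zip(prevs, cblocks)))

def ctr_crypt(key, nonce, blocks, workers=4):
    # Keystream block i depends only on (nonce, i); same call decrypts.
    def one(ib):
        return xor(ib[1], enc_block(key, nonce + ib[0].to_bytes(8, "big")))
    with ThreadPoolExecutor(workers) as ex:
        return list(ex.map(one, enumerate(blocks)))

if __name__ == "__main__":
    key, iv = b"k" * 32, b"\x00" * 16  # constructed sample values
    pt = [bytes([i]) * 16 for i in range(8)]
    assert cbc_decrypt(key, iv, cbc_encrypt(key, iv, pt)) == pt
    assert ctr_crypt(key, iv[:8], ctr_crypt(key, iv[:8], pt)) == pt
    print("round trips ok")
```

Changing the first plaintext block changes every later CBC ciphertext block but only one CTR block, which is why hardware that pipelines several AES blocks at once helps CBC encrypt least.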