openssl with aes-ni or padlock

John-Mark Gurney jmg at funkthat.com
Tue Sep 16 06:19:07 UTC 2014


Wojciech Puchar wrote this message on Sat, Sep 13, 2014 at 09:35 +0200:
> will it be available on FreeBSD 10 ?

It will eventually make it into 10, but it definitely won't make it
into 10.1-R which is coming up soon.

> On Thu, 11 Sep 2014, Jim Thompson wrote:
> 
> >We just fixed IPSEC to use AES-GCM (with support for AES-NI on hardware 
> >that supports it.)
> >
> >OpenSSL / OpenVPN is probably next.
> >
> >-- Jim
> >
> >On Sep 11, 2014, at 14:33, Wojciech Puchar <wojtek at puchar.net> wrote:
> >
> >>>>#openssl speed -evp aes-256-cbc
> >>>
> >>>First off, you won't get much speed up w/ CBC encrypt...  Try testing
> >>>using aes-256-ctr instead...  CBC can't process multiple blocks in
> >>>parallel like CTR can...  if you measure the cbc _decrypt_ speed, you
> >>>should see a big improvement as CBC decrypt can be parallelized...
> >>>
> >>>>in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s
> >>>
> >>>geli uses a different framework for its crypto processing.. for geli,
> >>>make sure you have the aesni kernel module loaded before you attach
> >>>to a geli disk...  You should get kernel messages like the following:
> >>>GEOM_ELI: Device gpt/werner.eli created.
> >>>GEOM_ELI: Encryption: AES-XTS 256
> >>>GEOM_ELI:     Crypto: hardware
> >>
> >>yes i have this. contrary to what you say - both AES-XTS and AES-CBC get
> >>MUCH faster with AES-NI.
> >>
> >>>notice the Crypto: hardware line..  Also, make sure that your geli
> >>>sector size is 4k instead of 512...  This reduces the loop overhead,
> >>
> >>as i already said - geli works fast and makes use of AES-NI or padlock
> >>
> >>openssl does not

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."


More information about the freebsd-hackers mailing list
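
Added example, not part of the original message: a sketch of the block dependencies behind the CBC versus CTR remark quoted above. It assumes a toy 4-round Feistel cipher built from SHA-256 as a stand-in for AES (Python's standard library has no AES); all function names are hypothetical.

```python
import hashlib

BS = 16  # block size in bytes, same as AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # round function of the toy cipher (stand-in for AES, not secure)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, blocks):
    # Block i's cipher input needs ciphertext i-1, so this loop is inherently serial.
    out, prev = [], iv
    for p in blocks:
        prev = enc_block(key, _xor(p, prev))
        out.append(prev)
    return out

def cbc_decrypt_one(key, iv, ct, i):
    # Needs only ct[i-1] and ct[i], both already known: blocks can be done in any order.
    return _xor(dec_block(key, ct[i]), ct[i - 1] if i else iv)

def ctr_one(key, nonce, blocks, i):
    # Keystream block i depends only on the counter; the same call encrypts and decrypts.
    return _xor(blocks[i], enc_block(key, nonce + i.to_bytes(8, "big")))

def demo():
    key, iv, nonce = b"k" * 16, b"\x01" * BS, b"\x02" * 8
    pt = [bytes([i]) * BS for i in range(8)]  # constructed sample plaintext
    ct = cbc_encrypt(key, iv, pt)
    # Decrypt CBC last block first to show no block waits on another block's result.
    cbc_pt = [cbc_decrypt_one(key, iv, ct, i) for i in reversed(range(8))][::-1]
    ctr_ct = [ctr_one(key, nonce, pt, i) for i in range(8)]
    pt2 = [_xor(pt[0], b"\x80" + bytes(15))] + pt[1:]  # flip one bit in block 0
    cbc_changed = sum(a != b for a, b in zip(ct, cbc_encrypt(key, iv, pt2)))
    ctr_changed = sum(ctr_one(key, nonce, pt2, i) != ctr_ct[i] for i in range(8))
    return cbc_pt == pt, cbc_changed, ctr_changed  # (True, 8, 1)

if __name__ == "__main__": print(demo())
```

A one-bit change in plaintext block 0 alters all eight CBC ciphertext blocks but only one CTR block, which is the chaining that keeps CBC encryption from being spread across pipelined AES-NI instructions.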