Date: Thu, 11 Sep 2014 14:47:54 -0700 From: Jim Thompson <jim@netgate.com> To: Wojciech Puchar <wojtek@puchar.net> Cc: John-Mark Gurney <jmg@funkthat.com>, "hackers@freebsd.org" <hackers@freebsd.org> Subject: Re: openssl with aes-in or padlock Message-ID: <62E8AD7E-346F-4F77-9628-6D5121D7AD6D@netgate.com> In-Reply-To: <alpine.BSF.2.00.1409112332160.2140@wojtek.dom> References: <alpine.BSF.2.00.1409111858470.1185@wojtek.dom> <20140911180258.GN82175@funkthat.com> <alpine.BSF.2.00.1409112332160.2140@wojtek.dom>
next in thread | previous in thread | raw e-mail | index | archive | help
We just fixed IPSEC to use AES-GCM (with support for AES-NI on hardware that= supports it.) OpenSSL / OpenVPN is probably next.=20 -- Jim On Sep 11, 2014, at 14:33, Wojciech Puchar <wojtek@puchar.net> wrote: >>> #openssl speed -evp aes-256-cbc >>=20 >> First off, you won't get much speed up w/ CBC encrypt... Try testing >> using aes-256-ctr instead... CBC can't process multiple blocks in >> parallel like CTR can... if you measure the cbc _decrypt_ speed, you >> should see a big improvement as CBC decrypt can be parallelized... >>=20 >>> in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s >>=20 >> geli uses a different framework for it's crypto processing.. for geli, >> make sure you have the aesni kernel module loaded before you attach >> to a geli disk... You should get kernel messages like the following: >> GEOM_ELI: Device gpt/werner.eli created. >> GEOM_ELI: Encryption: AES-XTS 256 >> GEOM_ELI: Crypto: hardware >=20 > yes i have this. contrary to what you say - both AES-XTC and AES-CBC gets M= UCH faster with AES-NI. >=20 >> notice the Crypto: hardware line.. Also, make sure that your geli >> sector size is 4k instead of 512... This reduces the loop overhead, >=20 > as i already said - geli works fast and make use of AES-NI or padlock >=20 > openssl does not > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?62E8AD7E-346F-4F77-9628-6D5121D7AD6D>