From: Jim Thompson
Subject: Re: openssl with aes-in or padlock
Date: Thu, 11 Sep 2014 14:47:54 -0700
To: Wojciech Puchar
Cc: John-Mark Gurney, "hackers@freebsd.org"
Message-Id: <62E8AD7E-346F-4F77-9628-6D5121D7AD6D@netgate.com>
List-Id: Technical Discussions relating to FreeBSD

We just fixed IPSEC to use AES-GCM (with support for AES-NI on hardware that supports it.)

OpenSSL / OpenVPN is probably next.

-- Jim

On Sep 11, 2014, at 14:33, Wojciech Puchar wrote:

>>> #openssl speed -evp aes-256-cbc
>>
>> First off, you won't get much speed up w/ CBC encrypt... Try testing
>> using aes-256-ctr instead... CBC can't process multiple blocks in
>> parallel like CTR can... if you measure the cbc _decrypt_ speed, you
>> should see a big improvement as CBC decrypt can be parallelized...
>>
>>> in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s
>>
>> geli uses a different framework for its crypto processing.. for geli,
>> make sure you have the aesni kernel module loaded before you attach
>> to a geli disk... You should get kernel messages like the following:
>> GEOM_ELI: Device gpt/werner.eli created.
>> GEOM_ELI: Encryption: AES-XTS 256
>> GEOM_ELI: Crypto: hardware
>
> yes I have this. contrary to what you say - both AES-XTS and AES-CBC get
> MUCH faster with AES-NI.
>
>> notice the Crypto: hardware line.. Also, make sure that your geli
>> sector size is 4k instead of 512... This reduces the loop overhead,
>
> as I already said - geli works fast and makes use of AES-NI or padlock
>
> openssl does not
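
The point made in the quoted reply, that CBC encryption is a serial chain while CBC decryption and CTR work on independent blocks, shown as an added example that is not part of the original thread. It assumes a toy Feistel cipher in place of AES so that it runs with the standard library only; all function names and sample values are constructed.

```python
import hashlib

BS = 16  # block size in bytes, as for AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def enc_block(key, blk):
    # Toy 4-round Feistel permutation standing in for AES (assumption, not secure).
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for p in blocks(pt):  # serial chain: block i needs ciphertext block i-1
        prev = enc_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_block(key, iv, ct, i):
    # Needs only ciphertext blocks i and i-1, both already known: no chain.
    c = blocks(ct)
    return _xor(dec_block(key, c[i]), iv if i == 0 else c[i - 1])

def ctr_block(key, nonce, data, i):
    # Keystream for block i depends only on the counter value i.
    ks = enc_block(key, nonce + i.to_bytes(BS // 2, "big"))
    return _xor(blocks(data)[i], ks)

def ctr_crypt(key, nonce, data):
    return b"".join(ctr_block(key, nonce, data, i) for i in range(len(blocks(data))))

def changed_blocks(a, b):
    return [i for i, (x, y) in enumerate(zip(blocks(a), blocks(b))) if x != y]

# Constructed sample input: four full blocks, so no padding is needed.
KEY, IV, NONCE = b"k" * 32, b"\x01" * BS, b"\x02" * (BS // 2)
PT = bytes(range(64))
PT2 = b"\xff" + PT[1:]  # differs from PT only in the first byte
```

Comparing `cbc_encrypt` of `PT` and `PT2` with `changed_blocks` shows every ciphertext block changing, which is the dependency that prevents pipelining CBC encryption; the same comparison under `ctr_crypt` changes only block 0.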