3.3. OpenSSL Intel AES-NI Engine
The Intel Advanced Encryption Standard (AES) New Instructions (AES-NI) engine is available for certain Intel processors, and allows for extremely fast hardware encryption and decryption.
Note
For a list of Intel processors that support the AES-NI engine, see: Intel's ARK.
The AES-NI engine is automatically enabled if the detected processor is among the supported ones. To check that the processor is supported, follow the steps below:
- Ensure that the processor has the AES instruction set:
~]#
grep -m1 -o aes /proc/cpuinfoaes - As root, run the following commands and compare their outputs. Significantly better performance of the latter command indicates that AES-NI is enabled. Note that the outputs below are shortened for brevity:
~]#
openssl speed aes-128-cbcThe 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128 cbc 99696.17k 107792.98k 109961.22k 110559.91k 110742.19k~]#
openssl speed -evp aes-128-cbcThe 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128-cbc 800450.23k 873269.82k 896864.85k 903446.19k 902752.94k
To test the speed of OpenSSH you can run a command like the following:
~]# dd if=/dev/zero count=100 bs=1M | ssh -c aes128-cbc localhost "cat >/dev/null"
root@localhost's password:
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 4.81868 s, 21.8 MB/s
See Intel® Advanced Encryption Standard Instructions (AES-NI) for details about the AES-NI engine.
