Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

3.3. OpenSSL Intel AES-NI Engine

The Intel Advanced Encryption Standard (AES) New Instructions (AES-NI) engine is available for certain Intel processors, and allows for extremely fast hardware encryption and decryption.

Note

For a list of Intel processors that support the AES-NI engine, see: Intel's ARK.
The AES-NI engine is automatically enabled if the detected processor is among the supported ones. To check that the processor is supported, follow the steps below:
  1. Ensure that the processor has the AES instruction set:
    ~]# grep -m1 -o aes /proc/cpuinfo
    aes
    
  2. As root, run the following commands and compare their outputs. Significantly better performance of the latter command indicates that AES-NI is enabled. Note that the outputs below are shortened for brevity:
    ~]# openssl speed aes-128-cbc
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128 cbc      99696.17k   107792.98k   109961.22k   110559.91k   110742.19k
    
    ~]# openssl speed -evp aes-128-cbc
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-cbc     800450.23k   873269.82k   896864.85k   903446.19k   902752.94k
    
To test the speed of OpenSSH you can run a command like the following:
~]# dd if=/dev/zero count=100 bs=1M | ssh -c aes128-cbc localhost "cat >/dev/null"
root@localhost's password: 
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 4.81868 s, 21.8 MB/s
See Intel® Advanced Encryption Standard Instructions (AES-NI) for details about the AES-NI engine.