Show Table of Contents
3.3. OpenSSL Intel AES-NI Engine
The Intel Advanced Encryption Standard (AES) New Instructions (AES-NI) engine is available for certain Intel processors, and allows for extremely fast hardware encryption and decryption.
For a list of Intel processors that support the AES-NI engine, see: Intel's ARK.
The AES-NI engine is automatically enabled if the detected processor is among the supported ones. To check that the processor is supported, follow the steps below:
- Ensure that the processor has the AES instruction set:
grep -m1 -o aes /proc/cpuinfoaes
- As root, run the following commands and compare their outputs. Significantly better performance of the latter command indicates that AES-NI is enabled. Note that the outputs below are shortened for brevity:
openssl speed aes-128-cbcThe 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128 cbc 99696.17k 107792.98k 109961.22k 110559.91k 110742.19k
openssl speed -evp aes-128-cbcThe 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128-cbc 800450.23k 873269.82k 896864.85k 903446.19k 902752.94k
To test the speed of OpenSSH you can run a command like the following:
dd if=/dev/zero count=100 bs=1M | ssh -c aes128-cbc localhost "cat >/dev/null"root@localhost's password: 100+0 records in 100+0 records out 104857600 bytes (105 MB) copied, 4.81868 s, 21.8 MB/s
See Intel® Advanced Encryption Standard Instructions (AES-NI) for details about the AES-NI engine.