How to force Hardware AES De-/Encryption?

Post by limone » Wed Dec 13, 2017 7:36 pm

Hi guys,

I've got a KVM server whose host doesn't pass the aes flag to the VM.
So my server is hardware aes capable, but openssl doesn't know that without specifically telling it to do so.

Code:

# openssl speed -elapsed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      61211.46k    60594.33k    60892.50k   163162.11k   182031.70k

Code:

# OPENSSL_ia32cap="+0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     461871.00k   484265.41k   510874.11k   504460.29k   544361.13k

So, anyone got an idea how to do that?

dazo
OpenVPN Technologies

Re: How to force Hardware AES De-/Encryption?

Post by dazo » Fri Dec 15, 2017 11:13 am

Have you tried adding the OPENSSL_ia32cap variable before starting the OpenVPN process? If you're using a systemd-based distro, you can do that with systemctl edit openvpn-{client,server}@CONFIGNAME .... then add:

Code:

[Service]
# No quotes around the value itself: systemd keeps quote characters inside the outer quotes as part of the value
Environment="OPENSSL_ia32cap=+0x200000200000000"

Then do a systemctl restart openvpn-{client,server}@CONFIGNAME
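
One way to confirm that the override actually reached the OpenVPN process, as an added example that is not part of the original thread: the helpers below (hypothetical names) read a cpuinfo-format file and a /proc/PID/environ-format file, then check that the OPENSSL_ia32cap value is a clean hex mask with bit 57 (AES-NI in OpenSSL's capability vector) set. The sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.

# Return 0 if CPU flag $2 appears in the "flags" line of cpuinfo-format file $1.
cpu_has_flag() {
    sed -n '/^flags/{s/^[^:]*://;p;q;}' "$1" | tr -s ' \t' '\n\n' | grep -qx "$2"
}

# Print the value of variable $2 from the NUL-separated file $1
# (the format of /proc/PID/environ); return 1 if it is unset or empty.
proc_env_value() {
    tr '\000' '\n' < "$1" | sed -n "s/^$2=//p" | grep .
}

# Return 0 if $1 is [+]0x<hex> with bit 57 (AES-NI) set. A value that
# carries stray quote characters or other non-hex text is rejected.
mask_sets_aesni() {
    digits=${1#+}
    case $digits in
        0x*) digits=${digits#0x} ;;
        *)   return 1 ;;
    esac
    case $digits in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#digits}" -le 16 ] || return 1
    [ $(( (0x$digits >> 57) & 1 )) -eq 1 ]
}

# Constructed sample data: a guest whose cpuinfo hides "aes", and the
# environment of a process started with the override from the thread.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf 'processor\t: 0\nflags\t\t: fpu sse2 ssse3 avx\n' > "$demo/cpuinfo"
printf 'LANG=C\000OPENSSL_ia32cap=+0x200000200000000\000' > "$demo/environ"

cpu_has_flag "$demo/cpuinfo" aes || echo "guest cpuinfo does not list aes"
val=$(proc_env_value "$demo/environ" OPENSSL_ia32cap) \
    && mask_sets_aesni "$val" \
    && echo "process environment sets the AES-NI bit: $val"
```

On a live server, pass /proc/cpuinfo and /proc/PID/environ for the OpenVPN process (readable as root); the PID is available from systemctl show -p MainPID openvpn-server@CONFIGNAME.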
