Your Intel processor very likely has a feature called AES-NI: a small set of instructions that makes AES encryption and decryption much faster while also lowering the CPU load of doing it. Intel's product pages list it for each specific processor, or just search for your model number.

On FreeBSD the kernel driver that uses these instructions, aesni(4), is not loaded by default after installation, but you can enable it manually. To check whether your CPU supports AES-NI and whether the driver is loaded:

$ dmesg | grep -i aes

If the CPU does not have the instructions, the command returns nothing. If it has them but the driver is not loaded, you get a single line: the Features2= list of CPUID flags from the CPU banner, with AESNI among them. On a system that has been up for a while the dmesg buffer may have wrapped and lost the boot messages; in that case grep /var/run/dmesg.boot instead, which keeps a copy of them. This is an example from an Intel Core i5-4200U:

$ dmesg | grep -i aes

FreeBSD ships the acceleration as the aesni(4) driver, available as a loadable kernel module; this was done on 10.3. Note that in 10.3 only AES-CBC and AES-XTS get the speed-up, while 11.0 adds AES-GCM and AES-ICM (counter mode) as well. To load the modules:

$ sudo kldload aesni
$ sudo kldload geom_eli
$ sudo kldload geom_zero

The modules are now loaded: aesni.ko and geom_eli.ko appear in the kldstat listing below, and dmesg | grep -i aes now also shows the driver's attach line with the supported modes, e.g. aesni0: <AES-CBC,AES-XTS> on motherboard (more modes are listed on 11.0 and later). Two caveats on what was loaded: geom_eli is only needed if you use geli disk encryption (geli(8) loads it on demand anyway), and geom_zero(4) plays no part in AES acceleration at all. It merely provides /dev/gzero, a device that reads as zeroes and discards writes, which is handy for benchmarking geli throughput. For geli and every other consumer of the kernel crypto framework, aesni alone is what delivers the speed-up.

$ kldstat
Id Refs Address            Size     Name
 1   38 0xffffffff80200000 1fa7c38  kernel
 2    1 0xffffffff821a9000 30aec0   zfs.ko
 3    2 0xffffffff824b4000 adc0     opensolaris.ko
 4    1 0xffffffff824bf000 21bd0    geom_eli.ko
 5    1 0xffffffff824e1000 b3e8     aesni.ko
 6    1 0xffffffff82a19000 587b     fdescfs.ko
 7    1 0xffffffff82a1f000 4fac     ng_ubt.ko
 8    5 0xffffffff82a24000 befc     netgraph.ko
 9    1 0xffffffff82a30000 a58f     ng_hci.ko
10    3 0xffffffff82a3b000 107c     ng_bluetooth.ko
11    1 0xffffffff82a3d000 2a05     uhid.ko
12    1 0xffffffff82a40000 d57d     ng_l2cap.ko
13    1 0xffffffff82a4e000 1b187    ng_btsocket.ko
14    1 0xffffffff82a6a000 393d     ng_socket.ko
15    1 0xffffffff82a6e000 2322b    ipfw.ko

They are not loaded at boot yet, though. To make the change permanent, add the modules to /boot/loader.conf:

$ echo 'aesni_load="YES"' | sudo tee -a /boot/loader.conf
$ echo 'geom_eli_load="YES"' | sudo tee -a /boot/loader.conf
$ echo 'geom_zero_load="YES"' | sudo tee -a /boot/loader.conf

Mind the single quotes: without them the shell strips the double quotes before echo sees them, and loader.conf(5) documents values as double-quoted. Also note that tee -a appends blindly, so running the commands twice leaves duplicate lines; sysrc -f /boot/loader.conf aesni_load=YES sets the variable idempotently and is the better habit.
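The check, load and persist steps above, written as a small script (an added example, not part of the original post). The function names are my own, the regular expressions match what FreeBSD's boot messages actually print, and it only applies changes when run as root on FreeBSD with APPLY=1; the parsing and loader.conf helpers can be exercised anywhere.

```sh
#!/bin/sh
# Added example, not from the original post: the check / load / persist steps
# as functions.  Function names are chosen here.

# Does the CPU advertise AES-NI?  Reads boot messages on stdin; FreeBSD prints
# the CPUID feature flags in a "Features2=0x...<...,AESNI,...>" line.  Feed it
# /var/run/dmesg.boot rather than dmesg(8) output: the message buffer may have
# wrapped on a long-running system.
cpu_has_aesni() {
    grep -q 'Features2=.*[<,]AESNI[,>]'
}

# Has the aesni(4) driver attached?  After kldload aesni the kernel logs e.g.
# "aesni0: <AES-CBC,AES-XTS> on motherboard" (more modes are listed on 11.0+).
aesni_driver_attached() {
    grep -q '^aesni0: <'
}

# Set key="value" in a loader.conf-style file, replacing any existing line for
# key instead of appending a duplicate.  On FreeBSD sysrc(8) does the same job:
#   sysrc -f /boot/loader.conf aesni_load=YES
set_loader_var() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    if [ -f "$file" ]; then
        grep -v "^${key}=" "$file" > "$tmp" || true   # keep everything but the old setting
    fi
    printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"              # cat, not mv: keeps owner/mode of $file
}

# Load the modules now and persist them.  geom_zero is deliberately left out:
# it only provides /dev/gzero for benchmarking geli and takes no part in AES
# acceleration.
enable_aesni_modules() {
    cpu_has_aesni < /var/run/dmesg.boot || { echo "CPU does not advertise AESNI" >&2; return 1; }
    for m in aesni geom_eli; do
        kldstat -q -n "$m" || kldload "$m" || return 1
        set_loader_var /boot/loader.conf "${m}_load" YES || return 1
    done
    dmesg | aesni_driver_attached || { echo "aesni0 did not attach" >&2; return 1; }
}

# Usage: APPLY=1 sh enable-aesni.sh   (as root, on FreeBSD)
if [ "${APPLY:-0}" = 1 ] && [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ]; then
    enable_aesni_modules && echo "aesni loaded and persisted in /boot/loader.conf"
fi
```

The final dmesg check is the part that actually matters for security-relevant consumers such as geli: a Features2 line only proves the CPU can do it, the aesni0 attach line proves the kernel is using it.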

You can also run a quick benchmark with openssl speed. Be clear about what it measures, though: OpenSSL detects AES-NI on its own through CPUID and uses its own userland implementation, so this test gives the same result whether or not aesni.ko is loaded. It confirms that the CPU really has the instructions and that OpenSSL uses them; it says nothing about the kernel driver, which is what geli, IPsec and other crypto(4) consumers depend on. On this Core i5-4200U the results now exceed 1,000MB/s at the largest block size (compared to ~200MB/s without AES-NI), in this case for AES-GCM 256-bit:

$ openssl speed -evp aes-256-gcm
Doing aes-256-gcm for 3s on 16 size blocks: 39678682 aes-256-gcm's in 3.00s
Doing aes-256-gcm for 3s on 64 size blocks: 28685912 aes-256-gcm's in 3.00s
Doing aes-256-gcm for 3s on 256 size blocks: 15976500 aes-256-gcm's in 3.00s
Doing aes-256-gcm for 3s on 1024 size blocks: 4400015 aes-256-gcm's in 3.00s
Doing aes-256-gcm for 3s on 8192 size blocks: 640688 aes-256-gcm's in 3.00s
OpenSSL 1.0.2j-freebsd  26 Sep 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-gcm     211619.64k   611966.12k  1363328.00k  1501871.79k  1749505.37k
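To reproduce the with/without comparison on the same machine, as an added example that is not part of the original post: the helper below parses the summary row of openssl speed and reports the last column in whole MB/s, and the wrapper runs the benchmark twice, the second time with OPENSSL_ia32cap masking bit 57 of OpenSSL's CPUID capability vector (the AES-NI bit), which forces OpenSSL onto its software AES. The function names and the RUN_SPEED switch are my choices.

```sh
#!/bin/sh
# Added example, not part of the original post.  speed_mbs() and
# compare_aesni() are names chosen here; openssl(1) must be in PATH to run the
# actual benchmark.

# Parse the summary table of `openssl speed -evp <cipher>` from stdin and print
# the throughput at the largest block size (last column, in 1000s of bytes/s)
# as whole MB/s.  The row starts with the cipher name, e.g.
#   aes-256-gcm   211619.64k  611966.12k  1363328.00k  1501871.79k  1749505.37k
# Exit status 1 if no such row was found.
speed_mbs() {
    awk -v c="$1" '
        $1 == c {
            v = $NF
            sub(/k$/, "", v)            # strip the trailing "k"
            printf "%d\n", v / 1000     # kB/s -> MB/s
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Benchmark once with AES-NI as detected, then with bit 57 (AES-NI) masked out
# of OpenSSL's capability vector so the software AES path is used.  PCLMULQDQ
# stays enabled, so for GCM only the AES part is slowed down, not GHASH.
compare_aesni() {
    cipher=${1:-aes-256-gcm}
    with=$(openssl speed -evp "$cipher" 2>/dev/null | speed_mbs "$cipher") || return 1
    without=$(OPENSSL_ia32cap='~0x200000000000000' openssl speed -evp "$cipher" 2>/dev/null \
              | speed_mbs "$cipher") || return 1
    echo "$cipher: ${with} MB/s with AES-NI, ${without} MB/s without"
}

# Usage: RUN_SPEED=1 sh aesni-speed.sh [cipher]   (two 15 s benchmark runs)
if [ "${RUN_SPEED:-0}" = 1 ]; then
    compare_aesni "$1"
fi
```

On OpenSSL 1.0.2 the last column is the 8192-byte figure shown above; newer releases add a 16384-byte column, which the parser picks up in the same way. If the "without" number is close to the "with" number, OpenSSL was not using AES-NI in the first place and the Features2 check is the place to look.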
