Your Intel processor very likely has a feature called AES-NI that greatly speeds up AES encryption and decryption while also reducing system load. Check Intel’s website for your specific processor, or just Google for it.
By default this function is not enabled after installation, but you can enable it manually. To check if your CPU supports AES-NI and if it is enabled or not:
$ dmesg | grep -i aes
If the CPU doesn’t have this function, the command should return nothing. If it is supported but not enabled, you should see one line showing the features of your processor. This is an example from an Intel Core i5-4200U:
$ dmesg | grep -i aes
Features2=0x7fdafbbf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,SDBG,FMA,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
FreeBSD now has the function available as kernel modules, at least starting from version 10.3. Note that in version 10.3, only AES-CBC and AES-XTS get the improvement, and version 11.0 starts supporting AES-GCM and AES-ICM as well. In order to load the modules:
$ sudo kldload aesni
$ sudo kldload geom_eli
$ sudo kldload geom_zero
The required kernel modules are now loaded. To verify, check that the names of the modules above are listed in the kldstat output. dmesg | grep -i aes now also shows that the AES modules have been added, with the supported types of AES also displayed.
$ kldstat
Id Refs Address            Size     Name
 1   38 0xffffffff80200000 1fa7c38  kernel
 2    1 0xffffffff821a9000 30aec0   zfs.ko
 3    2 0xffffffff824b4000 adc0     opensolaris.ko
 4    1 0xffffffff824bf000 21bd0    geom_eli.ko
 5    1 0xffffffff824e1000 b3e8     aesni.ko
 6    1 0xffffffff82a19000 587b     fdescfs.ko
 7    1 0xffffffff82a1f000 4fac     ng_ubt.ko
 8    5 0xffffffff82a24000 befc     netgraph.ko
 9    1 0xffffffff82a30000 a58f     ng_hci.ko
10    3 0xffffffff82a3b000 107c     ng_bluetooth.ko
11    1 0xffffffff82a3d000 2a05     uhid.ko
12    1 0xffffffff82a40000 d57d     ng_l2cap.ko
13    1 0xffffffff82a4e000 1b187    ng_btsocket.ko
14    1 0xffffffff82a6a000 393d     ng_socket.ko
15    1 0xffffffff82a6e000 2322b    ipfw.ko
But for now they’re not loaded on startup. To make the change permanent, add the modules to /boot/loader.conf:
$ echo 'aesni_load="YES"' | sudo tee -a /boot/loader.conf
$ echo 'geom_eli_load="YES"' | sudo tee -a /boot/loader.conf
$ echo 'geom_zero_load="YES"' | sudo tee -a /boot/loader.conf
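As an added example (not part of the original article), the shell functions below audit the steps above: CPU support, loaded modules and loader.conf persistence, and they append a loader.conf entry only when it is missing. The function names are hypothetical and the sample dmesg, kldstat and loader.conf input is constructed so the script runs offline; on a real system pass "$(dmesg)", "$(kldstat)" and /boot/loader.conf instead.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, sample data is constructed.

# cpu_has_aesni DMESG_TEXT: succeeds if a CPU Features2 line lists AESNI.
cpu_has_aesni() {
    printf '%s\n' "$1" | grep -Eq 'Features2=.*[<,]AESNI[,>]'
}

# module_loaded KLDSTAT_TEXT MODULE: succeeds if MODULE.ko is in the Name column.
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2.ko" '$NF == m { f = 1 } END { exit !f }'
}

# boot_enabled FILE MODULE: succeeds if an uncommented MODULE_load=YES line exists.
boot_enabled() {
    grep -Eq "^[[:space:]]*${2}_load=\"?YES\"?[[:space:]]*(#.*)?\$" "$1" 2>/dev/null
}

# ensure_loader_entry FILE MODULE: append the entry only when it is missing,
# so re-running the setup does not leave duplicate lines in loader.conf.
ensure_loader_entry() {
    boot_enabled "$1" "$2" || printf '%s_load="YES"\n' "$2" >> "$1"
}

# audit DMESG_TEXT KLDSTAT_TEXT FILE: print one status line per check.
audit() {
    if cpu_has_aesni "$1"; then echo "cpu: AESNI supported"
    else echo "cpu: AESNI not reported"; fi
    for m in aesni geom_eli geom_zero; do
        if module_loaded "$2" "$m"; then now=loaded; else now=not-loaded; fi
        if boot_enabled "$3" "$m"; then boot=at-boot; else boot=not-at-boot; fi
        echo "$m: $now, $boot"
    done
}

# Constructed sample input, modeled on the output shown in the article.
SAMPLE_DMESG='Features2=0x7fdafbbf<SSE3,PCLMULQDQ,POPCNT,TSCDLT,AESNI,XSAVE,RDRAND>'
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   38 0xffffffff80200000 1fa7c38  kernel
 4    1 0xffffffff824bf000 21bd0    geom_eli.ko
 5    1 0xffffffff824e1000 b3e8     aesni.ko'
SAMPLE_CONF=$(mktemp)                          # stands in for /boot/loader.conf
echo '#geom_eli_load="YES"' > "$SAMPLE_CONF"   # commented out: must not count
ensure_loader_entry "$SAMPLE_CONF" aesni
ensure_loader_entry "$SAMPLE_CONF" aesni       # second call is a no-op
audit "$SAMPLE_DMESG" "$SAMPLE_KLDSTAT" "$SAMPLE_CONF"
```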
You can also run a speed test using openssl. The final results now exceed 1,000MB/s (compared to ~200MB/s without AES-NI on this Core i5-4200U), in this case using AES-GCM 256-bit:
$ openssl speed -evp aes-256-gcm
Doing aes-256-gcm for 3s on 16 size blocks: 39678682 aes-256-gcm's in 3.00s
Doing aes-256-gcm for 3s on 64 size blocks: 28685912 aes-256-gcm's in 3.00s
Doing aes-256-gcm for 3s on 256 size blocks: 15976500 aes-256-gcm's in 3.00s
Doing aes-256-gcm for 3s on 1024 size blocks: 4400015 aes-256-gcm's in 3.00s
Doing aes-256-gcm for 3s on 8192 size blocks: 640688 aes-256-gcm's in 3.00s
OpenSSL 1.0.2j-freebsd 26 Sep 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-gcm     211619.64k   611966.12k  1363328.00k  1501871.79k  1749505.37k