Accelerating crypto09. Jul '14

Crypto API is generic cryptography library API introduced in Linux kernel. Kernel already contains software implementations for major symmetric ciphers. The API allows plugging in implementations which take advantage of hardware components such as Geode AES engine 2, Kirkwood CESA engine 3 that can accelerate encryption.

OpenSSL acceleration

Crypto API backend modules transparently accelerate kernelspace crypto such as IPsec. Accelerating userspace applications Apache, OpenSSH, OpenVPN and others using OpenSSL is currently possible via two methods. Note that crypto hardware that has been implemented as instructions such as VIA Padlock 4 and Intel AES-NI 5 does not need any special mechanism to be used from userspace.

OpenSSL can take of advantage of Padlock if the respective engines are present. AES-NI support seems to have been fully integrated 1:

openssl speed -elapsed -evp aes-128-cbc

Resulting following on Thinkpad T420's i5:

aes-128-cbc     501615.36k   539707.75k   549787.56k   554413.40k   554825.05k

Compared to a run where AES-NI capability was turned off explicitly:

OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc

Resulting in roughly twice less throughput:

aes-128-cbc     249055.09k   282151.70k   287307.43k   292073.13k   292874.92k

Userspace access via Cryptodev

Cryptodev-linux module 6 has to be compiled. It's compatible with OpenBSD's cryptodev userspace API (/dev/crypto) and it's GPLv2 licensed which means that one day it could be included in the upstream kernel. It enables userspace application access to Crypto API backend modules already present in the kernel.

Since such API is not available by default on Linux distributions, the OpenSSL has to be recompiled with additional flags:

sudo make install

Note that for Ubuntu/Debian machines it is preferred to download source package, modify debian/rules and recompile the package:

apt-get source openssl
cd openssl-*/
dch -i "Enabled cryptodev support"
sudo dpkg -i ../openssl*.deb

You can test the performance by:

openssl speed -evp aes-128-cbc -engine cryptodev -elapsed

Using Geode's AES engine on ALIX.3D3


Hardware Accelerated SSL on SheevaPlug


VIA PadLock Security Engine


Intel® Advanced Encryption Standard Instructions (AES-NI)


Cryptodev-linux module

Userspace access via AF_ALG

AF_ALG plugin for OpenSSL 7 takes advantage of the new AF_ALG interface present in kernels since 2.6.38. It is very much like cryptodev method sans compiling special kernel module. Isnstalling the plugin is pretty easy, note that you might need to adjust engine lookup path:

git clone
cd af_alg/
sudo cp /usr/lib/arm-linux-gnueabi/openssl-1.0.0/engines/
sudo chmod 644 /usr/lib/arm-linux-gnueabi/openssl-1.0.0/engines/

Make sure modules are loaded:

echo af_alg >> /etc/modules
echo algif_hash >> /etc/modules
echo algif_skcipher >> /etc/modules
modprobe af_alg algif_hash algif_skcipher

You can test the performance by:

openssl speed -evp aes-128-cbc -engine af_alg -elapsed

OpenSSL AF_ALG plugin

Cryptodev Crypto API OpenSSL