AES-NI Support in Linode Kernel?
I'm trying to determine if I can up the throughput on my OpenVPN server instance, hosted on a 4GB Linode. I'm running Ubuntu 18.04.2 LTS, with Linode kernel 4.18.16-x86_64-linode118.
When I run 'cpuinfo', I can see that 'aes' is listed, indicating processor support for aes-ni. When I run 'sort -u /proc/crypto | grep module' however, I only see kernel listed, no mention of aes-ni. When running 'openssl engine', I also do not see a mention of aes-ni.
I'm hoping someone can explain to me how I can ensure that aes-ni is being used by my Ubuntu install. It seems that it isn't.
Thanks in advance.
3 Replies
If you're using our stock kernel then the necessary modules or drivers may not be available to Ubuntu. I'd recommend using the Ubuntu-supplied kernel by booting your Linode with GRUB 2. We have a full guide on changing the kernel your Linode boots with here.
You don't need kernel crypto support for AES-NI if all you're using is OpenVPN. (The only time kernel crypto support for AES-NI matters is if you're using full disk encryption or in-kernel TLS.) OpenSSL uses AES-NI when it detects that it's available; there's no special engine for AES-NI. You can compare the speeds output by the following two commands to determine if OpenSSL is using AES-NI (the first one should be faster):
openssl speed -elapsed -evp aes-128-cbc
OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
@mjones & @dwfreed Thanks to both of you for the explanations. I went ahead and moved to the Ubuntu kernel, since that seems to be the standard for newer Linodes anyway. Mine has been around for quite a while.
The 'sort -u /proc/crypto | grep module' is now listing aesni, so that's good. But using @dwfreed's test, it seems that OpenSSL was already using it. Anyway, I can check this off the list and see about other ways of improving throughput. Maybe switching to IPSEC…
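The checks discussed in this thread (the CPU flag, the /proc/crypto drivers, and the two openssl speed runs), collected into one script. This is an added example, not part of any post above; the function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: the thread's AES-NI checks as functions (names are hypothetical).

cpu_has_aes() {           # $1: cpuinfo file, "-" for stdin (default /proc/cpuinfo)
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw aes
}

kernel_aesni_drivers() {  # $1: crypto file, "-" for stdin (default /proc/crypto)
    awk -F' *: *' '$1 == "driver" && $2 ~ /aesni/ {print $2}' "${1:-/proc/crypto}" | sort -u
}

speed_8k() {              # stdin: `openssl speed` output; prints the 8192-byte column, kB/s
    awk '/^type/ {getline; sub(/k$/, "", $6); print int($6); exit}'
}

speedup_pct() {           # $1: kB/s with default caps, $2: kB/s with AES-NI masked
    echo $(( $1 * 100 / $2 ))
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_CRYPTO='name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
name         : aes
driver       : aes-generic
module       : kernel'
SAMPLE_SPEED='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     600000.00k   650000.00k   660000.00k   665000.00k   670000.50k'

if [ "${1:-}" = "--live" ]; then
    # Real system: same commands as in the thread, parsed instead of eyeballed.
    if cpu_has_aes; then echo "cpu flag aes: yes"; else echo "cpu flag aes: no"; fi
    echo "kernel aesni drivers: $(kernel_aesni_drivers | tr '\n' ' ')"
    on=$(openssl speed -elapsed -evp aes-128-cbc 2>/dev/null | speed_8k)
    off=$(OPENSSL_ia32cap="~0x200000200000000" \
          openssl speed -elapsed -evp aes-128-cbc 2>/dev/null | speed_8k)
    echo "openssl 8k blocks: ${on}k default, ${off}k masked, $(speedup_pct "$on" "$off")%"
else
    echo "sample drivers: $(printf '%s\n' "$SAMPLE_CRYPTO" | kernel_aesni_drivers -)"
    echo "sample speed:   $(printf '%s\n' "$SAMPLE_SPEED" | speed_8k)k"
fi
```

Run it with `--live` to measure the actual system. The mask value clears capability bits 57 (AES-NI) and 33 (PCLMULQDQ), so a percentage well above 100 means OpenSSL is using AES-NI by default, even when the kernel driver list is empty.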