Important

Netgate is offering COVID-19 aid for pfSense software users, learn more.

Cryptographic Accelerator Support

Cryptographic acceleration is available on some platforms, typically on hardware that has it available in the CPU like AES-NI, or built into the board such as the ones used on Netgate ARM-based systems. Most cryptographic accelerator hardware supported by FreeBSD will work, provided the drivers are in the kernel or available as loadable modules.

Activating the Hardware

Some hardware acceleration is active at all times and there is no way to disable it short of removing the crypto card if it is a hardware add-on. For example, CESA acceleration cannot be disabled because it’s an integrated feature of the system and the drivers are present the kernel.

Others, such as AES-NI, or SafeXcel require choosing the appropriate module under System > Advanced on the Miscellaneous tab. Choose the appropriate module to match the hardware for Cryptographic Hardware and then Save. The module will be loaded and available immediately.

Note

Some modules and hardware are only supported by the Netgate Factory Edition of pfSense software.

To deactivate a loaded module, select None for Cryptographic Hardware, Save, and then reboot the system.

Verifying Support

To see a list of engines and associated transforms supported by the hardware and active modules though OpenSSL, run:

/usr/bin/openssl engine -t -c

Note

That is only for support via OpenSSL. Other areas such as IPsec may support additional methods not listed.

Practical Use

IPsec

IPsec will take advantage of cryptodev automatically when a supported cipher is chosen. For AES-NI, the optimal cipher choice is AES-GCM.

OpenVPN

To take advantage of acceleration in OpenVPN, choose a supported cipher on each end of a given tunnel.

Nothing needs selected for OpenVPN to utilize AES-NI. The OpenSSL engine has its own code for handling AES-NI that works well without using the BSD Cryptodev Engine.