Netgate is offering COVID-19 aid for pfSense software users, learn more.

Cryptographic Accelerator Support

Cryptographic acceleration is available on some platforms, typically on hardware that has it available in the CPU like AES-NI, or built into the board such as the ones used on Netgate ARM-based systems. Most crypto accelerator hardware supported by FreeBSD will work, provided the drivers are in the kernel.

Activating the Hardware

Some hardware, such as CESA, is active at all times and there is no way to disable it short of removing the crypto card.

Others, such as AES-NI or SafeXcel require choosing the appropriate module under System > Advanced on the Miscellaneous tab. Choose the appropriate module to match the hardware for Cryptographic Hardware and then Save. The module will be loaded and available immediately.

To deactivate a loaded module, select None for Cryptographic Hardware, Save, and then reboot the system.

Verifying Support

To see a list of engines and associated transforms supported by the hardware and active modules though OpenSSL, run:

/usr/bin/openssl engine -t -c


That is only for support via OpenSSL. Other areas such as IPsec may support additional methods not listed.

Practical Use


IPsec will take advantage of cryptodev automatically when a supported cipher is chosen. For AES-NI, the optimal cipher choice is AES-GCM.


To take advantage of acceleration in OpenVPN, choose a supported cipher on each end of a given tunnel.

Nothing needs selected for OpenVPN to utilize AES-NI. The OpenSSL engine has its own code for handling AES-NI that works well without using the BSD Cryptodev Engine.