This is a continuation on my previous post on the VIA ARTiGO A2000.

The other cool thing with the A2000 is the VIA PadLock technology on the VIA C7 processor.  One of the features is hardware support of AES encryption (which they call “ACE”, for “Advanced Cryptography Engine”).  (Use “cat /proc/cpuinfo | grep ace” to verify that your VIA processor supports this feature.)

On Linux, the padlock_aes module must be loaded by the kernel. Use lsmod | grep -i aes to see the AES-related modules. If you do have a VIA processor that supports VIA PadLock ACE, then you can use modprobe padlock-aes to load that kernel module, if available on your distribution.

Once the padlock_aes module is loaded, it can be used by programs such as OpenSSL. First, run openssl engine, and you should see output such as (padlock) VIA PadLock: RNG ACE2 PHE(8192) PMM that indicates that the VIA PadLock engine support has been compiled in. To see the difference with and without hardware encryption, for example, try running openssl speed -evp aes256. This tests the speed of using AES (256-bit key, cipher-block chaining mode) on different sizes. For example, my A2000 produced the following output:

The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      13803.13k    15889.66k    16591.13k    16856.27k    16793.60k

On the other hand, openssl speed -evp aes256 -engine padlock uses the hardware engine and produces the following results:

The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      74431.32k   231672.78k   494996.57k   692618.38k   782983.17k

Note the speedup of 45x under the last column! Using only the CPU, the rate of processing remains constant with larger blocks, but with hardware encryption, the CPU doesn’t need to do the encryption, so it is much faster.

To enable hardware encryption all of the time, change the openssl.cnf configuration file (for example, on Ubuntu and Debian, it is usually in /etc/ssl) by adding the following right before [new_oids] section:

# Padlock
#enable padlock engine by default:
openssl_conf = openssl_def

engines = openssl_engines

padlock = padlock_engine

default_algorithms = ALL

Then, openssl should use the padlock engine by default.

If you are running a webserver with SSL encryption (https:), Apache can also take advantage of hardware encryption. In the Apache configuration file, use SSLCryptoDevice padlock along with your other SSL directives to enable hardware encryption.

The ab (Apache Benchmark) program that usually comes with apache2 packages) can be used to benchmark the hardware encryption. Although a bit of an extreme example, a 400 KB file was used with 1000 requests and a concurrency level of 10 (10 requests at a time for a 400 KB file with a total of 1000 requests). Without using the padlock engine, the mean number of requests per second was 25.70. With the padlock engine, the mean requests per second increased to 48.44. Hence, if encryption is used on web servers, enabling hardware encryption helps performance.