The Advanced Encryption Standard Instruction Set and the Intel Advanced Encryption Standard New Instructions allows specific Intel/AMD and other CPUs to do extremely fast hardware encryption and decryption.
Please note that the AES-NI support is automatically enabled if the detected processor is among the supported list as above. For a list of processors that support the AES-NI engine, see Intel ARK/AMD/ARM (vendor)/VIA padlock site and documentation. The AES-NI is an extension to the x86 instruction set architecture for microprocessors from Intel and AMD. It increases the speed of apps performing encryption and decryption using the AES. Several server and laptop vendors have shipped BIOS configurations with the AES-NI extension disabled. This page shows you how to check that your CPU supports AES-NI on Linux. You may need a BIOS update to enable AES/AES-NI or change the BIOS settings. The following CPUs are supported:
- nixCraft is a one-person operation. I create all the content myself, with no help from AI or ML. I keep the content accurate and up-to-date.
- Your privacy is my top priority. I don’t track you, show you ads, or spam you with emails. Just pure content in the true spirit of Linux and FLOSS.
- Fast and clean browsing experience. nixCraft is designed to be fast and easy to use. You won’t have to deal with pop-ups, ads, cookie banners, or other distractions.
- Support independent content creators. nixCraft is a labor of love, and it’s only possible thanks to the support of our readers. If you enjoy the content, please support us on Patreon or share this page on social media or your blog. Every bit helps.
- Intel Westmere/Westmere-EP (Xeon 56xx)/Clarkdale (except Core i3, Pentium and Celeron)/Arrandale(except Celeron, Pentium, Core i3, Core i5-4XXM).
- Intel Sandy Bridge cpus (except Pentium, Celeron, Core i3).
- Intel mobile Core i7 and Core i5.
- Intel Ivy Bridge processors All i5, i7, Xeon and i3-2115C only.
- Intel Haswell processors (all except i3-4000m, Pentium and Celeron).
- Intel Coffee Lake/Kaby Lake and so on
- AMD Bulldozer/Piledriver/Steamroller/Jaguar/Puma/Ryzen-based processors.
- AMD Geode LX processors.
- VIA PadLock (a different instruction set than Intel AES-NI but does the same thing at the end of the day).
- ARM – selected Allwinner and Broadcom using security processor. There are few more ARM based processor.
- Many latest Intel CPU supports AES-NI (Advanced Encryption) and enabled using BIO option.
| Tutorial details | |
|---|---|
| Difficulty level | Easy |
| Root privileges | Yes |
| Requirements | Linux terminal |
| Category | System Management |
| OS compatibility | AlmaLinux • Alpine • Arch • CentOS • Debian • Fedora • Linux • Mint • openSUSE • Pop!_OS • RHEL • Rocky • Stream • SUSE • Ubuntu |
| Est. reading time | 4 minutes |
How to find out AES-NI (Advanced Encryption) Enabled on Linux System
One can find out that the processor has the AES/AES-NI instruction set using the lscpu command:
# lscpu
Type the following grep command or egrep command to make sure that the processor has the AES instruction set and enabled in the BIOS:
# grep -o aes /proc/cpuinfo
OR
# grep -m1 -o aes /proc/cpuinfo
Fig.01: Linux Verify That Processor/CPU Has the AES-NI Instruction
Check if AES-NI is enabled on Linux with cpuid
Another option is to use the cpuid command as follows:
# cpuid | grep -i aes | sort | uniq
Here is what I see:
AES instruction = true
Finding out if Intel AES-NI instructions optimized kernel driver loaded or not
Run the lsmod command as follows:
# lsmod
# grep module /proc/crypto | grep -v kernel | sort | uniq
# lsmod | grep aes
aesni_intel 376832 12 crypto_simd 16384 1 aesni_intel
Here is how to display info about the aesni_intel module using the modinfo command:
# modinfo aesni_intel
Outputs:
filename: /lib/modules/5.15.0-76-generic/kernel/arch/x86/crypto/aesni-intel.ko alias: crypto-aes alias: aes license: GPL description: Rijndael (AES) Cipher Algorithm, Intel AES-NI instructions optimized srcversion: 486C3F2BBEC77B53BC642D6 alias: cpu:type:x86,ven*fam*mod*:feature:*0099* depends: crypto_simd retpoline: Y intree: Y name: aesni_intel vermagic: 5.15.0-76-generic SMP mod_unload modversions sig_id: PKCS#7 signer: Build time autogenerated kernel key sig_key: 3A:19:0A:D5:DA:BD:CA:AA:89:E6:3C:9F:C0:07:D0:ED:6D:FD:3C:22 sig_hashalgo: sha512 signature: 48:1F:C6:15:53:A0:32:B0:7B:16:0D:C1:E1:B2:05:3E:7A:55:77:15: 9C:63:6B:1C:16:52:64:B0:EC:7B:43:91:15:07:26:A8:44:19:19:A9: 46:D5:FC:DF:0C:20:34:47:40:B3:01:6C:91:62:75:C6:DE:E8:DA:86: 60:88:B4:DA:CF:F9:B3:01:DD:5B:1E:92:B5:C7:71:A0:C5:35:6C:D9: B4:CD:8D:FA:B4:1F:E3:69:D8:40:0B:97:FF:5C:99:7D:96:7C:DD:93: 5C:30:DE:29:6D:39:33:F8:31:26:3F:B6:FE:76:55:22:80:C3:2A:68: 80:66:0E:0E:14:80:BF:2C:01:99:E4:55:BF:51:18:B9:CE:85:AD:0E: 20:1F:31:46:9E:6E:40:70:F5:38:4C:56:EA:5E:DC:EF:CB:3A:6A:68: 95:85:C7:75:54:10:BA:53:73:3B:E8:EC:98:73:B4:76:56:E8:99:0E: AF:6C:34:49:7B:D2:04:F5:A9:85:AC:D2:6A:FF:35:EC:57:35:84:BC: 3E:AA:65:68:86:06:F5:0F:6E:D3:99:56:28:FA:EB:39:17:A0:18:E6: D2:29:3A:7E:A3:C6:90:66:35:E7:C7:E3:C4:7C:0B:5D:D6:D2:63:3E: 55:6B:D5:5F:0B:0B:DB:CD:21:BB:C6:B4:70:E2:44:6B:56:F1:77:C2: 72:D8:E6:5C:05:ED:E7:28:DC:4D:B8:94:09:AA:73:91:02:62:B8:C5: 0A:4D:FB:17:9F:D4:6A:64:1E:2B:6C:4C:60:96:F3:44:8D:84:EF:96: 5B:64:02:E9:92:34:B2:7E:56:F5:11:91:50:E5:CB:6B:C1:3F:46:88: 66:0D:BF:E5:F3:8F:39:90:CC:EF:20:9C:3C:C2:86:74:05:0E:A9:2F: 68:11:B5:2A:76:16:6A:5E:E6:B6:62:ED:CD:B5:04:37:52:9B:4D:8D: 12:89:36:74:AC:C6:60:1D:38:04:51:53:F3:2B:78:89:71:C7:37:C2: 15:0B:F1:60:D9:EE:CD:C5:EB:3F:D4:B0:99:6A:37:3C:98:27:D6:3E: 25:BA:24:BE:89:2F:BA:F5:1E:87:17:DB:D0:59:BA:8F:53:6F:33:4F: 80:14:D1:C6:BA:D6:7C:C1:72:4F:D6:A0:14:DE:0E:B4:66:E6:8F:24: A8:E1:0C:97:D0:E9:74:D4:68:AA:B6:99:1D:45:46:E9:30:86:85:99: 7E:B6:15:CD:CF:B2:11:F5:88:27:BB:39:1A:D7:1A:78:9E:74:85:17: 1C:9F:44:DD:58:23:62:92:E7:2E:8B:F4:BB:97:6F:A7:65:44:F8:DE: B3:A4:47:BF:89:CD:97:6F:B4:1C:16:86
How do I verify that all my CPU supports AES NI?
The output of the following two commands should be same:
# lscpu | grep '^CPU(s):'
32
And:
# grep -o aes /proc/cpuinfo | wc -l
32
Is Intel AES-NI instructions optimized driver loaded for my Linux server/laptop/desktop?
Type the following command to check for AES-NI support on your processor:
# sort -u /proc/crypto | grep module
Sample outputs:
module : aesni_intel
module : aes_x86_64
module : crc32_pclmul
module : crct10dif_pclmul
module : ghash_clmulni_intel
module : kernel
Is Intel AES-NI enabled for openssl enabled?
Now that we have verified support, it’s time to test it. Is my AES-NI/VIA padlock engine supported?
$ openssl engine
Sample outputs from VIA based cpu that supports the AES:
(padlock) VIA PadLock (no-RNG, no-ACE)
(dynamic) Dynamic engine loading support
Another output from Intel based system that support the AES-NI:
$ openssl engine
(aesni) Intel AES-NI engine
(dynamic) Dynamic engine loading support
Test: AES-NI CPU vs Normal CPU without the AES-NI/Packlock support
In this example, serverA has the AES-NI and serverB has no support for hardware encryption:
$ dd if=/dev/zero count=1000 bs=1M | ssh -l vivek -c aes128-cbc serverA "cat >/dev/null"
Password:
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 10.6691 s, 98.3 MB/s
And:
$ dd if=/dev/zero count=1000 bs=1M | ssh -l vivek -c aes128-cbc serverB "cat >/dev/null"
vivek@localhost's password:
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 31.6675 s, 33.1 MB/s
Test: How do I benchmark my openssl performance?
Again run the following commands on both the systems:
$ openssl speed
OR
$ openssl speed aes-128-cbc
For latest version of openssl, try the following two commands (the 2nd command should have higher ‘numbers’ than first (thanks EntropyZer0):
$ openssl speed aes-256-cbc
$ openssl speed -evp aes-256-cbc
Popular Linux or Unix/BSD applications that can benefit from the AES-NI from high speed ecryption/decryption
- dm-crypt for full-disk encryption on Linux.
- 7-Zip app.
- Google chrome and firefox browsers
- FreeBSD’s OpenCrypto API i.e aesni driver for zfs and other file systems.
- OpenSSL 1.0.1 and above.
- TrueCrypt 7.0 and above or VeraCrypt.
- Citrix XenClient 1.0 and above.
- Compilers such as GCC 4.4+, Intel C/C++ compiler 11.1+, Clang 3.3+ and more.
- Libraries for golang, java, NSS, openssl and more.
- Linux and BSD firewalls and vpn especially easy to use pfsense, ipcop and more.
- Operating system based on Linux, *BSD, Unix, Microsoft, Android, iOS, Apple OS X and more.
References
- Intel page about the Advanced Encryption Standard Instructions (AES-NI).
- Wikipedia page about the AES instruction set.
- For a list of Intel processors that support the AES-NI engine.
- For a list of AMD processors that support the AES-NI engine.
It seems like you’re running an outdated version of openssl:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1001424
Apparently, since 1.0.1 openssl doesn’t need a specific engine anymore to use the AES-NI-instructions; it has native support via evp
To test for AES-NI support in openssl 1.0.1 and newer, simply compare the output of these commands:
$ openssl speed aes-256-cbc$ openssl speed -evp aes-256-cbc
Second one should have considerably higher ‘numbers’ than first (for me it’s around x3 for larger blocks and up to nearly x6 for the smaller ones)
What’s -evp? Can’t find it in the man page…
Very helpfull article! Very clear! This is very important because if you have an processor with AES Instruction set but doesn’t benefit from it is wastefull…
i use:
#without AES-NI
OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-ecb
# with AES-NI (if supported)
openssl speed -elapsed -evp aes-128-ecb
Thanks for all your work, Vivek. While prepping a template of a Ubuntu 22.04 LTS server I’m making heavy use of your content.