#aesni — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #aesni, aggregated by home.social.

  1. @marcan @lanodan the only cases where one would need even more Power are setups like High-Bandwidth #VPN Gateways like some huge #pfSense if one needs 40+ GBit/s throughput on #OpenVPN or #WireGuard.

    Mind you that #LUKS - aside from the encryption of the key in the header, uses #AES256 by default for a long time and is pretty efficient even prior to #AESni.

    So no, in most cases the impact is purely synthetic and not really of any impact...

  2. @marcan @lanodan depends.

    #AESni will give you at least 2GByte/s per thread & core so unless you put a pair of PCIe 5.0 x4 NVMes on a board with only a CPU that has 4C/8T, you shouldn't be able to measure much of a performance loss.

    Especially since that worst-case doesn't even exist AFAIK nor would it make sense.

    It would be a different story if #LUKS were to use something like #RSA or other public/private asymmetric crypto for the actual data encryption.

  3. Why on earth did #intel remove the constant time property of a cryptographic instruction? #aesni should protect against side channel attacks and as it’s primarily built for the cryptographic algorithm #aes it should respect the needs of #cryptography. Otherwise it could be possible to exfiltrate keys by measuring the execution time. I hope most cryptographic engineers are aware of this change in the latest microarchitectures.
    phoronix.com/review/intel-doit

  4. @lcruggeri @DosFox pretty nifty SoC.

    I built a custom #pfSense with that in 2017.

    Sadly shortly after, #AESni became necessary for #pfSense 2.4 which sadly obsoleted it.

    Needless to say if you just need a little #Linux #Box to "fuck around and find out" and tinker with as a "server" to learn on or use some lightweight distro like #BunsenLabs or #RaspberryPiOS that should be still useful for most people.