Setting the ssh management parameters, Configuring crypto engines, Overview – H3C Technologies H3C S12500-X Series Switches User Manual

239

13B

Configuring crypto engines

146B

Overview

Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following

types:

•

Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or
hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed,

which improves device processing efficiency. You can enable or disable hardware crypto engines

globally as needed.

•

Software crypto engines—A software crypto engine is a set of software encryption algorithms. The
device uses software crypto engines to encrypt and decrypt data for service modules. They are

always enabled. You cannot enable or disable software crypto engines.

If you disable hardware crypto engines, the device uses only software crypto engines for data

encryption/decryption. If you enable hardware crypto engines, the device preferentially uses hardware

crypto engines. If the device does not support hardware crypto engines, or if the hardware crypto

engines do not support the required encryption algorithm, the device uses software crypto engines for
data encryption/decryption.
Crypto engines provide encryption/decryption services for service modules, for example, the IPsec

module. When a service module requires data encryption/decryption, it sends the desired data to a

crypto engine. After the crypto engine completes data encryption/decryption, it sends the data back to
the service module.

147B

Configuring hardware crypto engines

By default, hardware crypto engines are enabled. You can use the crypto-engine accelerator disable

command to disable them globally. However, disabling hardware crypto engines can degrade the
encryption or decryption performance. H3C recommends not disabling hardware crypto engines except

for testing, debugging, or troubleshooting purposes.
Enabling or disabling hardware crypto engines affects different service modules differently.
For example, for IPsec services, enabling or disabling hardware crypto engines affects only newly
established IPsec SAs. The existing IPsec SAs still use the previously selected crypto engine for data

encryption. H3C recommends using the reset ipsec sa command to delete all existing IPsec SAs before

you enable or disable hardware crypto engines.
To configure hardware crypto engines:

Step Command

1.

Enter system view.

system-view

2.

Disable or enable hardware crypto engines.

•

To disable hardware crypto engines:
crypto-engine accelerator disable

•

To enable hardware crypto engines:

undo crypto-engine accelerator disable