Setting the ssh management parameters, Configuring crypto engines, Overview – H3C Technologies H3C S12500-X Series Switches User Manual


Configuring crypto engines

Overview

Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following types:

Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed, which improves device processing efficiency. You can enable or disable hardware crypto engines globally as needed.

Software crypto engines—A software crypto engine is a set of software encryption algorithms. The device uses software crypto engines to encrypt and decrypt data for service modules. They are always enabled. You cannot enable or disable software crypto engines.

If you disable hardware crypto engines, the device uses only software crypto engines for data encryption/decryption. If you enable hardware crypto engines, the device preferentially uses hardware crypto engines. If the device does not support hardware crypto engines, or if the hardware crypto engines do not support the required encryption algorithm, the device uses software crypto engines for data encryption/decryption.

Crypto engines provide encryption/decryption services for service modules, for example, the IPsec module. When a service module requires data encryption/decryption, it sends the desired data to a crypto engine. After the crypto engine completes data encryption/decryption, it sends the data back to the service module.

Configuring hardware crypto engines

By default, hardware crypto engines are enabled. You can use the crypto-engine accelerator disable command to disable them globally. However, disabling hardware crypto engines can degrade the encryption or decryption performance. H3C recommends not disabling hardware crypto engines except for testing, debugging, or troubleshooting purposes.

Enabling or disabling hardware crypto engines affects different service modules differently. For example, for IPsec services, enabling or disabling hardware crypto engines affects only newly established IPsec SAs. The existing IPsec SAs still use the previously selected crypto engine for data encryption. H3C recommends using the reset ipsec sa command to delete all existing IPsec SAs before you enable or disable hardware crypto engines.

To configure hardware crypto engines:

Step 1. Enter system view.
    Command: system-view

Step 2. Disable or enable hardware crypto engines.
    To disable hardware crypto engines: crypto-engine accelerator disable
    To enable hardware crypto engines: undo crypto-engine accelerator disable
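
The engine selection rules and the IPsec SA behaviour described above can be modelled in a few lines. This is an added example, not H3C code or anything from the manual: the Device class, its method names and the algorithm labels are assumptions made for illustration. It shows why an SA established before the setting changes keeps its old engine until the SAs are reset.

```python
# Added illustration: a toy model of the behaviour described above, not H3C code.
class Device:
    def __init__(self, hw_algs):
        self.hw_algs = set(hw_algs)  # algorithms the hardware engine supports (constructed)
        self.hw_enabled = True       # manual: hardware crypto engines are enabled by default
        self.sas = {}                # SA id -> (algorithm, engine chosen at establishment)

    def select_engine(self, alg):
        """Prefer hardware when enabled and it supports alg; otherwise use software."""
        if self.hw_enabled and alg in self.hw_algs:
            return "hardware"
        return "software"

    def establish_sa(self, sa_id, alg):
        # The engine is selected once, when the SA is established.
        self.sas[sa_id] = (alg, self.select_engine(alg))

    def set_accelerator(self, enabled):
        # Models "crypto-engine accelerator disable" and its undo form:
        # only the global setting changes, existing SAs are left alone.
        self.hw_enabled = enabled

    def reset_ipsec_sa(self):
        # Models "reset ipsec sa": all existing SAs are deleted.
        self.sas.clear()

    def stale_sas(self):
        """IDs of SAs whose engine differs from what the current setting selects."""
        return sorted(sa for sa, (alg, eng) in self.sas.items()
                      if eng != self.select_engine(alg))


def demo():
    dev = Device(hw_algs={"alg-hw"})        # constructed algorithm labels
    dev.establish_sa("sa1", "alg-hw")       # hardware engine
    dev.establish_sa("sa2", "alg-sw-only")  # hardware lacks it: software fallback
    dev.set_accelerator(False)              # toggled without resetting SAs first
    stale = dev.stale_sas()                 # sa1 still uses the hardware engine
    dev.reset_ipsec_sa()                    # the reset the manual recommends doing beforehand
    dev.establish_sa("sa1", "alg-hw")       # re-established under the new setting
    return stale, dev.sas["sa1"][1], dev.stale_sas()


if __name__ == "__main__":
    print(demo())
```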
