HP MSR2000/3000/4000 Router Series Security Configuration Guide

Configuring crypto engines
Overview
Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following
types:
Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU.
Hardware crypto engines can accelerate encryption/decryption speed, improving device
processing efficiency. You can enable or disable hardware crypto engines globally as required.
Software crypto engines—A software crypto engine is a set of software encryption algorithms. The
device uses software crypto engines to encrypt and decrypt data for service modules. You cannot
enable or disable software crypto engines. They are always enabled.
If you disable hardware crypto engines, the device uses only software crypto engines for data
encryption/decryption. If you enable hardware crypto engines, the device preferentially uses hardware
crypto engines. If the device does not support hardware crypto engines, or the hardware crypto engines
do not support the required encryption algorithm, the device uses software crypto engines for data
encryption/decryption.
Crypto engines provide encryption/decryption services for service modules. When a service module
requires data encryption/decryption, it sends the desired data to a crypto engine. After the crypto
engine completes data encryption/decryption, it sends the data back to the service module.
Configuring hardware crypto engines
By default, hardware crypto engines are enabled. You can use the crypto-engine accelerator disable
command to disable them globally. However, disabling hardware crypto engines might degrade the
encryption/decryption performance. HP recommends not disabling hardware crypto engines unless you
do it for test, debugging, or troubleshooting purposes.
How enabling or disabling hardware crypto engines affects a service module depends on the service
module. For example, for IPsec services, enabling or disabling hardware crypto engines affects only
newly established IPsec SAs. The existing IPsec SAs still use the previously selected crypto engine for data
encryption. In this case, HP recommends that you use the reset ipsec sa command to delete all existing
IPsec SAs before you enable or disable hardware crypto engines, so the newly established IPsec SAs can
use the newly selected crypto engine.
To configure hardware crypto engines:
Step                                            Command
1. Enter system view.                           system-view
2. Disable or enable hardware crypto engines.   To disable hardware crypto engines:
                                                crypto-engine accelerator disable
                                                To enable hardware crypto engines:
                                                undo crypto-engine accelerator disable
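
The following is an added example, not part of the HP guide: a Python check that reads saved configuration or command-history text and reports devices where hardware crypto engines were left disabled, for instance after troubleshooting. It assumes that the crypto-engine accelerator disable setting appears as its own line in that text; the device names and sample configurations are constructed.

```python
import re

DISABLE_CMD = "crypto-engine accelerator disable"  # command from the guide
ENABLE_CMD = "undo " + DISABLE_CMD                 # its negation, from the guide


def hardware_engines_enabled(config_text):
    """Return True if hardware crypto engines end up enabled once the
    commands in config_text have been applied in order."""
    enabled = True  # the guide states that hardware crypto engines are on by default
    for raw in config_text.splitlines():
        # Normalise indentation, repeated spaces and case before comparing.
        line = re.sub(r"\s+", " ", raw.strip()).lower()
        if not line or line.startswith("#"):
            continue  # assumption: "#" lines are separators or comments
        if line == ENABLE_CMD:
            enabled = True
        elif line == DISABLE_CMD:
            enabled = False  # device falls back to software crypto engines only
    return enabled


def audit(configs):
    """Map device name -> finding for each device left on software-only crypto."""
    return {
        name: "hardware crypto engines disabled; software engines only"
        for name, text in sorted(configs.items())
        if not hardware_engines_enabled(text)
    }


# Constructed sample inputs (not taken from any real device).
SAMPLE_CONFIGS = {
    # Saved configuration with the accelerator left disabled.
    "rtr-a": "#\n sysname RTR-A\n#\n crypto-engine accelerator disable\n#\n",
    # Saved configuration with no override: the default (enabled) applies.
    "rtr-b": "#\n sysname RTR-B\n#\n",
    # Command history: disabled for a test, then re-enabled afterwards.
    "rtr-c": "crypto-engine accelerator disable\n"
             "undo crypto-engine accelerator disable\n",
}

if __name__ == "__main__":
    for device, finding in audit(SAMPLE_CONFIGS).items():
        print(f"{device}: {finding}")
```

Because existing IPsec SAs keep the engine they were established with, a clean result from this check does not show that every active SA is using a hardware crypto engine.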