R0106-HP MSR Router Series Security Configuration Guide(V7)
Configuring crypto engines
In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024,
MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
Overview
Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following
types:
• Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or
hardware crypto card. Hardware crypto engines accelerate encryption and decryption,
which improves device processing efficiency. You can enable or disable hardware crypto engines
globally as needed.
• Software crypto engines—A software crypto engine is a set of software encryption algorithms. The
device uses software crypto engines to encrypt and decrypt data for service modules. They are
always enabled. You cannot enable or disable software crypto engines.
If you disable hardware crypto engines, the device uses only software crypto engines for data
encryption/decryption. If you enable hardware crypto engines, the device preferentially uses hardware
crypto engines. If the device does not support hardware crypto engines, or if the hardware crypto
engines do not support the required encryption algorithm, the device uses software crypto engines for
data encryption/decryption.
Crypto engines provide encryption/decryption services for service modules, for example, the IPsec
module. When a service module requires data encryption/decryption, it sends the desired data to a
crypto engine. After the crypto engine completes data encryption/decryption, it sends the data back to
the service module.
Configuring hardware crypto engines
By default, hardware crypto engines are enabled. You can use the crypto-engine accelerator disable
command to disable them globally. However, disabling hardware crypto engines can degrade
encryption and decryption performance. HP recommends that you disable hardware crypto engines only
for testing, debugging, or troubleshooting purposes.
Enabling or disabling hardware crypto engines affects different service modules differently. For example,
for IPsec services, enabling or disabling hardware crypto engines affects only newly established IPsec
SAs. The existing IPsec SAs still use the previously selected crypto engine for data encryption. HP
recommends that you use the reset ipsec sa command to delete all existing IPsec SAs before you enable
or disable hardware crypto engines.
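The engine selection rule from the overview and the IPsec SA behavior described above can be modelled as follows. This is an added example, not HP code: the Device class, the tunnel names, and the hardware algorithm set are constructed assumptions, not the capabilities of any MSR model.

```python
from dataclasses import dataclass, field

# Constructed sample: algorithms the modelled hardware engine supports.
HW_ALGORITHMS = frozenset({"aes-cbc-128", "sha1"})

@dataclass
class Device:
    hw_present: bool = True
    hw_enabled: bool = True                  # the guide's default: enabled
    sas: dict = field(default_factory=dict)  # SA name -> (algorithm, engine)

    def select_engine(self, algorithm):
        # Hardware is preferred; software is the fallback when hardware is
        # disabled, absent, or lacks the required algorithm.
        if self.hw_enabled and self.hw_present and algorithm in HW_ALGORITHMS:
            return "hardware"
        return "software"

    def establish_sa(self, name, algorithm):
        # The engine is chosen once, when the SA is established.
        self.sas[name] = (algorithm, self.select_engine(algorithm))

    def reset_ipsec_sa(self):
        # Models "reset ipsec sa": all existing SAs are deleted.
        self.sas.clear()

    def engines(self):
        return {name: engine for name, (_, engine) in self.sas.items()}

def disable_hardware(reset_first):
    """Disable hardware engines with or without clearing SAs first."""
    dev = Device()
    tunnels = {"branch-1": "aes-cbc-128", "branch-2": "3des-cbc"}
    for name, alg in tunnels.items():
        dev.establish_sa(name, alg)
    if reset_first:
        dev.reset_ipsec_sa()
    dev.hw_enabled = False                   # crypto-engine accelerator disable
    if reset_first:
        for name, alg in tunnels.items():    # peers renegotiate
            dev.establish_sa(name, alg)
    dev.establish_sa("branch-3", "aes-cbc-128")  # new SA after the change
    return dev.engines()

if __name__ == "__main__":
    print("no reset:   ", disable_hardware(reset_first=False))
    print("reset first:", disable_hardware(reset_first=True))
```

Without the reset, the model leaves one SA on the hardware engine while the others use software, which is the mixed state the recommendation avoids.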
To configure hardware crypto engines:
Step                          Command
1. Enter system view.         system-view