Leveraging Built-in Processor Instruction Sets

Learn about the built-in processor instruction sets including AES-NI and Intel RDRAND.

AES-NI

The Advanced Encryption Standard New Instructions (AES-NI) instruction set is designed to improve the speed of encryption and decryption using AES. Some newer processors come with AES-NI, which can be enabled on a per-server basis. If you are uncertain whether AES-NI is available on a device, run the following command to verify:
grep -o aes /proc/cpuinfo
To determine whether the AES-NI kernel module is loaded, run the following command:
sudo lsmod | grep aesni

If the CPU supports AES-NI but the kernel module is not loaded, see your operating system documentation for instructions on installing the aesni-intel module.

Intel RDRAND

The Intel RDRAND instruction set, along with its underlying Digital Random Number Generator (DRNG), is useful for generating keys for cryptographic protocols without using haveged.

To determine whether the CPU supports RDRAND, run the following command:
grep -o rdrand /proc/cpuinfo
To enable RDRAND, install rng-tools version 4 or higher:
  1. Download the source code:
    sudo wget http://downloads.sourceforge.net/project/gkernel/rng-tools/4/rng-tools-4.tar.gz
  2. Extract the source code:
    tar xvfz rng-tools-4.tar.gz
  3. Enter the rng-tools-4 directory:
    cd rng-tools-4
  4. Run ./configure.
  5. Run make.
  6. Run make install.
Start rngd with the following command:
sudo rngd --no-tpm=1 -o /dev/random