Configuring Crypto Engines; Overview; Command And Hardware Compatibility; Configuring Hardware Crypto Engines - HP MSR Series Configuration Manual

Configuring crypto engines

Overview

Crypto engines encrypt and decrypt data for service modules. Crypto engines include the following
types:
•
Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU
or hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed,
which improves device processing efficiency. You can enable or disable hardware crypto
engines globally as needed.
•
Software crypto engines—A software crypto engine is a set of software encryption algorithms.
The device uses software crypto engines to encrypt and decrypt data for service modules. They
are always enabled. You cannot enable or disable software crypto engines.
If you disable hardware crypto engines, the device uses only software crypto engines for data
encryption/decryption. If you enable hardware crypto engines, the device preferentially uses
hardware crypto engines. If the device does not support hardware crypto engines, or if the hardware
crypto engines do not support the required encryption algorithm, the device uses software crypto
engines for data encryption/decryption.
Crypto engines provide encryption/decryption services for service modules, for example, the IPsec
module. When a service module requires data encryption/decryption, it sends the desired data to a
crypto engine. After the crypto engine completes data encryption/decryption, it sends the data back
to the service module.

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:
•
MSR1002-4/1003-8S.
•
MSR2003.
•
MSR2004-24/2004-48.
•
MSR3012/3024/3044/3064.
•
MSR954(JH296A/JH297A/JH299A)
Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

Configuring hardware crypto engines

By default, hardware crypto engines are enabled. You can use the crypto-engine accelerator
disable command to disable them globally. However, disabling hardware crypto engines can
degrade the encryption or decryption performance. Hewlett Packard Enterprise recommends not
disabling hardware crypto engines except for testing, debugging, or troubleshooting purposes.
Enabling or disabling hardware crypto engines affects different service modules differently. For
example, for IPsec services, enabling or disabling hardware crypto engines affects only newly
established IPsec SAs. The existing IPsec SAs still use the previously selected crypto engine for
data encryption. Hewlett Packard Enterprise recommends that you use the reset ipsec sa
command to delete all existing IPsec SAs before you enable or disable hardware crypto engines.
To configure hardware crypto engines:
555