Configuring crypto engines
About crypto engines
Crypto engines encrypt and decrypt data for service modules.
Crypto engine types
Crypto engines include the following types:
· Hardware crypto engines—A hardware crypto engine is a coprocessor integrated on a CPU or hardware crypto card. Hardware crypto engines can accelerate encryption/decryption speed, which improves device processing efficiency. You can enable or disable hardware crypto engines globally as needed. By default, hardware crypto engines are enabled.
· Software crypto engines—A software crypto engine is a set of software encryption algorithms. The device uses software crypto engines to encrypt and decrypt data for service modules. They are always enabled. You cannot enable or disable software crypto engines.
Crypto engine processing mechanism
If you disable hardware crypto engines, the device uses only software crypto engines for data encryption/decryption. If you enable hardware crypto engines, the device preferentially uses hardware crypto engines. If the device does not support hardware crypto engines, or if the hardware crypto engines do not support the required encryption algorithm, the device uses software crypto engines for data encryption/decryption.
Crypto engines provide encryption/decryption services for service modules, for example, the IPsec module. When a service module requires data encryption/decryption, it sends the desired data to a crypto engine. After the crypto engine completes data encryption/decryption, it sends the data back to the service module.
Enabling the GM-capable hardware crypto engine for GM algorithms
About this task
By default, the device uses software crypto engines for data encryption/decryption by GM algorithms, including the SM2, SM3, and SM4 algorithms. That is, the system uses its own software algorithms for data encryption/decryption, which consumes system resources and is less efficient. When a GM-capable hardware crypto engine is installed on the device, you can perform this task to enable the hardware crypto engine for a specific GM algorithm. Data encryption/decryption by that GM algorithm then no longer consumes system resources, which improves device processing efficiency.
Procedure
1. Enter system view.
system-view
2. Enable the GM-capable hardware crypto engine for GM algorithms.
crypto-engine accelerator enable gm-algorithm { sm2 | sm3 | sm4 } *
By default, the GM-capable hardware crypto engine is disabled for GM algorithms.
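The following added example (not part of the original guide or vendor code) models the engine selection described under "Crypto engine processing mechanism" together with the GM default above, and audits a saved configuration for GM algorithms that still run in software. It assumes the saved configuration shows the command as typed in step 2; the sample configuration, the function names, and the `hw_algs` capability set are constructed for illustration.

```python
import re

GM_ALGS = ("sm2", "sm3", "sm4")
# Command keywords are taken from step 2 of the procedure on this page.
GM_CMD = re.compile(r"^\s*crypto-engine accelerator enable gm-algorithm\s+(.+)$")

# Constructed sample configuration (assumption: the command is saved as typed).
SAMPLE_CONFIG = """\
#
 sysname RouterA
#
 crypto-engine accelerator enable gm-algorithm sm3 sm4
#
"""

def gm_accelerated(config_text):
    """Return the GM algorithms the configuration offloads to hardware."""
    enabled = set()
    for line in config_text.splitlines():
        match = GM_CMD.match(line)
        if not match:
            continue
        for token in match.group(1).split():
            if token not in GM_ALGS:
                raise ValueError(f"unexpected GM algorithm keyword: {token!r}")
            enabled.add(token)
    return enabled

def select_engine(alg, hw_globally_enabled, hw_algs, gm_enabled):
    """Model of the selection order this page describes, for one algorithm."""
    if not hw_globally_enabled:
        return "software"   # hardware engines disabled: software only
    if alg not in hw_algs:
        return "software"   # no hardware engine, or algorithm not supported
    if alg in GM_ALGS and alg not in gm_enabled:
        return "software"   # GM offload is disabled by default
    return "hardware"       # hardware is preferred when usable

def audit(config_text, hw_globally_enabled=True, hw_algs=frozenset()):
    """Map each GM algorithm to the engine expected to process it."""
    gm_enabled = gm_accelerated(config_text)
    return {alg: select_engine(alg, hw_globally_enabled, hw_algs, gm_enabled)
            for alg in GM_ALGS}

if __name__ == "__main__":
    # hw_algs is an assumption about what the installed engine supports.
    print(audit(SAMPLE_CONFIG, hw_algs={"sm2", "sm3", "sm4"}))
```

On a live device, compare the result with the output of `display crypto-engine accelerator gm-algorithm status`.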
Restrictions: Hardware compatibility with crypto engines
| Hardware | Crypto engine compatibility |
|---|---|
| MSR610 | Yes |
| MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-CNDE-SJK, MSR810-EI, MSR810-LM-EA, MSR810-LM-EI | Yes |
| MSR810-LMS, MSR810-LUS | Yes |
| MSR810-SI, MSR810-LM-SI | Yes |
| MSR810-LMS-EA, MSR810-LME | Yes |
| MSR1004S-5G, MSR1004S-5G-CN | Yes |
| MSR1104S-W, MSR1104S-W-CAT6, MSR1104S-5G-CN, MSR1104S-W-5G-CN, MSR1104S-W-5GGL | Yes |
| MSR2600-6-X1, MSR2600-15-X1, MSR2600-15-X1-T, MSR2600-15-X1-XS | Yes |
| MSR2600-10-X1 | Yes |
| MSR2630-G-X1 | Yes |
| MSR2630 | Yes |
| MSR3600-28, MSR3600-51 | Yes |
| MSR3600-28-SI, MSR3600-51-SI | Yes |
| MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP | Yes |
| MSR3600-28-G-DP, MSR3600-51-G-DP | Yes |
| MSR3600-28-G-X1-DP, MSR3600-51-G-X1-DP | Yes |
| MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD, MSR-EAD-AK770, MSR3610-I-IG, MSR3610-IE-IG | Yes |
| MSR-iMC | Yes |
| MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC, MSR3620-X1, MSR3640-X1 | Yes |
| MSR3610, MSR3620, MSR3620-DP, MSR3640, MSR3660 | Yes |
| MSR3610-G, MSR3620-G | No |
| MSR3640-G | Yes |
| MSR3640-X1-HI | Yes |

| Hardware | Crypto engine compatibility |
|---|---|
| MSR810-W-WiNet, MSR810-LM-WiNet | Yes |
| MSR830-4LM-WiNet | Yes |
| MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet | Yes |
| MSR830-6BHI-WiNet, MSR830-10BHI-WiNet | Yes |
| MSR2600-6-WiNet | Yes |
| MSR2600-10-X1-WiNet | Yes |
| MSR2630-WiNet | Yes |
| MSR3600-28-WiNet | Yes |
| MSR3610-X1-WiNet | Yes |
| MSR3620-X1-WiNet | Yes |
| MSR3610-WiNet, MSR3620-10-WiNet, MSR3620-DP-WiNet, MSR3620-WiNet, MSR3660-WiNet | Yes |

| Hardware | Crypto engine compatibility |
|---|---|
| MSR860-6EI-XS | Yes |
| MSR860-6HI-XS | Yes |
| MSR2630-XS | Yes |
| MSR3600-28-XS | Yes |
| MSR3610-XS | Yes |
| MSR3620-XS | Yes |
| MSR3610-I-XS | Yes |
| MSR3610-IE-XS | Yes |
| MSR3620-X1-XS | Yes |
| MSR3640-XS | Yes |
| MSR3660-XS | Yes |

| Hardware | Crypto engine compatibility |
|---|---|
| MSR810-LM-GL | Yes |
| MSR810-W-LM-GL | Yes |
| MSR830-6EI-GL | Yes |
| MSR830-10EI-GL | Yes |
| MSR830-6HI-GL | Yes |
| MSR830-10HI-GL | Yes |
| MSR1004S-5G-GL | Yes |
| MSR2600-6-X1-GL | Yes |
| MSR3600-28-SI-GL | Yes |

Display and maintenance commands for crypto engines
Execute display commands in any view and reset commands in user view.
| Task | Command |
|---|---|
| Display crypto engine information. | display crypto-engine |
| Display the enabling status of the GM-capable hardware crypto engine for GM algorithms. | display crypto-engine accelerator gm-algorithm status |
| Display crypto engine statistics. | In standalone mode: display crypto-engine statistics [ engine-id engine-id ] In IRF mode: display crypto-engine statistics [ engine-id engine-id slot slot-number ] |
| Clear crypto engine statistics. | In standalone mode: reset crypto-engine statistics [ engine-id engine-id ] In IRF mode: reset crypto-engine statistics [ engine-id engine-id slot slot-number ] |
