What is AES Hardware Encryption Acceleration on NAS Servers

AES Hardware Encryption Acceleration on NAS Servers

Hardware encryption acceleration is a very important feature in NAS servers and in our PCs, thanks to this feature the encryption and decryption process with the AES symmetric encryption algorithm is carried out through instructions in the processor, allowing greater performance than if you did it directly at the software operating system level. AES (Advanced Encryption Standard) is currently the most widely used symmetric encryption, for this reason, all processors incorporate this encryption acceleration. Today in this article we are going to explain in detail what hardware encryption acceleration is, how it works and how it improves the performance of our NAS server.

What is AES and what does AES-NI stand for?

AES (Advanced Encryption Standard) is a block encryption scheme that is currently the encryption standard throughout the world, since 2006 it has established itself as the most widely used symmetric encryption algorithm in the world. This symmetric encryption algorithm has a fixed block size of 128 bits, and key length sizes of 128, 192, and 256 bits. Currently, AES is considered a secure symmetric encryption algorithm, although there are AES encryption modes that are more secure than others, in addition to providing additional characteristics to confidentiality, such as authenticity (integrity) if we use GCM (Galois Counter Mode) already which is AEAD (Authenticated Encryption with Associated Data). In addition, the GCM encryption mode in AES enables higher performance by allowing data to be managed in parallel.

Processor manufacturers such as Intel, AMD or ARM have integrated the AES instruction set within their processors, with the aim of greatly improving performance in data encryption and decryption work, making the speed of reading and writing is clearly very high compared to another processor that does not have this feature. This set of AES instructions is popularly called AES-NI (Advanced Encryption Standard New Instructions) or simply hardware encryption acceleration, to indicate that a specific processor supports this technology.

Intel and AMD processors compatible with AES-NI

AES-NI is an extension of the instruction set in X86 architectures that allows us to greatly increase the speed of data encryption and decryption. In most cases this functionality is enabled by default in the computer’s BIOS, however, it is advisable to check if we have this functionality enabled in the BIOS. In some cases with older computers, the BIOS does not support this option, so it is advisable to review our version and update it whenever possible.

Currently all the new processors that come out on the market, except the lowest-end ARM-based ones, are compatible with AES-NI, however, it is always advisable to visit the official website of the different manufacturers to know first-hand if a processor in Specifically supports hardware encryption acceleration. For example, for many years now, all Intel and AMD processors have this technology that is so important today, and it is that we can greatly accelerate the performance in reading and writing when we are dealing with data encrypted with AES, in addition, the load of CPU for performing this operation is really low compared to a processor that does not support this function.

How can I tell if my NAS server supports hardware encryption acceleration?

When we buy a NAS server, normally on the official website of the manufacturer it indicates whether it supports hardware encryption acceleration or not, however, it would always be advisable to look at which processor this NAS server has, and enter the official website of the processor manufacturer and verify reliably if it really supports AES-NI or hardware encryption acceleration, to clear any doubt about it. We are going to give you two clear examples of NAS servers that support hardware encryption acceleration, one with an Intel processor and the other with an AMD processor.

If we go to the official website of the QNAP TVS-h1288X model, we can see that this NAS server does incorporate AES-NI encryption engine, therefore, we have hardware encryption acceleration.

This NAS server incorporates an Intel Xeon W-1250 processor, if we go to the official Intel website we can verify that it effectively supports the “New instructions from AES Intel”, therefore, we can affirm that this processor does support hardware encryption acceleration .

In the case of the QNAP TS-473A NAS server, which is lower-end than the previous one, it incorporates an AMD Ryzen V1500B processor, according to the official QNAP website we will also have AES-NI hardware encryption acceleration, therefore, we will achieve a great performance when encrypting and decrypting information.

If we go to the official website of the AMD Ryzen V1500 processor family, we can see in the security section that it has different features related to data encryption and security, however, it does not clearly indicate that it has AES-NI.

If we go to any processor comparison website, we can see that it does support AES-NI, as you can see below:

Today all Intel and AMD processors that come out on the market, even if they are entry-level, have AES-NI hardware encryption acceleration, because it is a very necessary functionality today, so we will explain below.

Why do I need a NAS server with hardware encryption acceleration?

NAS servers allow us to store all the information in them, if we want to take security measures to have confidentiality, it is essential to encrypt all the data, either encrypted once it is on the hard drive, or encrypted in communications with the NAS server . In this way, we can be sure that our data cannot be read without the master password that decrypts that data.

Volume and folder encryption

NAS servers through their operating systems allow you to configure encryption of volumes and also folders , for example, in the case of QNAP we can encrypt (encrypt) an entire volume, in order to protect the information as much as possible in the event that it is remove the hard drive or have the NAS physically stolen. In this way, all the data that we copy to that volume will be encrypted and decrypted on the fly, making the processor take care of this task. If we have a processor with AES-NI we will notice that everything is going perfectly and we do not have any type of bottleneck, in addition, we will be able to see that the CPU use does not go up to values of 90% or 100% when we are transferring files. If we did not have this feature, we would see the main processor of the NAS server explode at 100% use, and the read and write performance is clearly lower, because we will have a bottleneck due to this data encryption / decryption.

At any time we can block access to this encrypted volume, change the password and other encrypted volume management options:

Another interesting feature is that we can encrypt a folder only, it is not necessary to encrypt the entire volume. In this case, we will also make use of the popular AES symmetric encryption algorithm for the encryption and decryption task of the data. If we have a processor with AES-NI, we can have the same performance as if the folder were not encrypted, in this way, it will always be advisable to encrypt all the content.

As you can see, we have the ability to encrypt only one folder, however, our recommendation is to use volume encryption directly.

SMB 3.0 – Encrypted Local Network Transfers

The latest SMB 3.0 protocol not only allows us to perform secure authentication using encryption, but all data transfer from a source to a destination can be encrypted, making use of the symmetric AES encryption algorithm. If the NAS server supports the hardware encryption acceleration feature, we can see that the performance we will get is the same or almost the same as if we used SMB 2.0 that does not use data encryption.

Thanks to the incorporation of AES-NI, we will be able to protect all our communications in the local network, with the objective that, if someone is able to capture the information, they cannot decrypt it, maintaining our privacy.

FTPES: FTP protocol with data encryption

The secure FTP protocol, or also known as FTPES, also clearly benefits from this very important feature of NAS servers. FTPES makes use of the TLS 1.2 or TLS 1.3 protocols for the control channel, however, for the data channel where we are going to transfer all the information it generally uses AES-GCM, although depending on the configuration of the FTPES server this could change. Configuration on a QNAP NAS server is as simple as clicking “FTP with SSL / TLD (Explicit)” to activate this important functionality.

When we go to connect to the FTPES server with programs like FileZilla, we can see that the communication is fully encrypted. It will show us the digital certificate that we have had to configure, or that the NAS server has automatically configured for us. We can see that a 2048-bit RSA public key algorithm has been used with SHA256 as the signature. It will indicate that the communication session has been carried out using TLS 1.2 with a specific cryptographic suite, and that the data encryption for the exchange of information is AES-128-GCM, therefore, we have AEAD as we have explained previously.

In FileZilla a padlock will appear at the bottom right, indicating that the connection is encrypted and secure.

SFTP – SSH-based protocol with encryption

The SFTP protocol is based on SSH, it will allow us to exchange files to authenticate ourselves with the server in a secure way using all the cryptographic protocols of SSH. This protocol is widely used because it is only necessary to open one port, through which all communication flows. In this case, the SFTP server configuration must be done through the SSH section, as you can see below:

By connecting with a program like FileZilla to this SFTP server, it will tell us the different algorithms it has used. For example, the key exchange has been done with ECDH with Curve25519, using a SHA-256 hash. The server key is RSA 3072 bits, and the data encryption is done through AES-256-GCM, which will allow us to transfer data at a very high speed.

At the bottom right of FileZilla you can also see a padlock indicating that the communication is secure.

Highest performance VPN server

Most NAS servers have VPN servers to connect us securely and remotely to the local network. If our NAS incorporates AES-NI and we use protocols such as OpenVPN which is based on TLS, we can achieve greater bandwidth for downloading or uploading files. In our tests we have verified that a NAS with hardware encryption acceleration such as the QNAP TS-1277 is capable of providing up to 500Mbps of symmetric speed, however, if it did not have hardware encryption acceleration the performance would be approximately 100Mbps, such and as is currently the case with routers that integrate a VPN and do not have hardware encryption acceleration. If your NAS server does not support AES-NI, a good alternative may be to use WireGuard, this secure VPN protocol is much faster than OpenVPN or IPsec IKEv2, so it is highly recommended.

As you can see, today it is essential that a NAS server has hardware encryption acceleration, in addition, it is also highly recommended that our PCs incorporate this important functionality, in order to take full advantage of the speed of local networks that today they are already Multigigabit (2.5G onwards).