[SERVER-21620] Add startup warning if ESE at-rest encryption enabled but CPU lacks hardware AES-NI support
Created: 23/Nov/15  Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Security
Affects Version/s: 3.2.0-rc3
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Kevin Pulo Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: rp-c
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to DOCS-6635 Add AES-NI requirement for 3.2 at-res... Closed
Assigned Teams:
Server Security
Participants:

 Description   

The ESE at-rest encryption feature takes advantage of OpenSSL's ability to use hardware AES acceleration ("AES-NI"), if available. However, this means that if AES-NI is not available, a software fallback will be used which will likely have a noticeably large impact on performance. Therefore, if the server is started with ESE at-rest encryption enabled, and the CPU lacks support for AES-NI instructions, then the server should alert the user with a startup warning.

Unfortunately, checking CPU capabilities may require platform-specific code. OpenSSL may have an abstraction that can do this, and return if AES-NI will be used. Otherwise, this will need to be checked manually, e.g. checking /proc/cpuinfo on Linux.
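
A sketch of the manual Linux check described above, added here as an illustration; it is not MongoDB code and not part of the original ticket. The function names `cpuinfoHasAesNi` and `aesStartupWarning` and the warning text are hypothetical, and the check assumes the x86 `flags` line format of /proc/cpuinfo.

```cpp
// Added example: Linux-only AES-NI check via /proc/cpuinfo (hypothetical names).
#include <fstream>
#include <iostream>
#include <istream>
#include <sstream>
#include <string>

// True only if every "flags" line lists "aes" as a whole token and at least
// one such line exists. Newer CPUs also report "vaes", so a substring search
// for "aes" would be wrong; tokens are compared exactly.
bool cpuinfoHasAesNi(std::istream& cpuinfo) {
    bool sawFlags = false;
    std::string line;
    while (std::getline(cpuinfo, line)) {
        const auto colon = line.find(':');
        if (colon == std::string::npos) continue;  // blank separator lines
        std::istringstream key(line.substr(0, colon));
        std::string name;
        key >> name;  // drops the tab padding before ':'
        if (name != "flags") continue;
        sawFlags = true;
        bool hasAes = false;
        std::istringstream flags(line.substr(colon + 1));
        for (std::string flag; flags >> flag;) {
            if (flag == "aes") hasAes = true;
        }
        if (!hasAes) return false;  // one core without it is enough to warn
    }
    return sawFlags;  // unreadable or flag-less input counts as "not detected"
}

// Returns the startup warning text, or an empty string when none is needed.
std::string aesStartupWarning(bool encryptionEnabled, std::istream& cpuinfo) {
    if (!encryptionEnabled || cpuinfoHasAesNi(cpuinfo)) return "";
    return "** WARNING: at-rest encryption is enabled but AES-NI was not "
           "detected; a slower software AES fallback will be used.";
}

int main() {
    std::ifstream cpuinfo("/proc/cpuinfo");
    // Encryption is assumed enabled here; a server would pass its own setting.
    const std::string warning = aesStartupWarning(true, cpuinfo);
    if (!warning.empty()) std::cerr << warning << std::endl;
    return 0;
}
```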

