Checking Whether AES-NI Is Supported by the CPU in Linux

Last updated: March 18, 2024

Reviewed by: Korbin Brown

1. Overview

In today’s digital age, data security is paramount. One of the main techniques for protecting data from unauthorized access is encrypting sensitive information. The Advanced Encryption Standard (AES) is a widely adopted encryption algorithm, known for its robust security.

To enhance the performance of AES encryption and decryption operations, modern CPUs come equipped with a feature known as AES-NI (Advanced Encryption Standard New Instructions).

In this tutorial, we’ll explore how to determine if AES-NI is supported by the CPU in a Linux environment.

2. Understanding AES-NI

Before we dive into the process of checking for AES-NI support, it’s essential to understand what AES-NI is and why it matters.

AES-NI is an extension to the x86 instruction set architecture that was first introduced by Intel in 2010 with the Westmere microarchitecture. Later, AMD incorporated support for AES-NI in its processors as well. These instructions provide hardware acceleration for the AES algorithm, which is used in various encryption and decryption operations.

The AES-NI significantly speeds up cryptographic tasks by offloading the work to dedicated hardware instructions, thereby reducing the CPU load and improving performance. This is particularly valuable in scenarios where encryption and decryption are frequent, such as secure communications and data storage.

3. Checking for AES-NI Support

To check whether the CPU supports AES-NI in a Linux environment, we can use various methods and command-line tools. We’ll examine a few of them in this section.

3.1. Using cpuid

cpuid is a specialized command-line tool for querying CPU information. The cpuid command extracts information about the CPU’s features and capabilities, including AES-NI support.

To use cpuid, we may need to install it first if it’s not already available on our system:

$ sudo apt-get install cpuid

Once installed, we can use cpuid along with grep -i aes to search for aes in a case-insensitive manner for checking AES-NI support:

$ cpuid | grep -i aes
      AES instruction                         = true
      VAES instructions                        = false

The command output indicates that the CPU supports AES instructions, which are hardware instructions for accelerating AES encryption and decryption operations, but the CPU does not support VAES instructions.

3.2. Using grep in /proc/cpuinfo

Another way to check for AES-NI support is by utilizing grep in  /proc/cpuinfo file. This file is a rich source of CPU-related information.

Let’s use grep along with -o to filter a matched part (aes) for AES-NI support identification:

$ grep -o aes /proc/cpuinfo
aes
aes
aes
aes

In the above command, grep scans the /proc/cpuinfo file for instances of the aes keyword and outputs them. If AES-NI is not supported, there will be no output.

3.3. Using lscpu

The lscpu command provides detailed information about the CPU, including its features and capabilities.

Let’s check if the CPU supports AES-NI using lscpu along with grep:

$ lscpu | grep -i aes
Flags:                           ... sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad ...

Seeing the aes flag in the Flags section indicates support for AES-NI from the command output.

4. What to Do if the CPU Doesn’t Support AES-NI

If the methods mentioned above do not reveal AES-NI support on the CPU, it means the processor lacks a specific hardware acceleration feature. While AES-NI can provide substantial performance benefits in certain scenarios, many modern CPUs can still handle encryption and decryption tasks without it. In such cases, the CPU will rely on software-based encryption methods, which may be slightly slower but still secure.

5. Conclusion

In this article, we explored various Linux command-line methods for checking whether our CPU supports AES-NI.

We explored multiple methods, including using tools like cpuid, using grep in /proc/cpuinfo file, and lscpu, to check for AES-NI support. These methods can help us identify whether the CPU benefits from hardware acceleration for AES operations and also empower us to make informed decisions regarding data security and performance.

If our CPU does not support AES-NI, there’s no need to worry about it. Modern CPUs can still handle encryption and decryption via software, ensuring data security without dedicated hardware.

Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.