Workaround for Hardware AES on Server with Hyper-V

Topics: Feature Requests
Jul 11, 2016 at 12:18 PM
It seems that when Hyper-V is enabled on older versions of Windows Server (i.e. 2008 R2), the AES-NI capability gets masked out for all applications, even those running on the host. However, it is apparently still possible to use the instructions if the detection is bypassed or worked around. It seems that DiskCryptor managed to do it in the following way:
https://diskcryptor.net/forum/index.php?topic=4820.0

I can confirm this works on my Server 2008 R2 system, and as expected, the speed difference is very large. I know that this isn't a perfect solution, but I would love it if something like this could be implemented in VeraCrypt. It's what I use on all my computers, including my server, and I would like to be able to use the hardware AES on my server to speed things up.

Thanks!
Jul 24, 2016 at 7:35 AM
If you don't want to implement this workaround, I understand. It is a bit kludgy. However, would you consider adding an advanced option to force enable AES instructions? That would solve my issue as well.

Unfortunately, doing this and compiling it myself isn't really an option due to the required driver signing for Windows.
Developer
Jul 24, 2016 at 3:13 PM
Interesting info.

Probably hardware AES has to be tested via a user-level application, and the VeraCrypt driver will have an IOCTL to enable hardware AES.

Code for the hardware AES test is needed. An IOCTL to force AES is not a problem to add.

Do you need to use hardware AES for system encryption?
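
The post above asks for code that tests hardware AES directly; the sketch below is an added example, not part of the thread and not VeraCrypt or DiskCryptor code. It assumes a user-mode POSIX process on x86-64 built with GCC or Clang, all names are hypothetical, and it compares the CPUID feature bit (leaf 1, ECX bit 25) with the result of actually executing one AESENC under a SIGILL guard.

```c
/* Added illustration: names are hypothetical, not VeraCrypt or DiskCryptor code. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#if defined(__x86_64__)
#include <cpuid.h>
#endif
enum aes_hw { AES_NONE = 0, AES_VIA_CPUID = 1, AES_MASKED_BUT_WORKING = 2 };
typedef struct { unsigned char b[16]; } block16;
static sigjmp_buf probe_env;
static void on_sigill(int sig) { (void)sig; siglongjmp(probe_env, 1); }
/* What the platform advertises: CPUID leaf 1, ECX bit 25 (AES-NI). */
int cpuid_reports_aes(void) {
#if defined(__x86_64__)
    unsigned a, b, c, d;
    return __get_cpuid(1, &a, &b, &c, &d) && ((c >> 25) & 1);
#else
    return 0;
#endif
}
/* Functional probe: run one AESENC with SIGILL trapped, then check the
   answer. AESENC(state=0, round key=0) must yield 0x63 in all 16 bytes. */
int aes_instruction_works(void) {
#if defined(__x86_64__)
    struct sigaction sa, old;
    block16 in = {{0}}, out = {{0}}, want;
    volatile int ok = 0;
    memset(&want, 0x63, sizeof want); memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigill; sigemptyset(&sa.sa_mask);
    if (sigaction(SIGILL, &sa, &old) != 0) return 0;
    if (sigsetjmp(probe_env, 1) == 0) {  /* 1: signal mask restored on jump */
        __asm__ volatile("movdqu %1, %%xmm0\n\t"
                         "aesenc %%xmm0, %%xmm0\n\t"
                         "movdqu %%xmm0, %0"
                         : "=m"(out) : "m"(in) : "xmm0");
        ok = memcmp(&out, &want, sizeof out) == 0;
    }
    sigaction(SIGILL, &old, NULL);
    return ok;
#else
    return 0;
#endif
}
/* Trust CPUID when it says yes; otherwise fall back to the probe. */
enum aes_hw detect_hw_aes(void) {
    if (cpuid_reports_aes()) return AES_VIA_CPUID;
    return aes_instruction_works() ? AES_MASKED_BUT_WORKING : AES_NONE;
}
```

A result of `AES_MASKED_BUT_WORKING` corresponds to the situation reported in this thread: the feature bit is hidden but the instruction still executes and produces the correct output.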
Jul 24, 2016 at 9:53 PM
Unfortunately, how to actually do the testing for AES is beyond my level of knowledge; I am not a programmer. However, it seems that DiskCryptor is open source, so perhaps you could take a look at the code to see how they do it, or contact them? I'm really not sure of the proper method for handling these types of things in the open source community.

But, I'd be happy with the simple option to force enable it, and it should solve my issue.

I'm using VeraCrypt to decrypt and share certain data on my server; not the system drive. However, I am trying to keep CPU load down.
Coordinator
Jul 24, 2016 at 10:28 PM
Thank you for reporting this.

I have implemented a workaround inspired by the description in your link above: https://veracrypt.codeplex.com/SourceControl/changeset/15699c1c64859815f096460467f4b3188403ee09

I will try to publish a beta version tomorrow that contains this workaround so that you can validate that it is indeed working.
Jul 24, 2016 at 10:31 PM
Awesome, that's great to hear!

I will keep an eye out for the beta version so I can give it a try and report back.
Coordinator
Jul 25, 2016 at 11:03 PM
I have uploaded an installer for 1.18-BETA that contains the fix at https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/
Get the file "VeraCrypt Setup 1.18-BETA.exe".

Can you please check that AES-NI is now detected correctly?

Thank you.
Jul 27, 2016 at 10:17 AM
Sorry for the delay in responding, but my server was in the process of doing something so I was unable to update it immediately.

I have installed the newer version and tested. It still shows No under "Processor (CPU) in this computer supports hardware acceleration for AES" in performance and driver options, as well as n/a for "Hardware-accelerated AES" in the benchmark dialog. However, the benchmark speeds indicate it is working.

In addition, the "Accelerate AES encryption/decryption by using the AES instructions of the processor (if available)" works as expected to enable and disable it, with appropriate benchmark speeds for each (~750MB/s vs ~3.5GB/s).

Like I said, the acceleration seems to be working, but the program just isn't showing the support appropriately.

Thanks for working on this!
Coordinator
Jul 27, 2016 at 2:53 PM
Thank you for your tests.
Indeed, I forgot to update VeraCrypt GUI code to use the new workaround!
This doesn't affect AES-NI support as you noticed but I will fix this UI display issue to avoid any confusion.
Aug 21, 2016 at 12:10 PM
idrassi wrote:
> Thank you for your tests.
> Indeed, I forgot to update VeraCrypt GUI code to use the new workaround!
> This doesn't affect AES-NI support as you noticed but I will fix this UI display issue to avoid any confusion.

I installed the final version of 1.18 tonight and can confirm that the GUI works as expected. Thanks again!