The Linux Crypto API for user applications

The Linux kernel has its own crypto API that can be used to perform encryption and decryption operations directly within the kernel space. This is useful for applications requiring high performance and low latency, as it minimizes the number of expensive context switches between user space and kernel space. In this post, we reviewed the Linux Kernel Crypto API and its user space interface. We reiterated some security benefits of doing encryption through the Kernel vs using some sort of cryptographic library. We also measured the performance overhead of doing data encryption/decryption through the Kernel Crypto API, confirmed that in-kernel crypto is likely as good as in OpenSSL, but a better user space interface is needed to make Kernel Crypto API as fast as using a cryptographic library. We implemented AES-CTR with both the kernel's crypto API and OpenSSL for comparison. We found that while the Kernel Crypto API is slower than OpenSSL, the difference can be attributed largely to system call overhead rather than the actual encryption process itself. Using Crypto API is a subjective decision depending on your circumstances, it’s a trade-off in speed vs. security.