The Linux crypto kernel subsystem is part of the Linux kernel architecture responsible for providing cryptographic primitives and services to kernel components and userspace interfaces. The Linux crypto framework implements a unified API that allows kernel modules and subsystems to request cryptographic algorithms such as AES, ChaCha20, SHA256, and authenticated encryption modes like AES-GCM or ChaCha20-Poly1305.
Inside the Linux architecture the crypto subsystem works as a modular framework. Kernel clients such as kTLS, WireGuard, dm-crypt, fscrypt, IPsec and AF_ALG request cryptographic operations through the kernel crypto API. The subsystem then performs algorithm lookup, implementation selection, and transform allocation (tfm objects) before executing the operation using software or hardware accelerated implementations.
One of the key mechanisms of the Linux crypto kernel subsystem is algorithm competition. Multiple implementations of the same algorithm may be registered in the kernel. For example AES can exist as generic software AES, AES-NI CPU instructions, or SIMD optimized implementations. The crypto framework selects the best implementation using priority values and hardware capability checks.
The Linux crypto subsystem can automatically use hardware acceleration features available on modern CPUs. Examples include AES-NI instructions, ARM crypto extensions, AVX vector acceleration, and dedicated crypto accelerators. If hardware support is unavailable the subsystem automatically falls back to software drivers.
This page visualizes how the Linux crypto kernel subsystem works internally. It shows the request origin process, protocol usage such as TLS or SSH, crypto API interaction, transform lookup, algorithm competition, implementation selection, and hardware offload status inside the Linux kernel architecture.