Skip to main content

Prerequisites

Before installing the QAT Engine, ensure you have:

Hardware

An Intel platform with QAT hardware support or 3rd Gen Xeon+ for software acceleration

Operating System

Linux distribution (Fedora 34+, RHEL 8.4+, Ubuntu 24.04+, or SUSE SLES15 SP3+)

OpenSSL

OpenSSL 1.1.1 or 3.0.x installed (system package or from source)

Root Access

Sudo or root privileges for driver and package installation

Quick Installation

The fastest way to get started is using your distribution’s package manager.
1

Install QAT Engine Package

Install the pre-built qatengine package from your distribution’s repositories:
sudo dnf install qatengine
These packages include QAT_HW support using the qatlib in-tree driver for 4xxx devices only. For other QAT hardware or QAT_SW, see the installation guide.
2

Set Environment Variable

Configure OpenSSL to find the QAT engine library:
export OPENSSL_ENGINES=/usr/lib64/engines-3
Add this to your ~/.bashrc or ~/.profile to make it permanent.
The exact path may vary by distribution. Use openssl version -a | grep ENGINESDIR to find your engines directory.
3

Verify Installation

Test that the QAT Engine is loaded correctly:
openssl engine -t -c -v qatengine
You should see output similar to:
(qatengine) Reference implementation of QAT crypto engine(qat_hw) v2.0.0
 [RSA, DSA, DH, AES-128-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256,
  AES-256-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256, TLS1-PRF, 
  HKDF, X25519, X448]
     [ available ]
     ENABLE_EXTERNAL_POLLING, POLL, SET_INSTANCE_FOR_THREAD,
     GET_NUM_OP_RETRIES, SET_MAX_RETRY_COUNT, ...
The [ available ] status confirms the engine is ready to use.
4

Run Performance Tests

Benchmark RSA operations with hardware acceleration:
# QAT Hardware acceleration (requires QAT device)
openssl speed -engine qatengine -elapsed -async_jobs 72 rsa2048

# Compare with software-only (no engine)
openssl speed -elapsed rsa2048
The QAT-accelerated test should show significantly higher throughput (signs/verifications per second) compared to the software-only baseline. Typical improvements:
  • RSA 2048: 10-50x improvement
  • ECDSA P-256: 5-20x improvement
  • AES-128-GCM: 2-5x improvement
If performance is similar to baseline, ensure:
  • QAT hardware drivers are installed and running
  • You’re using sufficient async_jobs (try 32-128 for QAT_HW)
  • The algorithm is supported by your QAT hardware

Test Additional Algorithms

Try these commands to test different cryptographic operations: 
# Elliptic Curve Diffie-Hellman
openssl speed -engine qatengine -elapsed -async_jobs 72 ecdh
Different algorithms have different optimal async_jobs values. For QAT_HW, try 32-128. For QAT_SW, try 8-32. See async operations for tuning guidance.

Configure Automatic Loading

To automatically load the QAT Engine for all OpenSSL applications, create an OpenSSL configuration file:
1

Create Configuration File

Create /etc/ssl/openssl-qat.cnf:
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
qatengine = qatengine_section

[qatengine_section]
engine_id = qatengine
dynamic_path = /usr/lib64/engines-3/qatengine.so
default_algorithms = ALL
init = 1
2

Set Environment Variable

Point OpenSSL to your configuration file:
export OPENSSL_CONF=/etc/ssl/openssl-qat.cnf
Add this to your shell profile for persistence.
3

Verify Automatic Loading

Test that the engine loads without the -engine flag:
# This should now use QAT acceleration automatically
openssl speed rsa2048

Next Steps

Build from Source

Install from source for QAT_SW support or custom builds

QAT Hardware Concepts

Learn how QAT hardware acceleration works

Configure Your Application

Integrate with NGINX, HAProxy, or your own application

Troubleshooting

Resolve common installation and runtime issues

Getting Help

  • Verify OPENSSL_ENGINES path is correct
  • Check file permissions on qatengine.so
  • Ensure no conflicts with other engines
  • See common issues for detailed troubleshooting
  • Verify QAT hardware drivers are running: lsmod | grep qat
  • Check QAT device status: adf_ctl status
  • Increase async_jobs parameter
  • Ensure the algorithm is hardware-accelerated (not all are enabled by default)

Build docs developers (and LLMs) love

Get started for freeTalk to us