Kernel level TLS

Kernel level TLS

From The Backend Engineering Show with Hussein Nasser by Hussein Nasser

June 13, 2025 · 23 min

About this episode

This episode discusses kernel-level TLS and its implications for encryption and decryption in operating systems.

Fundamentals of Operating Systems Course https://oscourse.winktls is brilliant.TLS encryption/decryption often happens in userland. While TCP lives in the kernel. With ktls, userland can hand the keys to the kernel and the kernel does crypto. When calling write, the kernel encrypts the packet and send it to the NIC.When calling read, the kernel decrypts the packet and handed it to the userspace. This mode still taxes the host’s CPU of course, so there is another mode where the kernel offloads the crypto to the NIC device! Host CPU becomes free. Incoming packets to the NIC are decrypted in device before they are DMAed to the kernel. outgoing packets are encrypted before they leave the NIC to the network.ktls still need handshake to happen in userspace. There is also enabling zerocopy in some cases (now that kernel has context) Deserves a video. So much good stuff.0:00 Intro2:00 Userspace SSL Libraries 3:00 ktls 6:00 Kernel Encrypts/Decrypts (TLS_SW)8:20 NIC offload mode (TLS_HW)10:15 NIC does it all (TLS_HW_RECORD)12:00 Write TX Example13:50 Read RX Example17:00 Zero copy (sendfile)https://docs.kernel.org/networking/tls-offload.html

People in this episode

Host: Hussein Nasser

Topics covered

  • Operating Systems
  • TLS encryption
  • Kernel cryptography
  • Userland vs Kernel
  • NIC offload
  • Zero copy

Keywords

  • Kernel level TLS
  • Operating Systems
  • Encryption
  • Decryption
  • Userland
  • NIC offload
  • TCP
  • Zero copy

Mentioned in this episode

Organizations: WinkTLS, kernel, NIC, TCP, TLS, TLS_SW, TLS_HW, TLS_HW_RECORD, sendfile, kernel.org

More episodes of The Backend Engineering Show with Hussein Nasser

Explore listener stats, chart rankings, contacts and more on the The Backend Engineering Show with Hussein Nasser podcast page.