diff --git a/Makefile b/Makefile
index ac1176f3c0b0..d00a2fe52521 100644
--- a/Makefile
+++ b/Makefile
@@ -558,12 +558,17 @@ $(CGO_FLAGS_FILES): Makefile
 # only rebuild the affected objects, but in practice dependencies on configure
 # flags are not tracked correctly, and these stale artifacts can cause
 # particularly hard-to-debug errors.
+#
+# Flags needed to make cryptopp to runtime detection of AES cpu instruction sets.
+# pclmul and ssse3 need to be defined for the overall AES switch but are only used
+# in GCM mode (not currently in use by cockroach).
+AES_FLAGS := -maes -mpclmul -mssse3
 $(CRYPTOPP_DIR)/Makefile: $(C_DEPS_DIR)/cryptopp-rebuild | bin/.submodules-initialized
 	rm -rf $(CRYPTOPP_DIR)
 	mkdir -p $(CRYPTOPP_DIR)
 	@# NOTE: If you change the CMake flags below, bump the version in
 	@# $(C_DEPS_DIR)/cryptopp-rebuild. See above for rationale.
-	cd $(CRYPTOPP_DIR) && cmake $(XCMAKE_FLAGS) $(CRYPTOPP_SRC_DIR) \
+	cd $(CRYPTOPP_DIR) && CFLAGS+=" $(AES_FLAGS)" && CXXFLAGS+=" $(AES_FLAGS)" cmake $(XCMAKE_FLAGS) $(CRYPTOPP_SRC_DIR) \
 	  -DCMAKE_BUILD_TYPE=Release
 
 $(JEMALLOC_SRC_DIR)/configure.ac: | bin/.submodules-initialized
diff --git a/build/variables.mk b/build/variables.mk
index 55864d1bdc9a..09894bb759fc 100644
--- a/build/variables.mk
+++ b/build/variables.mk
@@ -3,6 +3,7 @@
 define VALID_VARS
   .DEFAULT_GOAL
   ACCEPTANCETIMEOUT
+  AES_FLAGS
   ARCHIVE
   ARCHIVE_BASE
   ARCHIVE_EXTRAS
diff --git a/c-deps/cryptopp b/c-deps/cryptopp
index c621ce053298..64070a0f521e 160000
--- a/c-deps/cryptopp
+++ b/c-deps/cryptopp
@@ -1 +1 @@
-Subproject commit c621ce053298fafc1e59191079c33acd76045c26
+Subproject commit 64070a0f521ecb5bef53d9fd1c621dec5d6168f4
diff --git a/c-deps/libroach/CMakeLists.txt b/c-deps/libroach/CMakeLists.txt
index 5e3cb3c644ec..fa6cc86aedef 100644
--- a/c-deps/libroach/CMakeLists.txt
+++ b/c-deps/libroach/CMakeLists.txt
@@ -92,6 +92,7 @@ set(tests
   encoding_test.cc
   file_registry_test.cc
   merge_test.cc
+  ccl/crypto_utils_test.cc
   ccl/db_test.cc
   ccl/encrypted_env_test.cc
   ccl/key_manager_test.cc
diff --git a/c-deps/libroach/ccl/crypto_utils.cc b/c-deps/libroach/ccl/crypto_utils.cc
index dc6f83ef07db..b536142bec7f 100644
--- a/c-deps/libroach/ccl/crypto_utils.cc
+++ b/c-deps/libroach/ccl/crypto_utils.cc
@@ -59,3 +59,5 @@ class AESEncryptCipher : public rocksdb_utils::BlockCipher {
 rocksdb_utils::BlockCipher* NewAESEncryptCipher(const enginepbccl::SecretKey* key) {
   return new AESEncryptCipher(key->key());
 }
+
+bool UsesAESNI() { return CryptoPP::UsesAESNI(); }
diff --git a/c-deps/libroach/ccl/crypto_utils.h b/c-deps/libroach/ccl/crypto_utils.h
index 8c6d65594dae..9a385c94cbb8 100644
--- a/c-deps/libroach/ccl/crypto_utils.h
+++ b/c-deps/libroach/ccl/crypto_utils.h
@@ -29,3 +29,6 @@ std::string RandomBytes(size_t length);
 // Create a new AES cipher using the passed-in key.
 // Suitable for encryption only, Decrypt is not implemented.
 rocksdb_utils::BlockCipher* NewAESEncryptCipher(const enginepbccl::SecretKey* key);
+
+// Returns true if CryptoPP is using AES-NI.
+bool UsesAESNI();
diff --git a/c-deps/libroach/ccl/crypto_utils_test.cc b/c-deps/libroach/ccl/crypto_utils_test.cc
new file mode 100644
index 000000000000..e8ad5ea36810
--- /dev/null
+++ b/c-deps/libroach/ccl/crypto_utils_test.cc
@@ -0,0 +1,12 @@
+// Copyright 2017 The Cockroach Authors.
+//
+// Licensed as a CockroachDB Enterprise file under the Cockroach Community
+// License (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+//     https://github.com/cockroachdb/cockroach/blob/master/licenses/CCL.txt
+
+#include "../testutils.h"
+#include "crypto_utils.h"
+
+TEST(CryptoUtils, HasAESNI) { EXPECT_TRUE(UsesAESNI()); }
diff --git a/c-deps/libroach/ccl/db.cc b/c-deps/libroach/ccl/db.cc
index 72e2a9e68b05..8fb4f27bc441 100644
--- a/c-deps/libroach/ccl/db.cc
+++ b/c-deps/libroach/ccl/db.cc
@@ -22,6 +22,7 @@
 #include "../status.h"
 #include "ccl/baseccl/encryption_options.pb.h"
 #include "ccl/storageccl/engineccl/enginepbccl/stats.pb.h"
+#include "crypto_utils.h"
 #include "ctr_stream.h"
 #include "key_manager.h"
 
@@ -78,6 +79,16 @@ rocksdb::Status DBOpenHook(std::shared_ptr<rocksdb::Logger> info_log, const std:
     return rocksdb::Status::OK();
   }
 
+  // We have encryption options. Check whether the AES instruction set is supported.
+  if (!UsesAESNI()) {
+    // Shout loudly on standard out.
+    std::cout << std::endl
+              << "*** WARNING ***" << std::endl
+              << "Encryption requested, but no AES instruction set detected" << std::endl
+              << "Expect significant performance degradation!" << std::endl
+              << std::endl;
+  }
+
   // The Go code sets the "file_registry" storage version if we specified encryption flags,
   // but let's double check anyway.
   if (!db_opts.use_file_registry) {