diff --git a/src/crypto/axtls_aes.c b/src/crypto/axtls_aes.c
new file mode 100644
index 00000000..a587c5cb
--- /dev/null
+++ b/src/crypto/axtls_aes.c
@@ -0,0 +1,53 @@
+#include "crypto/axtls/crypto.h"
+#include <string.h>
+#include <gpxe/crypto.h>
+#include <gpxe/aes.h>
+
+static int aes_setkey ( void *ctx, const void *key, size_t keylen ) {
+	AES_CTX *aesctx = ctx;
+	AES_MODE mode;
+
+	switch ( keylen ) {
+	case ( 128 / 8 ):
+		mode = AES_MODE_128;
+		break;
+	case ( 256 / 8 ):
+		mode = AES_MODE_256;
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	AES_set_key ( aesctx, key, aesctx->iv, mode );
+	return 0;
+}
+
+static void aes_setiv ( void *ctx, const void *iv ) {
+	AES_CTX *aesctx = ctx;
+
+	memcpy ( aesctx->iv, iv, sizeof ( aesctx->iv ) );
+}
+
+static void aes_encrypt ( void *ctx, const void *data, void *dst,
+			  size_t len ) {
+	AES_CTX *aesctx = ctx;
+
+	AES_cbc_encrypt ( aesctx, data, dst, len );
+}
+
+static void aes_decrypt ( void *ctx, const void *data, void *dst,
+			  size_t len ) {
+	AES_CTX *aesctx = ctx;
+
+	AES_cbc_decrypt ( aesctx, data, dst, len );
+}
+
+struct crypto_algorithm aes_algorithm = {
+	.name		= "aes",
+	.ctxsize	= sizeof ( AES_CTX ),
+	.blocksize	= 16,
+	.setkey		= aes_setkey,
+	.setiv		= aes_setiv,
+	.encode		= aes_encrypt,
+	.decode		= aes_decrypt,
+};
diff --git a/src/include/gpxe/aes.h b/src/include/gpxe/aes.h
new file mode 100644
index 00000000..75cb4c44
--- /dev/null
+++ b/src/include/gpxe/aes.h
@@ -0,0 +1,8 @@
+#ifndef _GPXE_AES_H
+#define _GPXE_AES_H
+
+struct crypto_algorithm;
+
+extern struct crypto_algorithm aes_algorithm;
+
+#endif /* _GPXE_AES_H */