Nitrokey HSM2 RSA key 4096 too long to load


I’m currently using some Nitrokey HSM2 (last firmare updated) with my company for IPsec VPN connection with Strongswan.

We’re having issues with 4096 RSA keys because they take too long time to load, and the process charon cannot start (timeout delay is 10s and cannot be changed) :

00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.3.0-28-generic, x86_64)
charon too long to start… - kill kill
child 4029 (charon) has been killed by sig 9

charon has died – restart scheduled (5sec)

Depending on the Nitrokey, I was able to load 4096 RSA keys, and for another device, only 2 RSA keys.
The workaround is to reduce the key to 3072 or 2048 but it’s not the best solution…

Would you have any ideas please ?

Hi Nico!

I am sorry, but I do not see anything that could be improved on the hardware side. Could you precise how much keys you need to load?
I would try changing the loading timeout, even if seemingly impossible. Is it hard-coded, or driven by the other connection party?
If you are using OpenSC, you could take the debug log and see, whether this is really the hardware fault, or perhaps there is some redundant operation done, which increases the time.

Thanks for your answer.
After trying a lot of possibilities to stay below the 10s delay (2 RSA key 4096 + 1 key 2048 / 3 RSA key 3072 etc…),
I managed to solve this issue by switching on Stronswan from ipsec-starter to systemd-charon, which allow to select a specific key on the token and also does not have a timeout.

On the hardware side there are no possibilities to improve the speed ?
Or I suppose that will require another kind of hardware :slight_smile:

1 Like