Caused by a bug in the GENERATE SYMMETRIC KEY command, the SmartCard-HSM
(aka Nitrokey HSM2) in versions 3.1 and 3.2 generates weak AES keys with
little to no entropy.
AES keys generated that way must be considered broken and users relying on the
AES key generation are strongly encouraged to update to the latest 3.3 firmware
available at the PKI-as-a-Service Portal.
We apologize for the inconvenience. We use an elaborate automated test system, trying
to achieve 100% test coverage. That bug, however, was well hidden and was only
discovered by one of the regular code reviews.
Please note, that RSA and ECC keys and other security mechanisms are not affected by this bug. The DKEK mechanism that uses AES keys is not affected as well.