[strongSwan] "ipsec pki --gen > caKey.der" very slow

Martin Willi martin at strongswan.org
Wed Jun 30 11:08:41 CEST 2010


> ipsec pki --gen > caKey.der" on my device(PPC architecture), it takes
> about 15mins to generate out the RSA private key

In the default configuration, the key is generated with random data
from /dev/random. If your kernel does not have enough entropy, the read
blocks.
If you prefer to generate your keys without real entropy, you can use
the non-blocking /dev/urandom device. Add
--with-random-device=/dev/urandom to ./configure.

As an alternative to the libgmp-based key generation, you can use our other
crypto plugins, such as OpenSSL:
  --disable-gmp --enable-openssl
or libgcrypt:
  --disable-gmp --enable-gcrypt

OpenSSL should generate the keys faster, but with less entropy.
Libgcrypt by default reads from /dev/random and blocks, too.

Regards
Martin
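
Added example, not part of the original message or of strongSwan's code: a small C probe that opens the random device with O_NONBLOCK and counts how many bytes it hands over immediately, which shows whether the blocking read described above is what stalls key generation. The function name and the 256-byte sample size are assumptions for illustration, not what pki actually requests.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Read up to `want` bytes from `dev` without ever blocking.
 * Returns the number of bytes the device delivered immediately,
 * or -1 if the device could not be opened or a read failed.
 * Note: the bytes read are consumed from the pool and discarded. */
long nonblocking_random_bytes(const char *dev, size_t want)
{
    unsigned char buf[64];
    size_t got = 0;
    int fd = open(dev, O_RDONLY | O_NONBLOCK);

    if (fd < 0)
        return -1;
    while (got < want) {
        size_t chunk = want - got < sizeof(buf) ? want - got : sizeof(buf);
        ssize_t n = read(fd, buf, chunk);

        if (n > 0) {
            got += (size_t)n;
        } else if (n == 0) {
            break;                      /* end of file, nothing more to read */
        } else if (errno == EINTR) {
            continue;                   /* interrupted by a signal, retry */
        } else if (errno == EAGAIN) {
            break;                      /* pool empty: a blocking read would stall here */
        } else {
            close(fd);
            return -1;
        }
    }
    close(fd);
    return (long)got;
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "/dev/random";
    size_t want = 256;                  /* constructed sample size */
    long got = nonblocking_random_bytes(dev, want);

    if (got < 0) {
        perror(dev);
        return 2;
    }
    printf("%s: %ld of %zu bytes available without blocking\n", dev, got, want);
    return (size_t)got < want ? 1 : 0;
}
```

A short count on /dev/random together with a full count on /dev/urandom points to the entropy starvation described in the reply rather than to slow prime generation.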




