[strongSwan] "ipsec pki --gen > caKey.der" very slow
Martin Willi
martin at strongswan.org
Wed Jun 30 11:08:41 CEST 2010
> ipsec pki --gen > caKey.der" on my device(PPC architecture), it takes
> about 15mins to generate out the RSA private key
In the default configuration, the key is generated with random data
from /dev/random. If your kernel does not have enough entropy, the read
blocks.
If you prefer to generate your keys without real entropy, you can use
the non-blocking /dev/urandom device. Add
--with-random-device=/dev/urandom to ./configure.
As an alternative to the libgmp based key generation, you can use our other
crypto plugins, such as OpenSSL:
--disable-gmp --enable-openssl
or libgcrypt:
--disable-gmp --enable-gcrypt
OpenSSL should generate the keys faster, but with less entropy.
Libgcrypt by default reads from /dev/random and blocks, too.
Regards
Martin
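
A pre-flight check for the blocking behaviour described in the reply above, as an added example that is not part of the original post and is not strongSwan code. It assumes a Linux kernel that exposes its entropy estimate at /proc/sys/kernel/random/entropy_avail; the function names and the 2048-bit threshold in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether a read from a blocking /dev/random is likely
# to stall, based on the kernel's entropy estimate (in bits).
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# entropy_avail [FILE]: print the estimate; return 2 if unreadable or malformed.
entropy_avail() {
    ea_file="${1:-$ENTROPY_FILE}"
    [ -r "$ea_file" ] || return 2
    ea_val=$(cat "$ea_file") || return 2
    case "$ea_val" in
        ''|*[!0-9]*) return 2 ;;   # reject anything that is not a plain integer
    esac
    echo "$ea_val"
}

# would_block NEEDED_BITS [FILE]: print "ok", "block" or "unknown".
would_block() {
    wb_avail=$(entropy_avail "$2") || { echo unknown; return 0; }
    if [ "$wb_avail" -ge "$1" ]; then echo ok; else echo block; fi
}

# wait_for_entropy NEEDED_BITS TIMEOUT_SECS [FILE]
# Poll once per second. Returns 0 when enough entropy is reported,
# 1 on timeout, 2 when the estimate cannot be read.
wait_for_entropy() {
    we_left="$2"
    while :; do
        case "$(would_block "$1" "$3")" in
            ok) return 0 ;;
            unknown) return 2 ;;
        esac
        [ "$we_left" -gt 0 ] || return 1
        sleep 1
        we_left=$((we_left - 1))
    done
}

# Usage (threshold is an assumed value, not a strongSwan requirement):
#   wait_for_entropy 2048 60 && ipsec pki --gen > caKey.der
```

Since Linux 5.6, /dev/random blocks only until the kernel's random number generator has been initialised once, so this check matters mainly on older kernels.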