[strongSwan] "ipsec pki --gen > caKey.der" very slow

MingM Xia macguffin.xia at gmail.com
Wed Jun 30 12:17:07 CEST 2010

Got it, thanks a lot.

On Wed, Jun 30, 2010 at 5:08 PM, Martin Willi <martin at strongswan.org> wrote:

> > ipsec pki --gen > caKey.der" on my device(PPC architecture), it takes
> > about 15mins to generate out the RSA private key
> In the default configuration, the key is generated with random data
> from /dev/random. If your kernel does not have enough entropy, the read
> blocks.
> If you prefer to generate your keys without real entropy, you can use
> the non-blocking /dev/urandom device. Add
> --with-random-device=/dev/urandom to ./configure.
> As alternative to the libgmp based key generation, you can use our other
> crypto plugins, such as OpenSSL:
>  --disable-gmp --enable-opensssl
> or libgcrypt:
>  --disable-gmp --enable-gcrypt
> OpenSSL should generate the keys faster, but with less entropy.
> Libgcrypt by default reads from /dev/random and blocks, too.
> Regards
> Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100630/0270167d/attachment.html>

More information about the Users mailing list