In a previous post I wrote about my experience setting up a DNSSEC-signed zone using OpenDNSSEC with a USB “Aladdin eToken Pro 64k” HSM.

This time I ran some tests on the eToken to find out how many keys it can actually hold.

Executive summary: 21 keys of 2048 bits, or 25 keys of 1024 bits.

The eToken has to be initialized with the option “Load 2048-bit RSA key support” (under Advanced Settings in the initialization dialog). In that same screen you also have to set the number of reserved RSA keys by hand, to more than 21 2048-bit keys; otherwise the token only lets you create 4 keys!

With these options the token reports 31,155 bytes of free space out of 65,536 bytes total. Each 2048-bit RSA key consumes 1,352 bytes, and the token tops out at 21 keys. (Straight division of the free space by the per-key size would suggest 23, so the per-key figure presumably leaves out some per-object overhead.)

The test suite bundled with OpenDNSSEC (ods-hsmutil test) passes key generation at 512, 768, 1024, 1536 and 2048 bits. All of these keys sign correctly with RSA/SHA1 and RSA/SHA256, and the 1024-, 1536- and 2048-bit keys also sign with RSA/SHA512 (for a 512-bit key the SHA-512 DigestInfo plus PKCS#1 v1.5 padding does not even fit in the 64-byte modulus). The random number tests (a 1024-byte buffer, plus 32-bit and 64-bit values) also pass. Note that the small key sizes and RSA/SHA1 are only interesting as a capacity test: neither is acceptable for a production DNSSEC zone today.

There is no support for 4096-bit keys.

If you initialize the eToken without 2048-bit support, you can create up to 25 (1024-bit) keys, again taking care to set the number of reserved keys by hand at initialization time.
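To reproduce the two capacity figures (21 keys at 2048 bits, 25 at 1024 bits) without counting by hand, here is an added shell probe; it is not part of the original post nor of OpenDNSSEC. It calls ods-hsmutil generate in a loop until the token refuses another key and prints how many fitted. It assumes OpenDNSSEC 1.x's ods-hsmutil is on the PATH, that the PIN is configured in conf.xml, and that the repository for the eToken is named etoken (all three are assumptions); the 200-iteration safety stop and the optional third argument, which lets the loop run against a stand-in command instead of the real token, are mine.

```shell
#!/bin/sh
# Capacity probe for a PKCS#11 token behind OpenDNSSEC (added example).
# Assumptions: ods-hsmutil (OpenDNSSEC 1.x) on PATH, PIN in conf.xml,
# repository "etoken". This fills the token: run it only on a freshly
# initialized token, never on one holding live zone keys.

# probe_capacity REPO BITS [GENERATOR]
# Generates RSA keys of BITS bits in REPO until generation fails and prints
# the number of keys created. GENERATOR defaults to ods-hsmutil; the third
# argument exists so the loop can be exercised against a stand-in command.
probe_capacity() {
    repo="$1"
    bits="$2"
    gen="${3:-ods-hsmutil}"
    n=0
    # Stop at the first failure: when the token runs out of space the PKCS#11
    # call fails and ods-hsmutil should exit non-zero.
    while "$gen" generate "$repo" rsa "$bits" >/dev/null 2>&1; do
        n=$((n + 1))
        # Safety stop (assumption: no token of this class holds 200+ keys).
        [ "$n" -lt 200 ] || break
    done
    echo "$n"
}

# Stand-alone use: ./probe.sh etoken 2048   or   ./probe.sh etoken 1024
if [ $# -ge 2 ]; then
    probe_capacity "$1" "$2"
fi
```

After a run, wipe the test keys with ods-hsmutil purge etoken; purge removes every key in that repository, so it must never be pointed at a production token. The count only tells you how many keys were created, not their on-token size, so pair it with the free-space figure the token reports before and after the run if you want the per-key cost.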

