Caused by a bug in the GENERATE SYMMETRIC KEY command, the SmartCard-HSM (aka Nitrokey HSM2) in versions 3.1 and 3.2 generates weak AES keys with little to no entropy.
AES keys generated that way must be considered broken and users relying on the AES key generation are strongly encouraged to update to the latest 3.3 firmware available at the PKI-as-a-Service Portal.
We apologize for the inconvenience. We use an elaborate automated test system, trying to achieve 100% test coverage. That bug, however, was well hidden and was only discovered by one of the regular code reviews.
The bug was introduced in the 3.1 version, when the memory layout was revised in order conserve RAM, to support JCOP 3 devices with DESFire enabled.
Please note, that RSA and ECC keys are not affected by this bug. The DKEK mechanism that uses AES keys is not affected as well.