diff --git a/rust/crates/mxaccess-asb-nettcp/src/auth.rs b/rust/crates/mxaccess-asb-nettcp/src/auth.rs
index b193b30..879bca2 100644
--- a/rust/crates/mxaccess-asb-nettcp/src/auth.rs
+++ b/rust/crates/mxaccess-asb-nettcp/src/auth.rs
@@ -331,6 +331,14 @@ impl AsbAuthenticator {
             PBKDF2_ITERATIONS,
             out.as_mut_slice(),
         );
+        if std::env::var("MX_ASB_TRACE_DERIVE").ok().is_some() {
+            eprintln!("asb.derive.crypto_key.len={}", crypto_key.len());
+            let hex: String = crypto_key.iter().map(|b| format!("{b:02X}")).collect();
+            eprintln!("asb.derive.crypto_key.hex={hex}");
+            eprintln!("asb.derive.crypto_key.b64={password_b64}");
+            let aes_hex: String = out.iter().map(|b| format!("{b:02X}")).collect();
+            eprintln!("asb.derive.aes_key.hex={aes_hex}");
+        }
         Ok(out)
     }
 
diff --git a/src/MxAsbClient/AsbSystemAuthenticator.cs b/src/MxAsbClient/AsbSystemAuthenticator.cs
index f306f1f..c335781 100644
--- a/src/MxAsbClient/AsbSystemAuthenticator.cs
+++ b/src/MxAsbClient/AsbSystemAuthenticator.cs
@@ -150,12 +150,18 @@ internal sealed class AsbSystemAuthenticator
 
     private byte[] DeriveAesKey()
     {
-        return Rfc2898DeriveBytes.Pbkdf2(
-            Convert.ToBase64String(CryptoKey),
+        byte[] cryptoKey = CryptoKey;
+        byte[] aesKey = Rfc2898DeriveBytes.Pbkdf2(
+            Convert.ToBase64String(cryptoKey),
             PasswordSalt,
             iterations: 1000,
             HashAlgorithmName.SHA1,
             outputLength: 16);
+        sharedTrace?.Invoke($"asb.derive.crypto_key.len={cryptoKey.Length}");
+        sharedTrace?.Invoke($"asb.derive.crypto_key.hex={Convert.ToHexString(cryptoKey)}");
+        sharedTrace?.Invoke($"asb.derive.crypto_key.b64={Convert.ToBase64String(cryptoKey)}");
+        sharedTrace?.Invoke($"asb.derive.aes_key.hex={Convert.ToHexString(aesKey)}");
+        return aesKey;
     }
 
     private byte[] CryptoKey