
MACsec CKN of 32 chars is not allowed in CLI, but works fine
Closed, Resolved | Public | BUG

Description

Our Aruba 5406R ZL2 switches require a CKN of 32 characters, while VyOS requires 64 chars.
This makes it impossible to create a working MACsec link between the two.

To test this anyway, I edited the CLI template file to allow this configuration. This seems to work just fine, with encrypted traffic flowing between the Aruba and VyOS devices.

The relevant Aruba documentation can be found here:
https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8150_access_security_guide/content/v32677644.html

Enter the CKN as a string of hexadecimal digits up to 32 characters long.

I see that smaller keys are also mentioned in the wpa_supplicant.conf template, which explains why it would work.

# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
# (2..64 hex-digits)

This is the first time I'm configuring MACsec, but it looks like this might be just a validation bug.
We won't be running this in production, but I just wanted to report this.

Details

Difficulty level: Unknown (require assessment)
Version: vyos-1.4-rolling-202302130317
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Related Objects

Mentioned In
1.3.3
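
The length rule quoted in the report from the wpa_supplicant.conf template (1..32 bytes, 2..64 hex digits) can be checked as below. This is an added example, not VyOS or wpa_supplicant code; the function names are hypothetical, `fixed_length_accepts` only stands in for the exactly-64-character behaviour the report describes, and the sample values are constructed.

```python
import re

# Rule quoted in the report from the wpa_supplicant.conf template:
# mka_ckn is a 1..32-byte hex string, i.e. 2..64 hex digits.
CKN_MIN_BYTES = 1
CKN_MAX_BYTES = 32
_HEX = re.compile(r"[0-9a-fA-F]+")


def check_ckn(value: str) -> bytes:
    """Validate a CKN against the 1..32-byte rule and return its raw bytes."""
    if not _HEX.fullmatch(value):
        raise ValueError("CKN must contain only hexadecimal digits")
    if len(value) % 2:
        raise ValueError("CKN needs an even number of hex digits (whole bytes)")
    raw = bytes.fromhex(value)
    if not CKN_MIN_BYTES <= len(raw) <= CKN_MAX_BYTES:
        raise ValueError("CKN must be 1..32 bytes (2..64 hex digits)")
    return raw


def fixed_length_accepts(value: str) -> bool:
    """Hypothetical stand-in for the reported CLI check: exactly 64 hex digits."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def range_accepts(value: str) -> bool:
    """True when the value satisfies the 2..64 hex-digit rule."""
    try:
        check_ckn(value)
        return True
    except ValueError:
        return False


# Constructed sample values, not real keys.
SAMPLES = {
    "32 hex digits (Aruba-style)": "0123456789abcdef" * 2,
    "64 hex digits": "0123456789abcdef" * 4,
    "odd digit count": "abc",
    "non-hex characters": "zz" * 16,
    "66 hex digits": "ab" * 33,
    "empty": "",
}

if __name__ == "__main__":
    for label, ckn in SAMPLES.items():
        print(f"{label:30} fixed-64={fixed_length_accepts(ckn)!s:5} range={range_accepts(ckn)}")
```

Both ends of a link must be configured with the same CKN, so when the peer caps the length at 32 hex digits, as the Aruba documentation quoted above does, only the range rule admits a value that both sides accept.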