diff --git a/beacon_chain/keystore_management.nim b/beacon_chain/keystore_management.nim
index 06ae18d52..658b58da7 100644
--- a/beacon_chain/keystore_management.nim
+++ b/beacon_chain/keystore_management.nim
@@ -11,6 +11,7 @@ export
   keystore
 
 {.push raises: [Defect].}
+{.localPassC: "-fno-lto".} # no LTO for crypto
 
 const
   keystoreFileName* = "keystore.json"
diff --git a/beacon_chain/spec/keystore.nim b/beacon_chain/spec/keystore.nim
index eb05f7108..c44f78a47 100644
--- a/beacon_chain/spec/keystore.nim
+++ b/beacon_chain/spec/keystore.nim
@@ -23,6 +23,7 @@ export
   results, burnMem, writeValue, readValue
 
 {.push raises: [Defect].}
+{.localPassC: "-fno-lto".} # no LTO for crypto
 
 type
   ChecksumFunctionKind* = enum
diff --git a/nim.cfg b/nim.cfg
new file mode 100644
index 000000000..1dc5a0007
--- /dev/null
+++ b/nim.cfg
@@ -0,0 +1,35 @@
+# ############################################################
+#
+#                    No LTO for crypto
+#
+# ############################################################
+
+# This applies per-file compiler flags to C files
+# which do not support {.localPassC: "-fno-lto".}
+# Unfortunately this is filename based instead of path-based
+# Assumes GCC
+
+# BLST
+server.always = "-fno-lto"
+assembly.always = "-fno-lto"
+
+# Secp256k1
+secp256k1.always = "-fno-lto"
+
+# BearSSL - only RNGs
+aesctr_drbg.always = "-fno-lto"
+hmac_drbg.always = "-fno-lto"
+sysrng.always = "-fno-lto"
+
+# Miracl - only ECP to derive public key from private key
+ecp_BLS12381.always = "-fno-lto"
+
+# ############################################################
+#
+#                    Spurious warnings
+#
+# ############################################################
+
+# sqlite3.c: In function ‘sqlite3SelectNew’:
+# vendor/nim-sqlite3-abi/sqlite3.c:124500: warning: function may return address of local variable [-Wreturn-local-addr]
+sqlite3.always = "-fno-lto" # -Wno-return-local-addr