I’ve been using a Nitrokey Pro with the Heads version from the Nitrokey repos (v1.3.1) on an x230 for a while now.
The Nitrokey still confirms the integrity of the TPM and I can access the GPG card in the recovery shell;
however, when I try to update the boot partition checksums and confirm the presence of the Nitrokey,
I get the following error message:
61998411: 00ebaddecaf000005ac
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
/boot: Unable to sign kexec hashes
Failed to sign default config; press Enter to continue.
Does anyone know what the problem could be?
Hi @Discordia !
It looks to me like the stub for the private key got removed. Can you run gpg --card-status
and describe or take a photo of the output?
Honestly not sure what you can do with it, so I just removed the stuff that was described as some kind of key.
Reader …: 20A0:4108:00000000000xxxxxx:0
Application ID …: D2760001240xxxxxx
Application type .: OpenPGP
Version …: 3.3
Manufacturer …: ZeitControl
Serial number …: xxxxxx
Name of cardholder: [not set]
Language prefs …: de
Salutation …:
URL of public key : [not set]
Login data …: [not set]
Signature PIN …: not forced
Key attributes …: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 15
KDF setting …: off
Signature key …: [redacted]
created …: 2020-11-12 16:18:24
Encryption key…: [redacted]
created …: 2020-11-12 16:18:24
Authentication key: [redacted]
created …: 2020-11-12 16:18:24
General key info…: pub rsa2048/A7FCE51B5D5A3A76 2020-11-12 Discordia (alias: xxxxxx)
sec> rsa2048/A7FCE51B5D5A3A76 created: 2020-11-12 expires: 2021-05-11
card-no: 0005 0000xxxxxx
ssb> rsa2048/54B0A5A55F908A3B created: 2020-11-12 expires: 2021-05-11
card-no: 0005 0000xxxxxx
ssb> rsa2048/33925FBBBD090F18 created: 2020-11-12 expires: 2021-05-11
card-no: 0005 0000xxxxxx
Thank you. It looks like I have found the cause:
expires: 2021-05-11
GPG claims it cannot find any usable key. The key on the Nitrokey expired almost a month ago, hence it is most probably not taken into account.
You need to:
Scenario A
- Extend your key for a further period using GnuPG on any available moderately safe setup (ideally in the recovery console of the Nitropad)
- Export the public key with updated metadata to a USB drive
- Import the public key into Heads on the Nitropad
Scenario B
(only in case you do not care about the PGP key stored on the Nitrokey and its other content)
- Run a Factory Reset in Heads
Let me ask my colleague for elaboration.
@simon: Can you provide the exact guide?
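A check for the cause identified in the reply above, as an added example that is not part of the original posts: it reads `gpg --with-colons` output and reports expired keys, since the "No secret key" message itself does not mention expiry. The sample listing is constructed: key IDs and dates follow the card status in the thread, while the epoch timestamps and capability letters are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Fields of `gpg --with-colons` used:
# 1=record type, 5=key ID, 7=expiry (epoch seconds, empty = none),
# 12=capabilities (s=sign, c=certify, e=encrypt, a=authenticate).

# Constructed sample: key IDs and dates follow the card status in the
# thread; epoch values and capability letters are assumed.
SAMPLE='pub:e:2048:1:A7FCE51B5D5A3A76:1605197904:1620749904::u:::sc:
uid:e::::1605197904::::Discordia:
sub:e:2048:1:54B0A5A55F908A3B:1605197904:1620749904:::::e:
sub:e:2048:1:33925FBBBD090F18:1605197904:1620749904:::::a:'

# expired_keys [NOW]: print "<type> <keyid> <caps> <days expired>" for
# each key record on stdin whose expiry lies before NOW (default: now).
expired_keys() {
    awk -F: -v now="${1:-$(date +%s)}" '
        $1 ~ /^(pub|sec|sub|ssb)$/ && $7 ~ /^[0-9]+$/ && $7 + 0 < now + 0 {
            printf "%s %s %s %d\n", $1, $5, $12, (now - $7) / 86400
        }'
}

# can_sign [NOW]: succeed only if a signing-capable key is unexpired and,
# for a subkey, its primary key is unexpired as well.
can_sign() {
    awk -F: -v now="${1:-$(date +%s)}" '
        function live(t) { return t == "" || t + 0 >= now + 0 }
        $1 ~ /^(pub|sec)$/ { primary = live($7); if (primary && $12 ~ /s/) ok = 1 }
        $1 ~ /^(sub|ssb)$/ { if (primary && live($7) && $12 ~ /s/) ok = 1 }
        END { exit !ok }'
}

# Evaluate the sample as of 2021-06-08 00:00:00 UTC (1623110400).
printf '%s\n' "$SAMPLE" | expired_keys 1623110400
printf '%s\n' "$SAMPLE" | can_sign 1623110400 || echo "no usable signing key"
```

On a live system, pipe `gpg --list-keys --with-colons` into either function instead of the sample.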
Thank you,
it works now.
I thought I had already extended the expiration date, but apparently I have not.