I was testing it today, and it seems indeed that the private DOs are not supported on the Nitrokey Start. I have confirmed this solution works on the Nitrokey Storage / OpenPGP v2.1.
I could not take detailed logs, so it will probably take longer to develop the exact solution.
I am searching for a workaround.
My impression is that the actual issue is within the OpenSC implementation.
Sorry for that. We will update the documentation in the meantime to mark that the Nitrokey Start is not cooperating with Veracrypt at this moment.
@nitroalex Please update the doc with this remark, thank you!
Details:
- Windows 10 1909 / 18363
- Used driver: `pkcs11-spy.dll` (same as regular, but with logs)
- Veracrypt 1.24-Update2
- Nitrokey Start (RTM.7/GNUK 1.2.14)
- Timeout set to 60 seconds (via registry modification per Windows docs from references)
- Followed the Nitrokey documentation linked below for setting up Veracrypt
References:
- https://www.nitrokey.com/documentation/applications#p:nitrokey-start&os:windows&a:hard-disk-encryption
- Unable to store Private Data Object 3 on NitroKey Pro
- https://github.com/OpenSC/OpenSC/pull/150
- https://github.com/Nitrokey/nitrokey-start-firmware/blob/gnuk1.2-regnual-fix/README
- https://github.com/Nitrokey/nitrokey-start-firmware/blob/gnuk1.2-regnual-fix/NEWS
- https://github.com/Nitrokey/nitrokey-start-firmware
- https://github.com/OpenSC/OpenSC/wiki/Windows-Quick-Start
- https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff404287(v=ws.10)?redirectedfrom=MSDN
- Nitrokey Start - Herausforderung mit Veracrypt (same issue reported by other user)
Edit:
Reproduced as well on Linux:
- Fedora 30
- OpenSC 0.19
- Veracrypt as before
- Nitrokey Start (RTM.7/GNUK 1.2.14)
- default driver: `/usr/lib64/opensc-pkcs11.so`

With a detailed log (`OPENSC_DEBUG=9`):

```
$ env OPENSC_DEBUG=9 ./veracrypt
<cut>
0x7f31b2010e80 16:13:30.625 [opensc-pkcs11] reader-pcsc.c:284:pcsc_transmit: reader 'Nitrokey Nitrokey Start (FSIJ-1.2.14-43144852) 00 00'
0x7f31b2010e80 16:13:30.625 [opensc-pkcs11] reader-pcsc.c:285:pcsc_transmit:
Outgoing APDU (69 bytes):
00 DA 01 01 40 31 32 33 34 35 36 37 38 39 30 31 ....@12345678901
32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 2345678901234567
38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 8901234567890123
34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 4567890123456789
30 31 32 33 34 01234
0x7f31b2010e80 16:13:30.625 [opensc-pkcs11] reader-pcsc.c:213:pcsc_internal_transmit: called
0x7f31b2010e80 16:13:30.626 [opensc-pkcs11] reader-pcsc.c:294:pcsc_transmit:
Incoming APDU (2 bytes):
6A 88 j.
0x7f31b2010e80 16:13:30.626 [opensc-pkcs11] apdu.c:390:sc_single_transmit: returning with: 0 (Success)
0x7f31b2010e80 16:13:30.626 [opensc-pkcs11] apdu.c:543:sc_transmit: returning with: 0 (Success)
0x7f31b2010e80 16:13:30.626 [opensc-pkcs11] card.c:465:sc_unlock: called
0x7f31b2010e80 16:13:30.626 [opensc-pkcs11] iso7816.c:128:iso7816_check_sw: Referenced data not found
0x7f31b2010e80 16:13:30.626 [opensc-pkcs11] card-openpgp.c:1695:pgp_put_data_plain: returning with: -1216 (Data object not found)
0x7f31b2010e80 16:13:30.626 [opensc-pkcs11] card-openpgp.c:1757:pgp_put_data: PUT DATA returned error: -1216 (Data object not found)
0x7f31b2010e80 16:13:30.626 [opensc-pkcs11] card-openpgp.c:3138:pgp_update_binary: returning with: -1216 (Data object not found)
0x7f31b2010e80 16:13:30.626 [opensc-pkcs11] card.c:712:sc_update_binary: returning with: -1216 (Data object not found)
0x7f31b2010e80 16:13:30.626 [opensc-pkcs11] pkcs15-openpgp.c:328:openpgp_store_data: returning with: -1216 (Data object not found)
0x7f31b2010e80 16:13:30.626 [opensc-pkcs11] pkcs15-lib.c:2225:sc_pkcs15init_store_data: returning with: -1216 (Data object not found)
0x7f31b2010e80 16:13:30.626 [opensc-pkcs11] pkcs15-lib.c:2117:sc_pkcs15init_store_data_object: Store 'DATA' object error: -1216 (Data object not found)
0x7f31b2010e80 16:13:30.626 [opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: -1216 (Data object not found)
```
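As an added example (not from the original post, and not OpenSC project code), a small Python parser for the OPENSC_DEBUG trace above: it pulls the PUT DATA command and its status word out of the hex dumps, so the DO tag being written (0101, a private-use DO) and the 6A 88 "Referenced data not found" reply can be read off the log mechanically. The log excerpt is a constructed copy of the trace quoted above; the lookup tables and function names are my own.

```python
import re
# Constructed excerpt of the OPENSC_DEBUG=9 trace quoted above (headers trimmed).
SAMPLE_LOG = """\
Outgoing APDU (69 bytes):
00 DA 01 01 40 31 32 33 34 35 36 37 38 39 30 31 ....@12345678901
32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 2345678901234567
38 39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 8901234567890123
34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 4567890123456789
30 31 32 33 34 01234
Incoming APDU (2 bytes):
6A 88 j.
"""
INS_NAMES = {0xDA: "PUT DATA", 0xCA: "GET DATA"}  # ISO 7816-4 instruction bytes
SW_NAMES = {0x9000: "Success", 0x6A88: "Referenced data not found", 0x6A80: "Incorrect parameters in data field"}
PRIVATE_DOS = {0x0101, 0x0102, 0x0103, 0x0104}  # OpenPGP card private-use DOs (P1P2 of PUT DATA)
HEADER = re.compile(r"^(Outgoing|Incoming) APDU \((\d+) bytes\):$")

def extract_apdus(log_text):
    """Return [(direction, bytes)] for every APDU hex dump in an OpenSC trace."""
    apdus, lines, i = [], log_text.splitlines(), 0
    while i < len(lines):
        m = HEADER.match(lines[i].strip())
        i += 1
        if not m:
            continue
        direction, remaining, buf = m.group(1), int(m.group(2)), bytearray()
        # A dump line holds at most 16 bytes, then an ASCII column that can itself look like hex.
        while remaining > 0 and i < len(lines):
            tokens = lines[i].split()[:min(16, remaining)]
            buf.extend(int(t, 16) for t in tokens)
            remaining -= len(tokens)
            i += 1
        apdus.append((direction, bytes(buf)))
    return apdus

def decode_command(cmd):
    """Split a short-form command APDU into ISO 7816 fields; for PUT/GET DATA the DO tag is P1P2."""
    cla, ins, p1, p2, lc = cmd[:5]
    data = cmd[5:]
    return {"cla": cla, "ins": ins, "ins_name": INS_NAMES.get(ins, "unknown"),
            "tag": (p1 << 8) | p2, "lc": lc, "data": data, "lc_ok": lc == len(data)}

def diagnose(log_text):
    """Pair the command with its status word and flag a rejected private-DO write."""
    cmds = dict(extract_apdus(log_text))  # direction -> last APDU seen in that direction
    info = decode_command(cmds["Outgoing"])
    sw = int.from_bytes(cmds["Incoming"][-2:], "big")  # SW1 SW2 are the trailing two bytes
    info.update(sw=sw, sw_name=SW_NAMES.get(sw, "unknown"),
                private_do=info["tag"] in PRIVATE_DOS, ok=sw == 0x9000)
    return info
```

Running `diagnose(SAMPLE_LOG)` on the trace above reports a 64-byte PUT DATA to DO 0101 answered with 6A88, i.e. the card rejected the private DO rather than the data itself.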