Factory Reset before selling NK's

I would like to sell my NKs, but of course with factory settings.

For NKProV1/2, Storage and HSMV1/2 I found some hints in the FAQs.
I assume the default setting for the HSM SO-PIN is 3537363231383830 and the PIN should be 648219 - correct?

What about FIDO U2F and FIDO2? Is there a way to do a factory reset?

Doing a device initialization with the SO-PIN is not a factory reset. It just removes all user objects (keys, certificates, authentication objects and metadata) from memory.

Once you set a SO-PIN you break the electronic seal that protects the device between production and first use. There is no way to revert this.

Thanks for the hint. Anyhow, I won't sell them as new. I just want to ensure that the buyer could follow all instructions here on the website or in OpenSC.
BTW: if I remember right, the update of the HSM totally reset the key, including a new serial number. Maybe I could just re-do the update? What do you think?

Nitrokey FIDO2 can be reset by:

  • pynitrokey tool: nitropy fido2 reset
  • Windows 10 system settings (Security devices)
  • Google Chrome Manage security keys - direct link (Chrome only):
    chrome://settings/securityKeys

Nitrokey FIDO U2F supports a custom reset, AFAIR, with the tool below:

I was doing an update recently, and indeed after that the HSM was in an uninitialized state in my observation. I do not know whether this is the same as the factory settings.

Thanks! Sounds great!
Maybe something you want to integrate in your FAQ section about (factory) reset of the keys?!


Hmm, for FIDO2 neither Windows 10 nor pynitrokey have been able to reset the key - Windows was running into a device error, pyn… was telling me the device is busy. Saying that, I did both inside virtual machines, which is normally no issue. Is there a critical HW timing?
I checked all keys with the Yubico test portal and they worked successfully (besides that they are not Y-keys :smiley: ).

BTW: what will the reset do?
Normally I would say you could re-use the key by just registering it anew, no?

Indeed, the timing is critical. According to the latest FIDO2 specification, the reset request can occur only during the first 10 seconds after the device is powered up; otherwise it has to be rejected.
Doing this through a VM is possible, but requires time precision. See docs at:

pynitrokey should have mentioned that - I wonder why you had the “busy” error. If you had done that under Windows 10, then it was probably caused by the OS locking the device from other applications, including pynitrokey. AFAIR running it within a terminal started with Admin rights solves the problem.
Forgot to mention that, probably for the same reason, the Google Chrome browser does not allow running a FIDO2 reset from itself on Windows 10, nor managing its content.

Reset operation for the FIDO2 replaces the key used for signing with a new one, and removes all FIDO2 Resident Keys (RK).

Regarding the docs, we are migrating to a new platform now so updates might be delayed.
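The reply above describes the practical constraint behind the "device busy" and "device error" symptoms: a CTAP2 authenticator only accepts authenticatorReset in the first seconds after power-up and answers CTAP2_ERR_NOT_ALLOWED afterwards. The script below is an added example, not code from this thread, from pynitrokey or from Nitrokey: it polls for a freshly plugged-in token and sends the reset immediately, so the command lands well inside the window regardless of how long the operator takes to type. The hardware path assumes the Yubico python-fido2 library (version 1.x, `pip install fido2`) and that `CtapHidDevice.descriptor.path` is a stable per-device identity; the polling and error classification are plain Python with injectable clock/sleep/enumeration so they can be exercised without a token.

```python
"""Send a CTAP2 authenticatorReset right after a FIDO2 token is inserted.

Added example (not from the forum thread or Nitrokey). The real reset uses
python-fido2 (assumption: version 1.x); everything else is dependency-free.
"""
import time

# Taken from the thread: reset is only accepted for roughly 10 s after power-up.
RESET_WINDOW_S = 10.0

# CTAP2 status codes from the CTAP 2.x specification ("Status codes" section).
CTAP2_ERR_USER_ACTION_TIMEOUT = 0x2F   # user did not touch the key in time
CTAP2_ERR_NOT_ALLOWED = 0x30           # e.g. reset requested after the window


def wait_for_new_device(list_devices, already_present, timeout_s, key,
                        poll_s=0.05, clock=time.monotonic, sleep=time.sleep):
    """Poll list_devices() until a device whose key() is not in `already_present`.

    Returns (device, seconds_waited); device is None on timeout. Enumeration
    errors (e.g. the HID node is not yet accessible right after insertion)
    are treated as "nothing there yet" and polling continues.
    """
    start = clock()
    while True:
        try:
            devices = list_devices()
        except OSError:
            devices = []
        for dev in devices:
            if key(dev) not in already_present:
                return dev, clock() - start
        if clock() - start >= timeout_s:
            return None, clock() - start
        sleep(poll_s)


def reset_once_inserted(list_devices, do_reset, key, timeout_s=60.0,
                        clock=time.monotonic, sleep=time.sleep):
    """Snapshot current devices, wait for a new one, fire the reset at once.

    `do_reset(dev)` performs the reset; on failure it raises an exception
    carrying the CTAP status in `.code` (python-fido2's CtapError does this).
    The returned dict lets a caller (or a test) see what happened.
    """
    known = {key(d) for d in list_devices()}
    dev, waited = wait_for_new_device(list_devices, known, timeout_s, key,
                                      clock=clock, sleep=sleep)
    if dev is None:
        return {"status": "no-device", "waited_s": waited}
    # Polling at 50 ms keeps insertion-to-command latency far below the window.
    try:
        do_reset(dev)
    except Exception as exc:  # CtapError in the hardware path; generic for fakes
        code = getattr(exc, "code", None)
        if code == CTAP2_ERR_NOT_ALLOWED:
            status = "not-allowed"       # window missed (or touch refused)
        elif code == CTAP2_ERR_USER_ACTION_TIMEOUT:
            status = "touch-timeout"
        else:
            status = "error"
        return {"status": status, "code": code, "waited_s": waited}
    return {"status": "reset", "waited_s": waited}


def main():
    # Hardware path; assumes python-fido2 1.x is installed.
    from fido2.hid import CtapHidDevice
    from fido2.ctap2 import Ctap2

    def do_reset(dev):
        # Blocks until the user confirms presence (touch) or the token refuses.
        Ctap2(dev).reset()

    print("Unplug the FIDO2 token now, then plug it back in. "
          f"Touch it when it blinks (window is about {RESET_WINDOW_S:.0f} s).")
    result = reset_once_inserted(CtapHidDevice.list_devices, do_reset,
                                 key=lambda d: d.descriptor.path)
    print(result)


if __name__ == "__main__":
    main()
```

Run it before inserting the token; on Linux the process needs read/write access to the hidraw node (udev rule or root), which is the same permission problem the "busy" error on a VM passthrough often hides. In a VM, the USB redirection adds latency to the power-up moment, so polling rather than typing the command by hand is what keeps the reset inside the window.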

Thanks for the hint. OK, I will try to be inside the 10 sec. pynitrokey was executed in a different VM with FreeBSD 12.x.

But I missed the answer: what will the reset do? When I hand the key over to somebody, this person could re-register the key and just use it, no?

(Of course the person could also just use the key and my logins ( if I still had one using FIDO1/2 ))

Factory reset regenerates the secret material stored on the Nitrokey FIDO U2F / Nitrokey FIDO2, which makes it a completely new key on the logical side (or removes the material, as in the case of FIDO2 Resident Keys). The new owner cannot use it to log in to the accounts of the previous one.

I see. In case you would have a stack trace / error message under hand, please paste it.

Thanks! BTW: a very nice documentation website (with a lot of JavaScript :smiley: ). I think it is a good approach…

Thank you! We need JavaScript to reduce the access complexity and for the visuals. If you prefer plain text, you can download it directly from the GitHub repository at https://github.com/Nitrokey/nitrokey-documentation/, e.g.:

Contributions are welcome! :slight_smile: