Factory Reset before selling NK's

I would like to sell my NK's, but of course with factory settings.

For NKProV1/2, Storage and HSMV1/2 I found some hints in the FAQs.
I assume the default setting for HSM SO is 3537363231383830 and the pin should be 648219 - correct?

What about FIDO U2F and FIDO2? Is there a way to do a factory reset?

Doing a device initialization with the SO-PIN is not a factory reset. It just removes all user objects (key, certificates, authentication objects and meta-data) from memory.

Once you set a SO-PIN you break the electronic seal that protects the device between production and first use. There is no way to revert this.

Thanks for the hint. I anyhow won't sell them as new. I just want to ensure that the buyer could follow all instructions here on the website or on OpenSC.
BTW: if I remember right, the update of the HSM has totally reset the key, incl. a new serial number. Maybe I could just redo the update? What do you think?

Nitrokey FIDO2 could be reset by:

  • pynitrokey tool: nitropy fido2 reset
  • Windows 10 system settings (Security devices)
  • Google Chrome Manage security keys - direct link (Chrome only):
    chrome://settings/securityKeys

Nitrokey FIDO U2F supports custom reset AFAIR with the below tool:

I was doing an update recently, and indeed after that the HSM was in an uninitialized state in my observation. I do not know whether this is the same as the factory settings.

Thanks! Sounds great!
Maybe something you want to integrate in your FAQ section about (factory) reset of the keys?!


Hmm, for FIDO2 neither Windows 10 nor pynitrokey have been able to reset the key - Windows was running into a device error, pyn… was telling me the device is busy. Saying that, I did both inside virtual machines, which is normally no issue. Is there a critical HW timing?
I checked all keys with the Yubico test portal and they worked successfully (besides that they are no Y-keys :smiley:)

BTW: what will the reset do?
Normally I would say you could re-use the key by just registering anew, no?

Indeed, the timing is critical. According to the latest FIDO2 specification, the reset request can occur only during the first 10 seconds after the device has been powered up, otherwise it has to be rejected.
Doing this through a VM is possible, but requires time precision. See docs at:

pynitrokey should have mentioned that - I wonder why you had the "busy" error - if you had done that under Windows 10, then it probably was caused by the OS locking the device from other applications, including pynitrokey. AFAIR running that within a terminal started with Admin rights solves the problem.
Forgot to mention that probably for the same reason the Google Chrome browser does not allow running a FIDO2 reset from itself on Windows 10, nor managing its content.

The reset operation for the FIDO2 replaces the key used for signing with a new one, and removes all FIDO2 Resident Keys (RK).

Regarding the docs, we are migrating to a new platform now so updates might be delayed.

Thanks for the hint. OK, I will try to stay inside the 10 sec. pynitrokey was executed in a different VM with FreeBSD 12.x

But I missed the answer: what will the reset do? When I hand the key over to somebody, this person could re-register the key and just use it, no?

(Of course the person could also just use the key and my logins (if I still had one using FIDO1/2))

Factory reset regenerates the secret material stored on the Nitrokey FIDO U2F / Nitrokey FIDO2, which makes it a completely new key logic-side (or removes it, as in the case of FIDO2 Resident Keys). The new owner cannot use it to log in to the account of the previous one.

I see. In case you have a stack trace / error message at hand, please paste it.

Thanks! BTW: a very nice documentation website (with a lot of JavaScript :smiley:). I think it is a good approach …

Thank you! We need JavaScript to remove the access complexity and for the visuals. If you prefer clear text, you can download it directly from the GitHub repository at https://github.com/Nitrokey/nitrokey-documentation/, e.g.:

Contributions are welcome! :slight_smile:

Ah, you are using Vue as an SSG. I am using HUGO :smiley: - I need to have a look at Vue, HUGO could use JS without a need. Anyhow, very nice! I see this as a step in the right direction.

We are changing it to Sphinx soon, which is more powerful than VuePress.


Ah, I had also a look at Sphinx, which is very mature and powerful.

For my use-cases it is too powerful, but for yours it could be the right stuff: write once - create multiple documentation formats. Overall, regardless which tool, availability, speed/actuality, doc coverage and doc accuracy would be the most important criteria to make the docs available for the user.
(Remember: a fool with a tool is still a fool) :smiley:


Just as a final feedback for the FIDO2: pynitrokey worked - my gut feeling is that it is less than 10 sec :smiley: If you do it on the console of the VM, you will have multiple pop-ups to answer:

  • nitropy - a yes
  • VM - sort out the USB connection (not host, guest system)
  • VM - allow access to the USB connection, after it has thrown on the console the match of the USB alignment
  • nitropy - a key press as second confirmation

It worked only on the second try, but it worked!

I was not able to run the Python script for Nitrokey FIDO U2F. A) python2 is now obsolete and replaced by py37; B) the famous hidapi (and the underlying libusb & udevlib) is not available under FreeBSD


Just another update on the FIDO U2F:
I created a VM with Debian/Linux and did all the setup with Python2.
Overall the script only runs as root user. Then I could wink and list. Also a factory-reset has started, but the final line sounds not like a success (on both devices). Any suggestions?

Nitrokey FIDO U2F client application
Opened device with SN:  0000000000000000
FF FF FF FF C3 00 39 EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE

C3 00 39 EE EE EE
EE EE EE EE EE EE EE EE
EE EE EE EE EE EE EE EE
EE EE EE EE EE EE EE EE
EE EE EE EE
EE EE EE EE
Wipe failed

It needs udev rules for the normal user to connect, hence probably why it runs only as root for you.
Regarding the error, it indeed looks like it failed - will check it on the next working day.
In general we want to integrate it with pynitrokey, so no such time-consuming setup would be required, and it will be more user friendly too.
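As an added example (not code from Nitrokey or from anyone in this thread), the following POSIX shell script builds a hidraw udev rule from the decimal vendor_id (8352) and product_id (17031) that `client.py list` printed further down in this thread; hidapi reports the ids in decimal while udev matches on 4-digit lowercase hex, which is the usual trip-up when "the rules are in place" but the tool still needs root. The use of the uaccess tag and the rule file name in the comments are assumptions of this example, not Nitrokey's published rules.

```shell
#!/bin/sh
# Added example, not Nitrokey's own udev file: derive a hidraw udev rule from the
# decimal vendor_id / product_id shown by `client.py list` (8352 / 17031).

# Convert a decimal USB id to the 4-digit lowercase hex string udev expects.
dec_to_udev_hex() {
    printf '%04x' "$1"
}

# Emit one rule: match the hidraw node of the given vendor/product and tag it
# "uaccess", so systemd-logind grants the active seat's user an ACL on the
# device node (no root, no extra group). Args: decimal vendor id, decimal product id.
udev_rule_for() {
    vid=$(dec_to_udev_hex "$1")
    pid=$(dec_to_udev_hex "$2")
    printf 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", TAG+="uaccess"\n' "$vid" "$pid"
}

# Stand-alone usage: print the rule for the ids reported in this thread.
# Save the output to a rules file that sorts before 73-seat-late.rules (for the
# uaccess tag to take effect), e.g. /etc/udev/rules.d/70-nitrokey-fido-u2f.rules
# (assumed name), then run `udevadm control --reload-rules && udevadm trigger`
# and re-plug the key.
udev_rule_for 8352 17031
```

If the tool still only works under sudo after this, the usual remaining causes are a rule file numbered above 73 (the uaccess ACL is never applied) or a Python environment installed as root that the normal user cannot import from, which is what the next reply in this thread suspects.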

The udev rules are in place. I think it is more that I have used pip also under root (pip3 always reminds you to use --user for installation). As it was "a throw-away VM" that's not a tragedy.
To support you a bit, find attached more logs from the other client.py functions:
(let me know if you need something different)

#
# Output client.py version
#
Nitrokey FIDO U2F client application
Opened device with SN:  0000000000000000
Firmware Git version: nk-v1.1
#
# Output client.py list
#
Nitrokey FIDO U2F client application
interface_number : 0
manufacturer_string : Nitrokey
path : 0003:0004:00
product_id : 17031
product_string : Nitrokey FIDO U2F
release_number : 256
serial_number : 0000000000000000
usage : 0
usage_page : 0
vendor_id : 8352
#
# Output client.py sanity check
#
Nitrokey FIDO U2F client application
Opened device with SN:  0000000000000000
Asking device for sanity check status: sanity check PASSED.
Details:
 constants set: 1
 read protection active: 1
 fake touch active: 0
 disabled watchdog: 0
 is it setup firmware: 0
#
# Output  client.py fingerprints
#
Nitrokey FIDO U2F client application
Opened device with SN:  0000000000000000
Get data slots fingerprints
SETUP firmware only
64 8D FF FF FF C6 00 39 01 03 EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE EE

status 8D FF
Invalid status

Hi!
Thank you for the additional debug info.
Turned out the Nitrokey FIDO U2F button has to be pressed during the execution of the factory reset (for about 12 seconds). I have updated the client accordingly - please download it again, or just start the factory-reset command with the button pressed on the device.

Changes:


I downloaded it again, followed the instructions and received a "Wipeout successful"!
What I missed was the counting hex bytes as last time. That was a good progress bar. Anyhow, the result counts!
Thank you for your support!

PS: I was still only able to do this with sudo - but I have used the former environment.
PS2: How can I check the factory reset? (Only the HSM is showing a message like "… has never been initialized …")
