Hello All!
I want to destroy the keys on my Nitrokey. I do a factory reset by using the following commands:
gpg --card-edit
admin
factory-reset
but it shows an error:
sending card command select AID failed: bad secret key
I am not familiar with the GPG functions of the NK3, but if you use the nitropy CLI program there is an option to reset "all": nitropy nk3 factory-reset. I am not 100% sure if this function also destroys GPG keys; going by the description it should.
You can either select a specific app running on the key or do a full reset:
PS C:\windows\system32> & "C:\Program Files\Nitrokey\Nitropy\nitropy.exe" nk3 factory-reset --help
Command line tool to interact with Nitrokey devices 0.4.47
Usage: nitropy.exe nk3 factory-reset [OPTIONS]
Factory reset all functionality of the device
Options:
-h, --help Show this message and exit.
PS C:\windows\system32> & "C:\Program Files\Nitrokey\Nitropy\nitropy.exe" nk3 factory-reset-app --help
Command line tool to interact with Nitrokey devices 0.4.47
Usage: nitropy.exe nk3 factory-reset-app [OPTIONS]
{fido|opcard|secrets|piv|webcrypt}
Factory reset all functionality of an application
Options:
-h, --help Show this message and exit.
It is a recent feature according to the changelog:
v1.7.0 (2024-04-24)
(…)
Support app and device factory reset (#383, #479)
Yes, the device has been detected, and I also started a shell with administrative privileges.
I have tried the wink command, and the device gives a response to the wink command.
I think you might also need to reinsert the key, and then input the nitropy nk3 factory-reset command within 10 seconds of inserting the key, for the command to be successful. This condition is probably in place as a security measure.
Did you check that despite the failure there is no data remaining on the device?
It could be that the command failed because the device automatically reboots after a factory reset.
Normally this is handled properly but there might be some edge-case that we haven’t handled properly.
What data are you trying to erase?
In the worst case, each app has its own factory-reset mechanism that should work.
It prompts to touch the device; the error displays after touching on the device with firmware v1.7.1.
While on the device with firmware v1.5, it shows a critical error without prompting to touch the device.
You can check with nitropy commands if any secrets or FIDO2 credentials are stored, using the "list" command. If you see no credentials, then the factory reset was probably successful.