Hi,
I usually unlock my encrypted devices via systemd-cryptsetup and FIDO2-Tokens. Today I was not able to unlock my partitions using the NK3. After utilizing a backup token and starting the system, I found that the FIDO2-PIN was not set anymore. The HMAC-Secret I used to unlock my KeePassXC-Database with was also gone.
nitropy nk3 test reports 4× Success and 1× Failure:
Found 1 NK3 device(s):
- Nitrokey 3 at /dev/hidraw4
Running tests for Nitrokey 3 at /dev/hidraw4
[1/5] uuid UUID query SUCCESS A1D353[redacted]
[2/5] version Firmware version query SUCCESS v1.8.1
[3/5] status Device status SUCCESS Status(init_status=<InitStatus: 0>, ifs_blocks=64, efs_blocks=467, variant=<Variant.LPC55: 1>)
Running SE050 test: |
[4/5] se050 SE050 SUCCESS SE050 firmware version: 3.1.1 - 1.11, (persistent: (29132,), transient_deselect: (607,), transient_reset: (592,))
Please press the touch button on the device ...
[5/5] fido2 FIDO2 FAILURE 'x5c'
5 tests, 4 successful, 0 skipped, 1 failed
Summary: 1 device(s) tested, 0 successful, 1 failed
Critical error:
Test failed for 1 device(s)
I did update to v1.8.1 after the first test, and I did a factory reset on both options in the nitrokey2-app. After restoring the HMAC-Secret, unlocking my KeePassXC-Database does work again; FIDO2 also seems to work fine after enrolling the reset token, but undoubtedly the stored things should not have been gone in the first place, and there should be no error while testing with nitropy. I am out of ideas at this point; maybe someone could give me a hint as to what went wrong and what to do now?