Failure of a NK3 – how to investigate?

Hi,

I usually unlock my encrypted devices via systemd-cryptsetup and FIDO2-Tokens. Today I was not able to unlock my partitions using the NK3. After utilizing a backup token and starting the system I found that the FIDO2-PIN was not set anymore. The HMAC-Secret I used to unlock my KeePassXC-Database with was also gone.

nitropy nk3 test reports 4× Success and 1× Failure:

 Found 1 NK3 device(s):
- Nitrokey 3 at /dev/hidraw4

Running tests for Nitrokey 3 at /dev/hidraw4

[1/5]   uuid            UUID query                      SUCCESS         A1D353[redacted]
[2/5]   version         Firmware version query          SUCCESS         v1.8.1
[3/5]   status          Device status                   SUCCESS         Status(init_status=<InitStatus: 0>, ifs_blocks=64, efs_blocks=467, variant=<Variant.LPC55: 1>)
Running SE050 test: |
[4/5]   se050           SE050                           SUCCESS         SE050 firmware version: 3.1.1 - 1.11, (persistent: (29132,), transient_deselect: (607,), transient_reset: (592,))
Please press the touch button on the device ...
[5/5]   fido2           FIDO2                           FAILURE         'x5c'

5 tests, 4 successful, 0 skipped, 1 failed

Summary: 1 device(s) tested, 0 successful, 1 failed

Critical error:
Test failed for 1 device(s)

I did update to v1.8.1 after the first test, and I did a factory reset on both options in the nitrokey2-app. After restoring the HMAC-Secret, unlocking my KeePassXC-Database does work again; FIDO2 also seems to work fine after enrolling the reset token, but undoubtedly the stored things should not have been gone in the first place, and there should be no error while testing with nitropy. I am out of ideas at this point; maybe someone could give me a hint what went wrong and what to do now?

What is the first test you refer to? You imply you ran the nitropy test, then updated firmware and ran factory reset, and then ran the nitropy test a second time?

First test was the same (nitropy nk3 test) but with firmware 1.7.x (did not write that down – my bad). Output was exactly the same, except the version string.

Please contact Nitrokey at shop@nitrokey.com; they will most likely send you a replacement key.

Looks like it’s a hardware fault: Now it’s entirely dead. No LED when plugging in, no corresponding entries in the journal. I’ll create a ticket since I bought it only a little more than a year ago.

Replacement arrived yesterday – that’s a good customer service :slight_smile:
