HSM Key with GnuPG V 2.2 working?

On your website you are announcing under HSM->Applications->General that the HSM Key is supported since GnuPG version 2.1.

I have my doubts after spending my Sunday trying to get it up and running :( - now, saying that, it could be that I am doing something wrong. While the card works very well under OpenSC with sc-hsm-tool, pkcs15-tool and pkcs11-tool, it doesn’t work with the openpgp-tool from OpenSC, nor does it work with gpgv1/2. I always receive the answer that the card doesn’t support OpenPGP.

Here is a log of the scdaemon:

2018-10-29 12:51:56 scdaemon[40080] DBG: chan_7 <- GETINFO version
2018-10-29 12:51:56 scdaemon[40080] DBG: chan_7 -> D 2.2.10
2018-10-29 12:51:56 scdaemon[40080] DBG: chan_7 -> OK
2018-10-29 12:51:56 scdaemon[40080] DBG: chan_7 <- SERIALNO openpgp
2018-10-29 12:51:56 scdaemon[40080] detected reader 'Nitrokey Nitrokey HSM (010000000000000000000000) 00 00'
2018-10-29 12:51:56 scdaemon[40080] detected reader ''
2018-10-29 12:51:56 scdaemon[40080] reader slot 0: not connected
2018-10-29 12:51:57 scdaemon[40080] DBG: feature: code=12, len=4, v=42330012
2018-10-29 12:51:57 scdaemon[40080] DBG: TLV properties: tag=01, len=2, v=00000000
2018-10-29 12:51:57 scdaemon[40080] DBG: TLV properties: tag=03, len=1, v=00000000
2018-10-29 12:51:57 scdaemon[40080] DBG: TLV properties: tag=09, len=1, v=00000000
2018-10-29 12:51:57 scdaemon[40080] DBG: TLV properties: tag=0B, len=2, v=000020A0
2018-10-29 12:51:57 scdaemon[40080] DBG: TLV properties: tag=0C, len=2, v=00004230
2018-10-29 12:51:57 scdaemon[40080] DBG: TLV properties: tag=0A, len=4, v=00010000
2018-10-29 12:51:57 scdaemon[40080] reader slot 0: active protocol: T1
2018-10-29 12:51:57 scdaemon[40080] slot 0: ATR=3B FE 18 00 00 81 31 FE 45 80 31 81 54 48 53 4D 31 73 80 21 40 81 07 FA
2018-10-29 12:51:57 scdaemon[40080] DBG: pcsc_get_status_change: changed present inuse
2018-10-29 12:51:57 scdaemon[40080] DBG: send apdu: c=00 i=A4 p1=00 p2=0C lc=2 le=-1 em=0
2018-10-29 12:51:57 scdaemon[40080] DBG: PCSC_data: 00 A4 00 0C 02 3F 00
2018-10-29 12:51:57 scdaemon[40080] DBG: response: sw=6A86 datalen=0
2018-10-29 12:51:57 scdaemon[40080] can't select application 'openpgp': Nicht unterstützt
2018-10-29 12:51:57 scdaemon[40080] DBG: chan_7 -> ERR 100696144 Operation not supported by device <SCD>
2018-10-29 12:51:57 scdaemon[40080] DBG: chan_7 <- RESTART
2018-10-29 12:51:57 scdaemon[40080] DBG: chan_7 -> OK
2018-10-29 12:51:57 gpg-agent[39839] Handhabungsroutine 0x801c17e00 für den fd 8 beendet

I was able to tell scdaemon not to use the internal ccid driver and also denied using the openpgp application with the pcsc driver (as the driver should use the sc-hsm driver, which would be possible). Now it looks like gpg --card-status always wants the openpgp application and doesn’t leave the selection of the driver to scdaemon?

Or am I lost in the wrong way inside the maze?

PS: is it possible to simply change the card inside the HSM to a newer card?
PS2: The above scenario works well with the NK Pro V1 - so I assume it is not my driver setup.
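As an added example (not from the original post, nor from Nitrokey or GnuPG) to make the scdaemon trace above readable: a small Python parser that walks the ATR to its historical bytes, decodes the COMPACT-TLV pre-issuing data the card announces, and pairs each PCSC_data command APDU with the meaning of its ISO 7816-4 status word. SAMPLE_LOG is constructed from the lines quoted above; the INS and SW tables are deliberately small.

```python
import re

# Constructed sample: the relevant lines of the scdaemon debug log quoted in the post above.
SAMPLE_LOG = """\
2018-10-29 12:51:57 scdaemon[40080] slot 0: ATR=3B FE 18 00 00 81 31 FE 45 80 31 81 54 48 53 4D 31 73 80 21 40 81 07 FA
2018-10-29 12:51:57 scdaemon[40080] DBG: PCSC_data: 00 A4 00 0C 02 3F 00
2018-10-29 12:51:57 scdaemon[40080] DBG: response: sw=6A86 datalen=0
"""
# Deliberately small ISO 7816-4 tables; extend them for the commands you need to read.
INS_NAMES = {0xA4: "SELECT", 0xB0: "READ BINARY", 0xCA: "GET DATA", 0x20: "VERIFY"}
SW_MEANING = {"9000": "success", "6A82": "file or application not found",
              "6A86": "incorrect parameters P1-P2", "6D00": "INS not supported"}

def atr_historical_bytes(atr_hex):
    """Walk the ATR interface-byte chain (TAi/TBi/TCi/TDi) to reach the historical bytes."""
    b = bytes.fromhex(atr_hex.replace(" ", ""))
    k, y, i = b[1] & 0x0F, b[1] >> 4, 2        # T0: K historical bytes, Y1 presence bits
    while True:
        i += bin(y & 0x7).count("1")           # skip TAi, TBi, TCi when present
        if not y & 0x8:                        # no TDi: end of the interface bytes
            break
        y, i = b[i] >> 4, i + 1                # TDi carries the next presence bits
    return b[i:i + k]

def atr_pre_issuing_data(atr_hex):
    """Decode COMPACT-TLV historical bytes; return tag 5 (pre-issuing data) as text."""
    hist = atr_historical_bytes(atr_hex)
    if not hist or hist[0] != 0x80:            # category indicator 0x80: COMPACT-TLV follows
        return None
    objs, i = {}, 1
    while i < len(hist):
        tag, length = hist[i] >> 4, hist[i] & 0x0F
        objs[tag], i = hist[i + 1:i + 1 + length], i + 1 + length
    return objs.get(5, b"").decode("ascii", "replace")

def decode_scdaemon_log(text):
    """Return the card's pre-issuing data and each (command, SW, meaning) triple in the trace."""
    result, pending = {"card": None, "apdus": []}, None
    for line in text.splitlines():
        if m := re.search(r"ATR=([0-9A-F ]+)$", line):
            result["card"] = atr_pre_issuing_data(m.group(1))
        elif m := re.search(r"PCSC_data: ([0-9A-F ]+)$", line):
            pending = bytes.fromhex(m.group(1).replace(" ", ""))   # raw command APDU
        elif (m := re.search(r"response: sw=([0-9A-F]{4})", line)) and pending:
            ins, p1, p2 = pending[1], pending[2], pending[3]
            data = pending[5:5 + pending[4]] if len(pending) > 4 else b""
            cmd = f"{INS_NAMES.get(ins, f'INS {ins:02X}')} P1={p1:02X} P2={p2:02X} data={data.hex().upper()}"
            result["apdus"].append((cmd, m.group(1), SW_MEANING.get(m.group(1), "unknown")))
            pending = None
    return result
```

For the ATR in the thread the pre-issuing data decodes to the text HSM1, and the single SELECT of file 3F00 in the trace comes back with 6A86 (incorrect P1-P2) rather than 9000.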

Nitrokey HSM works with gpgsm from the GnuPG suite. Our documentation was misleading and I just fixed it. It doesn’t work with gpg directly, nor with openpgp-tool.

Technically you could replace the smart card, but we don’t support this and you would lose any warranty.

Hmm, I have my doubts that even gpgsm is working with that card: gpgsm --learn-card also fails (it is also using the gpg-agent and scdaemon and will only return something if scdaemon could use the internal ccid driver), either with “card is removed” or with a continued reading of the card until you stop pcscd. I think GnuPG usage with my current HSM is not possible and it is better to stay completely on the OpenSC side/software.

Does the new HSM still have the same old card?

Hey,

I never found the time to test it myself, but a user wrote us a mail once and told us that it is possible to use the HSM with this additional software and GnuPG. At least existing keys ought to be usable.

Kind regards


Thanks - I might try this. The problem with patching is that it might be a “never-ending story” during OS/ports/pkg upgrades (you always have to remember that and do some extra work). So out-of-the-box support would of course be better. But if I don’t get my use cases covered with OpenSC, I will give it a try. So thanks again for the information.

Is one requirement for the upcoming HSM v2 that it will be fully supported by GnuPG?

No. The reason is that the GnuPG project only wants to support the OpenPGP Card and no other smart card.

Oh, ok - thanks for the update! As it works well with the NK Pro, I don’t see this as an issue long-term. It also looks like OpenSC does support what I need with PKCS#11.

It is possible to use a Nitrokey HSM 2 with GPG using gnupg-pkcs11-scd; I’ve written a quick guide on how to set things up:
