Linux Nitrokey Storage OpenSC

Hey everybody,

I have just bought a Nitrokey Storage and would like to store OpenPGP and S/MIME certificates. I have initialized the stick with GPA and have successfully created keys on the stick first (as suggested, as it will not work the other way round). But when I issue “opensc-tool -l” it just returns a “No smart card readers found.”
I’m completely unsure if I have to initialise OpenSC as well (I suspect not) or if I’m in a dead end here.
Some clarification and tips would be really appreciated.

Holger

Hi @holger !

Both GnuPG’s scdaemon and OpenSC’s pcscd want to hold the Storage’s smartcard exclusively. In your case the former probably took it, and one needs to kill it before opensc-tool can connect to it via pcscd. This conflict was even discussed in OpenSC issue #953 (just found it).
The following snippet should help (assuming OS is Linux):

sudo killall scdaemon pcscd
sudo pcscd
opensc-tool -l

If not, please provide OS, OpenSC and GnuPG versions.
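The hand-over between the two daemons can be scripted so that the “No smart card readers found.” symptom is recognised and the switch is done in both directions. This is an added example, not the snippet from the post above; it assumes Linux with pgrep, a GnuPG 2.1 or later so that gpgconf --kill is available (the killall fallback covers older setups), and the usual opensc-tool -l output with a “Detected readers” header line.

```sh
#!/bin/sh
# Switch an OpenPGP card (e.g. Nitrokey Storage) between GnuPG's scdaemon and
# OpenSC's pcscd, since both want exclusive access to the reader.
# Added example for the thread; assumes Linux, pgrep, GnuPG 2.1+ (gpgconf --kill).

# Interpret the output of "opensc-tool -l": the "No smart card readers found."
# line is the symptom of another process (usually scdaemon) holding the reader.
classify_reader_output() {
  case "$1" in
    *"No smart card readers found"*) echo "no-reader" ;;
    *"Detected readers"*)            echo "reader-present" ;;
    *)                               echo "unknown" ;;
  esac
}

# True when a daemon with exactly this process name is running.
daemon_running() {
  pgrep -x "$1" >/dev/null 2>&1
}

# Hand the card to OpenSC: stop scdaemon the way GnuPG intends (gpgconf --kill
# asks gpg-agent to terminate it) and fall back to killall, then make sure
# pcscd is up before listing readers.
use_opensc() {
  if daemon_running scdaemon; then
    gpgconf --kill scdaemon 2>/dev/null || sudo killall scdaemon
  fi
  daemon_running pcscd || sudo pcscd
  out=$(opensc-tool -l 2>&1)
  echo "$out"
  echo "status: $(classify_reader_output "$out")"
}

# Hand the card back to GnuPG: stop pcscd; gpg-agent respawns scdaemon on the
# next card access.
use_gnupg() {
  if daemon_running pcscd; then
    sudo killall pcscd
  fi
  gpg2 --card-status
}

# Usage: sh switch-card.sh opensc   or   sh switch-card.sh gnupg
case "${1:-}" in
  opensc) use_opensc ;;
  gnupg)  use_gnupg ;;
esac
```

Running the script with no argument only defines the functions, so it can be sourced into an interactive shell and the two helpers called by hand; the classifier makes the exclusive-access conflict visible as a status word instead of leaving the reader to interpret the raw tool output.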

Hi szszszsz,
(I hope I never have to pronounce your user name;-)
Thank you for your quick answer. You are absolutely right. scdaemon exclusively blocks the card (reader).

Killing the daemon makes OpenSC work. But that does mean both certificates can be stored on the stick, but I can only access the one or the other, depending on which of the two programs is currently running. Right?

Sorry for not mentioning OS etc.: Linux (Ubuntu xenial), pcscd 1.8.14, scdaemon 2.1.11, gnupg 1.4.20.

Holger

Hi!
Right, I should add that to my profile page :wink: This is actually a Polish sound-alike word, resembling white noise, with the extra attribute that the two letters are my name’s initials. Pronunciation: [1] [2 (click the speaker on the left)].

Regarding the case, you might be right. I am not sure GnuPG cares about anything other than its keys, so for the certificates you might need OpenSC. Perhaps @nitroalex could add something.

Hi Holger,

Unfortunately, what you are trying to achieve will not work anyway. So you don’t have to bother about the GnuPG/OpenSC issue (though I can try to help fix this, if you like).

The point is that the underlying OpenPGP Card v2 (OPC2) of your Nitrokey Storage is not able to make use of both methods at the same time. The newer OpenPGP Card v3 probably is able to do this, but isn’t widely used yet (especially not yet for NK).

The problem is the fact that OPC2 cannot read the key for the S/MIME certificate from slot 3 (where it has to be saved) and thus needs the key situated in slot 2 (see third note here). Therefore the S/MIME encryption does occupy two slots. GnuPG, on the other hand, expects to have three keys – one main key and two subkeys – and thus wants to use all three slots. While it probably wouldn’t do much harm not using slot 3 for GnuPG (authentication), it surely is a problem if slot 2 (encryption) can’t be used…

I never tried to copy a main key with added encryption (“SCE” then) capability to slot 1, but I guess GnuPG won’t work like this anyway.

Bottom line is that you probably can’t do what you try to do and you should consider just using the one or the other method… I am sorry.

Kind regards
Alex

Hi Alex,
thank you for your answer - even if it is not what I wanted to hear;-) This whole encryption/signing thing really seems very complex, and after a weekend of reading / trying / testing S/MIME and GnuPG I am not surprised anymore why so few use these techniques. So clear statements are probably all the more important, and if both GnuPG and S/MIME are mentioned as optional and not as alternatives in the “start” instructions, this might lead someone in the wrong direction. (As it did with me.)
Maybe you can add a statement that it is not possible to use both certificates together.

Holger


Good point! I’ll try to make this more clear!

When I use “gpg2 --card-status” and it says “Version: 3.3” => can I use PGP and PKCS together?

In theory, yes. Until now the problem is that the driver mostly used (that is, OpenSC) is not aware of this functionality yet.

If you are running Windows you can use the OpenPGP-CSP driver (which is in development as well, thus it is not stable yet) in combination with Outlook. This is where I tested the idea as a proof of concept. I was able to sign and decrypt messages by only using the Authentication key slot, which would not work on an OpenPGP Card v2.

I didn’t find time to write instructions or to test this further. You can write me a message if you’d like to be a tester though :wink:

Kind regards
Alex

Thx but I use MacOS :wink:

Then you have to wait a bit, I am afraid… sorry!