New User Needs help and clarifications about Nitrokey Pro/X509v3

Hi!
Wow, that is a lot of questions indeed! I am mostly a Pro/Storage user (with a planned switch to HSM as well), so I will reply from that perspective.
Pro and HSM devices share the same hardware but contain different smart cards (OpenPGP v2.1/v3.3 vs. HSM smartcard), hence they work slightly differently.
The most significant difference between the two (omitting key and certificate capacity; from a life-cycle management perspective) is that the Pro's smartcard can be reset (with special commands) after it locks following 3 tries, whereas the HSM's is (AFAIK) locked forever after 15 trials.

  1. As far as I remember, OpenSC does not create a GnuPG-compatible data structure on initialization - hence, to use both solutions, initialization with GnuPG is recommended.
  2. Initialization depends on the smartcard used. It could be key generation, setting the PIN or creating structures. Could you paste a link to the guide which you use?
  3. The HSM does not have a HID interface, hence it cannot communicate with the Nitrokey App and have its PIN changed there. You can do so with Pro/Storage.
  4. As for the question of what initialization means and what the commands are to do it through GnuPG and OpenSC - I will ask @nitroalex to reply, as he has worked on this topic heavily.
  1. The OpenSC way will be appropriate for the HSM. For the Pro device it is best to use GnuPG to generate keys, as OpenPGP is designed to work with it (e.g. it generates 3 keys, whereas OpenSC makes 1 key at a time).
  2. SO PIN (= Super-Operator PIN) and Admin PIN should be equivalent terms.
  3. About bricking:
    a) The Pro's smartcard should always reset to its starting state after using the reset sequence. I believe this is not the case for the HSM's.
    b) The reset sequence for the Pro could 'brick' the HSM smartcard - never send it to the latter.
    c) The HSM could be 'bricked' by using up all 15 retries for the SO-PIN. I believe there is no way to make it work again after that.

This should work on HSM and Pro as well, but the latter will have issues later when used with GnuPG (as explained earlier).

I have not 'bricked' my Pro yet. I thought I had once actually, but then I used another 'reset' sequence. GnuPG has changed the sequence recently.
Perhaps @nitroalex knows some interesting stories.

This refers mostly to applications having exclusive access to the device. If it were not that way, they might execute contradicting commands, interfering with each other's work.
From the user's perspective this will mostly be apparent through error messages, in which applications might complain that no smartcard is connected. In such a case one needs to close the other applications.
On Linux this might be frequent where pcscd and gpg are used. gpg uses scdaemon to communicate with the smartcard in exclusive mode, and pcscd is a gateway to PKCS#11. Both daemons are left running after use and might block each other. I have a (perhaps unhealthy) habit that when I see the smartcard is not detected, I just kill both and then execute the app I am interested in.

@nitroalex Could you check please?

The OpenSC installer should contain the pkcs11 library.

The mentioned 3 slots on the Pro device are for RSA keys (OpenPGP v2.1).

@nitroalex Could you help?

I think you could work with the Pro as hard as you want - I have not bricked it yet and I think I have tried hard :slight_smile: . As for the HSM, you have to watch out for initialization (where the first SO/Admin PIN is set, so that you do not set random bytes as a PIN - I think someone did this with OpenSC) and for not exhausting your Admin PIN trials. It should work otherwise.
All tutorials are welcome! There are never enough of them. This topic is not easy and there are still some non-intuitive caveats.
I am glad you like it! :slight_smile:

If you are planning to use OpenSC on Windows 8+, please be aware of this 'time-out' bug.

Additional resources you might like to read:

In case you have missed any pages from the Support submenu: