Nitrokey HSM 2 not recognized on OpenSUSE Tumbleweed

Hello there,

strange phenomenon on openSUSE Tumbleweed. As prequisites I installed the following packages for using the Nitrokey HSM 2:

sudo zypper install opensc gnutls pcsc-tools

The versions of the software packages are currently:


“pcscd.service” is enabled and started. After having inserted the Nitrokey HSM 2 into a free USB port the device shows up as a proper USB device:

    Bus 003 Device 003: ID 20a0:4230 Clay Logic Nitrokey HSM

    T:  Bus=03 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#=  3 Spd=12   MxCh= 0
    D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=20a0 ProdID=4230 Rev=01.01
    S:  Manufacturer=Nitrokey

    [    4.258758] usb 3-1.2: New USB device found, idVendor=20a0, idProduct=4230, bcdDevice= 1.01
    [    4.258773] usb 3-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    [    4.258776] usb 3-1.2: Product: Nitrokey HSM
    [    4.258779] usb 3-1.2: Manufacturer: Nitrokey

However, “pkcs11-tool” and “pkcs15-tool” do not recognize the HSM:

pkcs15-tool -D
    No smart card readers found.

pkcs11-tool --module /usr/lib64/ -L
    Available slots:
    No slots.

pkcs11-tool --module /usr/lib64/ -O
    No slots.

I added the “41-nitrokey.rules” udev rules from the “GitHub - Nitrokey/libnitrokey: Communicate with Nitrokey devices in a clean and easy manner” project and rebooted the machine - but to no avail. When I try “gpg2 --card-status” at least I get some kind of response:

gpg2 --card-status
    Reader ...........: 20A0:4230:DENKxxxxxxxxxxx         :0
    Application ID ...: xxxxxxxxxxxxxxxxxxxxxx
    Application type .: Unknown

I have other machines running Mint Linux 21.2 as well as Windows 10 22H2 which do work with the Nitrokey HSM 2 without problems (OK, on Windows I had to fiddle around with “libp11” a bit and the hint in the documentation towards “p11tool” is not usable - but nevertheless I got it running). Only openSUSE Tumbleweed shows this strange behaviour. Any ideas are welcome (maybe some additional udev rule?).

Best regards

What probably happens: your PC/SC daemon has Policy Kit integration enabled and one has to enable the smartcard usage for the particular user:

1 Like


thanks for the prompt reply and the suggestion. I edited the configuration file “/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy”, set all the <allow_xxx> directives to “yes” and rebooted the machine. Sadly, this would not work. I stopped the pcscd service and started it in debug mode in the foreground:

sudo systemctl stop pcscd.service
sudo pcscd --foreground --debug

Now when I execute “pkcs11-tool -L” as a regular user I see the following errors on the pcscd console ALTHOUGH I made the polkit-related changes:

    00006119 [139677926102720] auth.c:143:IsClientAuthorized() Process 6151 (user: 1000) is NOT authorized for action: access_pcsc
    00000191 [139677926102720] winscard_svc.c:336:ContextThread() Rejected unauthorized PC/SC client

OK, I can sort this out later. So I tried “sudo pkcs11-tool -L”. No the pcscd console shows no error:

    00004245 [139677926102720] winscard_svc.c:341:ContextThread() Authorized PC/SC client
    00000013 [139677926102720] winscard_svc.c:344:ContextThread() Thread is started: dwClientID=7, threadContext @0x5642177ae720
    00000013 [139677926102720] winscard_svc.c:362:ContextThread() Received command: CMD_VERSION from client 7
    00000010 [139677926102720] winscard_svc.c:374:ContextThread() Client is protocol version 4:4
    00000005 [139677926102720] winscard_svc.c:397:ContextThread() CMD_VERSION for client 7, rv=SCARD_S_SUCCESS
    00000047 [139677926102720] winscard_svc.c:362:ContextThread() Received command: ESTABLISH_CONTEXT from client 7
    00000016 [139677926102720] winscard.c:210:SCardEstablishContext() Establishing Context: 0x4AC14B07
    00000006 [139677926102720] winscard_svc.c:466:ContextThread() ESTABLISH_CONTEXT for client 7, rv=SCARD_S_SUCCESS
    00000031 [139677926102720] winscard_svc.c:362:ContextThread() Received command: CMD_GET_READERS_STATE from client 7
    00000063 [139677926102720] winscard_svc.c:362:ContextThread() Received command: CMD_GET_READERS_STATE from client 7
    00000109 [139677926102720] winscard_svc.c:362:ContextThread() Received command: RELEASE_CONTEXT from client 7
    00000034 [139677926102720] winscard.c:224:SCardReleaseContext() Releasing Context: 0x4AC14B07
    00000016 [139677926102720] winscard_svc.c:481:ContextThread() RELEASE_CONTEXT for client 7, rv=SCARD_S_SUCCESS
    00000285 [139677926102720] winscard_svc.c:355:ContextThread() Client die: 7
    00000028 [139677926102720] winscard_svc.c:1072:MSGCleanupClient() Thread is stopping: dwClientID=7, threadContext @0x5642177ae720
    00000008 [139677926102720] winscard_svc.c:1080:MSGCleanupClient() Freeing SCONTEXT @0x5642177ae720

but pkcs11-tool still shows “No slots”. I tried two more utilities:

sudo opensc-tool --list-readers
    No smart card readers found.

and “sudo pcsc_scan” hangs indefinitely with a rotating status indicator. Very, very strange…

Best regards

Does pcscd detect and configure the Nitrokey ?

My guess is, that the GPG stuff tries to talk to the token directly via CCID and that this blocks pcscd from configuring the token.


the Nitrokey is detected by “pcscd” but it seems that the device is not configured. I unplugged the Nitrokey then startes “pcscd” in foreground. When I plugged in the Nitrokey the console showed that a USB device was added and that it was looking for a driver - nothing else:

sudo systemctl stop pcscd.service
sudo pcscd --foreground --debug
    # when plugging in Nitrokey HSM 2 on OpenSUSE Tumbleweed
    31478721 [140124075656896] hotplug_libudev.c:645:HPEstablishUSBNotifications() USB Device add
    00000217 [140124075656896] hotplug_libudev.c:298:get_driver() Looking for a driver for VID: 0x20A0, PID: 0x4230, path: /dev/bus/usb/002/004

I tried all this on a Mint Linux 21.1 system which works like a charm with the same Nitrokey and on this system the output reads as follows:

sudo systemctl stop pcscd.service
sudo pcscd --foreground --debug
    # when plugging in Nitrokey HSM 2 on Minit Linux 21.1
    32953536 [139636184102464] hotplug_libudev.c:667:HPEstablishUSBNotifications() USB Device add
    00000408 [139636184102464] hotplug_libudev.c:300:get_driver() Looking for a driver for VID: 0x20A0, PID: 0x4230, path: /dev/bus/usb/001/004
    00000026 [139636184102464] hotplug_libudev.c:441:HPAddDevice() Adding USB device: Nitrokey Nitrokey HSM
    00000137 [139636184102464] readerfactory.c:1097:RFInitializeReader() Attempting startup of Nitrokey Nitrokey HSM (xxxxxxxxxxxxxxx) 00 00 using /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/

User sc-hsm suggested that GPG could be the culprit because of connecting to the token directly via CCID. I am a bit at a loss here - I do not use GPG actively though it seems to be installed. I looked at all the “systemd” services as well as the active processes and could not find anything related to GPG.

Best regards

pcscd uses libccid to interface with card readers like the Nitrokey HSM. That module is usually located in /usr/lib/pcsc/driver/ifd-ccid.bundle and has a configuration file named Info.plist.

Info.plist contains a list of vendor and product ids. Can you check, if the VID and PID is listed there ?

See our blog for details.

1 Like

Hello sc-hsm,

your hint towards “libccid” lead me to the solution (somewhat unexpected). Your blog entry pointed to a configuration file somewhere in “/usr/lib/pcsc/*” WHICH DID NOT EXIST on my installation!!! So I looked for something “ccid” and that search revealed nothing:

rpm qa *ccid*

The missing CCID driver was the root cause for my problem. I looked for the “libccid” package to install but there is no such thing for openSUSE. So I opted for Ludovic Rousseau’s “CCID free software driver for Unix” (“”) which needs the “pcsc-lite-dev” package for compilation. There is no “pcsc-lite-dev” package for openSUSE, but a search “zypper search pcsc” revealed two things: firstly, the needed development package is called “pcsc-lite-devel” and secondly (much more important) there is a package named “pcsc-ccid” with the description “PCSC Driver for CCID Based Smart Card Readers”. And that did the trick!!!

This is the complete list of prequisite software packages I had to install to get Nitrokey HSM 2 running under openSUSE Tumbleweed:

sudo zypper install opensc gnutls pcsc-tools pcsc-ccid

I still have the problem that only an administrative user is able to see and use Nitrokey as “pkcs11-tool -L” still returns “No slots” for a regular unprivileged user. But I should be able to sort that out on my own. User “root” gets the expected output and is able to work with the Nitrokey as expected:

sudo pkcs11-tool -L
    Available slots:
    Slot 0 (0x0): Nitrokey Nitrokey HSM (xxxxxxxxxxxxxxx         ) 00 00
      token label        : SmartCard-HSM (UserPIN)
      token manufacturer :
      token model        : PKCS#15 emulated
      token flags        : login required, rng, token initialized, PIN initialized
      hardware version   : 24.13
      firmware version   : 3.5
      serial num         : xxxxxxxxxxx
      pin min/max        : 6/15

Thank you all for the support.

Best regards

That seems to be a packaging problem at SUSE: pcscd does not make sense without libccid. CCID is the standard interface used by 98% of card readers in the market.

Probably. When I have a look at “” and do a search for, let’s say “opensc” or “pcsc-ccid”, the answer is that there are official packages only for openSUSE Tumbleweed, the leading-edge rolling release, but not for openSUSE Leap, the more stable regular release. I do not know how to interpret that - but may be PC/SC support is not on openSUSE’s priority list…

Thanks again

Just for completeness: we need the additional package “openssl-engine-libp11” for using “openssl … -engine pkcs11 …” as described in “Creating a Certificate Authority - Nitrokey Documentation”. So this is the complete list of prequisites for using the Nitrokey HSM 2 on a current OpenSUSE Tumbleweed (OpenSSL 3.1.2 is installed per default - at least on my machine :-)):
sudo zypper install opensc gnutls pcsc-tools openssl-engine-libp11

The libraries can be found in the following locations:
find /usr -name *pkcs11*.so



The configuration file for OpenSSL needs to have an initialization section like this:
# Initialize for “Nitrokey HSM 2”
openssl_conf = openssl_init

    engines            = engine_section

    pkcs11             = pkcs11_section

    engine_id          = pkcs11
    MODULE_PATH        = /usr/lib64/

Hope this helps…

Best regards

sudo zypper install opensc gnutls pcsc-tools openssl-engine-libp11 pcsc-ccid

1 Like