Nitrokey HSM Token Label

When creating a token label during the initialisation of a Nitrokey HSM with pkcs11-tool, the token label specified on the command line is preceded by “UserPIN (” and terminated with a “)” when displayed from a call to pkcs11-tool with the -M option. So my label of “mylabel” is stored as “UserPIN (mylabel)” on the token. Is there a way to avoid the addition of these extraneous characters?


Andrew Twigger


this is new to me, what exact command did you use?

Kind regards

Hi Alex,

Here are the commands and output that show the additional text in the token label:

sc-hsm-tool --initialize --so-pin 3537363231383830 --pin Andrew12345 --label "Nitrokey_Twysoft_01"

	pkcs11-tool --module /usr/local/lib/ -L

Available slots:

Slot 0 (0x0): Nitrokey Nitrokey HSM

token label : UserPIN (Nitrokey_Twysoft_01)

token manufacturer :

token model : PKCS#15 emulated

token flags : login required, rng, token initialized, PIN initialized

hardware version : 24.13

firmware version : 2.6

serial num : DENK0101507

pin min/max : 6/15

It seems that the UserPIN (….) has been added by sc-hsm-tool.

Kind regards,



this is “normal” behaviour and is the same for other cards (like OpenPGP Card). Thus, this is a OpenSC thing, which is not actually saved on your HSM, but just represented this way by OpenSC’s command. I don’t know, why it is done this way, but a general change in OpenSC would be needed to get rid of it.

The label is saved correctly though.

Kind regards