NitroKey Pro 2 not recognized in gpg [SOLVED]

Hey folks!
Today I received my brand new Nitrokey Pro 2 and started setup immediately. I am on Windows 10 Pro.
Unfortunately it only half worked.
I installed the Nitrokey App v 1.4.0 in advance and it recognized the Nitrokey successfully - I was able to change user PIN and admin PIN. So far so good.
I then tried to transfer my PGP key to the stick. As described in the HowTo, I used the command ‘keytocard’ which resulted in the following message:

gpg> keytocard
Really move the primary key? (y/N) y
gpg: selecting card failed: No such device
gpg: key operation not possible: No such device

I then tried to execute ‘certutil -scinfo’ and got the following output:

The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 2
0: Microsoft IFD 0
1: Nitrokey Nitrokey Pro 0
--- Reader: Microsoft IFD 0
--- Status: SCARD_STATE_EMPTY
--- Status: No card.
--- Card:
--- Reader: Nitrokey Nitrokey Pro 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
--- Card: OpenPGP card v3.x
--- ATR:
3b da 18 ff 81 b1 fe 75 1f 03 00 31 f5 73 c0 01 ;…u…1.s…
60 00 90 00 1c `…

=======================================================
Analyzing card in reader: Microsoft IFD 0

--------------===========================--------------

=======================================================
Analyzing card in reader: Nitrokey Nitrokey Pro 0
OpenSC CSP: Missing stored keyset
Microsoft Smart Card Key Storage Provider: Missing stored keyset

--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist

I tried reinstalling GnuPG (newest version 3.1.14) and installing OpenSC; nothing worked.
In the end I even opened GPA, where the card manager says ‘Error accessing the card’…
Googling a bit, I found similar issues that were resolved by disabling second smartcards (I only have one) or using the Windows standard driver (which I use; in Device Manager it shows one entry under ‘smart card readers’: Microsoft Usbccid Smartcard Reader (WUDF)).

So I am stuck now and hope any of you guys can help me.
Thanks in advance!

Haui

Hi @Haui!

Try this command in the terminal. It is meant to stop the OpenSC smart card service, which perhaps blocks GnuPG's access to the device:

net stop scardsvr

Then please call gpg again.

Hi @szszszsz,

thanks for your quick reply.
Tried that (had to open an elevated prompt for this) and the service stopped successfully.
Unfortunately the issue persists.
‘gpg --card-status’ shows this output in an elevated prompt

C:\Windows\system32>gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

as well as in a user prompt

C:\Users\Haui>gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

I did some more troubleshooting, maybe this information helps to pinpoint the issue.
I uninstalled all software (all minidrivers, OpenSC, OpenPGP, GPG4Win) and did a clean restart.
Then I reinstalled GPG4Win and tried again. The output for certutil is now a bit different, I guess because I uninstalled OpenSC:

Analyzing card in reader: Nitrokey Nitrokey Pro 0
SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Cannot retrieve Provider Name for SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Cannot retrieve Provider Name for
--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.

OK, I then tried to insert my smartcard for work (used for certificate auth for a web application). certutil shows the same output, so this seems to be OK then, because another ‘gpg --card-status’ immediately recognized this card:

C:\Users\Haui>gpg --card-status
Reader ...........: Identiv SCR3500 C Contact Reader 0
Application ID ...: 021028103607134A
Application type .: PKCS#15

So I think the main issue is that the Nitrokey Pro 2 is not recognized by gpg because everything else (e.g. Password manager) works as expected. Hope this helps… very much appreciated :)

New day, new luck.
I finally figured it out by myself :)

What I did (in case you have the same issue):
I enabled smartcard logging in Kleopatra (4 - verbose) and specified a log file.
After connecting the Nitrokey I saw the following lines:

2020-11-29 09:12:37 scdaemon[13888] detected reader 'Microsoft IFD 0'
2020-11-29 09:12:37 scdaemon[13888] detected reader 'Nitrokey Nitrokey Pro 0'
2020-11-29 09:12:37 scdaemon[13888] reader slot 0: not connected

I came to the conclusion that somehow the Microsoft SC (which is in fact not present) and the Nitrokey get in conflict. I copied the reader name ‘Nitrokey Nitrokey Pro 0’ and pasted it into the field ‘Connect to reader at port n’ under Kleopatra settings > GnuPG systems.
After removing and inserting the Nitrokey again, everything worked instantly…

So, long story short: I transferred my PGP keys seconds ago. Weekend saved! :)

2 Likes
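
The Kleopatra field used in the fix above sets scdaemon's `reader-port` option; without it scdaemon uses the first reader it finds, which in the log above is the empty 'Microsoft IFD 0'. The following is an added example, not part of the original posts or of GnuPG: it reads a verbose scdaemon log and returns the line to put in scdaemon.conf. The function names and the `wanted` parameter are hypothetical, and the sample log is the three lines quoted in the post.

```python
import re

# scdaemon log lines as quoted in the post above (sample input for this example)
SAMPLE_LOG = """\
2020-11-29 09:12:37 scdaemon[13888] detected reader 'Microsoft IFD 0'
2020-11-29 09:12:37 scdaemon[13888] detected reader 'Nitrokey Nitrokey Pro 0'
2020-11-29 09:12:37 scdaemon[13888] reader slot 0: not connected
"""

# Accept straight quotes and the curly quotes that forum software substitutes
DETECTED = re.compile(r"scdaemon\[\d+\] detected reader ['\u2018](.+?)['\u2019]\s*$")
SLOT = re.compile(r"scdaemon\[\d+\] reader slot (\d+): (.+?)\s*$")


def analyse(log_text):
    """Return (reader names in detection order, {slot number: last status})."""
    readers, slots = [], {}
    for line in log_text.splitlines():
        m = DETECTED.search(line)
        if m:
            if m.group(1) not in readers:
                readers.append(m.group(1))
            continue
        m = SLOT.search(line)
        if m:
            slots[int(m.group(1))] = m.group(2)
    return readers, slots


def suggest_reader_port(log_text, wanted="Nitrokey"):
    """Return a 'reader-port <name>' line for scdaemon.conf, or None.

    A line is suggested only when several readers were detected, a slot
    failed to connect, and exactly one reader name contains `wanted`.
    """
    readers, slots = analyse(log_text)
    candidates = [r for r in readers if wanted.lower() in r.lower()]
    if len(candidates) != 1:
        return None  # token not visible to PC/SC, or ambiguous: do not guess
    failed = any(status == "not connected" for status in slots.values())
    if len(readers) > 1 and failed:
        # The option's argument is the rest of the line, spaces included
        return "reader-port " + candidates[0]
    return None


if __name__ == "__main__":
    print(suggest_reader_port(SAMPLE_LOG))
```

On Windows the default location for that line is `%APPDATA%\gnupg\scdaemon.conf`. Run `gpgconf --kill scdaemon` afterwards so the daemon restarts with the new setting, then check with `gpg --card-status`.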

Keep Nitrokey App closed whenever you use GnuPG. Uninstall OpenSC before using GnuPG.