Nitrokey Pro - Key generation failed: Card error

Hi *,

With my Nitrokey Pro I get the error “Key generation failed: Card error” when I try to create the keys with “generate” in gpg.
I have read that there is a firmware update for the Nitrokey Storage. Is it also suitable for the Nitrokey Pro?
And if so, what are the update instructions?

Thanks and ciao.

Do you still need help with this issue?


yes please!


I also need support regarding this issue!

Is the Nitrokey Pro capable of generating 4096-bit keys?
If I look in the spec sheet it says 1024 - 4096, so it should generate it!

I tried it under Arch & Debian (8.x) stable with gpg --card-edit
and with the option - 2048-bit keys, and it went through without errors.
So if I'm not wrong there is a problem with the driver (app) or, worst case scenario, the HW is buggy :frowning:

It would be massively appreciated if an expert at Nitrokey could comment on this topic.

Best regards Blanka

Hello nobanzai

There is no firmware update for the Nitrokey Pro that I am aware of and hopefully that isn’t the reason you are having difficulties…

Hopefully I can help…what operating system are you using to issue the “generate” command using the GPG Tools?


this is openSuSE Leap 42.2.


Wow, I have no idea how you would accomplish this on OpenSUSE. Such an operating system like OpenSUSE requires an immense level of IT knowledge and skill that I don’t have.

I can only help by asking you to install Windows 7 or Vista on another computer to do this operation.

Hi @blanka !
Sorry for the delay. As far as I remember, 4096 RSA keys will work from GnuPG 2.1.21. It probably does not work on versions 2.1.11-20.

Hi @nobanzai !
Do you still have issues with your device?

yes, the problem described in my initial posting still exists.


Also having the issue. Opened an issue here:

Tested under Ubuntu 15, Fedora 24 and Debian 9 :frowning:

Moved my keys from a working setup under Fedora 24 to the Nitrokey Pro.
I can decrypt mails, read them through Enigmail, and sign files, no problem.

Bug when it comes to generating keys… Under Debian 9:

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Make off-card backup of encryption key? (Y/n) y

gpg: Note: keys are already stored on the card!

Replace existing keys? (y/N) y
What keysize do you want for the Signature key? (4096) 
What keysize do you want for the Encryption key? (4096) 
What keysize do you want for the Authentication key? (4096) 
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at Sun 07 Jun 2020 01:36:55 AM EDT
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Test
Email address: 
You selected this USER-ID:

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

gpg: key generation failed: Card error
Key generation failed: Card error

Tools versions:

Nitrokey firmware version 0.7    

gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta

Package: libccid
Source: ccid
Version: 1.4.26-1

…Any guide to help troubleshoot further?

Hi @NoiZtril ! I will quote my response from Github.

As far as I remember, generating 4096 RSA keys works from GnuPG version 2.1.21. It probably does not work on versions 2.1.11-20. Please try the latest (or an older, like 2.0.30 or 2.1.10) GnuPG version.
I am not aware of any workaround for the non-working GnuPG versions.

Sorry for the delay. What is your gpg version and what kind of key/length would you like to generate?
Due to a bug in GnuPG, RSA 4096 is not working on some GnuPG versions (namely 2.1.11-20), but should work on other ones (including stable 2.0.30).

@nobanzai is the issue still valid? What is your gpg version and what kind of key/length would you like to generate?
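
A pre-flight check for the version range reported in this thread (GnuPG 2.1.11 to 2.1.20 failing on-card RSA 4096 generation), as an added example that is not code from any poster or from Nitrokey. The function names are hypothetical and the range is taken as stated in the replies above; it parses the first line of `gpg --version` output.

```shell
#!/bin/sh
# Added example: classify a `gpg --version` banner against the range this
# thread reports as failing on-card RSA 4096 generation (2.1.11 - 2.1.20).
# Function names are hypothetical; the range is the thread's, not verified here.

# Print "X.Y.Z" taken from the first line of `gpg --version` output.
gpg_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^gpg (GnuPG) \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if inside the reported range, 1 if outside, 2 if unparsable.
rsa4096_card_affected() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split "2.1.18" into 2 1 18
    IFS=$old_ifs
    [ "$#" -eq 3 ] || return 2
    [ "$1" -eq 2 ] && [ "$2" -eq 1 ] && [ "$3" -ge 11 ] && [ "$3" -le 20 ]
}

# Print "affected", "ok" or "unknown" for a banner string.
classify_gpg_banner() {
    ver=$(gpg_version_from_banner "$1")
    rc=0
    rsa4096_card_affected "$ver" || rc=$?
    case $rc in
        0) echo "affected" ;;
        1) echo "ok" ;;
        *) echo "unknown" ;;
    esac
}

# Banner as posted in the thread's "Tools versions" list.
# On a live system use: classify_gpg_banner "$(gpg --version)"
classify_gpg_banner "gpg (GnuPG) 2.1.18"
```

A result of "affected" means the choice is between generating 2048-bit keys on the card or moving to a GnuPG version outside the reported range before running `generate`.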