Nitrokey Storage 2 dead -- can I move the GPG card to another Nitrokey?

As of this evening my Nitrokey Storage 2 is simply dead: the LED won’t flash when inserted into a computer (tried multiple machines / OS). To be honest the only use case I have for it is as GPG card. Never used the storage or any of the other features, except the HOTP with Heads for a while.

However, this one use case is major for me. I sign stuff all the time and the key that was generated on the Nitrokey is my main secret key that signed all the other keys. It is my identity and it would be a major pain replacing it and losing access to the files and emails encrypted with it.

Assuming my Nitrokey Storage 2 is in fact dead, can I “just” order a Nitrokey Pro 2, open both up and swap the GPG cards? Will that work?

What troubleshooting steps would you recommend?

if the GPG cards are actually modular inside rather than a chip soldered on, it might be possible, but I’d really not recommend it.

also, generating it on the nitrokey has the issue that you cannot extract the keys. I also would assume you have generated the key without checking the “backup encryption key” option. honestly the only truly safe way to not rely on a single nitrokey not breaking would be generating the keyset off the nitrokey, ideally on an offline pc, then throwing it in the nitrokey and making a few backups on SD or even a piece of paper to type in if really needed (only recommended for ECC keys because RSA keys get REALLY long).

The Nitrokey Storage 2 is a PCB that has two slots. One holding a smart card (looks exactly like the SIM card in your phone) and the other slot holds a standard micro SD card … for the storage.

I don’t care about the storage. I do care a lot about the key in the smart card. What I am asking is if I can simply move that smart card from one key to another and then access it using the respective PINs I created on the original key.

… I already ordered a Libremkey (same thing) for faster shipping since I am in Texas. So I guess I’ll find out pretty soon.

Nevertheless: if someone here actually knows the details I would greatly appreciate some insight.

/Sven

Hi!
Sorry to hear that. Yes, there are no lock-ins, and smart cards can be moved between Nitrokeys.

This sounds like it would enter the update mode. Can you check if it shows up in the system as an ATMEL device?

Thank you Szczepan!

there are no lock-ins, and smart cards can be moved between Nitrokeys.
Excellent news, thank you!

This sounds like it would enter the update mode. Can you check if it shows up in the system as an ATMEL device?

It doesn’t show up at all anymore using lsusb, nor does it get detected by Windows or the Chromebook.

It has been dying for a long time, that’s why I stopped using HOTP with heads … sometimes it took several minutes of unplugging and re-plugging to get it recognized at all.

No big deal. As long as the private key is not lost I am OK with replacing the key.

Interesting! Mine behaved for some period like that as well, but I thought this is only related to this one hardware sample. If I can offer any workaround for that, you can try to connect it to the USB port and leave it like this, then reconnect after 10 minutes or so - this helped getting my Nitrokey Storage up.

We certainly offer replacements for the hardware faults while warranty holds - please feel free to write to support@nitrokey.com regarding that.

the main issue rather than the hw itself seems to be the privkeys on it.

that’s cool to know. dunno if the pro is the same, but with only one slot.

I also wonder if the microSD is in any way special, because to be completely frank the pricing for more storage is quite high, especially if you consider what normal microSDs cost nowadays (also the ability to have more than 64GB might be cool (and considering 64GB is already XC, unless there’s a sw limit somewhere, up to 2TB might go)).

I always thought the storage was some super secure element or whatever and that was the reason it was that expensive.

hell, an “empty” nitrokey storage might be interesting, basically without the mSD, so you just slot one in yourself.

Thank you Szczepan!

try to connect it to the USB port and leave it like this, then reconnect after 10 minutes or so - this helped getting my Nitrokey Storage up.

This worked. So happy!


that’s certainly cool.
just in case there’s a next time you need to make a key, you might wanna consider having a backup if it’s your main identity, and for example could use an on-chip generated subkey for signatures that would be easy to replace later.

according to the datasheet of both the nitrokey pro2 and storage2 the MTBF (mean time between failures) is “greater than 100 000 PIN entries” and the USB plug is rated to be “greater than 1 500 plug/unplug cycles”

especially with a Nitrokey storage I would expect it to be used more often which could mean less of a lifetime on average (although less is obviously less meaningful if the scale is high enough.)

going with a pessimistic approach and plugging the nitrokey storage in at an average of once per day would be a bit above 4 years (tho let’s be real, I’d think most USB sticks including the nitrokeys should have no issue lasting a ton longer).

to be honest tho, I’d love to experiment with a cracked open Nitrokey storage (2 or not likely does not matter too much) and see what crazy stuff you can do with it.

USB plug is rated to be “greater than 1 500 plug/unplug cycles”
I have certainly exceeded that by a long shot. Especially since it wasn’t always detected and it sometimes took 10+ attempts to get it recognized by heads.

In any case, I can live with having to replace the key every few years as long as the smart card continues to work. I also hope that with the new hardware I won’t have to un/replug as often anymore.

okay, then let’s hope the chip lives long.

I wrote:

I can live with having to replace the key every few years as long as the smart card continues to work

I can confirm that this worked like a charm.

My choice to not have a backup and to generate the key inside the smart card was very intentional. Justified or not, I always wondered if my private key was compromised / exposed accidentally at any time in the past, and about the possibility that this could happen in the future. Not being sure about it was the most annoying part.

With the private key being inside the smart card, having never existed in another place and being impossible to extract with any reasonable effort makes me sure that as long as I have the key / smart card in my physical possession I am in fact the only person holding the key.

The flip side of this is of course that losing the key or it being damaged means it’s gone forever. But even that, I consider actually a feature instead of a disadvantage.


at least from the opening post it didn’t seem like you’d overly like replacing all the keys and stuff.
for me personally, the best combination of security and safety when you REALLY don’t wanna lose the key would likely be to just take a computer that doesn’t have networking after all the important things are installed (for example a raspi), then generate the keys there, store them using a good passphrase on maybe a few storage devices, and then put them also on the nitrokey.

depending on how advanced one wants to go, signing/encryption subkeys could be made on the nitrokey itself, as these are easier to replace than the main key. while the encryption key might wanna have a backup, the signing subkey is likely by far the easiest to have smartcard-only without worrying.

makes sense, the problem with security is always that you have to choose somewhere between effort and security, and the big question of where on the line you wanna be depends on which is worse: your key being compromised or your key being lost.

not sure if there are stats on the chip that could tell how many unlocks it had so one could take a guess on its life or get an early info that a key replacement might be imminent.

another idea to keep running with only smartcard keys (at least for signature stuff, encryption is always problematic to deal with for things like this) could also be to get a 2nd smartcard, make a new set of keys there and sign those off by your first key as a kinda “these are my second set of keys” statement.
that way you could prove without manual verification that it’s still you, which is at least for signatures pretty nice.
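A small check for the layout recommended above (master key kept offline, subkeys on the smart card, a backup for the encryption key). This is an added example, not code from the thread or from Nitrokey: it parses the output of `gpg -K --with-colons` using the field positions documented in GnuPG’s doc/DETAILS, and the key IDs, fingerprints and card serial number in the sample listing are constructed.

```python
# Added example: where does each secret key actually live?
# Field positions follow GnuPG's doc/DETAILS for sec/ssb records:
#   field 5 = key ID, field 12 = capabilities (lowercase = this key's own),
#   field 15 = token serial number ('#' = stub with no local secret,
#   '+' or empty = secret available locally, anything else = card serial).
import subprocess
from typing import Dict, List

# Constructed sample listing (IDs, fingerprints and card serial are made up):
# offline master (stub), signing + encryption subkeys on a card,
# authentication subkey still on disk.
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cESCA:::#:::23::0:
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0123:
uid:u::::1600000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1600000000::::::s:::D2760001240103040006012345670000:::23:
ssb:u:4096:1:1122334455667788:1600000000::::::e:::D2760001240103040006012345670000:::23:
ssb:u:4096:1:99AABBCCDDEEFF00:1600000000::::::a:::+:::23:
"""

def classify_secret_keys(listing: str) -> Dict[str, dict]:
    """Map each sec/ssb key ID to its record type, capabilities and secret location."""
    keys = {}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        token = f[14] if len(f) > 14 else ""
        if token == "#":
            where = "stub"            # no secret material on this machine
        elif token in ("", "+"):
            where = "disk"            # secret key usable locally via gpg-agent
        else:
            where = "card:" + token   # serial number of the token holding the key
        keys[f[4]] = {"type": f[0], "caps": f[11], "where": where}
    return keys

def card_only_encryption_keys(keys: Dict[str, dict]) -> List[str]:
    """Encryption keys that exist only on a card cannot be extracted; losing the
    card loses everything encrypted to them, so these are the ones to back up."""
    return sorted(k for k, v in keys.items()
                  if "e" in v["caps"] and v["where"].startswith("card:"))

def live_secret_keys() -> Dict[str, dict]:
    """Classify the real keyring (requires gpg on PATH)."""
    out = subprocess.run(["gpg", "-K", "--with-colons"], capture_output=True,
                         text=True, check=True).stdout
    return classify_secret_keys(out)

if __name__ == "__main__":
    keys = classify_secret_keys(SAMPLE_LISTING)
    for kid, info in keys.items():
        print(f"{info['type']} {kid} caps={info['caps']:<5} {info['where']}")
    print("card-only encryption keys:", card_only_encryption_keys(keys))
```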

You could also use a short USB extension cord / adapter and never unplug the Nitrokey itself.

Having had to solder the tiny pins of a broken/detached USB-C connector to a PCB myself (on a USB armory, not a Nitrokey), I tend to use USB adapters/cords for all things that I regularly have to plug/unplug.

This works especially nicely with small form factors that are supposed to disappear into a USB plug.
