I just started using my Nitrokey HSM. I intend to use it for both GnuPG and OpenSC due to project requirements. As of now, I have the following tools installed for Linux:
$ sudo apt list opensc
Listing... Done
opensc/focal,now 0.20.0-3 amd64 [installed]
$ gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/osboxes/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$ openpgp-tool --version
openpgp-tool - OpenPGP card utility version 0.20.0
Copyright (c) 2012-18 Peter Marschall <firstname.lastname@example.org>
Licensed under LGPL v2
I followed the instructions for setting up my own SO and USR pins via OpenSC. The pkcs11-tool shows the Nitrokey as an available slot:
$ pkcs11-tool -L
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK01031250000 ) 00 00
  token label        : CST-HSM-DEMO (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, user PIN count low, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.3
  serial num         : DENK0103125
  pin min/max        : 6/15
But when attempting to use gpg to create a key, I get the error "not an OpenPGP card":
$ gpg --card-edit
Reader ...........: Nitrokey Nitrokey HSM (DENK01031250000 ) 00 00
Application ID ...: 44454E4B30313033313235
Application type .: Unknown
gpg/card> admin
Admin commands are allowed
gpg/card> generate
gpg: key operation not possible: not an OpenPGP card
Since this HSM is new, I figured I could just try to restore it and start over. However, the Nitrokey App does not detect the card, and I cannot erase with OpenPGP tool due to the following error:
$ openpgp-tool --erase
Using reader with a card: Nitrokey Nitrokey HSM (DENK01031250000 ) 00 00
Failed to connect to card: Reader in use by another application
error: failed to connect to card: Reader in use by another application
Aborting.
Can I get some feedback as to why GnuPG is not working? Is this due to OpenSC, GnuPG and OpenPGP failing to cooperate?