[NitrokeyHSM] Cannot use OpenPGP or Nitrokey App after OpenSC setup

Hi,
I just started using my Nitrokey HSM. I intend to use it for both GnuPG and OpenSC due to project requirements. As of now, I have the following tools installed for Linux:

OpenSC:

$ sudo apt list opensc
Listing... Done
opensc/focal,now 0.20.0-3 amd64 [installed]

GnuPG:

$ gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/osboxes/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

OpenPGP:

$ openpgp-tool --version
openpgp-tool - OpenPGP card utility version 0.20.0

Copyright (c) 2012-18 Peter Marschall <peter@adpm.de>
Licensed under LGPL v2

I followed the instructions for setting up my own SO and USR pins via OpenSC. The pkcs11-tool shows the Nitrokey as an available slot:

$ pkcs11-tool -L
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK01031250000         ) 00 00
  token label        : CST-HSM-DEMO (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, user PIN count low, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.3
  serial num         : DENK0103125
  pin min/max        : 6/15

But when attempting to use gpg to create a key, I get the error not an OpenPGP card:

$ gpg --card-edit

Reader ...........: Nitrokey Nitrokey HSM (DENK01031250000         ) 00 00
Application ID ...: 44454E4B30313033313235
Application type .: Unknown

gpg/card> admin
Admin commands are allowed

gpg/card> generate
gpg: key operation not possible: not an OpenPGP card

Since this HSM is new, I figured I could just try to restore it and start over. However, the Nitrokey App does not detect the card, and I cannot erase with OpenPGP tool due to the following error:

$ openpgp-tool --erase
Using reader with a card: Nitrokey Nitrokey HSM (DENK01031250000         ) 00 00
Failed to connect to card: Reader in use by another application
error: failed to connect to card: Reader in use by another application
Aborting.

Can I get some feedback as to why GnuPG is not working? Is this due to OpenSC, GnuPG and OpenPGP failing to cooperate?

Thanks,
Cory

Hi @cheusch!

  1. From the documentation I see that you need to use the gpgsm tool, not gpg.

Excerpts:

Starting with version 2.1, GnuPG has build-in but limited support for the Nitrokey HSM. Use the gpgsm tool to sign, verify, encrypt and decrypt files or S/MIME messaging using your Nitrokey HSM. Use a signature key on a Nitrokey HSM to sign documents using Acrobat Reader, Open Office / Libre Office or any other PDF reader supporting electronic signatures.

  2. Regarding the openpgp-tool --erase error, it came from use of the device by GnuPG. Both this one and OpenSC always use the smart card exclusively and then occupy it, so as a user you need to kill one when you want to use the other. In case you would like to use OpenSC:

gpgconf --kill all

In case of using GnuPG:

sudo systemctl stop pcscd pcscd.socket

Hi szszszsz,
I tried killing GnuPG with gpgconf --kill all and re-running the erase command, but I still see the following:

$ sudo gpgconf --kill all
$ openpgp-tool --erase
Using reader with a card: Nitrokey Nitrokey HSM (DENK01031250000         ) 00 00
error: card type 6590: not an OpenPGP card

Sorry, I missed that it is not possible to use openpgp-tool with Nitrokey HSM. The workaround should work for other OpenSC commands though. Any luck with gpgsm?

I am trying to use gpgsm, but the first issue I run into is that gpgsm --learn-card returns nothing. I can try to restart my system, kill OpenSC, then insert my HSM.

It is a bit concerning that the erase command is not working, though. How is the Nitrokey HSM supposed to be reset? As I stated earlier, I cannot use the Nitrokey App to communicate with the HSM.

Thanks,
Cory

I see. For Nitrokey HSM you need other tools for that:

  • sc-hsm-tool
  • pkcs15-tool
  • pkcs11-tool

See following for the initialization:

And for key generation:

General documentation available here:

Edit: as for initializing it for the GnuPG use, I would use gpgsm for that.

Best regards,
Szczepan

The SmartCard-HSM is not compatible with current gnupg versions (<2.3), because so far only cards conforming to the OpenPGP card specifications are supported. The SmartCard-HSM uses a completely different API, mainly because of the advanced key management mechanisms.

You need to use gnupg-pkcs11-scd as described here.

We also provide a pure Java implementation (sc-hsm-pgp) that is available in the CDN GIT repo.

Current versions of gpgsm have minimal support for the SmartCard-HSM, but we are not actively maintaining this code so far. That is supposed to change with the 2.3 version of gnupg, which implements support for keys on devices that do not support the OpenPGP card specification. For 2.3 we are improving the sc-hsm part in gnupg’s scdaemon component to support the new API, which will ultimately allow using keys on a SmartCard-HSM as signing and encryption keys.

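The two answers above fit together: GnuPG's own scdaemon and OpenSC/pcscd each grab the reader exclusively, which is why one has to be killed before the other can work, and gnupg-pkcs11-scd sidesteps that by replacing scdaemon with a bridge that drives the card through OpenSC's PKCS#11 module (so pcscd stays running and only one stack ever touches the reader). The script below is an added example written for this thread; it is not code from the thread, from Nitrokey, from CardContact or from the gnupg-pkcs11-scd project. It writes the two GnuPG configuration files that setup needs and then sanity-checks them. The option names are the ones documented for gnupg-pkcs11-scd and gpg-agent; the module path `/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so` and the program path `/usr/bin/gnupg-pkcs11-scd` are assumptions for an Ubuntu focal/amd64 box like the one in the first post, so adjust them for your distribution.

```shell
#!/bin/sh
# Added example, not from the thread: point GnuPG at gnupg-pkcs11-scd so the
# Nitrokey HSM is reached through OpenSC's PKCS#11 module instead of scdaemon.
# Paths are assumptions for Ubuntu focal/amd64; override them via arguments.

# write_pkcs11_scd_config GNUPGHOME MODULE [SCD_PROGRAM]
# Writes $GNUPGHOME/gnupg-pkcs11-scd.conf and $GNUPGHOME/gpg-agent.conf.
# An existing gpg-agent.conf is backed up first so nothing is silently lost.
write_pkcs11_scd_config() {
    home="$1"
    module="$2"
    scd="${3:-/usr/bin/gnupg-pkcs11-scd}"

    [ -d "$home" ] || mkdir -p "$home"
    chmod 700 "$home"

    if [ -f "$home/gpg-agent.conf" ]; then
        cp "$home/gpg-agent.conf" "$home/gpg-agent.conf.bak"
    fi

    cat > "$home/gnupg-pkcs11-scd.conf" <<EOF
# One PKCS#11 provider, named p1, backed by OpenSC (which talks to pcscd).
providers p1
provider-p1-library $module
# Let a reader with a pinpad collect the PIN itself when it can.
provider-p1-allow-protected-auth
# Certificates on the HSM are private objects: log in before listing them.
provider-p1-cert-private
provider-p1-private-mask 0
# Cache the PIN for 20 seconds so a sign-then-encrypt pair prompts once.
pin-cache 20
EOF

    cat > "$home/gpg-agent.conf" <<EOF
# Replace GnuPG's scdaemon with the PKCS#11 bridge for this GNUPGHOME.
scdaemon-program $scd
EOF
    chmod 600 "$home/gnupg-pkcs11-scd.conf" "$home/gpg-agent.conf"
}

# check_pkcs11_scd_config GNUPGHOME
# Returns 0 when both files exist, the provider library named in the config
# is actually present on disk, and gpg-agent points at a scdaemon
# replacement; returns 1 otherwise. Catches the usual "wrong module path"
# mistake before gpg reports a card that is not there.
check_pkcs11_scd_config() {
    home="$1"
    conf="$home/gnupg-pkcs11-scd.conf"
    agent="$home/gpg-agent.conf"
    [ -f "$conf" ] && [ -f "$agent" ] || return 1
    lib=$(sed -n 's/^provider-p1-library[[:space:]]*//p' "$conf")
    [ -n "$lib" ] && [ -f "$lib" ] || return 1
    grep -q '^scdaemon-program[[:space:]]' "$agent" || return 1
    return 0
}

# Typical use on the machine from the first post (both paths are assumptions):
#   write_pkcs11_scd_config "$HOME/.gnupg" /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#   check_pkcs11_scd_config "$HOME/.gnupg" && gpgconf --kill all
```

After the agent has been restarted with `gpgconf --kill all`, `gpg --card-status` or `gpgsm --learn-card` should list the keys held on the HSM. Note that in this setup pcscd must stay running, so the "stop pcscd" step from the earlier reply applies only when you use GnuPG's stock scdaemon.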

The Staf Wagemakers blog post is exactly what I was looking for! I just could not find it in so many Google searches…

I’m going to mark this as the solution as you have provided me a good workaround and future outlook for GnuPG. Thank you!