[Nitropad] Clear GPG key(s) and reset all user settings

Hello,
I’ve just set up my one of 2 new X230 Nitropads with Nitrokey storage with the features listed on the attached image of the shipping invoice.

After setting up I powered down for several hours and when restarting I received the ERROR: Boot Hash Mismatch.

I followed this procedure -
https://www.nitrokey.com/documentation/nitropad-system-update

However, even though I was very careful in documenting the user PIN I assigned to the Nitrokey, apparently the saved PIN I’m trying to use is incorrect.

Is there a way that I can choose the following option and clear the “GPG key(s) and reset all user settings”? i.e. start over from scratch?

I have only 1 remaining attempt to enter the correct user Nitrokey PIN.
I’m praying a reset would be a possible work around as I have not even added any documents to the incredibly beautiful machine that I’ve ordered from you.

Please, please help me win this Russian Roulette :expressionless::man_facepalming:t4::pray:t4:!!!

First of all, you can always factory reset your Nitrokey but–of course–that would wipe your keys. If you want to avoid that you could use gpg --card-edit on a separate computer and reset the User PIN. This requires your Admin PIN. Maybe this solves the issue that your legitimate User PIN is not accepted by Heads too.

Hi @GMHIII !

What’s weird here is that the Remaining attempts counter is not decreasing with the each PIN input. It is possible that this is caused by some kind of temporary communication issue between the Nitropad and the Nitrokey Storage device. Could you remove and insert the Nitrokey Storage on the another attempt, if the problem still persist?

Thank you for the info.

I selected to reset the Nitrokey and entered a new TPM password.

Configuration Reset Updated Successfully

I am at the stage of OEM Factory Reset. I am a novice and would like to confirm that I am correct in choosing to continue with regard to this warning “It requires that you already have an OS installed on a dedicated /boot partition.”

Is this the correct choice?

OEM factory reset is not going to damage anything. But you should only execute this with systems where you are certain no backdoor has been installed. Because your current system will be signed and trusted from now on. Furthermore the OEM factory reset does reset your PGP keys and OTP secret on the Nitrokey.

Hi @GMHIII,

Regarding your latest post:

  1. Please run again the OEM factory reset once again,
  2. Continue with selected options as before until ERROR: GPG keyring empty
  3. Select Add a GPG key to the running BIOS
  4. Follow the prompts to add the key
  5. Continue as previously

The reason is, that after the OEM factory reset the GPG keys are removed both from the device and from the BIOS image, hence it is needed to generate and add them to both places.

Alternatively it should be possible to do so as well through one of the options in the GPG Options screen.

It seems that in case you have backed up your keys already during the last OEM reset, these could be used during the GPG Options -> Replace GPG key(s) in the current ROM + reflash procedure. If not, I think it will be best to work over the OEM reset once again.

Thank you.

I have begun OEM factory reset in the following order :

  • Selected /dev/sdc1 as USB disk

  • Reset TPM admin and GPG user/admin default pw with custom pw

  • Added new Real Name, email address and Comment

  • Boot device was set to /dev/sda1

Now I am at the point of Error Key export error

My guess here is that you are using Nitrokey Storage for backup. In the factory state the Nitrokey Storage has the unencrypted volume set to read-only, which blocks the export operation here. This attribute can be changed with the Nitrokey App: Configure -> Set unencrypted volume to read-write.
You can use another USB flash device as well, as the data to backup are not secret - the items to export are the public parts of the GPG keys which could be used later, e.g. for import to avoid another key generation in case OEM factory reset would be required again.

cc @jan @nitroalex : This operation can be done semi-automatically by Heads

Exactly!

@GMHIII Please use a simple USB drive instead. It is recommended to insert the Nitrokey first, then the USB drive so that you know which one to choose in the menu (=the last one).

We are building a new firmware version for the NitroPad which improves the situation hopefully. I am sorry for the inconvenience.

This does not help as it is overwritten after factory-reset afaik

Though the factory reset is done only for the smart card (through GnuPG), is that not right? That should not change the UV attribute in that case :slight_smile:

Thank you for the response!

Unfortunately this what I saw when opening the Nitropad this morning -

And the images below were my attempt to get back to a point where I can access the Nitrokey app so I could follow your suggestions regarding the Nitrokey being used as backup.

I have to generate a new HOTP/TOTP secret, can use the reset admin key, but without a GPG on the keyring key I am back to replacing GPG key and reflash, but need a public key.

ERROR: No Files found

I tried to move past that point but now am seeing HOTP: invalid Code

If i can’t find the GPG key on the Nitrokey after reset, and can’t get back to the system starting page to log in and open the app, what is the workaround? Another OEM reset?
Is it possible there is something going on with the key itself? At the very beginning of this process I was able to set everything up. I shut the Nitropad down for the night and when I restarted there was System Update announced on the screen. This is where the problems began.
It also seems strange to me that the machine would receive a system update without having been online.
How would the update arrive?

Thank you for the response!

Unfortunately this what I saw when opening the Nitropad this morning -

And the images below were my attempt to get back to a point where I can access the Nitrokey app so I could follow your suggestions regarding the Nitrokey being used as backup.

I have to generate a new HOTP/TOTP secret, can use the reset admin key, but without a GPG on the keyring key I am back to replacing GPG key and reflash, but need a public key.

ERROR: No Files found

I tried to move past that point but now am seeing HOTP: invalid Code

If i can’t find the GPG key on the Nitrokey after reset, and can’t get back to the system starting page to log in and open the app, what is the workaround? Another OEM reset?

Is it possible there is something going on with the key itself? At the very beginning of this process I was able to set everything up. I shut the Nitropad down for the night and when I restarted there was System Update announced on the screen. This is where the problems began.

It also seems strange to me that the machine would receive a system update without having been online.

How would the update arrive?

As the OEM reset did not succeed last time, you indeed need to do it again.

This time I suggest to use a additional USB drive instead of trying to use the Nitrokey for it. This would be the easiest solution.

Thank you.

I know this is a long list of actions and images, but I’m hoping you can advise me on the next best steps to take. Thank you very, very much.

I performed the OEM factory reset as follows :

  • OEM reset

  • Set custom pw for TPM admin and GPG

F794FB51-D726-4263-9A6A-3B96B1552477_1_105_c.jpeg

  • For USB disk selected / dev / sdb1 F965F7A2-1E0C-4247-B379-1B621247B273_1_105_c.jpeg

However, Boot device set up as / dev / sda1

68664409-6AFF-4D4B-8EE9-CBCEAF803A7E_1_105_c.jpeg

  • Received the message ERROR: TOTP Generation Failed

F2BD435D-4977-450E-8DC0-143BB7D8379B_1_105_c.jpeg

  • Generated new HOTP/TOTP secret

1DE04F22-CD6B-4134-8A48-C7B5EB434F40_1_105_c.jpeg

  • Nitrokey initialized successfully

4CBA20B6-C4F9-465A-BA7E-990FDEA4E0E2_1_105_c.jpeg

  • Selected default boot from Heads Boot Menu

2FE9636F-4FF0-458A-8CD1-CC25A656F16C_1_105_c.jpeg

  • Received the message ERROR: Missing Hash File

8852AD26-7B00-485C-B829-4B731C85C578_1_105_c.jpeg

  • Updated Checksums

21F6FB60-571B-40DA-A16A-7571EE4E4FE1_1_105_c.jpeg

  • Verified presence of GPG card. Entered the previously created TPM pw

AC9840A2-95EC-4890-90CA-73EEF792515F_1_105_c.jpeg

  • ERROR; GPG keyring empty

Heads couldn’t find GPG keys in keyring

I ignored the error and continued to default boot menu

2762D945-4E7C-4F57-9C79-0EE732629653_1_105_c.jpeg

  • No Default Boot Option Configured

I chose to load a menu of boot options5625E3A3-6034-4A22-8231-31CE502C2775_1_105_c.jpeg

  • Typed ‘admin’ and ‘generate’ to generate GPG key4A9EDFBB-0760-4A9D-A2DF-F4D882D80657_1_105_c.jpeg

  • Changed cardholder’s name

6747EF33-88F5-412A-AA35-7D408919863C_1_105_c.jpeg

  • made off-card backup of encryption key

  • Replaced existing keys

  • Used newly created admin and user PIN to construct user ID Real name, Email address and Comment

58D368CC-F8A9-4D9A-9172-C420AEEF2D99_1_105_c.jpeg

2ABB0B09-5382-445B-9F53-281C1D454C67_1_105_c.jpeg

  • At this point I thought I had successfully created the secret and public keys

E3EC327B-A298-4557-8E4E-D16DDB5DC10B_1_105_c.jpeg

12F30BBD-88AB-4D58-9F69-0133952EE9BB_1_105_c.jpeg

  • Unforunately when I restarted the Nitropad I received this message -

7E1BA7F5-B9C9-4BC0-B8AA-0DEDF6834D11_1_105_c.jpeg

Please advise on how best to solve this error.

Thanks again,

GMH III

Thank you.

Can you provide instructions or steps on how to proceed using an additional USB drive?

Would I be using the the additional drive as a sort of intermediate step to get the GPG key on to the Nitrokey? I do not have experience with this process.

Hello,

Would you be able to provide further guidance on how to proceed?

I re-tried the factory reset with original key as a test. No success. Could you advise on how to use a different USB drive to perform this task? I’m really in the dark here. I’ve had this Nitropad since July 3rd and need to get started using it for work. I ordered another just like it - Qubes with Nitrokey storage - and I am stuck. Please help! I Need these machines for pressing projects.

Thank you

Hello,
Sorry for the delay. Please run everything as previously, but with any USB drive used for the public keys export. Because Nitrokey Storage is by default write-protected, currently it cannot be used unless the protection is removed with the Nitrokey App on another PC before its use.
During the process the additional drive should listed in the dialog, where user is choosing the export destination. Please try one of the options, and then another one if the former would not work.

  1. The screen to choose device will look like this one:
  1. We have not received pictures from [Nitropad] Clear GPG key(s) and reset all user settings, could you upload them again, or send via email?
  2. Could you tell what is your current state? That is, what error message do you get right now?
  1. On this one please do not choose the ignore option, but rather generate the key (unless the OEM factory reset is planned to be done afterwards).

Edit: The drive screen as mentioned in the 1st point is mentioned in the following guide as well:

Thank you.

Here are the photos -

[
I’ve just set up my one of 2 new X230 Nitropads with Nitrokey storage with the features listed on the attached image of the shipping invo

](https://support.nitrokey.com/uploads/default/original/1X/b45bbbc71878006f45661bd4d638e71d2b5bf3bc.jpeg)

A24ACCE4-ED6F-4E30-8291-74AD1A3E9B88

A24ACCE4-ED6F-4E30-8291-74AD1A3E9B882973×618 334 KB

After setting up I powered down for several hours and when restarting I received the ERROR: Boot Hash Mismatch.

F4B04FC3-0E97-47D3-A181-72836A04E2FC_1_105_c

F4B04FC3-0E97-47D3-A181-72836A04E2FC_1_105_c1159×678 109 KB

821DAB2E-DE77-4582-93B9-F01A05780FA5_1_105_c

821DAB2E-DE77-4582-93B9-F01A05780FA5_1_105_c1024×768 245 KB

I followed this procedure -

https://www.nitrokey.com/documentation/nitropad-system-update

However, even though I was very careful in documenting the user PIN I assigned to the Nitrokey, apparently the saved PIN I’m trying to use is incorrect.

3C75DC8E-DEBD-4D6F-A89A-53863930DF0F_1_105_c



[
F4B

](https://support.nitrokey.com/uploads/default/original/1X/2b7c2e34be3e83db07ae51ce5eddb65317fa7911.jpeg)

Is there a way that I can choose the following option and clear the “GPG key(s) and reset all user settings”? i.e. start over from scratch?


04FC3-0E97-47D3-A181-72836A04E2FC_1_105_c1159×67
[013CB59A-68A4-4DB6-93E2-596B56F2F2F1_1_105_c

](https://support.nitrokey.com/uploads/default/original/1X/13a63f9f6e57edbac1942cb25f1447d81c0fe12a.jpeg)

I have only 1 remaining attempt to enter the correct user Nitrokey PIN.

I’m praying a reset would be a possible work around as I have not even added any documents to the incredibly beautiful machine that I’ve ordered from you.

Please, please help me win this Russian Roulette :expressionless::man_facepalming:t4::pray:t4:!!!



[
013CB59A-68A4-4DB6-93E2-596B56F2F2F1_1_105_c1024×768 172 KB

](https://support.nitrokey.com/uploads/default/original/1X/13a63f9f6e57edbac1942cb25f1447d81c0fe12a.jpeg)
8 109 KB

CE4-ED6F-4E30-8291-74AD1A3E9B882973×618 334 KB
[

](https://support.nitrokey.com/uploads/default/original/1X/21ef672c47ac5b369de316b813a28be0aa56128f.jpeg)