[Nitropad] Clear GPG key(s) and reset all user settings

Hello,
I’ve just set up one of my 2 new X230 Nitropads with Nitrokey storage with the features listed on the attached image of the shipping invoice.

After setting up I powered down for several hours and when restarting I received the ERROR: Boot Hash Mismatch.

I followed this procedure -
https://www.nitrokey.com/documentation/nitropad-system-update

However, even though I was very careful in documenting the user PIN I assigned to the Nitrokey, apparently the saved PIN I’m trying to use is incorrect.

Is there a way that I can choose the following option and clear the “GPG key(s) and reset all user settings”? i.e. start over from scratch?

I have only 1 remaining attempt to enter the correct user Nitrokey PIN.
I’m praying a reset would be a possible work around as I have not even added any documents to the incredibly beautiful machine that I’ve ordered from you.

Please, please help me win this Russian Roulette 😑🤦🏽‍♂️🙏🏽!!!

First of all, you can always factory reset your Nitrokey but–of course–that would wipe your keys. If you want to avoid that you could use gpg --card-edit on a separate computer and reset the User PIN. This requires your Admin PIN. Maybe this solves the issue that your legitimate User PIN is not accepted by Heads too.
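A check to run on the separate computer before attempting the User PIN reset described above (an added example, not part of the original reply): it reads the `PIN retry counter` line that `gpg --card-status` prints, whose three numbers are the remaining tries for the User PIN, the Reset Code and the Admin PIN. The sample output is constructed and the function names and result strings are hypothetical.

```shell
# Constructed sample of `gpg --card-status` output (trimmed to the relevant lines).
SAMPLE='Application type .: OpenPGP
Name of cardholder: [not set]
PIN retry counter : 1 0 3
Signature counter : 0'

# Read card-status text on stdin, print "user reset admin" remaining tries.
pin_counters() {
    awk -F: '/^PIN retry counter/ {
                 gsub(/^[ \t]+|[ \t]+$/, "", $2)   # trim the value field
                 split($2, n, /[ \t]+/)
                 print n[1], n[2], n[3]
                 found = 1
             }
             END { exit !found }'
}

# Turn the counters into the next step to take (labels are this example's own).
pin_advice() {
    counters=$(pin_counters) || { echo "no-card-data"; return 1; }
    set -- $counters
    user=$1
    admin=$3
    if [ "$admin" -eq 0 ]; then
        echo "factory-reset-only"               # Admin PIN blocked: only a wipe is left
    elif [ "$user" -eq 0 ]; then
        echo "user-blocked-unblock-with-admin"
    elif [ "$user" -eq 1 ]; then
        echo "user-last-try-reset-with-admin"   # do not guess again; reset via Admin PIN
    else
        echo "ok"
    fi
}

# Stand-alone demo on the constructed sample; on a real machine use:
#   gpg --card-status | pin_advice
printf '%s\n' "$SAMPLE" | pin_advice
```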

Hi @GMHIII !

What’s weird here is that the Remaining attempts counter is not decreasing with each PIN input. It is possible that this is caused by some kind of temporary communication issue between the Nitropad and the Nitrokey Storage device. Could you remove and insert the Nitrokey Storage on another attempt, if the problem still persists?

Thank you for the info.

I selected to reset the Nitrokey and entered a new TPM password.

Configuration Reset Updated Successfully

I am at the stage of OEM Factory Reset. I am a novice and would like to confirm that I am correct in choosing to continue with regard to this warning “It requires that you already have an OS installed on a dedicated /boot partition.”

Is this the correct choice?

OEM factory reset is not going to damage anything. But you should only execute this with systems where you are certain no backdoor has been installed. Because your current system will be signed and trusted from now on. Furthermore the OEM factory reset does reset your PGP keys and OTP secret on the Nitrokey.

Hi @GMHIII,

Regarding your latest post:

  1. Please run the OEM factory reset once again,
  2. Continue with selected options as before until ERROR: GPG keyring empty
  3. Select Add a GPG key to the running BIOS
  4. Follow the prompts to add the key
  5. Continue as previously

The reason is that after the OEM factory reset the GPG keys are removed both from the device and from the BIOS image, hence they need to be generated and added to both places.

Alternatively it should be possible to do so as well through one of the options in the GPG Options screen.

It seems that in case you have backed up your keys already during the last OEM reset, these could be used during the GPG Options -> Replace GPG key(s) in the current ROM + reflash procedure. If not, I think it will be best to work over the OEM reset once again.

Thank you.

I have begun OEM factory reset in the following order :

  • Selected /dev/sdc1 as USB disk

  • Reset TPM admin and GPG user/admin default pw with custom pw

  • Added new Real Name, email address and Comment

  • Boot device was set to /dev/sda1

Now I am at the point of Error Key export error

My guess here is that you are using Nitrokey Storage for backup. In the factory state the Nitrokey Storage has the unencrypted volume set to read-only, which blocks the export operation here. This attribute can be changed with the Nitrokey App: Configure -> Set unencrypted volume to read-write.
You can use another USB flash device as well, as the data to backup are not secret - the items to export are the public parts of the GPG keys which could be used later, e.g. for import to avoid another key generation in case OEM factory reset would be required again.

cc @jan @nitroalex : This operation can be done semi-automatically by Heads
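To see from a Linux shell which inserted drive can accept the public-key export, the sketch below (an added example, not part of the original reply and not Heads code) lists removable disks with the kernel's read-only flag from sysfs. It assumes the write-protected Nitrokey Storage volume is reported by the kernel with `ro` set to 1; the function name is hypothetical.

```shell
# List removable disks under a sysfs root and flag write-protected ones.
# Prints one line per disk: "/dev/<name> <writable|read-only> <model>".
usb_export_targets() {
    sysroot=${1:-/sys}
    for d in "$sysroot"/block/*; do
        # Skip entries without a "removable" attribute and fixed disks.
        [ -r "$d/removable" ] || continue
        [ "$(cat "$d/removable")" = 1 ] || continue

        name=${d##*/}
        # Treat a missing "ro" attribute as read-only to stay on the safe side.
        ro=$(cat "$d/ro" 2>/dev/null || echo 1)
        model=$(sed 's/ *$//' "$d/device/model" 2>/dev/null || echo unknown)

        if [ "$ro" = 0 ]; then
            state=writable
        else
            state=read-only     # an export to this device will fail
        fi
        echo "/dev/$name $state $model"
    done
}

# Stand-alone use: inspect the real system (or pass another sysfs root).
usb_export_targets "${1:-/sys}"
```

A device shown as `read-only` matches the situation described above; choose one shown as `writable` as the export destination.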

Exactly!

@GMHIII Please use a simple USB drive instead. It is recommended to insert the Nitrokey first, then the USB drive so that you know which one to choose in the menu (=the last one).

We are building a new firmware version for the NitroPad which improves the situation hopefully. I am sorry for the inconvenience.

This does not help as it is overwritten after factory-reset afaik

Though the factory reset is done only for the smart card (through GnuPG), is that not right? That should not change the UV attribute in that case 🙂

Thank you for the response!

Unfortunately this is what I saw when opening the Nitropad this morning -

And the images below were my attempt to get back to a point where I can access the Nitrokey app so I could follow your suggestions regarding the Nitrokey being used as backup.

I have to generate a new HOTP/TOTP secret, can use the reset admin key, but without a GPG on the keyring key I am back to replacing GPG key and reflash, but need a public key.

ERROR: No Files found

I tried to move past that point but now am seeing HOTP: invalid Code

If I can’t find the GPG key on the Nitrokey after reset, and can’t get back to the system starting page to log in and open the app, what is the workaround? Another OEM reset?
Is it possible there is something going on with the key itself? At the very beginning of this process I was able to set everything up. I shut the Nitropad down for the night and when I restarted there was System Update announced on the screen. This is where the problems began.
It also seems strange to me that the machine would receive a system update without having been online.
How would the update arrive?

As the OEM reset did not succeed last time, you indeed need to do it again.

This time I suggest to use an additional USB drive instead of trying to use the Nitrokey for it. This would be the easiest solution.

Thank you.

I know this is a long list of actions and images, but I’m hoping you can advise me on the next best steps to take. Thank you very, very much.

I performed the OEM factory reset as follows :

  • OEM reset

  • Set custom pw for TPM admin and GPG

  • For USB disk selected /dev/sdb1

However, Boot device set up as /dev/sda1

  • Received the message ERROR: TOTP Generation Failed

  • Generated new HOTP/TOTP secret

  • Nitrokey initialized successfully

  • Selected default boot from Heads Boot Menu

  • Received the message ERROR: Missing Hash File

  • Updated Checksums

  • Verified presence of GPG card. Entered the previously created TPM pw

  • ERROR; GPG keyring empty

Heads couldn’t find GPG keys in keyring

I ignored the error and continued to default boot menu

  • No Default Boot Option Configured

I chose to load a menu of boot options

  • Typed ‘admin’ and ‘generate’ to generate GPG key

  • Changed cardholder’s name

  • made off-card backup of encryption key

  • Replaced existing keys

  • Used newly created admin and user PIN to construct user ID Real name, Email address and Comment

  • At this point I thought I had successfully created the secret and public keys

  • Unfortunately when I restarted the Nitropad I received this message -

Please advise on how best to solve this error.

Thanks again,

GMH III

Thank you.

Can you provide instructions or steps on how to proceed using an additional USB drive?

Would I be using the additional drive as a sort of intermediate step to get the GPG key on to the Nitrokey? I do not have experience with this process.

Hello,

Would you be able to provide further guidance on how to proceed?

I re-tried the factory reset with original key as a test. No success. Could you advise on how to use a different USB drive to perform this task? I’m really in the dark here. I’ve had this Nitropad since July 3rd and need to get started using it for work. I ordered another just like it - Qubes with Nitrokey storage - and I am stuck. Please help! I need these machines for pressing projects.

Thank you

Hello,
Sorry for the delay. Please run everything as previously, but with any USB drive used for the public keys export. Because Nitrokey Storage is by default write-protected, currently it cannot be used unless the protection is removed with the Nitrokey App on another PC before its use.
During the process the additional drive should be listed in the dialog, where the user is choosing the export destination. Please try one of the options, and then another one if the former would not work.

  1. The screen to choose device will look like this one:
  1. We have not received pictures from [Nitropad] Clear GPG key(s) and reset all user settings - #18 by GMHIII, could you upload them again, or send via email?
  2. Could you tell what is your current state? That is, what error message do you get right now?
  1. On this one please do not choose the ignore option, but rather generate the key (unless the OEM factory reset is planned to be done afterwards).

Edit: The drive screen as mentioned in the 1st point is mentioned in the following guide as well:

Thank you.

Here are the photos -
