Security Advice: SmartCard-HSM generates weak AES Keys

No need to have a license from Oracle. You can still use OpenJDK which is released under GPL with class path exception. We do not use any of the Oracle proprietary extensions.

As a beginner with this kind of devices I want to understand what I have to do (step-by-step) to update the Nitrokey HSM.

Update: So I succeeded with the following flow

  • Laptop with OpenSuSE 15.1 KDE, opensc installed, java available
  • Nitrokey HSMv1, Firmware 2.5, already initialized
  • in Firefox configured - Nitrokey is detected
  • Download and start by
    java -jar ocf-cc.jar -v
  • Register
    Enter PIN when requested
    Error message “the token is not registered yet” --> To register: enter valid e-mail address!
    Enter my e-mail address, receive an activation by this e-mail address, enter the activation code. Them I am logged in.
    Request a certificate by “Home / Request DevNet Certificate”
    Store this certificate on the HSM (is this necessary?)
  • Request a Firmware Update
    Error Message “SmartCard-HSM contains keys. Please remove keys first”.
  • re-initialize the Nitrokey:
    sc-hsm-tool --initialize --so-pin XXXXXXXXXXXXXXXXX --pin YYYYYY
  • Request a Firmware Update
    now the update to firmware succeeded.

After the update, the Nitrokey was again unitialized and had even a different serial number.


Hello, my Nitrokey HSM 2 is up to date, but I cannot generate a symmetric key… I am trying with the APDU commands from the manual, or with pkcs11-tool.

On windows, I type the command :
pkcs11-tool.exe -l --pin 981567 --keygen --key-type aes:128 --id 1
error: Generate Key mechanism not supported

Can someone describe the steps to use to generate the key ?

Edit: moved to Unable to create a symmetric, or secret key on Nitrokey HSM 2

Please create a separate discussion for your question.

OK, I will.