"Smartcard-HSM contains keys. Please remove keys first" on firmware update

I am trying to update the firmware of my Smartcard-HSM2 using pki-as-a-service.net and receive the error "Smartcard-HSM contains keys. Please remove keys first". What exactly needs to be done? Some kind of backup and restore of all keys? Reinitialize?
Is there step-by-step documentation available for this, please? Thank you!

Hi @daubsi !

  1. The keys should either be removed by hand, or the HSM should be reinitialized. Both can be done with OpenSC. See below:
  2. If you initialized the HSM with a DKEK before, you can wrap your keys with it and export them to a secure location. Otherwise a backup is not possible, and the content of the HSM cannot be restored after the update process. The backup and import guides are described here:
  3. Once the Nitrokey HSM is free of secret material, the update process should be allowed. This limitation is by design.

Thanks! I will go for option 2!

I've now backed up all keys, tested the restore and also wiped all the certificates. I did not reinit the HSM. Then I was able to request the firmware update. I am now at version 3.5.
When I try to unwrap the keys I receive the following error:

sc-hsm-tool --unwrap-key my_wrapped_key.bin --key-reference 1
Using reader with a card: Nitrokey Nitrokey HSM (DENK0         ) 00 00
Wrapped key contains:
  Key blob
  Private Key Description (PRKD)
  Certificate
Enter User PIN :

PIN verification failed with Data object not found

Also logging on gives me:

pkcs11-tool -O -l
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
error: PKCS11 function C_Login failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.

What’s wrong now?

OK I did not realize I have to reinitialize the HSM from scratch after a firmware upgrade. After doing the reinit and DKEK load I was now able to re-import my keys again.

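The whole procedure from the thread (DKEK-wrapped backup, wipe, firmware update, reinitialize and import the DKEK share again, unwrap) as one script. This is an added example, not code from the thread, from Nitrokey or from OpenSC. It assumes OpenSC's sc-hsm-tool, pkcs15-tool and pkcs11-tool are installed, uses the placeholder SO-PIN and User PIN from the sc-hsm-tool man page, and with DRY_RUN=1 (the default) only prints the commands and parses constructed sample output instead of talking to a token; the exact layout of the sc-hsm-tool status and pkcs15-tool --dump output is an assumption.

```shell
#!/bin/sh
# Added example (not from the forum thread, Nitrokey or OpenSC).
# DRY_RUN=1 prints commands and parses constructed sample output; set
# DRY_RUN=0 with a real token and your own PINs to actually run it.
set -e

SO_PIN="${SO_PIN:-3537363231383790}"      # placeholder SO-PIN (16 hex digits)
USER_PIN="${USER_PIN:-648219}"            # placeholder User PIN
DKEK_SHARE="${DKEK_SHARE:-dkek-share-1.pbe}"
BACKUP_DIR="${BACKUP_DIR:-hsm-backup}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample output, shaped like `sc-hsm-tool` (status) and
# `pkcs15-tool --dump`; the exact layout is an assumption about those tools.
SAMPLE_STATUS='Version              : 3.4
SO-PIN tries left    : 15
User PIN tries left  : 3
DKEK shares          : 1
DKEK key check value : 0123456789ABCDEF'
SAMPLE_DUMP='Private RSA Key [Private Key]
    Key ref        : 1 (0x01)
    ID             : 01
Private EC Key [Private Key]
    Key ref        : 2 (0x02)
    ID             : 02'

run() { if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi; }
hsm_status() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$SAMPLE_STATUS"; else sc-hsm-tool; fi; }
pkcs15_dump() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$SAMPLE_DUMP"; else pkcs15-tool --dump; fi; }

# "DKEK shares : N" from status output on stdin; prints 0 when the line is absent.
dkek_shares() {
    awk -F: '/^DKEK shares/ { gsub(/[^0-9]/, "", $2); print $2; found = 1 }
             END { if (!found) print 0 }'
}

# Numeric key references ("Key ref : 1 (0x01)") from a pkcs15-tool dump on stdin.
key_refs() {
    awk -F: '/Key ref/ { sub(/^ */, "", $2); sub(/ .*/, "", $2); print $2 }'
}

# A backup is only possible with a DKEK: without one the keys are
# non-exportable and are lost when the token is wiped for the update.
require_dkek() {
    n=$(hsm_status | dkek_shares)
    if [ "$n" -le 0 ]; then
        echo "no DKEK on this token: keys cannot be wrapped, backup impossible" >&2
        return 1
    fi
    echo "DKEK shares: $n"
}

# Step 1: wrap every private key (key blob, PRKD and certificate) to a file.
backup_keys() {
    require_dkek
    mkdir -p "$BACKUP_DIR"
    for ref in $(pkcs15_dump | key_refs); do
        run sc-hsm-tool --wrap-key "$BACKUP_DIR/key-$ref.bin" --key-reference "$ref" --pin "$USER_PIN"
    done
}

# Step 2: remove the keys so the firmware update is accepted. Reinitializing
# wipes everything at once; deleting per object is the by-hand alternative:
#   pkcs11-tool -l --pin "$USER_PIN" --delete-object --type privkey --id 01
wipe_token() {
    run sc-hsm-tool --initialize --so-pin "$SO_PIN" --pin "$USER_PIN" --dkek-shares 1
}

# Step 3 (after the update): the token has to be initialized from scratch and the
# DKEK share imported again; otherwise --unwrap-key fails at PIN verification.
# --import-dkek-share prompts for the share password.
restore_keys() {
    run sc-hsm-tool --initialize --so-pin "$SO_PIN" --pin "$USER_PIN" --dkek-shares 1
    run sc-hsm-tool --import-dkek-share "$DKEK_SHARE"
    for f in "$BACKUP_DIR"/key-*.bin; do
        [ -e "$f" ] || continue
        ref=${f##*/key-}; ref=${ref%.bin}
        run sc-hsm-tool --unwrap-key "$f" --key-reference "$ref" --pin "$USER_PIN"
    done
}

case "${1:-}" in
    backup)  backup_keys ;;
    wipe)    wipe_token ;;
    restore) restore_keys ;;
esac
```

Run `sh hsm-update.sh backup` before the update, `wipe`, do the firmware update, then `restore`. The DKEK share file must have been created at the original initialization (`sc-hsm-tool --create-dkek-share` followed by `--import-dkek-share`); a token initialized without `--dkek-shares` reports zero shares and the script refuses to back up, which is exactly the case where the keys cannot survive the update.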