I am trying to update the firmware of my Smartcard-HSM2 using pki-as-a-service.net and receive the error “Smartcard-HSM contains keys. Please remove keys first”. What exactly needs to be done? Kind of backup and restore all keys? Reinitialize?
Is there a step-by-step documentation available for this please? Thank you!
Hi @daubsi!
- The keys should be either removed by hand, or the HSM should be reinitialized. Both could be done with OpenSC. See below:
- If you have initialized the HSM before with DKEK, you can wrap your keys with it and export them to a secure location. Otherwise the backup is not possible, and the content of the HSM cannot be restored after the update process. The backup and importing guides are described here:
- Once the Nitrokey HSM is free of the secret material the update process should be allowed. This limitation is by design.
Thanks! I will go for option 2!
I’ve now backed up all keys, tested the restore and also wiped all the certificates. I did not reinit the HSM. Then I was able to request the firmware update. I am now at version 3.5.
When I tried to unwrap the keys I receive the following error:
sc-hsm-tool --unwrap-key my_wrapped_key.bin --key-reference 1
Using reader with a card: Nitrokey Nitrokey HSM (DENK0 ) 00 00
Wrapped key contains:
Key blob
Private Key Description (PRKD)
Certificate
Enter User PIN :
PIN verification failed with Data object not found
Also logging on gives me:
pkcs11-tool -O -l
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
error: PKCS11 function C_Login failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
What’s wrong now?
OK, I did not realize I have to reinitialize the HSM from scratch after a firmware upgrade. After doing the reinit and DKEK load I was now able to re-import my keys again.
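The full cycle this thread arrives at (wrap the keys under the DKEK, remove them so the update service accepts the token, reinitialize and reload the same DKEK share after the update, then unwrap) as a set of shell functions around OpenSC's sc-hsm-tool and pkcs11-tool. This is an added example, not a script from Nitrokey, OpenSC or the poster; the function names, the per-key file naming, the DRY_RUN switch and the USER_PIN / SO_PIN / DKEK_PASSWORD environment variables are assumptions of this example. It assumes the HSM was initialized with at least one DKEK share before the backup, since without that the wrap step cannot produce a blob that is restorable on a reinitialized token.

```shell
#!/bin/sh
# Hypothetical helper for the DKEK backup / firmware update / restore cycle.
# Not Nitrokey's or OpenSC's own script. Assumes sc-hsm-tool and pkcs11-tool
# (OpenSC) on PATH and a single reader with the SmartCard-HSM present.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1 (before the update): wrap each key reference into its own file.
# The blob is encrypted under the DKEK and also carries the PRKD and the
# certificate, as sc-hsm-tool reports when unwrapping.
# Usage: hsm_backup_keys <outdir> <keyref>...
hsm_backup_keys() {
    outdir=$1; shift
    run mkdir -p "$outdir"
    for ref in "$@"; do
        run sc-hsm-tool --wrap-key "$outdir/key-$ref.bin" \
            --key-reference "$ref" --pin "${USER_PIN:?set USER_PIN}"
    done
}

# Step 2: the update service refuses a token that still holds private keys,
# so delete them by hand (or reinitialize the token instead). The object id
# comes from the listing produced by: pkcs11-tool -O -l
# Usage: hsm_delete_key <hex-id>
hsm_delete_key() {
    run pkcs11-tool -l --pin "${USER_PIN:?set USER_PIN}" \
        --delete-object --type privkey --id "$1"
}

# Step 3 (after the update): reinitialize the token and import the same DKEK
# share that was used for the backup. Unwrapping into a token that was not
# reinitialized and loaded with that DKEK fails, as seen in this thread.
# Usage: hsm_reinit_with_dkek <dkek-share-file>
hsm_reinit_with_dkek() {
    run sc-hsm-tool --initialize --so-pin "${SO_PIN:?set SO_PIN}" \
        --pin "${USER_PIN:?set USER_PIN}" --dkek-shares 1
    run sc-hsm-tool --import-dkek-share "$1" \
        --password "${DKEK_PASSWORD:?set DKEK_PASSWORD}"
}

# Step 4: unwrap every saved blob back into the token. The key reference given
# here is the slot the key is restored into; it does not have to equal the old one.
# Usage: hsm_restore_keys <indir> <keyref>...
hsm_restore_keys() {
    indir=$1; shift
    for ref in "$@"; do
        run sc-hsm-tool --unwrap-key "$indir/key-$ref.bin" \
            --key-reference "$ref" --pin "${USER_PIN:?set USER_PIN}"
    done
}

# Example dry run of the whole sequence for key references 1 and 2:
#   DRY_RUN=1 USER_PIN=... SO_PIN=... DKEK_PASSWORD=... sh -c '
#     . ./hsm-dkek-cycle.sh
#     hsm_backup_keys ./backup 1 2
#     hsm_delete_key 01; hsm_delete_key 02
#     hsm_reinit_with_dkek dkek-share-1.pbe
#     hsm_restore_keys ./backup 1 2'
```

Run it first with DRY_RUN=1 to see the exact command lines, then without it against the token. Keeping the PINs and the DKEK share password in environment variables rather than in the script avoids leaving secrets in shell history or in a file that gets copied around with the wrapped key blobs.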