Unable to change Nitrokey Start passwords


I recently purchased few Nitrokey Starts and I’ve been trying to take them into use. I provisioned the first token with ECC certs successfully but I noticed that I was unable to change the reset password for the token. I can change the user and the admin password but for some reason changing the reset password fails every time. It failed with the provisioned token and it failed with unprovisioned token that I had done nothing else except taken it from the bag.

[ MBP ~ ] $ gpg2 --version
gpg (GnuPG/MacGPG2) 2.2.3
libgcrypt 1.8.1

[ MBP ~ ] $ gpg2 --card-status
Reader …: Nitrokey Nitrokey Start
Application ID …: D276000124010200FFFE671127420000
Version …: 2.0
Manufacturer …: unmanaged S/N range
Serial number …: 67112742
Name of cardholder: [not set]
Language prefs …: [not set]
Sex …: unspecified
URL of public key : [not set]
Login data …: [not set]
Signature PIN …: forced
Key attributes …: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key …: [none]
Encryption key…: [none]
Authentication key: [none]
General key info…: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. D276000124010200FFFE671127420000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 4
Error setting the Reset Code: Card error

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection?

I’ve tried short passwords, long passwords, short and long number only PINs but nothing seems to work and I am unable to set the reset code. So what am I missing here?

I’ve tried this with both Linux and OSX and I get same errors. I even tried the firmware upgrade instructions but those fail with USB errors despite having the required usb python libraries installed


I’ve never heard of such problems yet :thinking: I think it would help, if I’d knew the firmware version of your NK Start. I could try it myself then. Unfortunately the ‘gpg --card-status’ output does not always state the specific version.

Could you please type ‘lsusb -v -d 20a0:4211 | grep FSIJ’ (not sure if it is working on macOS the same, but should definitely work on GNU/Linux). The number after the FSIJ is the firmware version.

Furthermore you may could provide us with the errors occurring when trying to upgrade.

Kind regards


$ lsusb -v -d 20a0:4211 | grep FSIJ
iSerial 3 FSIJ-1.2.6-67101329

I only tried the upgrade after I was unable to change the reset passwords on both tokens. But if I interpret that correctly 1.2.6 should be the newest version right?

$ python3 ./upgrade_by_passwd.py …/prebuilt/RTM.5/regnual.bin …/prebuilt/RTM.5/gnuk.bin
Admin password:
…/prebuilt/RTM.5/regnual.bin: 4372
…/prebuilt/RTM.5/gnuk.bin: 113664
CRC32: b7020271

Configuration: 1
Interface: 0
Traceback (most recent call last):
File “./upgrade_by_passwd.py”, line 139, in
main(wait_e, keyno, passwd, data_regnual, data_upgrade[4096:])
File “./upgrade_by_passwd.py”, line 49, in main
gnuk.cmd_write_binary(1+keyno, rsa_raw_pubkey, False)
File “/…/nitrokey-start-firmware/tool/gnuk_token.py”, line 294, in cmd_write_binary
raise ValueError(“cmd_write_binary 1”, “%02x%02x” % (sw[0], sw[1]))
ValueError: (‘cmd_write_binary 1’, ‘6581’)

I think this was some sort of error with gpg and gpg-agent. I removed all gpg packages and reinstalled everything again and now I am able to set the reset password.

I am happy that it eventually works for you!