Unable to create a symmetric, or secret key on Nitrokey HSM 2

Hello, my Nitrokey HSM 2 is up to date, but I cannot generate a symmetric key… I am trying with the APDU commands from the manual,

or with pkcs11-tool :
On windows, I type the command :

pkcs11-tool.exe -l --pin 981567 --keygen --key-type aes:128 --id 1
error: Generate Key mechanism not supported

or with pkcs15-init :
on windows, I type the command :

pkcs15-init.exe --store-secret-key aes_key.txt --secret-key-algorithm aes/128 --auth-id 01 --id 03 --pin 981567
Using reader with a card: Nitrokey Nitrokey HSM 0
Failed to store secret key: Key length/algorithm not supported by card

Can someone describe the steps to use to generate the key ?


Confirmed this behavior occurs on Fedora 30 with OpenSC 0.19 on older smart card, HSM v2.0.
HSM vendor lists AES as supported - https://www.smartcard-hsm.com/features.html.
Have you tried SCSH? https://www.openscdp.org/scsh3/download.html

@nitroalex Could you check this on HSM v3?
cc @sc-hsm


No, I did not try the SCSH yet. I opened it, but did not understand how to use it…

I will look into it.

Thank you.

Hello szszszsz,

It works with the “Smart Card Shell”, by loading the key manager.

For now, it is the only way I succeed doing it, I do not know if it is normal, but it is ok, as long as I found a way…

Thank you.

1 Like

Please look at: Importing private key fail on HSM2 :


I know what it is not possible to import a key on the Nitrokey, except by unwrapping it, if it has already been wrapped with the same DKEK or XKEK.

But I expected to be able to generate a new AES Symmetric key. The APDU command to do so exists, and the pkcs11-tool should do it also.

Something must be missing…