Unable to generate keys or move keys to device

Issue: Nitrokey 3C – Key Generation & Key Transfer Failing

I recently received my Nitrokey 3C, but I’m encountering issues with both on-device key generation and importing externally generated keys (OS: Linux).

Initially, I attempted to generate Ed25519 keys directly on the device, but even after more than six hours, the process was still running. Eventually, I canceled the operation, performed a factory reset, and tried a different approach: generating the keys off-device and then transferring them. However, this also failed—the operation never completed, even after running for several hours.


Steps Taken

1. On-Device Key Generation (Failed)

gpg --card-edit
admin
generate

Result: Stuck in progress indefinitely

2. Off-Device Key Generation & Transfer (Failed)

gpg --full-generate-key  
gpg --edit-key <KEY_ID>  
addkey  
keytocard  

Result: Transfer to the Nitrokey never completes


Device & Software Information

Nitropy Status Output

$ nitropy nk3 status  
Command line tool to interact with Nitrokey devices 0.7.4  
UUID:               AC00000  
Firmware version:   v1.8.1  
Init status:        ok  
Free blocks (int):  41  
Free blocks (ext):  471  
Variant:            LPC55  

Nitropy Test Output

$ nitropy nk3 test  
Command line tool to interact with Nitrokey devices 0.7.4  
Found 1 NK3 device(s):  
- Nitrokey 3 at /dev/hidraw0  

Running tests for Nitrokey 3 at /dev/hidraw0  

[1/5]   uuid            UUID query                      SUCCESS         AC00000  
[2/5]   version         Firmware version query          SUCCESS         v1.8.1  
[3/5]   status          Device status                   SUCCESS         Status(init_status=<InitStatus: 0>, ifs_blocks=41, efs_blocks=471, variant=<Variant.LPC55: 1>)  
Running SE050 test: |  
[4/5]   se050           SE050                           SUCCESS         SE050 firmware version: 3.1.1 - 1.11, (persistent: (28828,), transient_deselect: (607,), transient_reset: (592,))  
[5/5]   fido2           FIDO2                           SUCCESS  

5 tests, 5 successful, 0 skipped, 0 failed 

$ gpg --version
gpg (GnuPG) 2.4.7
libgcrypt 1.11.0

Any insights or debugging suggestions would be greatly appreciated!

Generating gpg keys on-device and off the device works for me without issues.
Not sure what exact commands you are entering in the gpg cli programme.
Do you get any output if you do gpg --card-edit? Like any key stored on it?
For entering new keys I think you need to do a factory reset of the gpg smartcard.
Also remember the admin PIN would be reset if you factory reset. The default admin PIN is 12345678 and the PIN is 123456.
If the admin PIN is blocked it won't let you add a new key to the card. Also you might not be able to authenticate if the PIN is blocked.

It should be a combination of one or more of these things.
Also make sure the pcscd service is running and the gpg-agent as well.

You can also try Kleopatra for generating keys on the card directly (though it has a weird way and asks for the admin PIN multiple times).
Generating keys on card doesn't take hours; it should work in seconds. Maybe a problem with gpg-agent or scdaemon. You should check logs to see if they are recognising the device.
Let me know if it still doesn’t work!

The device is brand new, but I performed a factory reset just in case - without success.

The steps I followed are:

$ gpg --card-edit
> admin
> generate

After that, I enter the previously set PIN, specify the key validity period, provide name, email, and comment, confirm everything, enter the admin PIN, and finally confirm with a touch. At this point, the process hangs and never completes.

  • Isn’t Kleopatra just another frontend for the same task? The steps should work regardless, but I tested with Kleopatra and encountered the same issue.
  • gpg-agent and scdaemon are both running and otherwise functioning correctly.

Other ideas?

Hi,
I have exactly the same issue! I'm not able to write anything to the NitroKey. The LED on the key switches to red a few seconds after triggering a write, which means device failure.
I tried a reset with:

gpg --card-edit
admin
factory-reset

After confirming everything, I got the following error message:

card command SELECT AID failed: Kartenfehler (0x6a82)

In conclusion:

  • GPG factory reset fails (with error message, card is disconnected)
  • write keys fails (red LED → device failure)

But:

  • Changing PINs is successful (admin and user)

I did it on the command line but also in Windows in Kleopatra. I have logs from Kleopatra if they would be helpful, but I would like to send them only to the supplier, if needed.

I hope someone can support.

Ohh yeah. I think Kleopatra does not fully work well with all smart cards. Sorry, I mistakenly recommended that.
But Nitrokey 3 should work with the gpg command line program perfectly.

The commands you used should work.

gpg --card-edit
admin
factory-reset

Try killing the gpg-agent with `gpgconf --kill gpg-agent` and then entering `gpg --card-edit` after a few seconds to restart the gpg-agent. Then try the above commands again to reset the key.
I don't know why it would allow changing the admin PIN but not factory reset it.
Also if you fail to enter the admin PIN 3 times it should factory reset the key automatically and then the default admin PIN will be 12345678.
Then you can proceed to change it.
Also check with the `list` command if it shows any credential to ensure it got reset.
Hope it helps.
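Added example (not from this thread or from Nitrokey's tooling): a POSIX shell helper that reads the text of `gpg --card-status` and reports the conditions the two replies above point at, namely whether scdaemon reports an OpenPGP card at all, whether the admin PIN retry counter is exhausted, and which key slots are already populated. It assumes English gpg labels (run as `LANG=C gpg --card-status`); the sample outputs inside are constructed.

```shell
# Diagnostic helper for the "generate hangs / keytocard never completes" case.
# Assumes English gpg --card-status labels (LANG=C). Sample outputs are constructed.

# Admin PIN retries left: third number on the "PIN retry counter" line
# (the three numbers are user PIN, reset code, admin PIN).
admin_retries() {
    printf '%s\n' "$1" |
        awk -F': *' '/^PIN retry counter/ { split($2, n, " "); print n[3]; exit }'
}

# Number of populated key slots: Signature/Encryption/Authentication lines not "[none]".
populated_slots() {
    printf '%s\n' "$1" |
        awk '/^(Signature|Encryption|Authentication) key/ && $0 !~ /\[none\]/ { c++ } END { print c + 0 }'
}

# Verdict: 0 = card usable, 1 = admin PIN blocked, 2 = no OpenPGP card reported.
card_verdict() {
    st="$1"
    if ! printf '%s\n' "$st" | grep -q '^Application type'; then
        echo "no OpenPGP card reported: check that pcscd/scdaemon see the device"
        return 2
    fi
    a=$(admin_retries "$st")
    if [ "${a:-0}" -eq 0 ]; then
        echo "admin PIN blocked (retry counter 0): generate/keytocard cannot succeed"
        return 1
    fi
    echo "admin PIN retries left: $a, populated key slots: $(populated_slots "$st")"
    return 0
}

# Constructed sample: fresh card, admin PIN fine, no keys yet.
SAMPLE_FRESH='Reader ...........: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Application type .: OpenPGP
Version ..........: 3.4
PIN retry counter : 3 0 3
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Constructed sample: admin PIN exhausted, one key already on the card (placeholder fingerprint).
SAMPLE_BLOCKED='Reader ...........: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Application type .: OpenPGP
PIN retry counter : 3 0 0
Signature key ....: 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
Encryption key....: [none]
Authentication key: [none]'

# Real use: card_verdict "$(LANG=C gpg --card-status 2>&1)"
card_verdict "$SAMPLE_FRESH"
```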

You should file a bug report if many people are facing this issue. Likely some bug in newer 1.8.1 versions.
I had also faced the red light once while creating keys using the gpg cli version, which should be supported for sure.