Unable to store Private Data Object 3 on NitroKey Pro


I’m trying to use my nitrokey as a security token with VeraCrypt.

When attempting to create Data Object with OpenSC 0.15.0, I get the following in OpenSC spy log when attempting to store test key:
40: C_CreateObject
2015-09-29 17:17:57.129
[in] hSession = 0x33204b0
[in] pTemplate[5]:
CKA_LABEL 0000000002278400 / 8
74657374 2E6B6579
t e s t . k e y
CKA_VALUE 0000000002279070 / 64
00000000 1F B6 E7 91 11 23 B1 E1 FB FE E8 99 22 BB 9C 84 …#…"…
00000010 0E C6 91 D4 66 6E DF EE 47 96 F9 AF C9 89 D0 B1 …fn…G…
00000020 1C EE 89 D8 E4 CC A2 A3 F7 86 4D 69 C2 F9 48 45 …Mi…HE
00000030 72 95 78 C1 CE 82 82 39 E1 F8 11 19 E8 93 51 7C r.x…9…Q|

When using pkcs11 DLL from smartcard-auth.de/download-en.html with VeraCrypt or OpenSC, I’ve been able to create DO3, but the object disappears when the DLL unloads (object never permanently stored on Nitrokey).

I’m not sure if this is a problem with Nitrokey or with OpenSC and / or Peter Koch’s library.

Any help would be appreciated. Thanks,


There is a pending (but now outdated) pull request for OpenSC to get this working. [1] You are more than welcome to help on this.

Regarding Peter Koch’s driver I suggest to mail him your bug report directly. Usually he is quick in responding.

[1] github.com/OpenSC/OpenSC/pull/150

I tried using nightly build of opensc and I also found that Windows 10 needed a longer timeout set for smart card access or it would time out and fail when asking for the PIN with Peter’s library + VeraCrypt. It is working now.

P.S. Lucky for me it was a different keyfile than the one in my original post, because I’m not sure I can reproduce or change it now. :slight_smile:

A longer timeout is required in OpenSC? Please report this to OpenSC if you didn’t do so already. Many thanks!

No, sorry, the timeout was a Windows smart card service setting in the registry.

More info here: technet.microsoft.com/en-us/lib … 10%29.aspx
Specifically, I had to create the Windows registry key TransactionTimeoutMilliseconds with a larger value than the default. The default value only gives 1.5 seconds to type in the pin when prompted. When I didn’t complete PIN entry within 1.5 seconds, Windows logged smart card timeout / reset in the Windows event log.