Unlock Password Safe asks for admin password but does not accept it


#1

Hi,

I’m a new user of Nitrokey Pro (maybe more correct: I still hope to become one) and have an issue getting started:
I’m using the Nitrokey Pro with a firmware version 0.10 and Nitrokey App 1.2.1 on Ubuntu 18.04 (using xfce; for whatever reason the Nitrokey App shows an empty icon).
Following the instructions I changed the user and the admin password.
When I try to “Unlock Password Safe” I’m asked for the user password, then the app says something about a missing AES Key and asks me for the admin password.
Then it claims the password was wrong (I’m sure I provided the same password I set the admin password to, probably not all times but at least in the end; I also found that I can reset the retry counter by providing the same password three times in the update admin password form).
I once reset the key to factory defaults already :frowning:
I tried to upgrade the Nitrokey App by providing the ppa:nitrokey-team/ppa but that only leads to an error Err:11 http://ppa.launchpad.net/nitrokey-team/ppa/ubuntu bionic Release and 404 Not Found [IP: 91.189.95.83 80]

I’ve seen other topics about password safe issues (esp. “Can't unlock password safe”) but the answer talks about a “Destroy encrypted data” from the Configure menu, which my Nitrokey App does not have (the menu entry; the Configure menu is there)…

My short question is: what am I doing wrong?

PS: output of gpg --card-status:

Reader ...........: 20A0:4108:000000000000000000006CAF:0
Application ID ...: D276000124010303000500006CAF0000
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 00006CAF
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 2
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
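
An added example, not part of the original post and not Nitrokey or GnuPG code: a small shell helper that interprets the card status above. It relies on the OpenPGP card order of the `PIN retry counter` fields (user PIN, reset code, admin PIN); the function names, the constructed `SAMPLE` text, and the assumed default of 3 admin retries are illustrative.

```shell
#!/bin/sh
# Constructed sample: the relevant lines of the card status shown in post #1.
SAMPLE='PIN retry counter : 3 0 2
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Reads `gpg --card-status` text on stdin and prints "user=N reset=N admin=N".
# Fails (exit 1) if no well-formed counter line is present.
pin_counters() {
    awk -F: '/^PIN retry counter/ {
        n = split($2, c, " ")
        if (n == 3) {
            printf "user=%s reset=%s admin=%s\n", c[1], c[2], c[3]
            found = 1
        }
    }
    END { exit found ? 0 : 1 }'
}

# Classifies the admin PIN from the same input:
#   blocked = 0 tries left, low = below the assumed default of 3, full = otherwise.
admin_pin_state() {
    counters=$(pin_counters) || { echo "unknown"; return 1; }
    admin=${counters##*admin=}
    case "$admin" in
        0)   echo "blocked" ;;
        1|2) echo "low" ;;
        *)   echo "full" ;;
    esac
}

# Counts OpenPGP key slots reported as [none]. Three empty slots is what a
# new or factory-reset card shows; it does not by itself prove a reset.
empty_key_slots() {
    awk -F': ' '/^(Signature|Encryption|Authentication) key/ && $2 ~ /^\[none\]/ { n++ }
                END { print n + 0 }'
}

# Live use (requires the device): gpg --card-status | admin_pin_state
```

On the status from post #1 this reports an admin counter of 2, meaning one failed admin PIN attempt has been recorded by the card.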

#2

Hi mow,

you may open the Nitrokey App with this command and upload the debug log for us:

nitrokey-app --debug-level 4 -d --df debug.log

You are right that there is no “Destroy encrypted data” entry in the menu. It should indeed recognize the problem automatically and should work like you expected. I can not tell what is going wrong right now.

What is the way you did the factory-reset?

Kind regards
Alex


#3

Hi!

I think this might be caused by using App v1.2, which does not report the missing AES key required to unlock the PWS. Its re-generation has to be triggered manually via the mentioned Destroy encrypted data. If it does not show up, could you try to run the v1.3.2 version? It is available as an AppImage from
https://github.com/Nitrokey/nitrokey-app/releases/download/v1.3.2/Nitrokey.App.AppImage.

Edit: The AES key is removed on the smart card’s factory reset, e.g. executed via GnuPG.
Edit: Latest Nitrokey App is available via the Snap store as well (see https://github.com/Nitrokey/nitrokey-app/releases for details).


#4

Hi @nitroalex, hi @szszszsz

thanks for your help.
I was able to create the AES key using v1.3.2 on Windows. Basically the same workflow as in v1.2, except it recognizes the admin password.

The factory reset I did (because the wrong “wrong password” messages confused me to the point where I added the wrong admin password a third time), was using gpg --card-edit / admin / factory-reset

How relevant is using v1.3.2? (I downloaded the app image but I cannot say I like the app image approach as it’s unreasonably big)

best
Morus


#5

Perhaps you would find the Snap store more handy. Otherwise, hopefully our private PPA channel will be updated in the near future with the v1.3.2 version.

An alternative solution is nitrocli, a third-party command-line tool written in Rust, with features similar to Nitrokey App.


#6

Thanks for your suggestions.
I was probably too fast judging the size of the app image. I just looked at the file size; having a second look at the memory footprint, it looks much nicer and I will probably just stay with it.
Good to know about the CLI though, also I didn’t have time to install it yet.
Merci.