What is SO PIN and what is PIN?

I’m a noob and I googled and searched on Nitrokey docs and there’s no answer on what exactly is SO PIN or PIN.

Such as this command…

$ sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219

I guess SO PIN is “3537363231383830” and PIN is “648219” but can I change the SO PIN and PIN? Why is everyone starting with the same SO PIN and PIN?

UPDATE: I’m using Nitrokey 3A Mini USB

Make sure you use a Nitrokey HSM 2 and not any other model. In that case there are no default PINs and during initialization you define both PINs with the command you just showed. Of course you should use different PINs than used in this example.


Sorry I forgot to say, I have Nitrokey 3A Mini USB key. But I thought HSM 2 is no longer in production. Only 3 is available.

Please follow the documentation of Nitrokey 3.

HSM 2 and Nitrokey 3 are totally different products.

1 Like

Yeah, I just learned about this the hard way. I bought the wrong item - Nitrokey 3. If I’m interested in running PKI and wanting to store my root CA keys, which product should I use?

And does Nitrokey allow full refund of the wrong item? What’s the procedure? I emailed the support and there’s no response yet.

Thanks for sharing your use case. You had some more questions.

  1. SO PIN and PIN difference.

A HSM follows a model where you have split responsibilities. Someone may prepare you a HSM and needs to authenticate as Security Officer while you use your Personal Identification Number.

  1. Do you need multiple Nitrokey HSMs

It depends. I possess multiple HSMs. Usually I buy most security hardware three times. One I use, one backup, one for development/update tests/procedure rehearsals. Even for products I just evaluate/tinker with. As IT professional I see this part of a dedicated education budget.
Do you need multiple just for testing? I would say yes, when you would like to spread a Security Domain between two hardware HSMs. Backups/m-of-n schemes can be tested with a single one as the HSM encrypts just files for downloading to your PC.
Do you need a hardware HSM for testing? I would say yes. You could work with a SoftHSM and could do most things but real use of a physical HSM is slightly different.
Do you need multiple HSMs for productive use? I would say yes. One for at least 3 trustworthy Security Officers. And additionally a backup as files. Why? Redundancy and 3-2-1 backup applied to the HSM. Also consider the costs of a HSM. Nitrokey HSM - while being entry level - are quite affordable. Beware that some users might lack features that can be found in more expensive solutions (like pure on device encryption/decryption of data as the smartcard is not designed for such compute heavy workloads.)

Somehow you did not answer the OP questions.

You opened several threads. I was unsure whether you really want to use a Nitrokey HSM as you have a Nitrokey 3.

1 answers the question in this thread and 2 your question here.

I replied the above few threads above. I’m interested in running PKI and wanting to store my root CA keys, which product should I use?

For a PKI, the Nitrokey HSM is a good fit.

1 Like

Thank you. But when you say Nitrokey HSM, are you referring to this because Nitrokey Pro 2 and HSM 2 and some others look EXACTLY identical.

Yes, they all look quite identical. There is a nice overview to see what the differences are.

If your usecase is PKI, then Nitrokey HSM is the right hardware.

If you still need to learn whether it is the right thing, you could use SoftHSM to learn whether a HSM is what you need. This software is intended for development and is not a replacement for a hardware token.