Getting Started

Windows

  1. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically. Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning.
  2. Download and start the Nitrokey App.
  3. Go to "Menu" -> "Configure" to change the User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Note: For many use cases described, it is necessary to have either OpenPGP or S/MIME keys installed on the device (see below).

Key Creation with OpenPGP or S/MIME

There are two widely used standards for email encryption. While OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used by enterprises. If you are in doubt which one to choose, you should use OpenPGP.

GNU/Linux

  1. To access the OpenPGP smart card of the Nitrokey, install the package libccid.
    On Debian/Ubuntu based Distributions type in terminal: sudo apt-get update && sudo apt-get install libccid
    Note: If your distribution has a rather old version of libccid (<1.4.21) you have to add the device information by yourself (for example if you are using Ubuntu 14.04 or older). In this case please follow these instructions.
  2. Download and start the Nitrokey App. Follow the instructions to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Note: For many use cases described, it is necessary to have either OpenPGP or S/MIME keys installed on the device (see below).

Key Creation with OpenPGP or S/MIME

There are two widely used standards for email encryption. While OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used by enterprises. If you are in doubt which one to choose, you should use OpenPGP.

macOS

  1. Important: Once you plug in the Nitrokey, your computer will start the Keyboard Setup Assistant. Don't run through this assistant but exit it right away.

  2. Download and start the Nitrokey App. Follow the instructions to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Note: For some Versions of MacOS it is necessary to install custom ccid driver (for information see here), but in general MacOS should have the driver onboard.

Note: For many use cases described, it is necessary to have either OpenPGP or S/MIME keys installed on the device (see below).

Key Creation with OpenPGP or S/MIME

There are two widely used standards for email encryption. While OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used by enterprises. If you are in doubt which one to choose, you should use OpenPGP.

Windows

  1. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically.

    Note: Windows Vista, 7, 8 and 10 may fail to install an additional device driver for the smart card. Its safe to ignore this warning.
     
  2. Download and start the Nitrokey App. Perhaps you want to store it on the unencrypted partition of your Nitrokey Storage. There won't open a window, but an icon appears in the system tray (see screenshot below). Please right-click on this icon to use all the options of the App.
  3. Open the About window from Nitrokey App's menu and check if you have the latest firmware installed. If it's not the latest, please update.
  4. Use the Nitrokey App to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Note: For many use cases described, it is necessary to have either OpenPGP or S/MIME keys installed on the device (see below).

Key Creation with OpenPGP or S/MIME

There are two widely used standards for email encryption. While OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used by enterprises. If you are in doubt which one to choose, you should use OpenPGP.

GNU/Linux

  1. To access the OpenPGP smart card of the Nitrokey, install the package libccid.
    On Debian/Ubuntu based Distributions type in terminal: sudo apt-get update && sudo apt-get install libccid

    Note: If your distribution has a rather old version of libccid (<1.4.21) you have to add the device information by yourself (for example if you are using Ubuntu 14.04 or older). In this case please follow these instructions.

  2. Download and start the Nitrokey App.
  3. Open the About window from Nitrokey App's menu and check if you have the latest firmware installed. If it's not the latest, please update.
  4. Use the Nitrokey App to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Note: For many use cases described, it is necessary to have either OpenPGP or S/MIME keys installed on the device (see below).

Key Creation with OpenPGP or S/MIME

There are two widely used standards for email encryption. While OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used by enterprises. If you are in doubt which one to choose, you should use OpenPGP.

macOS

  1. Important: Once you plug in the Nitrokey, your computer will start the Keyboard Setup Assistant. Don't run through this assistant but exit it right away.
  2. Download and start the Nitrokey App. Perhaps you want to store it on the unencrypted partition of your Nitrokey Storage.
  3. Open the About window from Nitrokey App's menu and check if you have the latest firmware installed. If it's not the latest, please update.
  4. Use the Nitrokey App to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Note: For some Versions of MacOS it is necessary to install custom ccid driver (for information see here), but in general MacOS should have the driver onboard.

Note: For many use cases described, it is necessary to have either OpenPGP or S/MIME keys installed on the device (see below).

Key Creation with OpenPGP or S/MIME

There are two widely used standards for email encryption. While OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used by enterprises. If you are in doubt which one to choose, you should use OpenPGP.

Windows

  1. Install Gpg4win on your Computer (https://www.gpg4win.org).
  2. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically.
    Note: Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning.
  3. Use GnuPG to generate new keys or import existing ones.

    Note: It is indeed necessary to first import or create new keys and change the PINs afterwards. Otherwise changing User PIN will fail! Furthermore overriding keys results in PIN reset (default values), please keep this in mind!
     
  4. Change the Admin PIN (default: 12345678) and then the User PIN (default: 123456) to your own choices. The PIN must consist of at least 14 characters. Use 'gpg --card-edit' -> 'admin' -> 'passwd' to achieve this. (Please be careful to change admin PIN first and user PIN second! Otherwise the admin-less mode got activated, see this instructions for further information.)

    Firmware version 1.2.5 or below: In case you forget a PIN or enter it wrongly three times you need the reset code to unblock the PIN. Otherwise the device wouldn't be usable anymore! Therefore please set the reset code as well when initialising the key!

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Key Creation with OpenPGP or S/MIME

There are two widely used standards for email encryption. While OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used by enterprises. If you are in doubt which one to choose, you should use OpenPGP.
Please note that the Nitrokey App can not be used for this device!

GNU/Linux

  1. Install scdaemon and GnuPG 2.1 or higher by using your package manager (e. g. apt update && apt install scdaemon gpg2 on Ubuntu).
  2. Connect your Nitrokey Start to your computer.
  3. Use GnuPG to generate new keys or import existing ones.

    Note: It is indeed necessary to first import or create new keys and change the PINs afterwards. Otherwise changing User PIN will fail! Furthermore overriding keys results in PIN reset (default values), please keep this in mind!
  4. Change the Admin PIN (default: 12345678) and then the User PIN (default: 123456) to your own choices. The PIN must consist of at least 14 characters. Use 'gpg --card-edit' -> 'admin' -> 'passwd' to achieve this. (Please be careful to change admin PIN first and user PIN second! Otherwise the admin-less mode got activated, see this instructions for further information.)

    Firmware version 1.2.5 or below: In case you forget a PIN or enter it wrongly three times you need the reset code to unblock the PIN. Otherwise the device wouldn't be usable anymore! Therefore please set the reset code as well when initialising the key!

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Key Creation with OpenPGP or S/MIME

There are two widely used standards for email encryption. While OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used by enterprises. If you are in doubt which one to choose, you should use OpenPGP.
Please note that the Nitrokey App can not be used for this device!

Troubleshooting

On some GNU/Linux systems it is necessary to insert the UDEV rules for the Nitrokey device manually. If you followed the above instructions and get the message: 
gpg: OpenPGP card not available: No such device
please install the Nitrokey App or type the following commands in the terminal to download and install the UDEV rules: 
wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
sudo mv 41-nitrokey.rules /etc/udev/rules.d/

macOS

  1. Install GnuPG 2.1 or higher (https://gpgtools.org/).
  2. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically.
  3. Use GnuPG to generate new keys or import existing ones.

    Note: It is indeed necessary to first import or create new keys and change the PINs afterwards. Otherwise changing User PIN will fail! Furthermore overriding keys results in PIN reset (default values), please keep this in mind!
  4. Change the Admin PIN (default: 12345678) and then the User PIN (default: 123456) to your own choices. The PIN must consist of at least 14 characters. Use 'gpg --card-edit' -> 'admin' -> 'passwd' to achieve this. (Please be careful to change admin PIN first and user PIN second! Otherwise the admin-less mode got activated, see this instructions for further information.)

    Firmware version 1.2.5 or below: In case you forget a PIN or enter it wrongly three times you need the reset code to unblock the PIN. Otherwise the device wouldn't be usable anymore! Therefore please set the reset code as well when initialising the key!

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Key Creation with OpenPGP or S/MIME

There are two widely used standards for email encryption. While OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used by enterprises. If you are in doubt which one to choose, you should use OpenPGP.
Please note that the Nitrokey App can not be used for this device!

Windows

  1. Install OpenSC. Alternatively, install this driver (source).
  2. If you didn't do so already, change the default SO-PIN ("3537363231383830") to your own choices. See these instructions. Afterwards you can begin to generate new keys.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

GNU/Linux

  1. Install OpenSC. You need at least version 0.19. You can find recent builds for debian-based systems like Ubuntu here if your system does not have the newest version of OpenSC. Alternatively, install this driver (source).
  2. If you didn't do so already, change the default SO-PIN ("3537363231383830") to your own choices. See these instructions. Afterwards you can begin to generate new keys.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

macOS

  1. Install OpenSC. Alternatively, install this driver (source).
  2. If you didn't do so already, change the default SO-PIN ("3537363231383830") to your own choices. See these instructions. Afterwards you can begin to generate new keys.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Windows

The first time you plug in the Nitrokey FIDO U2F Windows may need some time to configure the device.

The Nitrokey FIDO U2F supports two-factor authentication (2FA). With two-factor authentication (2FA), the Nitrokey FIDO U2F is checked in addition to the password.

The Nitrokey FIDO U2F can be used with any current browser.

Two-Factor Authentication (2FA)

  1. Open one of the websites that support FIDO U2F.
  2. Log in to the website and enable two-factor authentication in your account settings. (In most cases you will find a link to the documentation of the supported web service at dongleauth.info)
  3. Register your Nitrokey FIDO U2F in the account settings by touching the button to activate the Nitrokey FIDO U2F. After you have successfully configured the device, you must activate the Nitrokey FIDO U2F this way each time you log in.
Checkout the various use cases and supported applications.
 

Note: Google only accepts the Chrome browser for registering the Nitrokey FIDO U2F. Logging in works fine with Firefox though.

Note: The Nitrokey App can not be used for the Nitrokey FIDO U2F.

 

GNU/Linux

The Nitrokey FIDO U2F supports two-factor authentication (2FA). With two-factor authentication (2FA), the Nitrokey FIDO U2F is checked in addition to the password.

The Nitrokey FIDO U2F can be used with any current browser.

Two-Factor Authentication (2FA)

  1. Open one of the websites that support FIDO U2F.
  2. Log in to the website and enable two-factor authentication in your account settings. (In most cases you will find a link to the documentation of the supported web service at dongleauth.info)
  3. Register your Nitrokey FIDO U2F in the account settings by touching the button to activate the Nitrokey FIDO U2F. After you have successfully configured the device, you must activate the Nitrokey FIDO U2F this way each time you log in.
Checkout the various use cases and supported applications.
 

Note: Google only accepts the Chrome browser for registering the Nitrokey FIDO U2F. Logging in works fine with Firefox though.

Note: The Nitrokey App can not be used for the Nitrokey FIDO U2F.

 

Troubleshooting

  • If the Nitrokey is not accepted immediately, you may need to copy this file 41-nitrokey.rules to etc/udev/rules.d/. In very rare cases, the system will need the older version of this file.
  • After copying the file, restart udev via sudo service udev restart.

macOS

The Nitrokey FIDO U2F supports two-factor authentication (2FA). With two-factor authentication (2FA), the Nitrokey FIDO U2F is checked in addition to the password.

The Nitrokey FIDO U2F can be used with any current browser.

Two-Factor Authentication (2FA)

  1. Open one of the websites that support FIDO U2F.
  2. Log in to the website and enable two-factor authentication in your account settings. (In most cases you will find a link to the documentation of the supported web service at dongleauth.info)
  3. Register your Nitrokey FIDO U2F in the account settings by touching the button to activate the Nitrokey FIDO U2F. After you have successfully configured the device, you must activate the Nitrokey FIDO U2F this way each time you log in.
Checkout the various use cases and supported applications.
 

Note: Google only accepts the Chrome browser for registering the Nitrokey FIDO U2F. Logging in works fine with Firefox though.

Note: The Nitrokey App can not be used for the Nitrokey FIDO U2F.

 

Windows

The Nitrokey FIDO2 supports two-factor authentication (2FA) and passwordless authentication:

  • With passwordless authentication, entering a password is replaced by logging in with the Nitrokey FIDO2 and a PIN.
  • With two-factor authentication (2FA), the Nitrokey FIDO2 is checked in addition to the password.

The Nitrokey FIDO2 can be used with any current browser.

Passwordless authentication

  1. Open a web page that supports FIDO2 (currently only Microsoft).
  2. Log in to the website and go to "Set up security key" in the security settings of your account.
  3. Now you need to set a PIN for your Nitrokey FIDO2.
  4. Touch the button of your Nitrokey FIDO2 when prompted.
  5. Once you have successfully configured the device, you will need to activate your Nitrokey FIDO2 this way each time you log in, after entering your PIN.


Two-Factor Authentication (2FA)

  1. Open one of the websites that support FIDO U2F.
  2. Log in to the website and enable two-factor authentication in your account settings. (In most cases you will find a link to the documentation of the supported web service at dongleauth.info)
  3. Register your Nitrokey FIDO2 in the account settings by touching the button to activate the Nitrokey FIDO2. After you have successfully configured the device, you must activate the Nitrokey FIDO2 this way each time you log in.

    Checkout the various use cases and supported applications.
     

    Note: Google only accepts the Chrome browser for registering the Nitrokey FIDO2 Logging in works fine with Firefox though.

Note: The Nitrokey App can not be used for the Nitrokey FIDO2.

GNU/Linux

The Nitrokey FIDO2 supports two-factor authentication (2FA) and passwordless authentication:

  • With passwordless authentication, entering a password is replaced by logging in with the Nitrokey FIDO2 and a PIN.
  • With two-factor authentication (2FA), the Nitrokey FIDO2 is checked in addition to the password.

The Nitrokey FIDO2 can be used with any current browser.

Passwordless authentication

  1. Open a web page that supports FIDO2 (currently only Microsoft).
  2. Log in to the website and go to "Set up security key" in the security settings of your account.
  3. Now you need to set a PIN for your Nitrokey FIDO2.
  4. Touch the button of your Nitrokey FIDO2 when prompted.
  5. Once you have successfully configured the device, you will need to activate your Nitrokey FIDO2 this way each time you log in, after entering your PIN.


Two-Factor Authentication (2FA)

  1. Open one of the websites that support FIDO U2F.
  2. Log in to the website and enable two-factor authentication in your account settings. (In most cases you will find a link to the documentation of the supported web service at dongleauth.info)
  3. Register your Nitrokey FIDO2 in the account settings by touching the button to activate the Nitrokey FIDO2. After you have successfully configured the device, you must activate the Nitrokey FIDO2 this way each time you log in.

    Checkout the various use cases and supported applications.
     

    Note: Google only accepts the Chrome browser for registering the Nitrokey FIDO2 Logging in works fine with Firefox though.

Note: The Nitrokey App can not be used for the Nitrokey FIDO2.


Troubleshooting

  • If the Nitrokey is not accepted immediately, you may need to copy this file 41-nitrokey.rules to etc/udev/rules.d/. In very rare cases, the system will need the older version of this file.
  • After copying the file, restart udev via sudo service udev restart.

macOS

The Nitrokey FIDO2 supports two-factor authentication (2FA) and passwordless authentication:

  • With passwordless authentication, entering a password is replaced by logging in with the Nitrokey FIDO2 and a PIN.
  • With two-factor authentication (2FA), the Nitrokey FIDO2 is checked in addition to the password.

The Nitrokey FIDO2 can be used with any current browser.

Passwordless authentication

  1. Open a web page that supports FIDO2 (currently only Microsoft).
  2. Log in to the website and go to "Set up security key" in the security settings of your account.
  3. Now you need to set a PIN for your Nitrokey FIDO2.
  4. Touch the button of your Nitrokey FIDO2 when prompted.
  5. Once you have successfully configured the device, you will need to activate your Nitrokey FIDO2 this way each time you log in, after entering your PIN.


Two-Factor Authentication (2FA)

  1. Open one of the websites that support FIDO U2F.
  2. Log in to the website and enable two-factor authentication in your account settings. (In most cases you will find a link to the documentation of the supported web service at dongleauth.info)
  3. Register your Nitrokey FIDO2 in the account settings by touching the button to activate the Nitrokey FIDO2. After you have successfully configured the device, you must activate the Nitrokey FIDO2 this way each time you log in.

    Checkout the various use cases and supported applications.
     

    Note: Google only accepts the Chrome browser for registering the Nitrokey FIDO2 Logging in works fine with Firefox though.

Note: The Nitrokey App can not be used for the Nitrokey FIDO2.

Ubuntu Linux

With the NitroPad X230, malicious changes to the BIOS, operating system, and software can be easily detected. For example, if you left your NitroPad in a hotel room, you can use your Nitrokey to check if it has been tampered with while you were away. If an attacker modifies the NitroPad's firmware or operating system, the Nitrokey will detect this (instructions below).

Verification of the Sealed Hardware


If you have ordered the unit with the option "sealed screws and sealed bag", please check the sealing before unpacking. If you do not know what this means, please skip this section.

Secure Starting Procedure

Each time you start the NitroPad, you should - if possible - connect your Nitrokey. If the Nitrokey is plugged in and the system has not been modified, the following screen will appear when the NitroPad is turned on.

The box marked in red contains the information that the BIOS has not been changed and that the shared secret of the NitroPad and the Nitrokey match. But this information is not sufficient, because an attacker could have faked it! But if at the same time the Nitrokey also flashes green, everything is fine. An attacker would have to have had access to the NitroPad and Nitrokey to achieve this result. It is therefore important that you do not leave both devices unattended.

If the information on the NitroPad does not match the information on the Nitrokey, the background would turn red and the message "Invalid Code" would appear. This could indicate that manipulation has taken place.

How the boot process may look like if the system has been changed (for example after an update) and what error messages may otherwise occur is described further below.
By the way: the NitroPad X230 can also be started without the Nitrokey. If you don't have the Nitrokey with you, but are sure that the hardware has not been changed, you can boot your system without checking.

Getting Started

After purchase, the passwords are set to a default value and must be changed by you:

  1. Press Enter ("Default Boot") after booting the system, provided the NitroPad has not shown any errors and the Nitrokey is lit green (see above).
  2. Next, the system will prompt you to enter the passphrase to decrypt the hard disk. The passphrase is initially "PleaseChangeMe".

  3. The system will then guide you through the process of creating a user account. After that you should have successfully booted the system and could already use it normally.
  4. Click on the Nitrokey icon on the left side of the screen to open the pre-installed Nitrokey app.
  5. Change the PINs of your Nitrokey as described here.
  6. Change the passphrase for disk encryption as described here.

Behavior After a System Update

The NitroPad firmware checks certain system files for changes. If your operating system has updated important components, you will be warned the next time you boot the NitroPad. This could look like this, for example:

That's why it's important to restart your NitroPad under controlled conditions after a system update. Only when the new status has been confirmed can you leave the device unattended again. Otherwise, you will not be able to distinguish a possible attack from a system update. Detailed instructions for a system update can be found here.

Troubleshooting

If Ubuntu doesnt boot as shown below, please execute the following steps: 
+++ Found verified kexec boot params 
gpg: verify signatures failed: Unknown system error 
Invalid signature on kexec boot params 
!!!!! Failed default boot 
New value of PCR[4]: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
!!!!!Starting recovery shell 
/boot #

Restart your Laptop and go to Options.


Select "Update Checksums and sign all files on /boot".


After that, please follow these instructions from step 3 found here.

Qubes OS

With the NitroPad X230, malicious changes to the BIOS, operating system, and software can be easily detected. For example, if you left your NitroPad in a hotel room, you can use your Nitrokey to check if it has been tampered with while you were away. If an attacker modifies the NitroPad's firmware or operating system, the Nitrokey will detect this (instructions below).

Verification of the Sealed Hardware


If you have ordered the unit with the option "sealed screws and sealed bag", please check the sealing before unpacking. If you do not know what this means, please skip this section.

Secure Starting Procedure

Each time you start the NitroPad, you should - if possible - connect your Nitrokey. If the Nitrokey is plugged in and the system has not been modified, the following screen will appear when the NitroPad is turned on.

The box marked in red contains the information that the BIOS has not been changed and that the shared secret of the NitroPad and the Nitrokey match. But this information is not sufficient, because an attacker could have faked it! But if at the same time the Nitrokey also flashes green, everything is fine. An attacker would have to have had access to the NitroPad and Nitrokey to achieve this result. It is therefore important that you do not leave both devices unattended.

If the information on the NitroPad does not match the information on the Nitrokey, the background would turn red and the message "Invalid Code" would appear. This could indicate that manipulation has taken place.

How the boot process may look like if the system has been changed (for example after an update) and what error messages may otherwise occur is described further below.
By the way: the NitroPad X230 can also be started without the Nitrokey. If you don't have the Nitrokey with you, but are sure that the hardware has not been changed, you can boot your system without checking.

Getting Started

After purchase, the passwords are set to a default value and must be changed by you:

  1. Press Enter ("Default Boot") after booting the system, provided the NitroPad has not shown any errors and the Nitrokey is lit green (see above).
  2. Next, the system will prompt you to enter the passphrase to decrypt the hard disk. The passphrase is initially "PleaseChangeMe".

  3. The system will then guide you through the process of creating a user account. After that you should have successfully booted the system and could already use it normally.
  4. Open the pre-installed Nitrokey app and change the PINs of your Nitrokey as described here.
  5. Change the passphrase for the hard disk encryption by running "sudo cryptsetup luksChangeKey /dev/sda2" in a terminal.
In case the Network Manager icon is not shown and when starting a VM an error like "Domain sys-net has failed to start: PCI device dom0:03_00.0 does not exist" is shown, proceed as follows:
  1. Open menu -> Service: sys-net -> sys-net: Qube Settings
  2. Go to Devices tab
  3. Remove "Unknown device" from the right side
  4. Add "Network controler" device
  5. Click "OK" and restart the system.

Behavior After a System Update

The NitroPad firmware checks certain system files for changes. If your operating system has updated important components, you will be warned the next time you boot the NitroPad. This could look like this, for example:

That's why it's important to restart your NitroPad under controlled conditions after a system update. Only when the new status has been confirmed can you leave the device unattended again. Otherwise, you will not be able to distinguish a possible attack from a system update. Detailed instructions for a system update can be found here.

Troubleshooting

If Qubes doesnt boot as shown below, please execute the following steps: 
+++ Found verified kexec boot params 
gpg: verify signatures failed: Unknown system error 
Invalid signature on kexec boot params 
!!!!! Failed default boot 
New value of PCR[4]: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
!!!!!Starting recovery shell 
/boot #

Restart your Laptop and go to Options.


Select "Update Checksums and sign all files on /boot".


After that, please follow these instructions from step 3 found here.

Nitrokey - Made in Germany