Applications

Nitrokey can be used with a large variety of third-party applications. Basically every application which uses GnuPG, the Windows certificate store or a PKCS#11 interface can be used with the Nitrokey. This page gives an incomplete overview of the most popular applications and their usage.

Please send us your feedback or instructions if you successfully used Nitrokey with applications not listed here.

  • General

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    GnuPG

    GnuPG is required for many use cases. It is a command line tool, but usually you don't need to invoke it directly; you use another application with a user interface instead.

    Don't use GnuPG in parallel with OpenSC or another PKCS#11 driver: GnuPG's scdaemon and the PKCS#11 module both try to claim the card reader, they interfere with each other, and unexpected issues may result.

    1. Install GPG4Win, which contains Gnu Privacy Assistant (GPA) and GnuPG (GPG).
    2. Start Gnu Privacy Assistant (GPA) or another application such as your email client to use GnuPG.
      Advanced users can use GnuPG directly (command line). Please note: the Fellowship smart card is similar to the Nitrokey Pro, so those instructions work for Nitrokey as well. In general the official documentation is recommended.

    PKCS#11 Driver

    If you want to use S/MIME email encryption with Thunderbird, TrueCrypt/VeraCrypt, certificate-based SSL authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software, you should install OpenSC.

    Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP, but the other way around works fine. If you want to use Nitrokey with both GnuPG and PKCS#11, generate the keys with GnuPG.

    Don't use PKCS#11 in parallel with GnuPG because both may interfere and unexpected issues may result. (There is another promising project, scd-pkcs11, in development which may eventually overcome this limitation. Currently it is limited to the authentication certificate and not widely tested yet.)

    Instructions on how to create a valid X.509 certificate with Nitrokey (1, 2, 3). These are general instructions on how to use X.509 certificates.

    Alternative PKCS#11 Driver:

    The recommended PKCS#11 driver is OpenSC. Alternatively, you could use Peter Koch's PKCS#11 driver which has the following limitations:

    • No import of existing X.509 certificates. (Instead, keys have to be generated on the Nitrokey)
    • The Linux version does not allow generating keys.
    • Modification of the password/PIN under Linux is not possible.

    Windows Mini Driver

    This Mini Driver integrates Nitrokey with the Windows certificate store. Subsequently all applications which use this certificate store can be used with Nitrokey (e.g. Internet Explorer, Google Chrome web browser, Windows Login). To install the driver, you may need to allow the installation of unsigned drivers first.

    Aloaha

    All applications of Aloaha are working with the Nitrokey. This includes a middleware to integrate Nitrokey with other PKCS#11 based applications and with Windows as well as applications to encrypt and sign PDFs and the hard disk.

  • General

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    GnuPG

    GnuPG is required in many use cases to initialize and use the Nitrokey. It is a command line tool but usually you don't need to invoke it directly.

    Instructions on how to use Nitrokey with GnuPG (command line). Please note: the Fellowship smart card is similar to the Nitrokey Pro, so those instructions work for Nitrokey as well. In general the official documentation is recommended.


    p11-glue

    p11-glue uses PKCS#11 as glue between crypto libraries and security applications on the open source desktop.

    Articles in German


  • General

    For: Nitrokey HSM
    • OpenSC: Comprehensive instructions exist for the OpenSC framework.
    • GnuPG: The latest GnuPG 2.1 supports Nitrokey HSM.
    • Embedded Systems: For systems with a minimal memory footprint a read-only PKCS#11 module is provided by the sc-hsm-embedded project.
      This PKCS#11 module is useful for deployments where key generation at the user's workplace is not required. The PKCS#11 module also supports major electronic signature cards available in the German market.
    • OpenSCDP: The SmartCard-HSM is fully integrated with OpenSCDP, the open smart card development platform. See the public support scripts for details.
  • Computer Login

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    To access Nitrokey devices read-only, download and install this Mini Driver (CSP). If you are using Windows Server you may need to disable driver signature verification before being able to install the driver.

    To generate keys, create certificates and enroll Nitrokeys for your users, the following instructions, written for the Nitrokey HSM, may be useful. Note that the Mini Driver for Nitrokey Pro may not work yet in write mode.

  • Computer Login

    For: Nitrokey HSM

    Select your use case:

  • Computer Login

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    Linux Login with PAM

    You have two options: pam_p11 or Poldi.

    Poldi 0.4.1 works flawlessly with Nitrokey for PAM authentication, using the default /etc/poldi/poldi.conf:

      auth-method localdb
      log-file /var/log/poldi.log
      debug
      scdaemon-program /usr/bin/scdaemon

    Add one line to /etc/poldi/localdb/users with the Nitrokey's serial number (the Application ID shown by gpg --card-status | grep Application) followed by the user name:

      D00600012401020000000000xxxxxxxx <username>

    Then dump the public key from the Nitrokey into Poldi's local db, using the same serial number as the file name. The redirection has to run as root too, hence the sh -c:

      sudo sh -c 'poldi-ctrl -k > /etc/poldi/localdb/keys/D00600012401020000000000xxxxxxxx'

    Then you have to configure PAM. Add "auth sufficient pam_poldi.so" to the PAM configuration files according to your needs:

    • /etc/pam.d/common-auth for graphical user login
    • /etc/pam.d/login for console login
    • /etc/pam.d/sudo for sudo authentication
    • /etc/pam.d/gnome-screensaver for unlocking a locked screen
    • etc.

    Note: "sufficient" means that a successful card authentication (card present plus correct PIN) alone satisfies the stack, and PAM runs the modules in order, so put the line before pam_unix.so if the card is to be tried before the password prompt. PAM is dangerous to play around with, so make sure you have a way of accessing the machine if you break authentication completely. Remember that booting into rescue mode from GRUB requires a root password, so keep that or a live CD which can read your file systems to hand.

    Here you find other instructions.

  • Web Login with One-Time Passwords (OTP, 2FA)

    For: Nitrokey Pro, Nitrokey Storage

    One-time passwords (OTP) are used for secure login to websites and local applications.

    There are two variants of one-time passwords:

    • HMAC-based one-time passwords (HOTP) are used for local applications and computer logins. Each code is derived from the shared secret and a counter that advances with every generated code.
    • Time-based one-time passwords (TOTP) are used by most websites. Here the counter is the current time in 30-second steps, so the token and the website must agree on the time. If unsure, use this variant.
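    The following is an added example, not code from the original page or from Nitrokey: a Python implementation of exactly the HOTP (RFC 4226) and TOTP (RFC 6238) computation the token performs, including the decoding of the base32 secret a website hands out during enrolment, plus the server side of the check (a counter look-ahead for HOTP, a time window for TOTP). The secret is the RFC test secret "12345678901234567890", so the codes can be compared with the tables in the RFCs; the look-ahead and window sizes are assumptions of this example, not Nitrokey or website defaults.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Base32 form of the RFC 4226 / RFC 6238 test secret b"12345678901234567890".
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret shown during 2FA enrolment.

    Sites often print it in lower case, grouped with spaces and without the
    '=' padding that base32 formally requires; normalise all of that first.
    """
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation
    to a 31-bit integer, then the last `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods
    since the Unix epoch, which is why token and server need synchronised clocks."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits, algorithm)


def verify_hotp(secret: bytes, code: str, last_counter: int, look_ahead: int = 10) -> Optional[int]:
    """Server side of HOTP. The token's counter may have run ahead (codes
    generated but never submitted), so any of the next `look_ahead` counters is
    accepted. Counters at or below last_counter are never accepted, which blocks
    replay of a code that was already used. Returns the counter to store."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return c
    return None


def verify_totp(secret: bytes, code: str, timestamp: float, step: int = 30, window: int = 1) -> bool:
    """Server side of TOTP: accept the current period and `window` periods on
    either side to tolerate clock drift. A replay within the same period still
    passes here; a real server must additionally remember codes already used."""
    period = int(timestamp) // step
    return any(hmac.compare_digest(hotp(secret, p, len(code)), code)
               for p in range(period - window, period + window + 1))


if __name__ == "__main__":
    key = decode_secret(RFC_TEST_SECRET_B32)
    for counter in range(3):
        print(f"HOTP counter {counter}: {hotp(key, counter)}")
    print("TOTP (8 digits) at t=59:", totp(key, 59, digits=8))
    print("current TOTP:", totp(key))
```

    The double-press HOTP mode described further down is this hotp() with the slot's counter incremented on every press; if the key is pressed without submitting the code, the website's counter falls behind the token's, which is what the server-side look-ahead compensates for.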

    Initial setup

    1. Download and install the latest Nitrokey App. Please verify that it really is the latest version.

    2. Change the default User PIN and Admin PIN to PINs of your own: start the Nitrokey App, click the tray icon and choose "Settings > Change User PIN" and "Settings > Change Admin PIN".

    Configure a website/application to use OTP

    1. Log in to the website which supports two-factor authentication or one-time passwords compatible with Yubikey and Google Authenticator. Usually you find the option to enable two-factor authentication in your profile or in the settings. There you get a base32-encoded string (the secret). Copy this string to the clipboard. Treat it like a password: anyone who has the secret can generate your codes.

    2. Start the Nitrokey App, click the tray icon and choose "Settings > One-Time Passwords".

    3. Enter your Admin PIN.

    4. Choose either a slot for TOTP (common for websites) or for HOTP (common for applications) and enter the secret you copied in step 1. Give the slot a name. The default values of the other options can usually be left unchanged.

    Secure login to websites/applications

    1. Start the Nitrokey App, click the tray icon and choose from the menu the slot you configured before.

    2. Confirm the dialog and copy the one-time password to the clipboard.

    3. Paste the one-time password from the clipboard into the corresponding prompt/website.

    HMAC-based one-time passwords - HOTP

    Besides the usage described above, you can type HOTPs directly with a USB keyboard (internal laptop keyboards don't work) without using the Nitrokey App.

    1. Configuration: Start the Nitrokey App, click the tray icon and choose "Settings > One-Time Passwords". Go to "General Configuration" and select the key whose double press triggers your HOTP.

    2. Usage:

      1. Place the cursor in the corresponding password prompt.

      2. Double-press the key you configured above (e.g. Caps Lock).

  • Encrypted Mobile Storage

    For: Nitrokey Storage

    Before you use the encrypted storage, you must install and initialize the Nitrokey Storage and download the current Nitrokey App.

    1. Start the Nitrokey App.
    2. Click the tray icon and choose "unlock encrypted volume" from the menu.
    3. Enter your User PIN in the next dialog.
    4. If this is the first time, you must create a partition on the encrypted volume. Windows will show a dialog prompting you to do so. On Linux and Mac OS you must open your partition manager and create a partition manually. You can create as many partitions as you want. If you want to access the partition from different operating systems, we recommend FAT(32).
    5. Now you can use the encrypted volume like an ordinary USB drive. However, all stored data is automatically encrypted in the Nitrokey hardware.
    6. To remove or lock an encrypted volume, unmount/eject it first.
    7. Then you can remove the Nitrokey or choose "lock encrypted volume" in the Nitrokey App menu.

    Hidden Volumes

    Hidden volumes allow hiding data within the encrypted volume. The data is protected with an additional password. Without the password, the existence of the data cannot be proven. Hidden volumes don't exist by default, so their existence can be plausibly denied. This concept resembles the hidden volumes of VeraCrypt/TrueCrypt, but on the Nitrokey it is implemented entirely in hardware.

    You can set up up to four hidden volumes. Once unlocked, hidden volumes behave like ordinary storage in which you can create arbitrary partitions and file systems and store files.

    Setting up hidden volumes:

    1. Unlock the encrypted volume in the Nitrokey App menu.
    2. Choose "Set up hidden volume".
    3. Now enter a new password twice; it protects the hidden volume. The strength of the password is shown below the input.
      Note: PINs can only be tried three times, which is why a short length suffices. Passwords, in principle, can be attacked without limit, which is why they must be sufficiently strong.
    4. Next you must define the storage region to use. Hidden volumes are stored in the empty space of the encrypted volume, and the file system of the encrypted volume knows nothing about them. This choice is critical because a wrong choice could destroy data of the encrypted (non-hidden) volume and could reveal the existence of the hidden volume.
      1. You should use a FAT partition in the encrypted volume.
      2. Copy some files to the encrypted volume before setting up a hidden volume. After setting up a hidden volume you should not add or modify files on the encrypted volume, because the file system may allocate space inside the hidden volume's region and overwrite it.
      3. Determine how much space your files on the encrypted volume occupy, e.g. 10%.
      4. The hidden volume should begin after the files of the encrypted volume, e.g. 10% files + 10% buffer = 20%.
      5. The hidden volume should end some distance before the end of the storage, e.g. 90%.

    Note: If you use two or more hidden volumes, their storage regions must not overlap. Otherwise they would overwrite and destroy each other's data. Each hidden volume needs its own password.
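    Before entering the percentages into the Nitrokey App, it helps to check a planned layout against the rules above mechanically. The following Python function is an added example, not part of the original page or of the Nitrokey App. It takes the share of the encrypted volume occupied by files, the buffer, and the planned (name, start %, end %) ranges, and reports every violation: a volume that starts inside the data region, one that ends too close to the end of the storage (the 10% end margin is an assumption taken from the 90% figure above), two volumes that overlap, and more than four volumes.

```python
from typing import List, Sequence, Tuple

# A planned hidden volume: (name, start percent, end percent) of the encrypted volume.
HiddenVolume = Tuple[str, int, int]

MAX_HIDDEN_VOLUMES = 4  # the Nitrokey Storage supports up to four hidden volumes


def check_hidden_volume_plan(files_percent: int, buffer_percent: int,
                             volumes: Sequence[HiddenVolume],
                             end_margin_percent: int = 10) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is safe.

    files_percent:      share of the encrypted volume already used by files.
    buffer_percent:     safety margin kept free after those files.
    end_margin_percent: distance to keep free before the end of the storage
                        (assumed 10%, matching the 90% example in the text).
    """
    problems: List[str] = []
    data_end = files_percent + buffer_percent
    last_allowed_end = 100 - end_margin_percent

    if len(volumes) > MAX_HIDDEN_VOLUMES:
        problems.append(f"{len(volumes)} hidden volumes planned, at most {MAX_HIDDEN_VOLUMES} are supported")

    for name, start, end in volumes:
        if not 0 <= start < end <= 100:
            problems.append(f"{name}: {start}%-{end}% is not a valid range")
            continue
        if start < data_end:
            problems.append(f"{name}: starts at {start}% but the outer volume's files plus buffer reach "
                            f"{data_end}%; creating it would destroy data of the encrypted volume")
        if end > last_allowed_end:
            problems.append(f"{name}: ends at {end}%, closer than {end_margin_percent}% to the end of the storage")

    # Overlap check: after sorting by start, every volume must start at or
    # after the point where the previous one ends.
    valid = sorted((v for v in volumes if 0 <= v[1] < v[2] <= 100), key=lambda v: v[1])
    for (n1, s1, e1), (n2, s2, e2) in zip(valid, valid[1:]):
        if s2 < e1:
            problems.append(f"{n1} ({s1}%-{e1}%) and {n2} ({s2}%-{e2}%) overlap; "
                            f"they would overwrite each other's data")

    return problems


if __name__ == "__main__":
    # Constructed plan following the text: 10% of files plus a 10% buffer.
    plan = [("work", 20, 55), ("private", 55, 90)]
    print(check_hidden_volume_plan(10, 10, plan) or "plan is safe")
    # A plan that breaks three rules at once.
    for problem in check_hidden_volume_plan(10, 10, [("a", 15, 60), ("b", 50, 95)]):
        print("problem:", problem)
```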

    Using hidden volumes:

    1. Choose "unlock encrypted volume" and enter your User PIN.
    2. Choose "unlock hidden volume" and enter the password of one of the hidden volumes.
    3. If this is the first time, you must create a partition on the hidden volume. Windows will open a dialog prompting you to do so. On Linux and Mac OS you may need to start a partition manager to create a partition manually. You can create as many partitions as you want. We recommend FAT(32) if you want to access the partition from different operating systems.
    4. Make sure to unmount/eject all partitions of the hidden volume before removing or locking the Nitrokey.

    See also the older but comprehensive Nitrokey Storage manual (in English).

  • Hidden Volumes

    For: Nitrokey Storage
  • Email Encryption

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    Note: Two different email encryption formats exist:

    • OpenPGP / GnuPG is popular among individuals.
    • S/MIME / X.509 is mostly used by enterprises.

    If unsure which format to use, choose OpenPGP.

     

    Mozilla Thunderbird with OpenPGP

    Thunderbird is a popular and open source email client. The add-on Enigmail provides OpenPGP email encryption functionality. (Thunderbird 78 and later ship with built-in OpenPGP support and no longer load Enigmail; the steps below apply to older versions.)

    1. Download and install GPG4Win and Thunderbird.
    2. Download and install Enigmail (instructions).
    3. If you didn't do so already, change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices. (instructions)
    4. Generate new keys or import your existing RSA keys. (instructions)
      Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).

     

    Mozilla Thunderbird with S/MIME

    Thunderbird is a popular and open source email client which can encrypt emails in S/MIME format out-of-the-box.

    1. Download the PKCS#11 driver and configure it in Thunderbird.

     

    GNOME Evolution with OpenPGP or S/MIME

    Evolution is the email client of GNOME which supports OpenPGP- and S/MIME-based email encryption.

     

    Microsoft Outlook with OpenPGP or S/MIME

    OpenPGP:

    • GPG4Win contains the Outlook plugin GpgOL which enables its usage with GnuPG and with Nitrokey (untested).
    • Alternatively you may want to try the new Outlook Privacy Plugin.

    S/MIME:

    • To use S/MIME, install the MiniDriver.

     

    Claws Mail with OpenPGP or S/MIME

    Claws Mail is an email client (and news reader) for Linux and Windows, based on GTK+, with focus on quick response.

  • Email Encryption

    For: Nitrokey HSM

    Encrypt your e-mail using the S/MIME industry standard available in all major e-mail clients.

    The Nitrokey HSM has been tested to work with Mozilla Thunderbird and Microsoft Outlook. Other e-mail clients with support for PKCS#11 or Microsoft CSP should work as well.

  • Instant Messenger

    Pidgin (plugin), Gajim, Psi and KDE's Kopete (plugin) are instant messenger clients for Jabber/XMPP which can encrypt messages with GnuPG and thus with the Nitrokey (untested).

  • Hard Disk Encryption

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    TrueCrypt

    TrueCrypt and its successor VeraCrypt are free and open-source disk encryption software for Windows, Mac OS X, and Linux. Follow these steps to use it with Nitrokey:

    1. Configure the PKCS#11 library under Settings > Preferences > Security Token.
      Note: OpenSC seems not to work because of this pending issue.
    2. Create a small keyfile (64 bytes, generated via Tools > Keyfile > Keyfile Generator) to be stored on the token.
    3. Now you should be able to import this keyfile, after entering the correct PIN, via Tools > Manage Security Token Keyfiles. The keyfile is stored on the Nitrokey as 'Private Data Object 3' (don't forget to wipe the original keyfile securely).
    4. Now you can use TrueCrypt with the Nitrokey: create a container and choose the keyfile on the device as its password.

    Security Consideration: Please note that TrueCrypt/VeraCrypt doesn't make use of the full security which Nitrokey (and smart cards in general) offer. The keyfile is a data object, not a private key: after the user enters the PIN it is read out of the token into the computer's memory, where malware could copy it, and the actual decryption does not involve the smart card at all. A keyfile copied once stays usable forever, unlike a private key that never leaves the device.

    Note: Aloaha Crypt is based on TrueCrypt but without the described security limitation.

     

    Hard Disk Encryption on Linux, Based on LUKS/dm-crypt

    Here are excellent instructions on how to use Nitrokey to encrypt your hard disk under Linux with LUKS/dm-crypt. Other instructions.

     

    Storage Encryption on Linux, Based on EncFS

    Prerequisite: Please ensure that you installed the device driver, changed the default PINs and generated or imported keys.

    An easy to use encrypted file system is EncFS, which is based on FUSE. You may follow these steps to use it with a very long passphrase that is kept in a GnuPG-encrypted file and only decrypted with the Nitrokey:

    Initialization

    Write a long passphrase into a key file. (Typed like this, the passphrase also lands in your shell history; run "set +o history" first. Since rm does not wipe the file's contents from the disk, consider creating the file on a tmpfs such as /dev/shm and adjusting the paths below.)
    $ echo "Your long secret passphrase" > keyfile
    
    Encrypt the key file to your own OpenPGP key, whose encryption subkey is on the Nitrokey; this creates keyfile.gpg:
    $ gpg -e -r <your key ID> keyfile
    
    Remove the key file in clear text:
    $ rm keyfile
    
    Create the encrypted backing directory and the mount point:
    $ mkdir ~/.cryptdir.encfs ~/cryptdir
    
    Select paranoia mode ("p") and enter "Your long secret passphrase" as the password:
    $ encfs ~/.cryptdir.encfs ~/cryptdir
    
    Unmount the new file system:
    $ fusermount -u ~/cryptdir
    

    Usage

    # Mount the encrypted file system; gpg asks for the PIN of the Nitrokey and
    # passes the decrypted passphrase to encfs on stdin (-S):
    $ gpg -d keyfile.gpg | encfs -S ~/.cryptdir.encfs ~/cryptdir
    
    # After usage, unmount the file system:
    $ fusermount -u ~/cryptdir
    

     

    Storage Encryption on Linux, Based on ECryptFS

    eCryptfs is a file-based transparent encryption file system for Linux which can be used with Nitrokey through a PKCS#11 driver. See these instructions. Alternatively, try ESOSI or follow these steps using OpenSC and OpenVPN (OpenVPN is only used here to print the PKCS#11 ID of the key on the card):

    Warning: This will delete existing keys on your Nitrokey!

    # Import the certificate and key from a PKCS#12 file to the Nitrokey
    # (key ID 3 is the authentication key of the OpenPGP card):
    $ pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key user@example.com.p12 --format pkcs12 --auth-id 3 --verify-pin
    
    # Create the file ~/.ecryptfsrc.pkcs11:
    $ editor ~/.ecryptfsrc.pkcs11
    
    # with this content (the library path is that of your OpenSC PKCS#11 module):
    pkcs11-log-level=5
    pkcs11-provider1,name=name,library=/usr/lib/opensc-pkcs11.so,cert-private=true
    
    # List the PKCS#11 IDs on the card, passing the path of the opensc-pkcs11 module:
    $ openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so
    Certificate
        DN: /description=Iv4IQpLO02Mnix9i/CN=user@example.com/emailAddress=user@example.com
        Serial: 066E04
        Serialized id: ZeitControl/PKCS\x2315\x20emulated/000500000c7f/OpenPGP\x20card\x20\x28User\x20PIN\x29/03
    
    # Copy the serialized id for later use, then start the manager:
    $ ecryptfs-manager
    
    # This shows a list of options. Choose "Add public key to keyring",
    # then choose pkcs11-helper and enter the serialized id from the
    # previous step as the PKCS#11 ID.
    
    
  • Hard Disk Encryption

    For: Nitrokey HSM

    TrueCrypt

    TrueCrypt and its successor VeraCrypt are free and open-source disk encryption software for Windows, Mac OS X, and Linux. Follow these steps to use it with Nitrokey:

    1. Configure the PKCS#11 library under Settings > Preferences > Security Token.
      Note: OpenSC seems not to work because of this pending issue.
    2. Create a small keyfile (64 bytes, generated via Tools > Keyfile > Keyfile Generator) to be stored on the token.
    3. Now you should be able to import this keyfile, after entering the correct PIN, via Tools > Manage Security Token Keyfiles. The keyfile is stored on the Nitrokey as 'Private Data Object 3' (don't forget to wipe the original keyfile securely).
    4. Now you can use TrueCrypt with the Nitrokey: create a container and choose the keyfile on the device as its password.

    Security Consideration: Please note that TrueCrypt/VeraCrypt doesn't make use of the full security which Nitrokey (and smart cards in general) offer. The keyfile is a data object, not a private key: after the user enters the PIN it is read out of the token into the computer's memory, where malware could copy it, and the actual decryption does not involve the smart card at all. A keyfile copied once stays usable forever, unlike a private key that never leaves the device.

    Note: Aloaha Crypt is based on TrueCrypt but without the described security limitation. (Not tested with Nitrokey HSM)

  • Signing and Encrypting Files and PDF Documents

    For: Nitrokey HSM

    GnuPG

    Starting with version 2.1, GnuPG has built-in but limited support for the Nitrokey HSM. Use the gpgsm tool to sign, verify, encrypt and decrypt files or S/MIME messages using your Nitrokey HSM. Use a signature key on a Nitrokey HSM to sign documents with Acrobat Reader, Open Office / Libre Office or any other PDF reader supporting electronic signatures.

  • Signing and Encrypting Files and PDF Documents

    For: Nitrokey Pro, Nitrokey Storage

    Aloaha

    Aloaha provides several applications to encrypt and sign PDFs. All of them, which allow smart card integration, work with Nitrokey.

     

    GnuPG

    Use the gpgsm tool to sign, verify, encrypt and decrypt files. Use a signature key on a Nitrokey to sign documents using Acrobat Reader, Open Office / Libre Office or any other PDF reader supporting electronic signatures.

     

    GPA - GNU Privacy Assistant

    The Gnu Privacy Assistant (GPA) recognizes Nitrokey out-of-the-box, has various features to manage keys and cards. It also allows file operations such as file encryption, decryption, signing.

     

    GpgEx for Windows Explorer

    GpgEx integrates smoothly into Windows Explorer to allow encryption and decryption of files. Install it as part of the GPG4Win package.

  • Certificate-Based Web Login

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    Before you start to use any of these applications with your Nitrokey, please ensure that you installed the device driver and initialized the stick (e.g. generated keys).

    Certificate-based login with TLS and a web browser is a very secure authentication method, but it is rarely used. If you are unsure what this means, this approach is most likely not relevant for you.

    This page refers to websites and applications which support certificate authentication, so that users don't need to enter a username and password when logging in. For instance, WebID is a great protocol which makes use of it. Certificate authentication can be used easily with the Nitrokey and also with any other certificate storage.

    Mozilla Firefox

    You need to install the PKCS#11 driver:

    1. Download the PKCS11 driver and store it on your local hard disk.
    2. Open the menu Options -> Advanced -> Encryption -> Security Devices
    3. Press the button Load. Enter "Crypto Stick" as the Module Name and press the Browse button to select the PKCS11 driver file. Confirm and close all dialogs.

    Now you are ready to access websites which provide certificate authentication.

    Internet Explorer

    Install this Mini Driver for Windows. Now you are ready to access websites which provide certificate authentication.

    Google Chrome

    Under Windows, install this Mini Driver. Under Linux, follow these instructions. Now you are ready to access websites which provide certificate authentication.

    WebID

    WebID is a technology to enable secure and federated social websites. Here is a video (WebM, Ogg video, H.264) which demonstrates how to use Nitrokey to create a WebID profile and subsequently to use it in an Internet cafe in Singapore. Nitrokey protects against computer viruses which might otherwise steal the username and password.

    Websites

    Web Site               Category
    CAcert                 Community-based Certificate Authority
    PrivaSphere            Secure messaging
    StartCom               Certificate Authority
    HM Revenue & Customs   UK's tax administration

    Software

    Application                         Category
    Roundcube (plugin)                  Webmail
    Drupal (WebID, Certificate login)   Content management system
    MediaWiki (plugin)                  Wiki
    Joomla!                             Content management system
    Apache + mod_ssl                    Web server
    OpenSSH                             SSH (remote secure shell) client and server
    WordPress (plugin)                  Blog and CMS
    Tivoli                              System management framework
    Globalscape EFT                     Managed file transfer (MFT)
    Oracle Identity Manager             I&AM
    Fuse Source                         Middleware
    Liferay                             Blog
    FusionForge                         Web-based project management and collaboration software

    This website is a good read about strong authentication mechanisms, why client certificate authentication isn't popular and better alternatives at the horizon.

  • Certificate-Based Web Login

    For: Nitrokey HSM

    Protect access to sensitive information on your website with second-factor authentication.

    Use a Nitrokey HSM as authentication token via the built-in device authentication PKI, or use keys and certificates on a Nitrokey HSM for TLS/SSL client authentication.

  • Enterprise Authentication

    For: Nitrokey Pro, Nitrokey Storage
  • Enterprise Authentication

    For: Nitrokey U2F

    Gluu

  • SSH for Server Administration

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start, Nitrokey HSM

    SSH with PuTTY / KiTTY

    1. Download and install PuTTY and Gpg4win.
    2. Enable PuTTY support in %APPDATA%\gnupg\gpg-agent.conf by adding the line:
      enable-putty-support
      Restart the agent afterwards (gpgconf --kill gpg-agent; it is started again on demand). Now PuTTY will use gpg-agent instead of Pageant and can access the Nitrokey.

    Alternative versions of PuTTY can be used as well: KiTTY, Peter Koch's modified PuTTY. Configure KiTTY/PuTTY to load the PKCS#11 driver as displayed in the following screen shot:

     

    Cygwin

    1. Download and install Cygwin.
    2. Download and install ssh-pageant.
    3. Edit .bashrc and add eval $(ssh-pageant -r -a /tmp/ssh-pageant-$USERNAME)
      Now SSH uses gpg-agent which allows accessing the Nitrokey.

    git with Windows

    In case ssh-pageant doesn't work with git right away, try the following steps:

    1. Open: Control Panel -> System ->Advanced -> Preferences -> Environment Variables
    2. Enter: GIT_SSH=C:\Program Files (x86)\putty\plink.exe
    3. Logout and login again to your Windows session

    Now git uses PuTTY which uses gpg-agent to access the Nitrokey.

    WinSCP

    WinSCP is a free SFTP client for Windows.

    OpenSSH

    1. Make sure ~/.gnupg/gpg.conf contains use-agent (it should by default).
    2. Add SSH support to gpg-agent by adding enable-ssh-support to ~/.gnupg/gpg-agent.conf.
    3. Log out and back in and you should be ready to use it. SSH finds the agent through SSH_AUTH_SOCK, which must point to gpg-agent's SSH socket (shown by gpgconf --list-dirs agent-ssh-socket); if your desktop session starts its own ssh-agent, that one is used instead of gpg-agent and the Nitrokey is not seen.
    4. You can now generate an authorized_keys entry by running gpgkey2ssh 12345678 >> ~/authorized_keys, where 12345678 is the ID of the subkey used for authentication. (gpgkey2ssh was dropped from later GnuPG 2.1 releases; there, use gpg --export-ssh-key 12345678 instead.) Append that file to a remote server's authorized_keys, and when you ssh in you'll be asked for a PIN rather than a passphrase.

    Other instructions can be found here and here. Please note: the Fellowship smart card is similar to Nitrokey, so that documentation applies to Nitrokey as well.

    Another instruction is this one (section "use eToken with OpenSSH"). The tutorial uses a different card, but the same approach applies to Nitrokey. Note: that tutorial exports the SSH key from key ID 45 with "pkcs15-tool --read-ssh-key 45 >> .ssh/authorized_keys", but our OpenPGP card exports from key ID 3 with "pkcs15-tool --read-ssh-key 3".

    Alternatively, information on OpenSSH secure shell and X.509 certificates.

  • SSH for Server Administration

    For: Nitrokey U2F
  • DNSSEC

    For: Nitrokey HSM

    Protect your domain name resolution using DNSSEC with a Nitrokey HSM as a secure key store. It is based on the SmartCard-HSM, which is why the following resources apply:

  • Physical Access Control

    For: Nitrokey HSM

    With its unique built-in device authentication PKI, a Nitrokey HSM has a cryptographically protected unique identity that can be verified in a fast authentication protocol. An access control terminal can verify the authenticity and identity of the device, create a secure communication channel and perform offline PIN verification. The coolPACS project has all the details.

  • VPN Access

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start, Nitrokey HSM

    OpenVPN

    See this link for further information.

    IPsec

    strongSwan could work using the PKCS#11 driver.

    Stunnel

    Stunnel works as an SSL encryption wrapper between a remote client and a local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3 and IMAP servers without any changes to the programs' code.

  • PKI / Certificate Authority (CA)

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start, Nitrokey HSM

    CA keys are very sensitive and must be neither compromised nor lost.

    GnuPG

    Instructions

    OpenSSL

    1. Install OpenSC's engine_pkcs11.
    2. Run the command "pkcs11-tool --list-slots" to list the available slots.
    3. Run the command "openssl> req -engine pkcs11 -new -key slot_X-id_XXXX -keyform engine -x509 -out cert.pem -text", where X is the appropriate slot number and XXXX is the slot ID, e.g. "... -key slot_5-id_c6f280080fb0ed1ebff0480a01d00a98a1b3b89a ...".
    4. Test

    Other

    Nitrokey HSM integrates well with industry solutions like EJBCA or XCA.

    µ-CA-tool is a script based on GnuPG, OpenSC and OpenSSL which helps to perform the basic tasks of a CA. It works with the Nitrokey Pro and Nitrokey Storage.

  • Password Manager

    For: Nitrokey Pro, Nitrokey Storage

    You have the following options:

    • Use Nitrokey's built-in Password Safe to store passwords securely. For this you need the Nitrokey App. It holds a maximum of 16 passwords.
    • Use KeePass as described below.

    Protecting KeePass with Nitrokey's One-Time Passwords

    You can also follow this video (it contains a mistake around time 4:22, which is described further below).

    Keepass Installation

    1. Install Keepass 2.3.5.
      For Ubuntu: Because the main repository contains the older 2.3.4, you have to use another source such as this private PPA (run these commands in a terminal):
      sudo add-apt-repository ppa:jtaylor/keepass
      sudo apt-get update
      sudo apt-get install keepass2
    2. Install the OtpKeyProv plugin by downloading the archive, unzipping it and copying the content to KeePass' plugin directory.
      On Linux: sudo cp OtpKeyProv.plgx /usr/lib/keepass2/Plugins/
    3. For Linux, optional: Install the mono-complete package if the plugin is not detected when running Keepass2 (you can check that under Tools/Plugins):
      sudo apt-get install mono-complete

    Keepass OTP Configuration

    Existing Database

    1. Open database as usual
    2. Select File/Change Master Key...

    New Database

    1. Create new database as usual

    Common

    1. Insert Master Password (optional)
    2. Set Key file / provider: to One-Time Passwords (OATH HOTP)
    3. Click OK
    4. With Nitrokey App: select HOTP slot and generate HOTP secret (it will be copied to clipboard automatically).
    5. Paste the secret to Keepass OTP Plugin window
    6. Make sure the Counter field and digits count are set the same in both windows. Click OK in Nitrokey App to save the slot.
    7. Select secret type: Base32
    8. Set the other settings as you like. Please consult the plugin's manual (it should be in the same downloaded archive). I would recommend setting the look-ahead value to non-zero to prevent locking up the database after an accidental code request from the HOTP slot in use. In that case the counters on the device and in Keepass would be out of sync and the OTP codes would not match the expected ones.

    Unlocking Database

    1. Open database
    2. Insert Master Password (if set)
    3. Key file / provider: to One-Time Passwords (OATH HOTP)
    4. Press OK
    5. Insert the HOTP codes by repeatedly choosing the proper HOTP slot in the Nitrokey App and pasting the clipboard content into the proper field (the order of the codes is important).
    6. Press OK

    Issues

    1. Due to the nature of HOTP it is possible to get the counters desynchronized (by selecting the wrong OTP slot during day-to-day use). Using the plugin's look-ahead setting should prevent that (a value of 10 or so should suffice, depending on the desired security requirements; this would allow up to 10 accidental requests). TOTP does not have that problem.
    2. Setting up the OTP protection can be error-prone. There is no secret validation on the OtpKeyProv side. In the test movie at 4:22 I managed to set the Base32-coded secret as Hex (which was not a proper hex value) and it did not complain about it. There is no information about what happened to the database and how it is now configured. I did not notice until I watched the movie.

    Tested under Ubuntu 16.10, Nitrokey App v0.6.3 and Nitrokey Storage v0.45.
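    To make the counter-desynchronization issue concrete, here is an added Python model (not code from the Nitrokey project or the OtpKeyProv plugin) of RFC 4226 HOTP with a verifier look-ahead window: the device side advances its counter on every code request, the verifier side accepts a code anywhere in [counter, counter + look_ahead] and resynchronizes. The secret is the RFC 4226 test vector in Base32; the class and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 test secret as Base32 (constructed value; the Nitrokey App copies such a string)
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


class HotpSlot:
    """Device side: every code request advances the slot counter, wanted or not."""
    def __init__(self, secret_b32: str, counter: int = 0):
        self.secret_b32, self.counter = secret_b32, counter

    def request_code(self) -> str:
        code = hotp(self.secret_b32, self.counter)
        self.counter += 1
        return code


class HotpVerifier:
    """KeePass/OtpKeyProv side: accept the code for the expected counter or for
    any of the next `look_ahead` counters, then resynchronise to it."""
    def __init__(self, secret_b32: str, counter: int = 0, look_ahead: int = 0):
        self.secret_b32, self.counter, self.look_ahead = secret_b32, counter, look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret_b32, c), code):
                self.counter = c + 1  # never accept this or an earlier counter again
                return True
        return False  # out of the window: the database would stay locked


def unlock_after_accidental_requests(accidental: int, look_ahead: int) -> bool:
    """Start in sync, discard `accidental` device codes, then try to unlock with the next one."""
    device, verifier = HotpSlot(SECRET_B32), HotpVerifier(SECRET_B32, look_ahead=look_ahead)
    for _ in range(accidental):
        device.request_code()
    return verifier.verify(device.request_code())
```

With look_ahead=0 a single accidental request locks the user out; with look_ahead=10 up to ten are tolerated, and the verifier's counter then jumps past the consumed codes so they cannot be replayed.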

  • Secure Web Login (U2F)

    For: Nitrokey U2F
    1. Use one of these browsers:
      1. Google Chrome
      2. Chromium
      3. Firefox with U2F Support Add-on
      4. macOS Safari with Safari-FIDO-U2F plugin
    2. Open one of the websites supporting U2F.
    3. Connect the Nitrokey U2F to register it with your website account.
    4. Reconnect the Nitrokey U2F after each registration and login.
  • Development and Integration

    For: Nitrokey Pro
  • Development and Integration

    For: Nitrokey Storage
  • Development and Integration

    For: Nitrokey Start
  • Development and Integration

    For: Nitrokey HSM

    Key Backups and n-of-m Access Protection

    Key backup and restore is a function in which the key material never leaves the device in plaintext. The Device Key Encryption Key (DKEK) needed to encrypt the keys is brought in as key shares, which are combined inside the HSM by XOR to form the DKEK. The number of key shares is fixed at initialization. Each key share can optionally be distributed further using an n-of-m scheme. This step happens in sc-hsm-tool.

    This gives several possible combinations:

    1. No DKEK -> no key backup
    2. 0 DKEK shares -> the DKEK is generated internally as a random number
    3. 1 DKEK share -> the DKEK is stored in a password-encrypted file
    4. 1 DKEK share -> the DKEK is distributed as an n-of-m Shamir shared secret
    5. s DKEK shares -> the s DKEK shares are stored in s password-encrypted files
    6. s DKEK shares -> the s DKEK shares are each distributed as n-of-m Shamir shared secrets

    With variant 2, the keys can only be imported into exactly the HSM from which they were exported. Nobody knows the DKEK. This function therefore allows the number of keys in the HSM to be increased arbitrarily.

    With variants 3 and 5, the DKEK (or DKEK share) is generated by the HSM as a random number and the value is then stored on disk encrypted with a password.

    With variants 4 and 6, the DKEK (or DKEK share) is generated by the HSM as a random number and the value is then distributed to the m key custodians as a Shamir shared secret. The custodians print out their values and keep them under lock and key. n of the m key custodians must come together to reassemble the DKEK (or DKEK share).

    The n-of-m for authentication works independently of the n-of-m for restoring the DKEK. The DKEK n-of-m cannot be implemented in the HSM itself because the required BigInteger operations are not available there. The n-of-m for authentication does not use a Shamir shared secret and can therefore be implemented entirely inside the chip.
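    As an added illustration of variant 6 (this is example code, not sc-hsm-tool's own implementation or file format), the following Python splits each DKEK share n-of-m with Shamir's scheme over a prime field for the custodians, rebuilds each share from any n pieces, and XORs the shares into the DKEK as the HSM does. The 32-byte share length, the prime P and all function names are assumptions made for the example.

```python
import secrets
from functools import reduce

P = 2**521 - 1  # Mersenne prime (assumption); any 256-bit share value fits below it
SHARE_LEN = 32  # assumed byte length of one DKEK share


def _eval_poly(coeffs, x):
    """Horner evaluation over GF(P); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_shamir(secret: int, n: int, m: int):
    """Give m custodians one (x, y) piece each; any n pieces reconstruct `secret`."""
    if not 1 <= n <= m or not 0 <= secret < P:
        raise ValueError("need 1 <= n <= m and a secret below P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(n - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, m + 1)]


def combine_shamir(pieces) -> int:
    """Lagrange interpolation at x = 0; fewer than n pieces yields garbage, not an error."""
    total = 0
    for i, (xi, yi) in enumerate(pieces):
        num = den = 1
        for j, (xj, _) in enumerate(pieces):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def xor_shares(shares) -> bytes:
    """The HSM-side step: DKEK = share_1 XOR ... XOR share_s."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), shares)


def restore_dkek(custodian_sets, n: int) -> bytes:
    """Variant 6: rebuild each DKEK share from n custodian pieces, then XOR them."""
    shares = [combine_shamir(pieces[:n]).to_bytes(SHARE_LEN, "big") for pieces in custodian_sets]
    return xor_shares(shares)


if __name__ == "__main__":
    shares = [secrets.token_bytes(SHARE_LEN) for _ in range(2)]  # s = 2 shares
    sets = [split_shamir(int.from_bytes(s, "big"), 3, 5) for s in shares]  # 3-of-5 each
    assert restore_dkek(sets, 3) == xor_shares(shares)
    print("DKEK restored from 3 of 5 custodians per share")
```

Note that a single missing share, or fewer than n pieces for any share, produces a different value rather than an error, which is why the HSM can only verify the result by successfully decrypting a backed-up key.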

    Windows and Microsoft CA

    The Nitrokey HSM can be used under Windows by means of OpenSC's CSP minidriver. With it you can generate a key and a PKCS#10 request on the connected HSM and send it to the Microsoft CA. The certificate is then not stored on the device but in the Windows certificate store. Using the HSM as the key store for the client works flawlessly.

    What does not work is provisioning certificates for a Nitrokey HSM via MS Forefront Manager (since that requires a special MS protocol on the device) and using the HSM as the key store for the CA keys of a Microsoft CA.