General product-specific questions and answers.
It depends. Keys stored on the Nitrokey cannot be exported or copied from the device, but depending on how the keys were created you may still have a backup of them.
If you use Thunderbird's or GnuPG's function for generating keys directly on the card, it offers to create a backup. This backup contains the encryption subkey only, not the full key: restoring it leaves you unable to sign or authenticate. We therefore do not recommend creating this backup at all. Technically, the encryption subkey is generated on your computer, backed up, and then loaded onto the Nitrokey so that it cannot be copied afterwards. With this option you do not get a fully functional backup, yet the encryption key has still been exposed on your computer instead of being generated on the device.
If you need a backup of your keys, generate them locally first (ideally on a trusted live system), back them up, and only then move them to the Nitrokey. See these instructions for details.
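The procedure just described, as an added example that is not part of Nitrokey's documentation: generate a complete OpenPGP key set (certify-only primary key plus signing, encryption and authentication subkeys) in a throwaway GnuPG home, take a full secret-key backup, verify that the backup really holds the primary key and all three subkeys, and only then move the subkeys to the card. It assumes GnuPG 2.1 or newer on the PATH; the user ID, file names and the empty passphrase are placeholders for the unattended demo and should be replaced when doing this for real.

```shell
#!/bin/sh
# Added example (not Nitrokey's own code): local key generation, full backup,
# backup verification, then keytocard. Requires GnuPG >= 2.1.
set -eu

# Generate a certify-only primary key and three subkeys (sign, encr, auth).
# The empty loopback passphrase is for the unattended demo only.
generate_keys() {                 # uid -> prints primary fingerprint
    uid=$1
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" rsa2048 cert 0 >/dev/null 2>&1
    fpr=$(gpg --with-colons --list-keys "$uid" | awk -F: '$1=="fpr"{print $10; exit}')
    for usage in sign encr auth; do
        gpg --batch --pinentry-mode loopback --passphrase '' \
            --quick-add-key "$fpr" rsa2048 "$usage" 0 >/dev/null 2>&1
    done
    printf '%s\n' "$fpr"
}

# Export primary key and all subkeys. Take this backup BEFORE keytocard:
# afterwards GnuPG only keeps stubs that point at the card.
export_backup() {                 # fingerprint outfile
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --armor --export-secret-keys "$1" > "$2"
}

# Verify the backup: 1 primary + 3 subkeys = 4 secret key packets for a full
# set. A subkey-only backup of the kind offered on-card would show just 1.
count_secret_packets() {          # backupfile -> number
    gpg --list-packets "$1" 2>/dev/null | grep -c 'secret.*key packet' || true
}

# Run everything in a fresh GNUPGHOME (the real keyring is untouched) and
# print the packet count found in the backup.
demo_backup() {                   # workdir
    workdir=$1
    GNUPGHOME="$workdir/gnupg"; export GNUPGHOME
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    fpr=$(generate_keys "Backup Demo <demo@example.invalid>")
    export_backup "$fpr" "$workdir/full-backup.asc"
    n=$(count_secret_packets "$workdir/full-backup.asc")
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    printf '%s\n' "$n"
}

# With the Nitrokey plugged in, move the subkeys (never the primary key) in an
# interactive session; `key N` toggles the selection of subkey N:
#   gpg --edit-key <fingerprint>
#   gpg> key 1          select the signing subkey
#   gpg> keytocard      choose slot 1 (Signature key)
#   gpg> key 1          deselect it
#   gpg> key 2          select the encryption subkey
#   gpg> keytocard      choose slot 2 (Encryption key)
#   gpg> key 2
#   gpg> key 3          select the authentication subkey
#   gpg> keytocard      choose slot 3 (Authentication key)
#   gpg> save
# `gpg -K` then shows "ssb>" for each subkey: the private material lives on the
# card and full-backup.asc is the only complete copy, so store it offline.
```

Restoring on a new machine is `gpg --import full-backup.asc`; the packet count is the check that tells a full backup apart from the subkey-only one the page warns about.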
See the frontpage for an overview of supported use cases.
Supported operating systems: Windows, Linux, and Mac OS X.
Supported applications: See the documentation.
Nitrokey Pro, Nitrokey Start, Nitrokey HSM and Nitrokey U2F have no storage for ordinary data; they only store cryptographic keys and certificates.
Nitrokey Storage can store and encrypt 8, 32 or 64 GB of data, depending on the model.
We strongly recommend changing these PINs and the password to values of your own before using the Nitrokey.
Nitrokey uses PINs rather than passwords. The difference is that the hardware limits the number of attempts to three, whereas passwords can be tried without limit. Because of this lockout a short PIN is still secure, and there is no need to choose a long, complex PIN.
The PINs of Nitrokey Pro and Nitrokey Storage can be up to 20 characters long and may contain digits, letters and special characters. Note: GnuPG and OpenSC accept PINs of up to 32 characters, but the Nitrokey App does not support PINs longer than 20.
The user PIN is at least 6 characters long and grants access to the content of the Nitrokey. This is the PIN you will use in everyday work, e.g. for decrypting messages or for unlocking the encrypted storage (Nitrokey Storage only).
The user PIN may be up to 20 characters long and may contain other characters (letters, special characters). Because the user PIN is blocked after three wrong attempts, a PIN of 6 digits is sufficiently secure. The default user PIN is 123456.
The admin PIN is at least 8 characters long and is used to change the contents and settings of the Nitrokey. After initialising the Nitrokey you will rarely need it (e.g. to add another entry to the password safe of the Nitrokey Pro or Nitrokey Storage).
The admin PIN may be up to 20 characters long and may contain other characters (letters, special characters). Because the admin PIN is blocked after three wrong attempts, a PIN of 8 digits is sufficiently secure. The default admin PIN is 12345678.
The firmware password should follow general password recommendations (use letters, digits and special characters, or choose a sufficiently long password). It is required to update the firmware of the Nitrokey Storage; see the update instructions here.
The firmware password is never blocked: an attacker could try to guess it with an unlimited number of attempts. You must therefore choose a strong password. The default password is 12345678.
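A pre-flight check for the three credentials described above, as an added example that is not part of Nitrokey's documentation: it rejects the factory defaults, enforces the page's length limits (6 or 8 to 20 characters, with 21 to 32 flagged as usable only through GnuPG/OpenSC), and applies a stricter rule to the firmware password, which has no retry counter. The firmware rule (at least 12 characters drawn from at least three character classes) is this example's own assumption; the page only says to follow general password recommendations.

```shell
#!/bin/sh
# Added example, not Nitrokey code: check PIN/password choices before setting
# them with the Nitrokey App or `gpg --change-pin`.
set -u

# Number of character classes (lower, upper, digit, other) used by a string.
char_classes() {
    n=0
    case $1 in *[a-z]*) n=$((n+1));; esac
    case $1 in *[A-Z]*) n=$((n+1));; esac
    case $1 in *[0-9]*) n=$((n+1));; esac
    case $1 in *[!a-zA-Z0-9]*) n=$((n+1));; esac
    echo "$n"
}

# check_pin KIND VALUE -> prints "ok", "gnupg-only" or a reason.
# KIND: user (min 6), admin (min 8), firmware (Nitrokey Storage update password).
check_pin() {
    kind=$1 pin=$2 len=${#2}
    case $kind in
        user)  default=123456   min=6 ;;
        admin) default=12345678 min=8 ;;
        firmware)
            # No retry counter here, so unlike the PINs length and variety matter.
            # The 12-character / 3-class rule is this example's assumption.
            [ "$pin" != 12345678 ] || { echo "default firmware password must be changed"; return 1; }
            [ "$len" -ge 12 ] || { echo "firmware password should have at least 12 characters"; return 1; }
            [ "$(char_classes "$pin")" -ge 3 ] || { echo "firmware password should mix at least three character classes"; return 1; }
            echo ok; return 0 ;;
        *) echo "unknown kind: $kind"; return 2 ;;
    esac
    # PINs: the hardware lockout after 3 wrong attempts makes a short PIN
    # acceptable; what must never survive is the factory default.
    [ "$pin" != "$default" ] || { echo "default $kind PIN must be changed"; return 1; }
    [ "$len" -ge "$min" ]    || { echo "$kind PIN needs at least $min characters"; return 1; }
    [ "$len" -le 32 ]        || { echo "$kind PIN longer than 32 characters is not accepted"; return 1; }
    if [ "$len" -gt 20 ]; then
        echo gnupg-only   # accepted by GnuPG/OpenSC, but the Nitrokey App cannot set it
    else
        echo ok
    fi
}
```

Typical use is `check_pin user "$NEW_PIN" && gpg --change-pin`; the function's exit status is 0 only for "ok" and "gnupg-only".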
The SO PIN is used in the Nitrokey HSM only and is something like a "master" PIN with special properties. Please read these instructions carefully to understand the SO PIN of the Nitrokey HSM.
The Nitrokey Pro, Nitrokey Start and Nitrokey Storage can store three RSA key pairs. All keys belong to the same identity but serve different purposes: authentication, encryption and signing.
Nitrokey HSM can store 20 RSA-2048 and 31 ECC-256 key pairs.
Nitrokey U2F stores a single ECC key pair but can be used with an unlimited number of user accounts.
As part of hybrid encryption, the bulk data is encrypted symmetrically (e.g. with AES) on the computer, and only the session key is sent to the Nitrokey to be decrypted with RSA. This is a standard mechanism and gives good performance even for large amounts of data.
The number of data objects (DF, EF) is limited to 124. The maximum size of an EF is 256 bytes. The maximum memory of about 32 KB is shared dynamically between key objects and data objects.
In general, encrypting and decrypting emails, hard disks or any other (large) data with the Nitrokey causes almost no slowdown. This is due to the hybrid encryption approach: AES, for example, encrypts gigabytes of data on the computer, and only the session key is sent to the Nitrokey to be decrypted with RSA.
Nitrokey Storage's mass storage: reading and writing files on the encrypted mass storage runs at 5 to 6 MB/s.
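The hybrid scheme described in the two answers above, as an added example that is not Nitrokey code: OpenSSL performs it end to end so it runs without a device. A software RSA-2048 key stands in for the key pair on the Nitrokey; in real use only the single RSA operation in unwrap_session_key() would be executed by the card, and everything else (the AES bulk work) stays on the host. File names are placeholders of this example, and the 1 MiB input is constructed.

```shell
#!/bin/sh
# Added example, not Nitrokey code: hybrid encryption with OpenSSL.
# A software RSA key plays the role of the card; only the wrapped 32-byte
# session key would cross the USB link in real use.
set -eu

make_recipient_key() {            # dir -> priv.pem (the "card") and pub.pem
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" >/dev/null 2>&1
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
}

# Fresh 256-bit AES session key and IV; bulk data under AES-256-CBC on the
# host; only the session key is wrapped with RSA-OAEP for the recipient.
hybrid_encrypt() {                # pubkey plaintext outdir
    key=$(openssl rand -hex 32)
    iv=$(openssl rand -hex 16)
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$2" -out "$3/data.enc"
    printf '%s' "$iv" > "$3/iv.hex"
    printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -out "$3/session.key.rsa"
}

# The only step that needs the private key: this is what the Nitrokey does.
unwrap_session_key() {            # privkey wrapped -> session key (hex)
    openssl pkeyutl -decrypt -inkey "$1" -in "$2" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

hybrid_decrypt() {                # privkey indir plaintext_out
    key=$(unwrap_session_key "$1" "$2/session.key.rsa")
    openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$2/iv.hex")" \
        -in "$2/data.enc" -out "$3"
}

# Round trip on a constructed 1 MiB file. Prints the size of the RSA ciphertext
# (the part that would go to the card) and whether the plaintext came back.
demo() {                          # workdir -> "256 match"
    d=$1
    make_recipient_key "$d"
    head -c 1048576 /dev/urandom > "$d/plain.bin"
    hybrid_encrypt "$d/pub.pem" "$d/plain.bin" "$d"
    hybrid_decrypt "$d/priv.pem" "$d" "$d/plain.out"
    wrapped=$(wc -c < "$d/session.key.rsa" | tr -d ' ')
    if cmp -s "$d/plain.bin" "$d/plain.out"; then r=match; else r=mismatch; fi
    echo "$wrapped $r"
}
```

Whatever the size of plain.bin, the RSA ciphertext stays at 256 bytes (the RSA-2048 modulus), which is why the card's comparatively slow RSA operation does not limit throughput.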
Nitrokey Pro and Storage (v1)
Internal performance for a single 16 byte block without input/output to the smart card:
Nitrokey Pro and Storage (v2)
Encryption of 50kiB of data:
Nitrokey Pro, Nitrokey HSM and Nitrokey Storage contain a tamper-resistant smart card. To some extent this also applies to Nitrokey U2F, but its chip is of a lower grade. Nitrokey Start has no separate smart card; its functions are implemented in the microcontroller's firmware.
In OpenSC, the PKCS#11 function C_GenerateRandom is mapped to the random number generator of the device. However, engine-pkcs11 does not map OpenSSL's random number requests to C_GenerateRandom, so using the device as OpenSSL's random source does not work yet; that mapping would have to be implemented in engine-pkcs11.
Nitrokey Pro and Nitrokey Storage
Nitrokey Pro and Nitrokey Storage use a true random number generator (TRNG) for generating keys on the device. The entropy from the TRNG is used for the entire key length; the TRNG is therefore compliant with BSI TR-03116.
The TRNG delivers about 40 kbit/s.
Nitrokey HSM uses the TRNG of the JCOP 2.4.1r3 platform, which is rated DRNG.2 (according to AIS 31 of the BSI).
Usage-specific questions and answers.
The following error may occur on your GNU/Linux system:
$ gpg --card-status   (or: $ gpg --card-edit)
gpg: selecting openpgp failed: unknown command
gpg: OpenPGP card not available: general error
There are several possible causes. If you are setting up the Nitrokey for the first time and have never used it before, see the section "udev rules" below. If you have already used the device a few times, another application is probably blocking the Nitrokey by using the OpenPGP card exclusively; see the further hints below. Simply unplugging and re-plugging the Nitrokey can also help.
The simplest way to fix this is to install the Nitrokey App. From Nitrokey App version 1.2 on, you should have no problems with the udev rules.
If you prefer to install the rules by hand, run the following commands, then unplug and re-plug the device so that the rule is applied:
wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
sudo mv 41-nitrokey.rules /etc/udev/rules.d/
sudo udevadm control --reload-rules && sudo udevadm trigger
If gnome-keyring is blocking the OpenPGP card, the following command should fix the problem for the current session:
pkill -f gnome-keyring-daemon
For a permanent fix, see this post and this post (in English).
Check the applications you installed for use with the Nitrokey and whether any of them is blocking the device. OpenSC, for example, can stop your Nitrokey from working. Once you have identified the program that causes this behaviour, you may be able to fix the problem. You can also ask for help in the forum.
Now, plug in your Nitrokey and use it with GnuPG.
To undo the change in order to use it with OpenSC:
Linux: $ tail -f /var/log/syslog
Mac OS: $ tail -f /var/log/system.log
Windows: Start -> Preferences -> Control Panel -> System -> Hardware -> Device Manager -> Smart card adapter
Check whether GnuPG recognises the device: gpg --card-status or gpg2 --card-status (depending on the version) should print status information about the Nitrokey.
Make sure you use a current version of GnuPG, at least 1.4.10 or 2.0.18.
Try using GnuPG 1 instead of GnuPG 2.
Remove the packages openct and opensc, as they may interfere with GnuPG.
Use 2048 bit keys instead of 3072 or 4096 bit keys.
Test the Nitrokey on another computer or with another operating system.
Reset the device and delete all keys.
Add the following lines to ~/.gnupg/scdaemon.conf and provide the resulting log file for debugging, where <username> is the name of your user account.
Delete the file /Library/Preferences/com.apple.keyboardtype.plist and restart your computer.
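A small Linux diagnosis script for the "card not available" symptom, as an added example that is not Nitrokey's own tooling. It checks the four things the troubleshooting steps above point at: whether the udev rule file is installed, whether the device shows up on USB (all Nitrokey models use vendor ID 20a0), whether scdaemon can talk to the card, and whether a gnome-keyring daemon is running; it also switches on the scdaemon debug log. The two parsers are exercised on constructed sample output so they can be checked without a device; the rule path, the `debug-level guru` / `log-file` options and the log path are this example's assumptions, not the page's lines.

```shell
#!/bin/sh
# Added example, not Nitrokey code: diagnose why GnuPG cannot see the card.

# Constructed samples (not real device output) used to exercise the parsers.
SAMPLE_LSUSB='Bus 001 Device 003: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 007: ID 20a0:4108 Clay Logic Nitrokey Pro'
SAMPLE_SCD_OK='S SERIALNO D2760001240102000005000012340000
OK'
SAMPLE_SCD_ERR='ERR 100696144 No such device <SCD>'

# lsusb text on stdin -> product ID of each Nitrokey (vendor 20a0), or "none".
nitrokey_in_lsusb() {
    awk '$6 ~ /^20a0:/ { print substr($6, 6); f=1 }
         END { if (!f) print "none" }'
}

# `gpg-connect-agent "scd serialno" /bye` output on stdin -> serial or error text.
scd_status() {
    awk '$1=="S" && $2=="SERIALNO" { print "serial " $3; f=1 }
         $1=="ERR" { msg=$0; sub(/^ERR [0-9]+ /, "", msg); print "error: " msg; f=1 }
         END { if (!f) print "error: no answer from scdaemon" }'
}

# Append debug options to scdaemon.conf and restart scdaemon so they apply.
# Assumed layout: $1 is the GnuPG home, $2 the log file to write.
enable_scd_debug() {
    printf 'debug-level guru\nlog-file %s\n' "$2" >> "$1/scdaemon.conf"
    gpgconf --kill scdaemon >/dev/null 2>&1 || true
}

run_checks() {
    rules=/etc/udev/rules.d/41-nitrokey.rules          # assumed install path
    if [ -f "$rules" ]; then u=present; else u=missing; fi
    echo "udev rules:    $u"
    echo "usb device:    $(lsusb 2>/dev/null | nitrokey_in_lsusb)"
    echo "scdaemon:      $(gpg-connect-agent 'scd serialno' /bye 2>/dev/null | scd_status)"
    if pgrep -f gnome-keyring-daemon >/dev/null 2>&1; then k=running; else k="not running"; fi
    echo "gnome-keyring: $k"
}

# Run the real checks only when explicitly asked, so the parsers can be used alone.
[ "${1:-}" = run ] && run_checks
```

If the USB line shows the device but scdaemon reports an error, something else (gnome-keyring, pcscd/OpenSC) holds the card; if even USB shows nothing, start with the cable, port or udev rule. Call `enable_scd_debug ~/.gnupg ~/scdaemon.log` before reproducing the error to obtain the log file the page asks for.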
Warning: resetting the Nitrokey deletes all information on the device!
Option 1: if the device is not fully blocked and you remember the valid admin PIN, use the Nitrokey App to reset the Nitrokey.
Open a terminal (on Windows, for example, press the Start button and enter "cmd") and start the Nitrokey App with "nitrokey-app --admin". Click the Nitrokey App's tray icon, select "Configure" and then "Factory reset".
Option 2, Windows only:
Option 3, to reset a blocked device with GnuPG 2 and Windows:
Option 4, to reset a blocked device with GnuPG 2 and Linux:
Option 5, to reset a blocked device with GnuPG 2.1:
Option 6, to reset a blocked device using OpenSC:
Install OpenSC and run "openpgp-tool --erase" in a terminal.
You can find out the version of your device by running gpg --card-status (the version number follows 'FSIJ' in the 'Reader' field). To upgrade your device, see these instructions (admin PIN required!).
If and only if the device is not blocked (the PIN was not entered wrongly too often), you can use the same procedure as for newer firmware (see above). Otherwise you need the reset code to unblock the device; without it the device can no longer be used!
To be able to reset a Nitrokey Start 1.0, you have to define a public key for firmware updates beforehand. If the device is blocked, this key allows you to perform a firmware update, which resets the device.
You may also define a reset code, which allows resetting the user PIN (not the admin PIN).
As long as you know the unblocked SO PIN you can initialise the device as described here. There is no way to reset the Nitrokey HSM if the SO PIN is forgotten or entered wrongly 15 times; in that case the device can no longer be used.
Prerequisite: An initialized Nitrokey with keys being generated.
On a computer other than the one you generated the keys on, you need to tell GnuPG about the Nitrokey. There are two options:
If you published your public key on your website, store that URL on the smart card in the "URL of public key" field (gpg --card-edit, admin, url). In addition or instead, you may publish your public key on a key server. On a new computer, insert the card, run "gpg --card-edit" and then "fetch": GnuPG fetches the public key from the URL, or, if no URL is stored, tries to retrieve it from the key server. The fetched key is only as trustworthy as its source, so compare its fingerprint with the one gpg --card-status reports.
Alternatively, copy the public key manually, e.g. from a flash drive, and import it. Then insert the device and run "gpg --card-status". (The general key info is now populated correctly and new secret-key stubs pointing at the card are created.)
In either case the keyring file (e.g. ~/.gnupg/pubring.gpg) containing the public keys of your contacts has to be copied manually.
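Both options above on a new computer, as an added example that is not from Nitrokey or GnuPG. It first reads the URL stored on the card through scdaemon (`gpg-connect-agent 'scd getattr PUBKEY-URL' /bye`) so you can inspect it before anything is fetched, then runs the "fetch" described above or imports a file carried over by hand, and finally checks that the secret keys GnuPG now lists are stubs backed by the card (in `gpg -K --with-colons` output, field 15 carries the token serial for such keys). The two parsers are exercised on constructed samples so they can be checked without a card; the URL, the file path and the sample key IDs and serial are placeholders.

```shell
#!/bin/sh
# Added example, not Nitrokey/GnuPG code: prepare a second computer for a card.
set -u

# Constructed samples (not real output): a scdaemon reply, and four colon
# records as `gpg -K --with-colons` prints them for keys living on a token.
SAMPLE_URL_REPLY='S PUBKEY-URL https://example.invalid/alice.asc
OK'
SAMPLE_SECKEYS='sec:u:2048:1:0123456789ABCDEF:1500000000::::::c:::D2760001240102000005000012340000::
ssb:u:2048:1:AABBCCDD11223344:1500000000::::::s:::D2760001240102000005000012340000::
ssb:u:2048:1:AABBCCDD11223355:1500000000::::::e:::D2760001240102000005000012340000::
ssb:u:2048:1:AABBCCDD11223366:1500000000::::::a:::D2760001240102000005000012340000::'

# gpg-connect-agent reply on stdin -> stored URL (empty when none is set).
parse_pubkey_url() { awk '$1=="S" && $2=="PUBKEY-URL" { print $3; exit }'; }

# `gpg -K --with-colons` on stdin -> number of sec/ssb entries on a token.
# Field 15 is the card serial for those, "#" for a plain stub, "" for a key
# whose secret part is actually in the keyring.
count_card_keys() {
    awk -F: '($1=="sec" || $1=="ssb") && $15!="" && $15!="#" { n++ } END { print n+0 }'
}

card_pubkey_url() {
    gpg-connect-agent 'scd getattr PUBKEY-URL' /bye 2>/dev/null | parse_pubkey_url
}

# Option 1: let GnuPG fetch from the card's URL (key server as fallback).
fetch_from_card() {
    echo "card advertises: $(card_pubkey_url)"      # look before you trust it
    printf 'fetch\nquit\n' | gpg --command-fd 0 --status-fd 2 --card-edit
}

# Option 2: import a copy brought along by hand, then let --card-status
# create the secret-key stubs that point at the card.
import_from_file() {               # path to the exported public key
    gpg --import "$1"
    gpg --card-status >/dev/null
}

# Verify: the key now in the keyring must match the card's signing
# fingerprint, and its secret parts must be token-backed stubs.
verify_setup() {
    card_fpr=$(gpg --card-status --with-colons | awk -F: '$1=="fpr" { print $2; exit }')
    n=$(gpg -K --with-colons "$card_fpr" | count_card_keys)
    echo "signing key $card_fpr: $n secret key(s) on the card"
}
```

If verify_setup reports 0 keys on the card, the public key was imported but `gpg --card-status` was not run afterwards (or the card holds different keys than the imported certificate); re-run it with the card inserted.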
See this more detailed description.
See these instructions.
Execute the following commands in a terminal.
$ sudo apt-add-repository ppa:gurqn/systray-utopic
$ sudo apt-get update
$ sudo apt-get upgrade
Log out of and back into your computer account.
Nitrokey Start does not support overwriting keys in firmware versions prior to 1.2 (see 'gpg --card-status'; the number after "FSIJ-" is the firmware version). Once keys have been generated or written, use the Python script gnuk_remove_keys_libusb.py to remove them.
On firmware version 1.2 or later you can overwrite the keys, but note that your PINs are reset to the factory defaults when keys are overwritten!
This step is only necessary if your Linux system does not have the latest device drivers (ccid version < 1.4.21). Edit the file /etc/libccid_Info.plist (for example with "sudo gedit /etc/libccid_Info.plist") and add the following Nitrokey entries to the three arrays. The arrays are matched by position, so each device's vendor ID, product ID and name must be inserted at the same index in all three:
<key>ifdVendorID</key>
<array>
    <string>0x20A0</string>
    <string>0x20A0</string>
    <string>0x20A0</string>
    <string>0x20A0</string>
    [...]
<key>ifdProductID</key>
<array>
    <string>0x4108</string>
    <string>0x4109</string>
    <string>0x4211</string>
    <string>0x4230</string>
    [...]
<key>ifdFriendlyName</key>
<array>
    <string>Nitrokey Pro</string>
    <string>Nitrokey Storage</string>
    <string>Nitrokey Start</string>
    <string>Nitrokey HSM</string>
    [...]
Letter and registered mail:
Nitrokey UG has a heterogeneous customer base of private and business customers from Germany, the EU and countries outside Europe. With our pricing we want to make sure that all customers bear the same cost; for example, a large international corporation should pay exactly as much as a German private individual. Therefore the gross price (incl. VAT) for German customers equals the net price (excl. VAT) for customers outside Europe. This approach has been reviewed under tax law and is correct.