Frequently Asked Questions (FAQ)

  • General

    General product-specific questions and answers.

    • Can I backup the internal keys?

      Yes, but only at the time the keys are generated. Thunderbird or GnuPG, for instance, offer to make a backup when generating new keys. Technically the keys are generated on your computer, backed up, and then loaded onto the Nitrokey, so that they cannot leave it afterwards. Alternatively you can generate keys on the Nitrokey directly, but this does not allow a backup.

    • What can I use the Nitrokey for?

      See the frontpage for an overview of supported use cases.

    • Which operating systems and applications are supported?

      Supported operating systems: Windows, Linux, and Mac OS X.

      Supported applications: See the documentation.

    • How large is the storage capacity?

      Nitrokey Pro, Nitrokey Start, Nitrokey HSM and Nitrokey U2F don't contain storage capability for ordinary data (they can only store cryptographic keys and certificates).

      Nitrokey Storage can store and encrypt 8, 32, or 64 GB of data (depending on particular model).

    • What is the default PIN/password?

      • User PIN: "123456"
      • Administrator PIN: "12345678"
      • Firmware Password (Nitrokey Storage only): "12345678"
      • SO-PIN (Nitrokey HSM only): "3537363231383830"

      We strongly recommend changing these PINs/passwords to user-chosen values before using the Nitrokey.

    • How many keys can I store?

      The Nitrokey Pro, Nitrokey Start and Nitrokey Storage can store three RSA key pairs. All keys use the same identity but are used for different purposes: authentication, encryption and signing.

      Nitrokey HSM can store 32 RSA and 40 ECC key pairs.

      Nitrokey U2F stores a single ECC key pair but can be used with an unlimited number of user accounts.

    • Which algorithms and maximum key length are supported?

      • Nitrokey Pro: RSA 1024-4096 bit. It can store one X.509 certificate with a size of up to 2 KB.
      • Nitrokey Storage: RSA 1024-4096 bit. Mass storage: AES-256 bit
      • Nitrokey Start: RSA 2048 bit
      • Nitrokey HSM: RSA 1024-2048 bit, ECDSA GF(p) 192-320 bit, elliptic curves:
        • secp192r1 (aka prime192v1)
        • secp256r1 (aka prime256v1)
        • brainpoolP192r1
        • brainpoolP224r1
        • brainpoolP256r1
        • brainpoolP320r1
        • secp192k1
        • secp256k1 (the Bitcoin curve)
      • Nitrokey U2F: ECC 256 bit (NIST P-256) as required by the FIDO U2F specification.

      As part of hybrid encryption, the symmetric encryption of the data (e.g. AES) is performed on the computer and only the session key is sent to the Nitrokey (to be decrypted with RSA). This is a standard mechanism and allows optimal performance even for large amounts of data.

    • How fast is encryption and signing?

      In general, encrypting and decrypting emails, hard disks and any other type of (large) data with the Nitrokey causes almost no performance reduction. This is because of the hybrid encryption approach: AES, for example, is used to encrypt gigabytes of data on the computer, and only the session key is sent to the Nitrokey to be decrypted with RSA.
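
      The following is an added example (not Nitrokey's code) that shows the hybrid scheme the two answers above describe: AES-256-GCM encrypts the bulk data on the host, RSA-OAEP wraps only the 32-byte session key, and the RSA private key sits behind a boundary that can do nothing but unwrap that key. The class SimulatedToken is an assumption standing in for the smart card; it counts how many bytes ever reach it so you can see that a megabyte of payload costs exactly one small RSA operation. The example needs the third-party cryptography package.

```python
"""Hybrid encryption: AES-GCM on the host, RSA-OAEP only for the session key.
Added example; SimulatedToken is a stand-in for the Nitrokey, not device code.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256, used below to wrap the session key.
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def max_direct_rsa_payload(key_bits: int, hash_len: int = 32) -> int:
    """Largest message RSA-OAEP can encrypt directly (RFC 8017: k - 2*hLen - 2).
    For a 2048-bit key with SHA-256 that is 190 bytes, which is why bulk data
    cannot simply be handed to the card for RSA encryption."""
    return key_bits // 8 - 2 * hash_len - 2


class SimulatedToken:
    """Assumed model of the card: the private key never leaves this object and
    the only operation offered is unwrapping a session key, so the bulk
    ciphertext never crosses the boundary."""

    def __init__(self, key_bits: int = 2048) -> None:
        self._private_key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
        self.public_key = self._private_key.public_key()
        self.unwrap_calls = 0   # how often the "card" was asked to do RSA
        self.bytes_seen = 0     # how many bytes were ever sent to it

    def unwrap_session_key(self, wrapped_key: bytes) -> bytes:
        self.unwrap_calls += 1
        self.bytes_seen += len(wrapped_key)
        return self._private_key.decrypt(wrapped_key, OAEP)


def hybrid_encrypt(public_key, plaintext: bytes, aad: bytes = b"") -> tuple:
    """Host side: fresh AES-256 session key, AES-GCM over the whole payload,
    then wrap the session key with the recipient's RSA public key."""
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # 96-bit GCM nonce; never reused with the same key
    ciphertext = AESGCM(session_key).encrypt(nonce, plaintext, aad)
    wrapped_key = public_key.encrypt(session_key, OAEP)
    return wrapped_key, nonce, ciphertext


def hybrid_decrypt(token: SimulatedToken, wrapped_key: bytes, nonce: bytes,
                   ciphertext: bytes, aad: bytes = b"") -> bytes:
    """Host side: one small RSA operation on the token to recover the session
    key, then decrypt and authenticate the bulk data locally."""
    session_key = token.unwrap_session_key(wrapped_key)
    return AESGCM(session_key).decrypt(nonce, ciphertext, aad)


def tamper_is_detected(token: SimulatedToken, wrapped_key: bytes, nonce: bytes,
                       ciphertext: bytes, aad: bytes = b"") -> bool:
    """GCM's authentication tag makes any bit flip in the bulk data fail loudly."""
    flipped = bytearray(ciphertext)
    flipped[0] ^= 0x01
    try:
        hybrid_decrypt(token, wrapped_key, nonce, bytes(flipped), aad)
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    token = SimulatedToken()
    data = os.urandom(1_000_000)  # constructed 1 MB payload
    wrapped, nonce, ct = hybrid_encrypt(token.public_key, data)
    assert hybrid_decrypt(token, wrapped, nonce, ct) == data
    print(f"payload {len(data)} bytes; token saw {token.bytes_seen} bytes "
          f"in {token.unwrap_calls} RSA call(s)")
```

      Run it and the token reports 256 bytes seen for a one-megabyte payload: the 2048-bit RSA operation happens once, regardless of data size, which is exactly why the per-minute figures below for RSA on the card do not bound disk or mail throughput.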

      Nitrokey HSM:

      • Key generation on-card: RSA 2048: 2 per minute
      • Key generation on-card: ECC 256: 10 per minute
      • Signature creation with off-card hash: RSA 2048: 100 per minute
      • Signature creation with off-card hash: ECDSA 256: 360 per minute
      • Signature creation with on-card SHA-256 and 1 kB data: RSA 2048: 68 per minute
      • Signature creation with on-card SHA-256 and 1 kB data: ECDSA 256: 125 per minute

      Nitrokey Storage's mass storage: storing files on the encrypted mass storage runs at 5-6 MByte/s (both read and write).

    • Do Nitrokeys contain a secure chip or just a normal microcontroller?

      Nitrokey Pro, Nitrokey HSM and Nitrokey Storage contain a tamper-resistant smart card. To some extent this also applies to Nitrokey U2F, but its chip is of lower quality. Nitrokey Start is implemented on a normal microcontroller.

    • What is the maximum length of the PIN?

      Nitrokey uses PINs instead of passwords. The main difference is that the hardware limits the number of attempts to three, whereas no such limit exists for passwords. Because of this, a short PIN is still secure and there is no need to choose a long and complex PIN.

      Nitrokey Pro's and Storage's PINs can be up to 20 characters long and can consist of digits, letters and special characters. Note: when using GnuPG or OpenSC, PINs of up to 32 characters can be used, but these aren't supported by Nitrokey App.
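
      The argument above, that a hardware retry counter is what makes a short PIN acceptable, is easy to misread, so here is an added model of it in code (not Nitrokey firmware; the PinSlot and Card classes are assumptions). It mirrors an OpenPGP-card-style User PIN guarded by an Admin PIN with three tries each, uses the default PIN values listed in this FAQ, and computes the guessing probability an attacker is left with when attempts are capped.

```python
"""Model of a PIN retry counter as found on OpenPGP cards. Added example,
not device firmware: a real card keeps the PIN in its secure element; here
it is held in memory only so the behaviour can be exercised."""
import hmac
import secrets


class PinSlot:
    """One PIN with a retry counter (assumed model, max_tries=3 as in the FAQ)."""

    def __init__(self, pin: str, max_tries: int = 3) -> None:
        self._pin = pin.encode()
        self.max_tries = max_tries
        self.retries_left = max_tries

    @property
    def blocked(self) -> bool:
        return self.retries_left == 0

    def verify(self, attempt: str) -> bool:
        """Decrement before comparing, compare in constant time, reset on success.
        Once blocked, even the correct PIN is refused until an unblock."""
        if self.blocked:
            return False
        self.retries_left -= 1
        if hmac.compare_digest(self._pin, attempt.encode()):
            self.retries_left = self.max_tries
            return True
        return False

    def change(self, new_pin: str) -> None:
        self._pin = new_pin.encode()
        self.retries_left = self.max_tries


class Card:
    """User PIN guarded by the Admin PIN. Defaults are the factory PINs listed
    in this FAQ, which is why the FAQ says to change them before use."""

    def __init__(self, user_pin: str = "123456", admin_pin: str = "12345678") -> None:
        self.user = PinSlot(user_pin, max_tries=3)
        self.admin = PinSlot(admin_pin, max_tries=3)

    def unblock_user_pin(self, admin_pin: str, new_user_pin: str) -> bool:
        """The Admin PIN resets the user counter. Exhausting the admin counter
        as well leaves only a factory reset (see 'How to reset a Nitrokey?')."""
        if not self.admin.verify(admin_pin):
            return False
        self.user.change(new_user_pin)
        return True


def guess_success_probability(pin_length: int, tries: int, alphabet: int = 10) -> float:
    """Chance that 'tries' attempts hit a uniformly random PIN of the given
    length drawn from 'alphabet' symbols: tries / alphabet**pin_length.
    With 3 tries against a 6-digit PIN this is 3e-6; without a counter the
    attacker could try all 10**6 values."""
    return min(1.0, tries / alphabet ** pin_length)


def random_pin(length: int = 6) -> str:
    """A user-chosen replacement for the factory default, drawn from the OS CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


if __name__ == "__main__":
    card = Card()
    for attempt in ("000000", "111111", "222222"):
        card.user.verify(attempt)
    print("blocked after 3 wrong PINs:", card.user.blocked)
    print("unblocked with admin PIN:", card.unblock_user_pin("12345678", random_pin()))
    print("p(guess 6-digit PIN in 3 tries) =", guess_success_probability(6, 3))
```

      The constant-time comparison matters for the same reason the counter does: the card must not leak which digit was wrong, otherwise the three attempts could be spent far more effectively than blind guessing allows.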

    • Can I use Nitrokey as a True Random Number Generator (TRNG)?

      Nitrokey HSM: In OpenSC the function C_GenerateRandom is mapped to the random number generator of the device. However, engine-pkcs11 doesn't contain a mapping from OpenSSL to C_GenerateRandom, so this doesn't work yet; the mapping to C_GenerateRandom would have to be implemented in engine-pkcs11.

      Nitrokey Pro and Nitrokey Storage: Both devices are compatible with the OpenPGP Card, so scdrand should work (untested).

    • How good is the Random Number Generator (RNG)?

      Nitrokey Pro and Nitrokey Storage:

      Nitrokey Pro and Nitrokey Storage use a True Random Number Generator (TRNG) for generating keys on the device. The entropy generated by the TRNG is used for the entire key length. Therefore the TRNG is compliant with BSI TR-03116.

      Nitrokey HSM:

      Nitrokey HSM uses the TRNG of JCOP 2.4.1r3 which has a quality of DRNG.2 (according to AIS 31 of the BSI).

    • How many data objects (DF, EF) can be stored?

      Nitrokey HSM:

      The number of data objects (DF, EF) is limited to 65536. The maximum size of an EF is 65535 bytes. The maximum memory of approx. 35 KByte is shared dynamically between key objects and data objects.

    • Is Nitrokey Common Criteria or FIPS certified?

  • Usage and Troubleshooting

    Usage-specific questions and answers.

    • "OpenPGP card not available"

      Linux

      If you experience the following error under Linux when running "gpg --card-status" or "gpg --card-edit":

      gpg: selecting openpgp failed: unknown command
      gpg: OpenPGP card not available: general error

      You can execute the following command to solve the problem for the current session only: "pkill -f gnome-keyring-daemon". See this and that discussion for how to solve the problem permanently.

      Mac OS

      1. Remove your Nitrokey
      2. Execute in the terminal "sudo mv /System/Library/Security/tokend/OpenSC.tokend ~/Desktop"

      Now, plug in your Nitrokey and use it with GnuPG.

      To undo the change in order to use it with OpenSC:

      1. Remove your Nitrokey
      2. Execute in the terminal "sudo mv ~/Desktop/OpenSC.tokend /System/Library/Security/tokend/"

    • How to troubleshoot?

      1. Connect your Nitrokey to your computer and verify that the device is recognized correctly and the driver is loaded. The LED of the stick should flash for a moment and then stop.
        • Linux: $ tail -f /var/log/syslog

        • Mac OS: $ tail -f /var/log/system.log

        • Windows: Start -> Preferences -> Control Panel -> System -> Hardware -> Device Manager -> Smart card adapter

      2. Check if GnuPG recognizes the device: gpg --card-status or gpg2 --card-status (depending on the version) should output some status information about the Nitrokey.

      3. If both GnuPG version 1 and version 2 are installed, verify that your email application uses the correct version of GnuPG. You may change it in the appropriate preferences.

      4. Verify that you use a current version of GnuPG, at least 1.4.10 or 2.0.18.

      5. Try using GnuPG 1 instead of GnuPG 2.

      6. Remove the packages openct and opensc because they may interfere with GnuPG.

      7. Use 2048 bit keys instead of 3072 or 4096 bit keys.

      8. Test the Nitrokey on another computer or with another operating system.

      9. Reset the device and delete all keys.

      10. Add the following lines to ~/.gnupg/scdaemon.conf and provide the resulting log file for debugging purposes, where <username> is the name of your user account:
        debug 2048
        log-file /home/<username>/scdaemonlog.txt

      Further instructions

      • Gooze provides tutorials to help you implement smartcards under GNU/Linux, Mac OS X and Windows

      • Detailed instructions how to install and setup your Nitrokey with Fedora Linux.

    • Nitrokey Storage doesn't work anymore under Windows after upgrading the firmware

      1. Use this tool to delete all registry entries for USB devices with ProductID 4109 and VendorID 20A0.
      2. Reset the Nitrokey device.
      3. Install and use the latest App.

    • On my MacOS keyboard the keys < and ^ are swapped

      Delete the file /Library/Preferences/com.apple.keyboardtype.plist and restart your computer.

    • How to reset a Nitrokey?

      Nitrokey Pro and Nitrokey Storage:

      Option 1, if the device is not fully locked and you remember the valid Admin PIN, use Nitrokey App:

      Open a terminal (on Windows: press the Start button and enter "cmd") and start the Nitrokey App with "nitrokey-app --admin". Click on the Nitrokey App's tray icon, select "Configuration" and then "factory settings".

      Option 2, to reset a blocked device, Windows only:

      Use CryptoStickReset.

      Option 3, to reset a blocked device with GnuPG 2 and Windows:

      1. Download and install Gpg4win.
      2. Download and execute this reset script.

      Option 4, to reset a blocked device with GnuPG 2 and Linux:

      1. Download this file
      2. Open a command prompt (terminal) and run "gpg-connect-agent < nitrokey-reset.txt".
        In case of the error "ERR 67108983 No SmartCard daemon <GPG Agent>", please install scdaemon (e.g. "sudo apt install scdaemon").

      Option 5, to reset a blocked device with GnuPG 2.1:

      1. Ensure that you use GnuPG 2.1: "gpg --version"
      2. Reset device: "gpg2 --card-edit" -> "admin" -> "factory-reset"

      Nitrokey Start:

      You can find out the firmware version of your device by executing gpg --card-status.

      Nitrokey Start firmware 1.2 and newer:

      1. Ensure that you use GnuPG 2.1: "gpg --version"
      2. Reset device: "gpg2 --card-edit" -> "admin" -> "factory-reset"

      Nitrokey Start firmware 1.0:

      In order to reset a Nitrokey Start 1.0, you need to have defined a public key for firmware updates beforehand. In case of a blocked device this enables you to perform a firmware update, which resets the device.

      You may also define a reset code, which enables resetting the User PIN (not the Admin PIN).

      Nitrokey HSM:

      As long as you know the unblocked SO-PIN, you can initialize the device as described here. There is no way to reset the Nitrokey HSM if the SO-PIN is forgotten or entered wrongly 15 times. In that case the device can't be used anymore.

    • How to use the Nitrokey with multiple computers?

      Prerequisite: an initialized Nitrokey with generated keys.

      On a computer other than the one you generated the keys on, you need to inform GnuPG about the Nitrokey. You have two options for doing so:

      If you have published your public key on your website, you should program that URL into your smart card in the "URL of public key" field (gpg --card-edit, admin, url). In addition or instead, you may want to publish your public key on a key server. When you get to a new computer, insert the card, run "gpg --card-edit" and then "fetch"; GnuPG will fetch the public key from the URL. If no URL is entered, it will attempt to retrieve the public key from the keyserver.

      Alternatively, you can copy and import the public key manually, from a flash drive for instance. In this case you have to insert the device and run "gpg --card-status". (Now the general key info will be correctly populated, and new pseudo-secret stubs will be created.)

      In any case, the keyring file (e.g. ~/.gnupg/pubring.gpg) containing the public keys of your contacts has to be copied manually.

      See this more detailed description.

    • How to update the firmware of Nitrokey Storage?

      See these instructions.

    • Ubuntu: Tray icon is displayed at the wrong corner of the screen

      Execute the following commands in a terminal.

      $ sudo apt-add-repository ppa:gurqn/systray-utopic
      $ sudo apt-get update
      $ sudo apt-get upgrade

      Logout and login again to your computer account.

    • Key generation fails with Nitrokey Start

    • How to make GnuPG release exclusive smartcard access?

    • Which GnuPG, OpenSC and libccid versions are required?

      GnuPG 2.0.18 or newer. We recommend the 2.0 main version; 2.1 is still a bit unstable in our experience.

      OpenSC 0.16 or newer. Version 0.15 is not sufficient; you would need its nightly builds or compile it from their git repository.

      libccid 1.4.22 or newer.

  • Shop and Delivery

    • How long does shipping take?

      Letter:

      • Germany: 2-5 working days
      • EU: 5-10 working days
      • Worldwide: 2-3 weeks

      Parcel:

      • Germany: 1-3 working days
      • EU: 2-5 working days
      • Worldwide: 5-10 working days

    • Prices and sales tax/VAT

      Nitrokey UG has a heterogeneous customer base of private and business customers from Germany, the EU and countries outside Europe. With our pricing we want to ensure that all customers bear the same burden. For example, a large international corporation should pay exactly as much as a German private individual. Therefore the gross price (incl. VAT) for German customers equals the net price (excl. VAT) for customers outside Europe. This approach has been reviewed under tax law and is sound.

  • Development