Storing OpenDJ server keys on the Nitrokey HSM

The Nitrokey HSM provides a PKCS#11 hardware security module the form of a USB key. The design is based on open hardware and open software.

This is a low cost option to familiarize yourself with an actual hardware HSM, and to test your procedures. With it, you can demonstrate that OpenDJ servers can in fact use the HSM as a key store. [...]

The current article demonstrates generating and storing keys and certificates on the Nitrokey HSM, and then using they keys to protect OpenDJ server communications.

Using the Nitrokey HSM with GPG in macOS

Getting yourself set up in macOS to sign keys using a Nitrokey HSM with gpg is non-trivial. Allegedly (at least some) Nitrokeys are supported by scdaemon (GnuPG’s stand-in abstraction for cryptographic tokens) but it seems that the version of scdaemon in brew doesn’t have support.

How to Protect Your Digital Self

You can’t lock down all the things all the time—it’s the digital equivalent of hiding in a bunker. Build a personal protection plan that makes sense for you.

python-pkcs11 with the Nitrokey HSM

So my Nitrokey HSM arrived and it works great, thanks to the Nitrokey peeps for sending me one.

Because the OpenSC PKCS #11 module is a little more lightweight than some of the other vendors, which often implement mechanisms that are not actually supported by the hardware (e.g. the Opencryptoki TPM module), I wrote up some documentation on how to use the device, focusing on how to extract the public keys for using outside of PKCS #11, as the Nitrokey doesn’t implement any of the public key functions.

Nitrokey Pro Setup

I got my hands on a Nitrokey pro! I went for Nitrokey over Yubikey since Nitrokey is totally open-source (something I strongly believe in) meaning more control and security.

Nitrokey und Netknights bringen ihre Kompetenzen zusammen

Die beiden Unternehmen Nitrokey und Netknights bringen gemeinsam eine Komplettlösung für eine vertrauenswürdige Zwei-Faktor-Authentifizierung in Unternehmen auf den Markt.

Nitrokey Pro im Praxistest - Digitaler Hausschlüssel

Der Nitrokey Pro verspricht einen sicheren Safe für Passwörter und eine Zwei-Faktor-Authentifizierung. Im Praxistest tritt der Newcomer gegen den Platzhirsch YubiKey an.

Nitrokey – Sicherheit to go

Der Nitrokey ist das Produkt eines Open-Source-Projekts, dass es sich zur Aufgabe gemacht hat, Passwörter und kryptographische Schlüssel sicher zu verwahren.

Für eine sichere Übertragung von Daten im Internet ist die Vertraulichkeit des privaten Schlüssels unabdinglich. Doch genau dieser gerät in Zeiten von Bundestrojanern und immer heimtückischerer Krimineller zusehends in Bedrängnis. Selbiges gilt für Passwörter, die viel zu oft  im Klartext irgendwo auf der Festplatte liegen und nur darauf warten, von Eindringlingen abgegriffen zu werden.

Nitrokey Pro einrichten – generieren der Schlüssel

In einem vorherigen Artikel habe ich den Nitrokey Pro vorgestellt. Diesen habe ich nach und nach für immer mehr Einsatzzwecke verwendet. Die Erfahrungen, die ich dabei gesammelt habe, möchte ich in einer Artikelreihe zusammenfassen um Anderen einige Stunden voller Verzweiflung und wiederholtes Neu-Aufsetzen der Schlüssel ersparen zu können.

Universal 2nd Factor ausprobiert (Facebook, Google, WordPress)

Bin neulich über das Akronym U2F (Universal Second Factor) gestolpert und fand die Tatsache, dass ich einige Dienste über einen USB-Stick absicher kann, doch recht praktisch.
Zwar bieten die meisten großen Anbieter bereits mehrere Methoden (SMS, App etc) zur 2-Faktor-Autorisierung an, aber so ohne Smartphone ist auch ganz praktisch. Glaube ich zumindest bis jetzt.

Nitrokey Review / Test

Ya de ca qq semaines je suis tombé sur une petite chose vraiment très intéressante et je n'ai pas pu m’empêcher d'en commander une pour la tester ...
Vous allez me dire : oui OK c'est bien on est content pour toi ...
Mais c'est quoi cette petite chose qui mérite carrément une review sur le fofo alors que ça a rien a voir avec le sat ???!!!
Et bien c'est une Nitrokey !

Signing a JSON Web Token (JWT) with a smart card or HSM

Security crumbles if hackers manage to get at secret or private keys. The best way to protect your key material is to keep it inaccessible from software, so if the application or the OS gets compromised the keys cannot be extracted. Smart cards and hardware security modules (HSM) provide just that — a dedicated external device for storing keys and performing the actual crypto operations with them. There’s no interface to get at the secret or private key material once it’s saved on the device. Such devices are typically also resistant to tampering, for extra security in case they get lost or stolen.

Using the Nitrokey HSM with GnuTLS applications

The Nitrokey HSM is an open hardware security module, in the form of a smart card token, which is used to isolate a server's private key from the application. That is, if you have an HTTPS server, such a hardware security module will prevent an attacker which temporarily obtained privileged access on the server (e.g., via an exploit like heartbleed), from copying the server's private key, allowing for impersonating it. See my previous post for a more elaborate discussion on that defense mechanism.

LWN: One-time passwords and GnuPG with Nitrokey

A few years ago, the hardware vendor Yubico made a bit of a splash when it introduced its YubiKey line of inexpensive hardware security tokens powered by open-source software. With its most recent product release, however, Yubico has dropped open source and started deploying only proprietary software in its devices. Consequently, many community members have started looking for a viable replacement that will adhere to open-source principles. At present, one of the leading contenders for Yubico's departed customers is Nitrokey, which manufactures a line of hardware tokens capable of generating one-time passwords (OTPs), storing and using OpenPGP keys, and several other features. The devices made by Nitrokey run open-source software and are open hardware as well.

Decrypt/Extract Nitrokey HSM/SmartCard-HSM RSA private keys

This is a guide which shows you how to extract private RSA key material from the Nitrokey HSM / SmartCard-HSM using the DKEK. This way you can get the private key out of the HSM in an unencrypted form. It does require access to the HSM device, all the DKEK share and their passwords. Do note that doing this defeats the entire purpose of a HSM, namely that you never have access to the keys. In the article I'll go over some explanation why this might be a feature you need and why it might be a case of security over convinience.

Use the Nitrokey HSM or SmartCard-HSM with sc-hsm-embedded, mod_nss and Apache (read only module)

This is a guide on using the Nitrokey HSM with sc-hsm-embedded module instead of the PC/SC daemon and OpenSC, mod_nss and the Apache webserver. This is an extension on the earlier guide, with new benchmarks. The sc-hsm-embedded module is not using a global lock like OpenSC, therefore providing better performance. The sc-hsm-embedded module is also a read only module, suitable for embedded systems. Read only also makes it more secure when deployed, even when the user pin leaks out an attacker cannot create new keypairs or delete the current ones.

The HSM allows you to store the private key for a SSL certificate inside the HSM (instead of on the filesystem), so that it can never leave the device and thus never be stolen.

The guide covers the installation of the sc-hsm-embedded module, configuration of and benchmarks from Apache with the HSM and different key sizes.

Nitrokey HSM/SmartCard-HSM and Raspberry Pi web cluster

This article sets up a Nitrokey HSM/SmartCard-HSM web cluster and has a lot of benchmarks. This specific HSM is not a fast HSM since it's very inexpensive and targeted at secure key storage, not performance. But, what if you do want more performance? Then you scale horizontally, just add some more HSM's and a loadbalancer in front.

Storing arbitraty data in the Nitrokey HSM/SmartCard-HSM with Elementary Files (EF)

This is a guide which shows you how to write small elementary files to a nitrokey HSM. This can be usefull if you want to securely store data protected by a user pin. You can enter the wrong pin only three times, so offline brute forcing is out of the picture.

Nitrokey Start: Getting started guide (gnuk openpgp token)

The Nitrokey Start is an OpenPGP USB token. It supports three 2048 bit GPG keys and is based on gnuk version 1.0.4. Gnuk is an implementation of USB cryptographic token for GPG. A cryptographic token is a store of private keys and it computes cryptographic functions on the device. The main difference with other GPG cards like the Nitrokey Pro, Yubikey or the OpenPGP card is that this device does not use a smartcard. Whereas the other devices are basically USB smartcard readers, the Nitrokey Start has everything in it's firmware. Therefore it is a very cheap device ($29) and a great choice if you want token based GPG security but don't want to spend much on an expensive other key.

Use the Nitrokey HSM or SmartCard-HSM with mod_nss and Apache

This is a guide on using the Nitrokey HSM with mod_nss and the Apache webserver. The HSM allows you to store the private key for a SSL certificate inside the HSM (instead of on the filesystem), so that it can never leave the device and thus never be stolen.

The guide covers the installation and configuration of mod_nss, coupling the HSM to NSS, generating the keys and configuring Apache, and last but not least we also do some benchmarks on Apache with the HSM and different key sizes.

Nitrokey HSM EC setup

Following up from my previous writeup on creating an EC CA, let’s talk about key security.

Hardware security modules are physical devices that manage keys. Generally, the rule is that they let you use the keys for operations (e.g. signing) given correct authentication, but don’t let you extract the raw key material. This means that if you’re holding the HSM, you know that no one else is currently abusing your key (though they may have done so in the past).

Get started with the Nitrokey HSM or SmartCard-HSM

This is a guide to get started with the Nitrokey HSM (or SmartCard-HSM). It covers what a HSM is and what it can be used for. It also goes over software installation and initializing the device including backups of the device and keys. Finally we do some actual crypto operatons via pkcs11, OpenSSH, Apache and OpenSSL. We also cover usage in Thunderbird (S/MIME), Elementary Files (EF), a Web cluster with Apache and mod_nss and the decryption of the keys.

Nitrokey, a thumbdrive to encrypt data, emails and logins

Nitrokey is a physical USB thumbdrive developed in Germany to encrypt email with OpenPGP, GnuPG or S/MIME, use One Time Passwords, encrypt your computer hard drive files, manage digital certificates and act as a double authentication token with websites that have adopted the Universal 2dn Factor U2F standard supported by Google services, OpenSSH and WordPress. The hardware design and software code of this encryption thumbdrive has been made open source to allow the review of their security and for developers to be able to integrate their own applications.

Securing GnuPG keys on a Nitrokey Pro

A GnuPG key should always be secured with a passphrase, but if you want to secure it further, then one popular option is to move it off the hard drive, onto a USB device with OpenPGP Card support such as the Nitrokey Pro.

Signing RPMs using the Nitrokey hardware security module (HSM)

The CloudRouter project takes security very seriously. Cryptographic signatures are used to ensure the integrity of the software we distribute. CloudRouter 1.0 beta is a Fedora Remix. Most packages are provided by the Fedora repositories. For details on how these packages are signed, see the Fedora documentation. Additional packages such as OpenDaylight are provided by the CloudRouter repositories. These packages are signed using the CloudRouter Project key.

In order to ensure maximum security for our community, we are using a dedicated signing server with a hardware security module (HSM) that is not connected to the Internet. This drastically reduces the risk of a remote attacker compromising the CloudRouter Project key and attempting to sign malicious packages as legitimate components.

Vorsatz für 2016: Kennwörter auf Hardware auslagern

Schon seit längerem hadere ich mit der Absicherung meiner Kennwörter über eine Smartcard oder einen USB Stick. Das ist zwar unbequem und ich rechne mit einer langen steilen Gewöhnungskurve aber dieses Jahre werde ich mich diesem Bären stellen.

SOPS: Secrets OPerationS

sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP.