The many data breaches over the past few years have made one thing extremely clear: Passwords are not working. Enter the $25 Nitrokey Fido U2F USB security key. The Nitrokey makes it much harder for the bad guys to break into your account by adding a second authentication step to popular services like Google, Twitter, Facebook, and more.
Sicher mit nur einer PIN oder einem schlechten Passwort: Fido-Sticks sollen auf Tastendruck Zwei-Faktor-Authentifizierung oder passwortloses Anmelden ermöglichen. Golem.de hat getestet, ob sie halten, was sie versprechen.
On an infinite timeline of the internet, your email and password will eventually fall into the hands of a unknown party. [...] Having a strong password isn’t enough, that’s why today we’ll look at Nitrokey’s FIDO U2F as a physical device as a second layer of protection.
The goal of this tutorial is to build a relatively secure and cheap PKI for your business, organization or personal use...
Dass Startup Aktien 2019 an der Börse eine wichtige Rolle spielen könnten, wird von kaum einer Seite bestritten. [...] Zuletzt rückten in Deutschland Unternehmen wie Nitrokey [...] aufgrund ihres rasanten Wachstums in den Vordergrund. Wann dort eine Investition möglich ist, lässt sich bislang nicht absehen.
Um Konten zu Hause oder am Arbeitsplatz zu schützen, hat das deutsche IT-Sicherheitsunternehmen Nitrokey den USB-Schlüssel Nitrokey FIDO U2F vorgestellt. Dieser soll die Verwendung einer Zwei-Faktor-Authentifizierung deutlich vereinfachen. Anwender müssen nach der Erstkonfiguration nur noch den Touch-Sensor auf dem Gerät berühren, um sich bei ihren verschiedenen Konten anzumelden.
Do zabezpieczenia swoich danych, w tym wrażliwych danych dostępowych do serwisów czy systemów informatycznych, można podchodzić w różny sposób, implementując określoną politykę bezpieczeństwa i metodę zabezpieczenia kluczowych danych. Zazwyczaj jednak żadna polityka nie zostaje wdrożona i dane są ogólnodostępne, niezabezpieczone przed utratą spowodowaną niezamierzonym lub celowym działaniem człowieka, wyciekiem czy zniszczeniem.
Purism announced Thursday that its highly anticipated Librem Key security key is now available for purchase as the first and only OpenPGP-based smart card to offer a Heads-firmware-integrated tamper-evident boot process for laptops. Developed in partnership with Nitrokey, a company known for manufacturing open-source USB keys that enable secure encryption and signing of data for laptops, Purism's Librem Key is dedicated to Librem laptop users...
A few months ago we announced that we were partnering with Nitrokey to produce a new security token: the Librem Key and I’m pleased to announce that today the Librem Key is available for purchase on our site for $59.
Purism, maker of the security-focused Librem laptops, announced yesterday it has partnered with Nitrokey to create Purekey, "Purism's own OpenPGP security token designed to integrate with its hardware and software. Purekey embodies Purism's mission to make security and cryptography accessible where its customers hold the keys to their own security."
We are happy to announce a new special program sponsored by The Linux Foundation in partnership with Nitrokey -- the developer and manufacturer of smartcard-compatible digital tokens capable of storing private keys and performing PGP operations on-chip.
The best way to completely protect your keys is to move them to a specialized hardware device that is capable of smartcard operations.
This article presents a way of utilising the Nitrokey HSM hardware security token for signing DNSSEC zone files for use with the NSD name server daemon.
One goal of this partnership is to implement a secure login mechanism into our digital inheritance platform for our legal entities using Nitrokey products.
Der oberösterreichische IT-Security-Distributor NESTEC IT-Solutions, mit Standorten in St. Florian bei Linz und Zagreb, hat Vertrieb und Betreuung der Lösungen des Herstellers Nitrokey aus Berlin für Österreich, Südtirol und den ostadriatischen Raum übernommen.
For the HSM, we recommend using Nitrokey hardware, since they are free software/hardware, and provide a wide range of options. Use a separate machine to put the signing keys on HSM. A good HSM will keep an audit trail of how many signatures have been made, so that information could be used to create an automatic auditing process to raise alarms if too many signatures have been made. That could mean that this server was breached and used to sign unauthorized packages.
Im Podcast vom "Chaospott Essen" wird über die Nutzung des Nitrokey berichtet.
Pour un particulier désireux de protéger ses données numériques, la solution la plus connue est la clé USB Yubikey de Yubico. Malheureusement, Yubikey a décidé l’année passée de fermer le code de leurs clés, ce qui est plutôt inquiétant, surtout venant d’une entreprise Américaine. Dans cet article, je vais vous présenter Nitrokey, une société qui offre une alternative libre à Yubico.
The Nitrokey HSM provides a PKCS#11 hardware security module the form of a USB key. The design is based on open hardware and open software.
This is a low cost option to familiarize yourself with an actual hardware HSM, and to test your procedures. With it, you can demonstrate that OpenDJ servers can in fact use the HSM as a key store. [...]
The current article demonstrates generating and storing keys and certificates on the Nitrokey HSM, and then using they keys to protect OpenDJ server communications.
Getting yourself set up in macOS to sign keys using a Nitrokey HSM with gpg is non-trivial. Allegedly (at least some) Nitrokeys are supported by scdaemon (GnuPG’s stand-in abstraction for cryptographic tokens) but it seems that the version of scdaemon in brew doesn’t have support.
So my Nitrokey HSM arrived and it works great, thanks to the Nitrokey peeps for sending me one.
Because the OpenSC PKCS #11 module is a little more lightweight than some of the other vendors, which often implement mechanisms that are not actually supported by the hardware (e.g. the Opencryptoki TPM module), I wrote up some documentation on how to use the device, focusing on how to extract the public keys for using outside of PKCS #11, as the Nitrokey doesn’t implement any of the public key functions.
You can’t lock down all the things all the time—it’s the digital equivalent of hiding in a bunker. Build a personal protection plan that makes sense for you.
I got my hands on a Nitrokey pro! I went for Nitrokey over Yubikey since Nitrokey is totally open-source (something I strongly believe in) meaning more control and security.
Wer mehr Sicherheit haben will, muss Bequemlichkeit dafür hergeben – so lautet ein allgemein behauptetes Manko sicherer IT. Zum Glück bestätigen Ausnahmen die Regel. Die OpenPGP Smartcard ist so eine Ausnahme. Für das Plus an Sicherheit müssen Sie einmal unsere etwas längliche Installationsanleitung befolgen. Aber dann kommen Sie in den Genuss, Ihre Mails ohne weiteres Zutun bequem verschlüsseln und sich ohne Eingabe kryptischer Passphrasen automatisch per SSH einloggen zu können.
Der Nitrokey Pro verspricht einen sicheren Safe für Passwörter und eine Zwei-Faktor-Authentifizierung. Im Praxistest tritt der Newcomer gegen den Platzhirsch YubiKey an.
Bin neulich über das Akronym U2F (Universal Second Factor) gestolpert und fand die Tatsache, dass ich einige Dienste über einen USB-Stick absicher kann, doch recht praktisch. Zwar bieten die meisten großen Anbieter bereits mehrere Methoden (SMS, App etc) zur 2-Faktor-Autorisierung an, aber so ohne Smartphone ist auch ganz praktisch. Glaube ich zumindest bis jetzt.
Ya de ca qq semaines je suis tombé sur une petite chose vraiment très intéressante et je n'ai pas pu m’empêcher d'en commander une pour la tester ...
Vous allez me dire : oui OK c'est bien on est content pour toi ...
Mais c'est quoi cette petite chose qui mérite carrément une review sur le fofo alors que ça a rien a voir avec le sat ???!!!
Et bien c'est une Nitrokey !
Nitrokey is an open source usb smart card that has multiple uses including one time passwords, email encryption, file encryption and computer authentication. The creators decided to create it when they needed a solution to securing their encryption keys on insecure computer systems. In 2009 they released their first product and now in 2016 they have four different products and are on their way to creating another one.
Alle Jahre wieder kommt die schwere Suche nach Geschenken: Apfel, Nuss und Mandelkern haben längst nicht alle Kinder gern – von Mama und Papa ganz zu schweigen.
Vom Himmel hoch kommen sie nicht her: gute Geschenk-Ideen. Doch die c’t-Redaktion macht hoch die Tür, lässt die Jingle Bells erklingen und stellt recht zeitig zur stillen Nacht Geschenktipps vor.
Security crumbles if hackers manage to get at secret or private keys. The best way to protect your key material is to keep it inaccessible from software, so if the application or the OS gets compromised the keys cannot be extracted. Smart cards and hardware security modules (HSM) provide just that — a dedicated external device for storing keys and performing the actual crypto operations with them.
The Nitrokey HSM is an open hardware security module, in the form of a smart card token, which is used to isolate a server's private key from the application. That is, if you have an HTTPS server, such a hardware security module will prevent an attacker which temporarily obtained privileged access on the server (e.g., via an exploit like heartbleed), from copying the server's private key, allowing for impersonating it.
Die beiden Unternehmen Nitrokey und Netknights bringen gemeinsam eine Komplettlösung für eine vertrauenswürdige Zwei-Faktor-Authentifizierung in Unternehmen auf den Markt. Dabei handelt es sich um den USB-Schlüssel Nitrokey, der sich mit dem Mehr-Faktor-Authentifizierungssystem Privacy Idea initialisieren und verwalten lässt. Die gemeinsame Lösung soll als Open Source beziehungsweise als offene Hardware veröffentlicht werden.
In einem vorherigen Artikel habe ich den Nitrokey Pro vorgestellt. Diesen habe ich nach und nach für immer mehr Einsatzzwecke verwendet. Die Erfahrungen, die ich dabei gesammelt habe, möchte ich in einer Artikelreihe zusammenfassen um Anderen einige Stunden voller Verzweiflung und wiederholtes Neu-Aufsetzen der Schlüssel ersparen zu können.
The Nitrokey Start is an OpenPGP USB token. It supports three 2048 bit GPG keys and is based on gnuk version 1.0.4. Gnuk is an implementation of USB cryptographic token for GPG. A cryptographic token is a store of private keys and it computes cryptographic functions on the device. The main difference with other GPG cards like the Nitrokey Pro, Yubikey or the OpenPGP card is that this device does not use a smartcard. Whereas the other devices are basically USB smartcard readers, the Nitrokey Start has everything in it's firmware. Therefore it is a very cheap device ($29) and a great choice if you want token based GPG security but don't want to spend much on an expensive other key.
This article sets up a Nitrokey HSM/SmartCard-HSM web cluster and has a lot of benchmarks. This specific HSM is not a fast HSM since it's very inexpensive and targeted at secure key storage, not performance. But, what if you do want more performance? Then you scale horizontally, just add some more HSM's and a loadbalancer in front.
A few years ago, the hardware vendor Yubico made a bit of a splash when it introduced its YubiKey line of inexpensive hardware security tokens powered by open-source software. With its most recent product release, however, Yubico has dropped open source and started deploying only proprietary software in its devices. Consequently, many community members have started looking for a viable replacement that will adhere to open-source principles. At present, one of the leading contenders for Yubico's departed customers is Nitrokey, which manufactures a line of hardware tokens capable of generating one-time passwords (OTPs), storing and using OpenPGP keys, and several other features. The devices made by Nitrokey run open-source software and are open hardware as well.
This is a guide which shows you how to write small elementary files to a nitrokey HSM. This can be usefull if you want to securely store data protected by a user pin. You can enter the wrong pin only three times, so offline brute forcing is out of the picture.
This is a guide on using the Nitrokey HSM with sc-hsm-embedded module instead of the PC/SC daemon and OpenSC, mod_nss and the Apache webserver. This is an extension on the earlier guide, with new benchmarks. The sc-hsm-embedded module is not using a global lock like OpenSC, therefore providing better performance. The sc-hsm-embedded module is also a read only module, suitable for embedded systems. Read only also makes it more secure when deployed, even when the user pin leaks out an attacker cannot create new keypairs or delete the current ones.
This is a guide which shows you how to extract private RSA key material from the Nitrokey HSM / SmartCard-HSM using the DKEK. This way you can get the private key out of the HSM in an unencrypted form. It does require access to the HSM device, all the DKEK share and their passwords. Do note that doing this defeats the entire purpose of a HSM, namely that you never have access to the keys. In the article I'll go over some explanation why this might be a feature you need and why it might be a case of security over convinience.
This is a guide on using the Nitrokey HSM with mod_nss and the Apache webserver. The HSM allows you to store the private key for a SSL certificate inside the HSM (instead of on the filesystem), so that it can never leave the device and thus never be stolen.
The guide covers the installation and configuration of mod_nss, coupling the HSM to NSS, generating the keys and configuring Apache, and last but not least we also do some benchmarks on Apache with the HSM and different key sizes.
This is a guide to get started with the Nitrokey HSM (or SmartCard-HSM). It covers what a HSM is and what it can be used for. It also goes over software installation and initializing the device including backups of the device and keys. Finally we do some actual crypto operatons via pkcs11, OpenSSH, Apache and OpenSSL. We also cover usage in Thunderbird (S/MIME), Elementary Files (EF), a Web cluster with Apache and mod_nss and the decryption of the keys.
NitroKey Pro ist im Wesentlichen eine Smartcard in Form eines USB-Sticks. In Verbindung mit Standard-Tools wie OpenPGP hilft der Stick, Daten zu verschlüsseln und zu signieren. Zudem beherrscht er die Zwei-Faktor-Authentifizierung mit One-Time-Passwords (OTP), wodurch man etwa den Zugriff auf Web-Dienste absichern kann.
A lot of deployment of Active Directory Certificate Services is never deployed with an Hardware Security Module (HSM). Now this does not have to be a problem depending on the use of the issued certificates. In some deployments however it can be a serious security risk not to incorporate a HSM into the design.
Hardware security modules are physical devices that manage keys. Generally, the rule is that they let you use the keys for operations (e.g. signing) given correct authentication, but don’t let you extract the raw key material. This means that if you’re holding the HSM, you know that no one else is currently abusing your key (though they may have done so in the past).
A GnuPG key should always be secured with a passphrase, but if you want to secure it further, then one popular option is to move it off the hard drive, onto a USB device with OpenPGP Card support such as the Nitrokey Pro.
Der Nitrokey ist das Produkt eines Open-Source-Projekts, dass es sich zur Aufgabe gemacht hat, Passwörter und kryptographische Schlüssel sicher zu verwahren.
Für eine sichere Übertragung von Daten im Internet ist die Vertraulichkeit des privaten Schlüssels unabdinglich. Doch genau dieser gerät in Zeiten von Bundestrojanern und immer heimtückischerer Krimineller zusehends in Bedrängnis. Selbiges gilt für Passwörter, die viel zu oft im Klartext irgendwo auf der Festplatte liegen und nur darauf warten, von Eindringlingen abgegriffen zu werden.
Der Nitrokey Pro ist eine Smartcard für verschiedene Verschlüsselungsaufgaben im handlichen USB-Stick-Format. Er lässt sich etwa zur Mail-Verschlüsselung mit GnuPG nutzen oder aber, um Daten mit TrueCrypt zu chiffrieren. Die geheimen Krypto-Schlüssel verbleiben stets im Smartcard-Chip im Inneren des Sticks, wo sie vor Trojanern sicher sein sollen. Zudem generiert der Nitrokey auch Einmalpasswörter zur Zwei-Faktor-Authentifizierung (OTP) und arbeitet als verschlüsselter Passwort-Tresor.
Schon seit längerem hadere ich mit der Absicherung meiner Kennwörter über eine Smartcard oder einen USB Stick. Das ist zwar unbequem und ich rechne mit einer langen steilen Gewöhnungskurve aber dieses Jahre werde ich mich diesem Bären stellen.
I rarely advertise any products, and even though this is not physically available yet: get your USB Nitrokey Storage at Indiegogo until tomorrow. Realized with Open Hardware and Free Software it will enable secure logins, encryption, backups, ... Further information is available at the Nitrokey web site.
Im Rahmen eines Beitrags zum Hacker-Congress 32c3 des Chaos Computer Clubs berichtet die Nachrichtensendung ZDF Heute auch über den Nitrokey, der als "digitaler Haustürschlüssel" Systeme absichert. Dabei wird erklärt, dass die Software dahinter Open Source ist und inwiefern dies wichtig für die Nachvollziehbarkeit der Sicherheit ist.
With the mounting online security risks, simple one-step security no longer suffices, and people resort to multiple layers of security to thwart increasingly sophisticated attacks on their digital assets and online privacy. An advanced form of security defense often employed in financial sectors and other corporate environments is hardware-based protection, where a tamper-proof physical security key (also known as "security token" or "hardware token") acts as a protection layer for secret software keys or login credentials.
Germany's thriving startup scene is one of the most unique in Europe.
The capital Berlin is home to a mixture of hackers, privacy experts, scientists, and video companies that are making waves in the tech scene.
Here are some underground companies as well as more established names that are worth watching.
In order to ensure maximum security for our community, we are using a dedicated signing server with a hardware security module (HSM) that is not connected to the Internet. This drastically reduces the risk of a remote attacker compromising the CloudRouter Project key and attempting to sign malicious packages as legitimate components. [...] A huge variety of HSMs are available. We went with Nitrokey as it had several key benefits
Nitrokey is a physical USB thumbdrive developed in Germany to encrypt email with OpenPGP, GnuPG or S/MIME, use One Time Passwords, encrypt your computer hard drive files, manage digital certificates and act as a double authentication token with websites that have adopted the Universal 2dn Factor U2F standard supported by Google services, OpenSSH and WordPress. The hardware design and software code of this encryption thumbdrive has been made open source to allow the review of their security and for developers to be able to integrate their own applications.
Mozilla maintains a wide range of services which are secured using different solutions. For internal repositories, our Operations Security team has chosen to use the low-cost, open source and open hardware CryptoStick from the German Privacy Foundation.
An HSM is a Hardware Security Module. It’s a hardware card, stick, device able to perform crypto operations. In general, it stores private keys which are used to sign, encrypt or authenticate. The key itself never leaves the hardware, thus attackers cannot steal the key (i.e., if the hardware is disconnected, the key cannot be used anymore.)
During CeBIT 2011 open source projects such as Crypto Stick, USB stick developed to allow easy and high-secure encryption of emails and more, will have the opportunity to showcase what is currently in active development.
Open-Source-Hardware ist keine Spielerei, das zeigt ein USB-Stick der German Privacy Foundation. Auf dem können bis zu drei Benutzer ihre GPG-Schlüssel, RSA- und PKCS#11-Zertifikate hinterlegen und sich mit Linux und Windows für E-Mails, Browser oder SSH authentifizieren.
