27 October 2017

Secure your digital life: a USB key to encrypt and sign your data

For an individual who wants to protect their digital data, the best-known solution is the Yubikey USB key from Yubico. Unfortunately, Yubikey decided last year to close the source code of their keys, which is rather worrying, especially coming from an American company. In this article, I will introduce Nitrokey, a company that offers a free/libre alternative to Yubico.

14 August 2017

Storing OpenDJ server keys on the Nitrokey HSM - Blog of Mark Craig

The Nitrokey HSM provides a PKCS#11 hardware security module in the form of a USB key. The design is based on open hardware and open software.

This is a low cost option to familiarize yourself with an actual hardware HSM, and to test your procedures. With it, you can demonstrate that OpenDJ servers can in fact use the HSM as a key store. [...]

The current article demonstrates generating and storing keys and certificates on the Nitrokey HSM, and then using the keys to protect OpenDJ server communications.

07 July 2017

Using the Nitrokey HSM with GPG in macOS - Blog of Danielle

Getting yourself set up in macOS to sign keys using a Nitrokey HSM with gpg is non-trivial. Allegedly (at least some) Nitrokeys are supported by scdaemon (GnuPG’s stand-in abstraction for cryptographic tokens) but it seems that the version of scdaemon in brew doesn’t have support.

04 July 2017

python-pkcs11 with the Nitrokey HSM - Blog of Danielle

So my Nitrokey HSM arrived and it works great, thanks to the Nitrokey peeps for sending me one.

Because the OpenSC PKCS #11 module is a little more lightweight than some of the other vendors, which often implement mechanisms that are not actually supported by the hardware (e.g. the Opencryptoki TPM module), I wrote up some documentation on how to use the device, focusing on how to extract the public keys for using outside of PKCS #11, as the Nitrokey doesn’t implement any of the public key functions.

07 June 2017

How to Protect Your Digital Self - WIRED

You can’t lock down all the things all the time—it’s the digital equivalent of hiding in a bunker. Build a personal protection plan that makes sense for you.

09 May 2017

Nitrokey Pro Setup - Blog

I got my hands on a Nitrokey pro! I went for Nitrokey over Yubikey since Nitrokey is totally open-source (something I strongly believe in) meaning more control and security.

28 April 2017

Multipass - Secure cryptography on Linux with the OpenPGP smart card - c't Magazin für Computer Technik

Anyone who wants more security has to give up convenience for it – so goes a commonly claimed shortcoming of secure IT. Fortunately, exceptions prove the rule. The OpenPGP smart card is one such exception. For the added security, you have to follow our somewhat lengthy installation guide once. But then you get to enjoy conveniently encrypting your mail with no further effort and logging in automatically via SSH without entering cryptic passphrases.

01 April 2017

Nitrokey Pro put to the test - Digital house key - LinuxCommunity

The Nitrokey Pro promises a secure safe for passwords and two-factor authentication. In the hands-on test, the newcomer takes on the top dog, YubiKey.

28 January 2017

Universal 2nd Factor tried out (Facebook, Google, WordPress) - Blog of Jan-Hendrik Beuth

I recently stumbled across the acronym U2F (Universal Second Factor) and found the fact that I can secure some services with a USB stick rather practical. Most of the big providers already offer several methods (SMS, app, etc.) for two-factor authorization, but doing it without a smartphone is quite practical too. At least, that is what I think so far.

21 January 2017

Nitrokey Review / Test - Forum article

A few weeks ago I came across a really interesting little thing and I couldn't help ordering one to test it ...
You're going to tell me: yeah OK, that's nice, we're happy for you ...
But what is this little thing that actually deserves a review on the forum when it has nothing to do with satellite???!!!
Well, it's a Nitrokey!

30 December 2016

Review: Nitrokey Pro - Blog Bitvoid

Nitrokey is an open source USB smart card that has multiple uses including one time passwords, email encryption, file encryption and computer authentication. The creators decided to create it when they needed a solution to securing their encryption keys on insecure computer systems. In 2009 they released their first product and now in 2016 they have four different products and are on their way to creating another one.

09 December 2016

Gift tips from the c't editorial team for tinkering - c't Magazin für Computer Technik

Every year the difficult search for gifts comes around again: apples, nuts and almonds are by no means liked by all children – not to mention Mom and Dad.

They don't come down from heaven above: good gift ideas. But the c't editorial team opens the door wide, lets the jingle bells ring and presents gift tips in good time for the silent night.

25 November 2016

Signing a JSON Web Token (JWT) with a smart card or HSM - connect2id

Security crumbles if hackers manage to get at secret or private keys. The best way to protect your key material is to keep it inaccessible from software, so if the application or the OS gets compromised the keys cannot be extracted. Smart cards and hardware security modules (HSM) provide just that — a dedicated external device for storing keys and performing the actual crypto operations with them.

13 November 2016

Using the Nitrokey HSM with GnuTLS applications - nmav's Blog

The Nitrokey HSM is an open hardware security module, in the form of a smart card token, which is used to isolate a server's private key from the application. That is, if you have an HTTPS server, such a hardware security module will prevent an attacker which temporarily obtained privileged access on the server (e.g., via an exploit like heartbleed), from copying the server's private key, allowing for impersonating it.

10 November 2016

Nitrokey and Netknights combine their expertise - LANline

The two companies Nitrokey and Netknights are jointly bringing to market a complete solution for trustworthy two-factor authentication in enterprises. It consists of the Nitrokey USB key, which can be initialized and managed with the multi-factor authentication system Privacy Idea. The joint solution is to be published as open source and as open hardware respectively.

21 September 2016

Setting up the Nitrokey Pro – generating the keys – Blog

In a previous article I introduced the Nitrokey Pro. Little by little I have used it for more and more purposes. I would like to summarize the experience I gathered along the way in a series of articles, to spare others several hours of despair and repeatedly setting up their keys from scratch.

14 August 2016

Nitrokey Start: Getting started guide (gnuk openpgp token) -

The Nitrokey Start is an OpenPGP USB token. It supports three 2048 bit GPG keys and is based on gnuk version 1.0.4. Gnuk is an implementation of USB cryptographic token for GPG. A cryptographic token is a store of private keys and it computes cryptographic functions on the device. The main difference with other GPG cards like the Nitrokey Pro, Yubikey or the OpenPGP card is that this device does not use a smartcard. Whereas the other devices are basically USB smartcard readers, the Nitrokey Start has everything in its firmware. Therefore it is a very cheap device ($29) and a great choice if you want token based GPG security but don't want to spend much on an expensive other key.

01 August 2016

Nitrokey HSM/SmartCard-HSM and Raspberry Pi web cluster -

This article sets up a Nitrokey HSM/SmartCard-HSM web cluster and has a lot of benchmarks. This specific HSM is not a fast HSM since it's very inexpensive and targeted at secure key storage, not performance. But, what if you do want more performance? Then you scale horizontally, just add some more HSM's and a loadbalancer in front.

27 July 2016

One-time passwords and GnuPG with Nitrokey -

A few years ago, the hardware vendor Yubico made a bit of a splash when it introduced its YubiKey line of inexpensive hardware security tokens powered by open-source software. With its most recent product release, however, Yubico has dropped open source and started deploying only proprietary software in its devices. Consequently, many community members have started looking for a viable replacement that will adhere to open-source principles. At present, one of the leading contenders for Yubico's departed customers is Nitrokey, which manufactures a line of hardware tokens capable of generating one-time passwords (OTPs), storing and using OpenPGP keys, and several other features. The devices made by Nitrokey run open-source software and are open hardware as well.

17 July 2016

Storing arbitrary data in the Nitrokey HSM/SmartCard-HSM with Elementary Files (EF) -

This is a guide which shows you how to write small elementary files to a Nitrokey HSM. This can be useful if you want to securely store data protected by a user pin. You can enter the wrong pin only three times, so offline brute forcing is out of the picture.

15 July 2016

Use the Nitrokey HSM or SmartCard-HSM with sc-hsm-embedded, mod_nss and Apache (read only module) -

This is a guide on using the Nitrokey HSM with sc-hsm-embedded module instead of the PC/SC daemon and OpenSC, mod_nss and the Apache webserver. This is an extension on the earlier guide, with new benchmarks. The sc-hsm-embedded module is not using a global lock like OpenSC, therefore providing better performance. The sc-hsm-embedded module is also a read only module, suitable for embedded systems. Read only also makes it more secure when deployed, even when the user pin leaks out an attacker cannot create new keypairs or delete the current ones.

13 July 2016

Decrypt/Extract Nitrokey HSM/SmartCard-HSM RSA private keys -

This is a guide which shows you how to extract private RSA key material from the Nitrokey HSM / SmartCard-HSM using the DKEK. This way you can get the private key out of the HSM in an unencrypted form. It does require access to the HSM device, all the DKEK shares and their passwords. Do note that doing this defeats the entire purpose of a HSM, namely that you never have access to the keys. In the article I'll go over some explanation why this might be a feature you need and why it might be a case of security over convenience.

21 June 2016

Use the Nitrokey HSM or SmartCard-HSM with mod_nss and Apache -

This is a guide on using the Nitrokey HSM with mod_nss and the Apache webserver. The HSM allows you to store the private key for a SSL certificate inside the HSM (instead of on the filesystem), so that it can never leave the device and thus never be stolen.

The guide covers the installation and configuration of mod_nss, coupling the HSM to NSS, generating the keys and configuring Apache, and last but not least we also do some benchmarks on Apache with the HSM and different key sizes.

19 June 2016

Get started with the Nitrokey HSM or SmartCard-HSM -

This is a guide to get started with the Nitrokey HSM (or SmartCard-HSM). It covers what a HSM is and what it can be used for. It also goes over software installation and initializing the device including backups of the device and keys. Finally we do some actual crypto operations via pkcs11, OpenSSH, Apache and OpenSSL. We also cover usage in Thunderbird (S/MIME), Elementary Files (EF), a Web cluster with Apache and mod_nss and the decryption of the keys.

29 April 2016

Crypto multitool - c't Magazin für Computer Technik

The NitroKey Pro is essentially a smart card in the form of a USB stick. In combination with standard tools such as OpenPGP, the stick helps to encrypt and sign data. It also handles two-factor authentication with one-time passwords (OTP), which can be used, for example, to secure access to web services.

14 April 2016

Certificate Services and Hardware Security Modules - Blog of Chris Petit

Many deployments of Active Directory Certificate Services are never set up with a Hardware Security Module (HSM). Now this does not have to be a problem depending on the use of the issued certificates. In some deployments however it can be a serious security risk not to incorporate a HSM into the design.

26 March 2016

Nitrokey HSM EC setup -

Hardware security modules are physical devices that manage keys. Generally, the rule is that they let you use the keys for operations (e.g. signing) given correct authentication, but don’t let you extract the raw key material. This means that if you’re holding the HSM, you know that no one else is currently abusing your key (though they may have done so in the past).

01 March 2016

Securing GnuPG keys on a Nitrokey Pro - Blog of Søren Poulsen

A GnuPG key should always be secured with a passphrase, but if you want to secure it further, then one popular option is to move it off the hard drive, onto a USB device with OpenPGP Card support such as the Nitrokey Pro.

29 February 2016

Nitrokey – Security to go - Blog

The Nitrokey is the product of an open-source project that has set itself the task of keeping passwords and cryptographic keys safe.

For secure transmission of data on the Internet, the confidentiality of the private key is indispensable. Yet in times of state trojans ("Bundestrojaner") and ever more insidious criminals, it is precisely this key that is increasingly coming under pressure. The same goes for passwords, which far too often lie somewhere on the hard drive in plaintext, just waiting to be grabbed by intruders.

19 February 2016

Crypto stick encrypts mail and data - c't Magazin für Computer Technik

The Nitrokey Pro is a smart card for various encryption tasks in a handy USB-stick format. It can be used, for example, for mail encryption with GnuPG or to encrypt data with TrueCrypt. The secret cryptographic keys always remain in the smart-card chip inside the stick, where they are supposed to be safe from trojans. In addition, the Nitrokey generates one-time passwords for two-factor authentication (OTP) and works as an encrypted password safe.

01 January 2016

Resolution for 2016: moving passwords onto hardware - Blog of Hagen Bauer

For quite some time I have been wrestling with securing my passwords using a smart card or a USB stick. It is inconvenient and I expect a long, steep learning curve, but this year I will face this bear.

28 December 2015

Nitrokey Storage: USB Security Key for Encryption - Blog of erAck

I rarely advertise any products, and even though this is not physically available yet: get your USB Nitrokey Storage at Indiegogo until tomorrow. Realized with Open Hardware and Free Software it will enable secure logins, encryption, backups, ... Further information is available at the Nitrokey web site.

27 December 2015

ZDF news program 'Heute' on the Nitrokey

As part of a report on the Chaos Computer Club's hacker congress 32c3, the news program ZDF Heute also reports on the Nitrokey, which secures systems as a "digital front-door key". The report explains that the software behind it is open source and why this matters for being able to verify its security.

23 December 2015

How to secure your Linux environment with Nitrokey USB smart card - Xmodulo

With the mounting online security risks, simple one-step security no longer suffices, and people resort to multiple layers of security to thwart increasingly sophisticated attacks on their digital assets and online privacy. An advanced form of security defense often employed in financial sectors and other corporate environments is hardware-based protection, where a tamper-proof physical security key (also known as "security token" or "hardware token") acts as a protection layer for secret software keys or login credentials.

22 May 2015

The 17 hottest tech startups in Germany - Business Insider

Germany's thriving startup scene is one of the most unique in Europe.

The capital Berlin is home to a mixture of hackers, privacy experts, scientists, and video companies that are making waves in the tech scene.

Here are some underground companies as well as more established names that are worth watching. 

10 February 2015

Signing RPMs using the Nitrokey hardware security module (HSM) - CloudRouter

In order to ensure maximum security for our community, we are using a dedicated signing server with a hardware security module (HSM) that is not connected to the Internet. This drastically reduces the risk of a remote attacker compromising the CloudRouter Project key and attempting to sign malicious packages as legitimate components. [...] A huge variety of HSMs are available. We went with Nitrokey as it had several key benefits

18 January 2015

Nitrokey, a thumbdrive to encrypt data, emails and logins - Blog of hacker10

Nitrokey is a physical USB thumbdrive developed in Germany to encrypt email with OpenPGP, GnuPG or S/MIME, use One Time Passwords, encrypt your computer hard drive files, manage digital certificates and act as a double authentication token with websites that have adopted the Universal 2nd Factor U2F standard supported by Google services, OpenSSH and WordPress. The hardware design and software code of this encryption thumbdrive has been made open source to allow the review of their security and for developers to be able to integrate their own applications.

13 February 2013

Using CryptoStick as an HSM - Mozilla Blog of Guillaume Destuynder

Mozilla maintains a wide range of services which are secured using different solutions.  For internal repositories, our Operations Security team has chosen to use the low-cost, open source and open hardware CryptoStick from the German Privacy Foundation.
An HSM is a Hardware Security Module. It’s a hardware card, stick, device able to perform crypto operations. In general, it stores private keys which are used to sign, encrypt or authenticate. The key itself never leaves the hardware, thus attackers cannot steal the key (i.e., if the hardware is disconnected, the key cannot be used anymore.)

02 February 2011

CeBIT Open Source 2011 - Project Presentation Crypto Stick - Linux-Pro-Magazine

During CeBIT 2011 open source projects such as Crypto Stick, a USB stick developed to allow easy and highly secure encryption of emails and more, will have the opportunity to showcase what is currently in active development.

01 December 2010

The crypto USB stick developed with open-source methods - Linux-Magazin

Open-source hardware is no gimmick, as a USB stick from the German Privacy Foundation shows. Up to three users can store their GPG keys and RSA and PKCS#11 certificates on it and authenticate with Linux and Windows for e-mail, browsers or SSH.