GnuPG is required for many use cases. It is a command line tool but usually you don't need to invoke it directly but use another application with user interface.
Don't use GnuPG in parallel with OpenSC or another PKCS#11 driver because both may interfere and unexpected issues may result.
If you want to use S/MIME email encryption with Thunderbird, to use TrueCrypt/VeraCrypt, certificate-based SSL authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software, you should install OpenSC.
Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine. If you want to use Nitrokey with both GnuPG and PKCS#11, generate the keys with GnuPG.
Don't use PKCS#11 in parallel with GnuPG because both may interfere and unexpected issues may result. (There is another promising project scd-pkcs11 in development which may overcome this limitation eventually. Currently it's limit to the authentication certificate and not widely tested yet.)
Instructions, how to create a valid X.509 certificate with Nitrokey (1, 2, 3). These are general instructions how to use X.509 certificates.
The recommended PKCS#11 driver is OpenSC. Alternatively, you could use Peter Koch's PKCS#11 driver which has the following limitations:
This Mini Driver allows to integrate Nitrokey with Window's certificate store. Subsequently all applications which use this certificate storage can be used with Nitrokey (e.g. Internet Explorer, Google Chrome web browser, Windows Login). To install the driver, you may need to allow the installation of unsigned drivers first.
All applications of Aloaha are working with the Nitrokey. This includes a middleware to integrate Nitrokey with other PKCS#11 based applications and with Windows as well as applications to encrypt and sign PDFs and the hard disk.
GnuPG is required in many use cases to initialize and use the Nitrokey. It is a command line tool but usually you don't need to invoke it directly.
Instruction how to use Nitrokey with GnuPG (command line). Please note: The Fellowship smart card is similar to the Nitrokey Pro so that this instructions work Nitrokey as well. In general the official documentation is recommendable.
If you want to use S/MIME email encryption with Thunderbird, to use TrueCrypt/VeraCrypt, certificate-based SSL authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software, you should install OpenSC.
Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine. If you want to use Nitrokey with both GnuPG and PKCS#11, generate the keys with GnuPG.
Don't use PKCS#11 in parallel with GnuPG because both may interfere and unexpected issues may result. (There is another promising project scd-pkcs11 in development which may overcome this limitation eventually. Currently it's limit to the authentication certificate and not widely tested yet.)
Instructions, how to create a valid X.509 certificate with Nitrokey (1, 2, 3). These are general instructions how to use X.509 certificates.
The recommended PKCS#11 driver is OpenSC. Alternatively, you could use Peter Koch's PKCS#11 driver which has the following limitations:
P11-glue uses PKCS#11 as glue between crypto libraries and security applications on the open source desktop.
GnuPG is required in many use cases to initialize and use the Nitrokey. It is a command line tool but usually you don't need to invoke it directly.
Instruction how to use Nitrokey with GnuPG (command line). Please note: The Fellowship smart card is similar to the Nitrokey Pro so that this instructions work Nitrokey as well. In general the official documentation is recommendable.
If you want to use S/MIME email encryption with Thunderbird, to use TrueCrypt/VeraCrypt, certificate-based SSL authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software, you should install OpenSC.
Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine. If you want to use Nitrokey with both GnuPG and PKCS#11, generate the keys with GnuPG.
Don't use PKCS#11 in parallel with GnuPG because both may interfere and unexpected issues may result. (There is another promising project scd-pkcs11 in development which may overcome this limitation eventually. Currently it's limit to the authentication certificate and not widely tested yet.)
Instructions, how to create a valid X.509 certificate with Nitrokey (1, 2, 3). These are general instructions how to use X.509 certificates.
To access Nitrokey devices read-only, download and install this Mini Driver (CSP). If you are using Windows Server you may need to disable the driver signature verification before being able to install the driver. Note that the Mini Driver for Nitrokey Pro may not work yet for write mode.
There exist different ways to use a Nitrokey to logon on Windows:
Select your use case:
You have two options: pam_p11 or Poldi.
Poldi 0.4.1 works flawlessly with Nitrokey for PAM authentication. Besides the installation of poldi (e.g. 'sudo apt-get install libpam-poldi' on Ubuntu) the following steps are needed to get it working.
It is necessary to already have keys generated on the Nitrokey, as the authentication key is used by PAM.
At first you need to find out the "Application ID" of your Nitrokey. You can use "gpg --card-status | grep Application" to find out what's yours. It looks like 'D00600012401020000000000xxxxxxxx' or similiar. Now you have to add a line to /etc/poldi/localdb/users which contains the following information
This could look like 'D00600012401020000000000xxxxxxxx nitrokeyuser'. Now dump the public key from the Nitrokey into poldi local db:
sudo sh -c 'gpg-connect-agent "/datafile /etc/poldi/localdb/keys/<YourApplicationID>" "SCD READKEY --advanced OPENPGP.3" /bye'
Please be aware that you have to insert your Application ID in the line above with the one of your stick!
Then you have to configure PAM. Just add "auth sufficient pam_poldi.so" to pam configuration files according to your needs:
Note: Pam is dangerous to play around with, so make sure you have a way of accessing the machine if you break authentication completely. Remember that booting into rescue mode from Grub requires a root password, so keep that or a live CD which can read your filesystems to hand.
Here you find further instructions (in German, partially outdated).
If you get an error similar to 'ERR 100663414 Invalid ID <SCD>' you should try instead
poldi-ctrl -k > <YourApplicationID>; sudo mv <YourApplicationID> /etc/poldi/localdb/keys
Please be aware that you have to insert your Application ID in the line above with the one of your stick!
One-Time-Passwords (OTP) are used for secure login to websites and local applications.
Two OTP modes exist:
To use One-Time-Passwords with your Nitrokey Pro or Nitrokey Storage, you need to download and install the latest Nitrokey App.
Prior of using the encrypted mobile storage you need to install and initialize the Nitrokey Storage and download the latest Nitrokey App.
The Nitrokey Storage is able to create hidden volumes as well. Please have a look at the corresponding instructions for hidden volumes.
Hidden volumes allow to hide data in the encrypted volume. The data is protected with an additional password. Without the password the data existence's can't be proven. Hidden volumes are not setup by default so that their existence can be denied plausibly. The concept is similar to VeraCrypt's/TrueCrypt's hidden volume but with Nitrokey Storage the entire functionality of hidden volumes is implemented in hardware.
You can configure up to four hidden volumes. Once unlocked, hidden volumes behave like ordinary storage where you can create various partitions, filesystems and store files as you like.
If you decide to configure Hidden Volumes, you can not use the encrypted storage anymore. Because the Hidden Volume is situated on the free space of the encrypted storage, there is the potential of overwriting data in the Hidden Volume. You can say, even the encrypted storage "does not know" that there is a hidden volumes. The general structure is shown in the diagram below. Therefore, please do not write anything in the encrypted storage after creating a hidden volume (you have to unlock it first though).
Configure Hidden Volumes:
In case you use two or more hidden volumes, note that their storage area must not overlap. Otherwise they would override and destroy each other's data. Each hidden volume would require a different password.
Usage of Hidden Volumes:
It is possible to use the Nitrokey on an Android devices in combination with OpenKeychain. This enables one to encrypt/decrypt E-Mails or files via OpenPGP.
Cotech provides Android software with commercial support. Please have a look there, if you like. The following instructions are based on OpenKeychain.
Tested with Nitrokey Start, Pro and Storage in combination with Android 7.1, OpenKeychain 4.5 and K9Mail 5.207.
To import the keys of the Nitrokey you should at first start the OpenKeychain app. Then insert the Nitrokey with the USB OTG cable. OpenKeychain starts a dialog to use the Nitrokey (you may have to accept the usage of the key with OpenKeychain first). Now you can choose between looking for public key on a keyserver or choosing the public key from storage. After the public key got imported you have to tap on 'connect key' to import a reference to the private key of the Nitrokey. That’s basically it.
In the case that no there are no keys on the Nitrokey yet, OpenKeychain will help with the creation of a new key pair instead.
You can use all functions of OpenKeychain and Apps which make use of OpenKeychain. Therefore you can just encrypt/decrypt messages or files by hand using the app directly or for example you combine K9Mail with OpenKeychain to decrypt your mails automatically. It is important to choose the right key in the K9Mail account settings first.
Note that you may have to enable the on-screen keyboard in the android settings to type the PIN as the system recognizes the Nitrokey as a physical keyboard and therefore tries to hide the on-screen keyboard. Go to 'Language and Input' > 'Current Keyboard' > 'Hardware show input method'.
Not yet possible.
There are instructions on gnupg.org about how to use a OpenPGP Card on a UbuntuPhone which should work for the Nitrokey Start, Pro and Storage.
Encrypt your email using the S/MIME industry standard available in all major e-mail clients.
The Nitrokey HSM has been tested to work with Mozilla Thunderbird and Microsoft Outlook. Other email clients with support for PKCS#11 or Microsoft CSP should work as well.
VeraCrypt is a free and Open Source disk encryption software for Windows, macOS, and GNU/Linux. It is the successor of TrueCrypt and thus recommended, although the following instructions should apply to TrueCrypt as well. Follow these steps to use the program with Nitrokey:
Security Consideration: Please note that VeraCrypt doesn't make use of the full security which Nitrokey (and smart cards in general) offer. Instead it stores a keyfile on the Nitrokey which theoretically could be stolen by a computer virus after the user enters the PIN.
Note: Aloaha Crypt is based on TrueCrypt/VeraCrypt but without the described security limitation.
Purism has created a simple script to add the Nitrokey/LibremKey as a way to unlock LUKS partitions (not tested by Nitrokey yet).
This project aims to ease the use of LUKS with the Nitrokey Pro or Storage based on the Password Safe (not tested by Nitrokey yet).
Prerequisite: Please ensure that you installed the device driver, changed the default PINs and generated or imported keys with GnuPG.
An easy to use encrypted file system is EncFS, which is based on FUSE. You may follow these steps to use it with very long passwords and Nitrokey:
Initialization
# Create a key file with random data: $ dd bs=64 count=1 if=/dev/urandom of=keyfile # Encrypt the key file and use the User-ID of your Nitrokey $ gpg --encrypt keyfile # Remove the key file in clear text: $ rm keyfile # you may want to use 'wipe' or 'shred' to securely delete the keyfile # Create mount point: $ mkdir ~/.cryptdir ~/cryptdir # Create the actual encryption folder $ gpg -d keyfile.gpg | encfs -S ~/.cryptdir ~/cryptdir # There may appears an error message about missing permission of fusermount # This message can be ignored # Unmount the new file system: $ fusermount -u ~/cryptdir
Usage
# Mount encrypted file system and enter PIN of Nitrokey: $ gpg -d keyfile.gpg | encfs -S ~/.cryptdir ~/cryptdir # After usage, unmount the file system: $ fusermount -u ~/cryptdir
eCryptfs is a file based transparent encryption file system for Linux which can be used with Nitrokey through a PKCS#11 driver. See these instructions. Alternatively, try ESOSI or follow these steps using OpenSC and OpenVPN:
Warning: This will delete existing keys on your Nitrokey!
# Import the certificate and key to the Nitrokey $ pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key user@example.com.p12 --format pkcs12 --auth-id 3 --verify-pin # Create the file ~/.ecryptfsrc.pkcs11: $ editor ~/.ecryptfsrc.pkcs11 # Enter this content: $ pkcs11-log-level=5 pkcs11-provider1,name=name,library=/usr/lib/opensc-pkcs11.so,cert-private=true $ openvpn --show-pkcs11-ids path to opensc-pkcs11 module Certificate DN: /description=Iv4IQpLO02Mnix9i/CN=user@example.com/emailAddress=user@example.com Serial: 066E04 Serialized id: ZeitControl/PKCS\x2315\x20emulated/000500000c7f/OpenPGP\x20card\x20\x28User\x20PIN\x29/03 # Copy the serialized id for later usage: $ ecryptfs-manager # This will show list option. Choose option "Add public key to keyring" # Choose pkcs11-helper # Enter the serialized ID of step 3 to PKCS#11 ID.
VeraCrypt is a free and Open Source disk encryption software for Windows, macOS, and GNU/Linux. It is the successor of TrueCrypt and thus recommended, although the following instructions should apply to TrueCrypt as well. Follow these steps to use the program with Nitrokey:
Security Consideration: Please note that VeraCrypt doesn't make use of the full security which Nitrokey (and smart cards in general) offer. Instead it stores a keyfile on the Nitrokey which theoretically could be stolen by a computer virus after the user enters the password.
Note: Aloaha Crypt is based on TrueCrypt/VeraCrypt but without the described security limitation. (Not tested with Nitrokey HSM!)
Starting with version 2.1, GnuPG has build-in but limited support for the Nitrokey HSM. Use the gpgsm tool to sign, verify, encrypt and decrypt files or S/MIME messaging using your Nitrokey HSM. Use a signature key on a Nitrokey HSM to sign documents using Acrobat Reader, Open Office / Libre Office or any other PDF reader supporting electronic signatures.
ECC HSM Encryptor is a small application to encrypt and decrypt files with a Nitrokey HSM.
Use the gpgsm tool to sign, verify, encrypt and decrypt files. Use a signature key on a Nitrokey to sign documents using Acrobat Reader, Open Office / Libre Office or any other PDF reader supporting electronic signatures.
The Gnu Privacy Assistant (GPA) recognizes Nitrokey out-of-the-box, has various features to manage keys and cards. It also allows file operations such as file encryption, decryption, signing.
SOPS is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP. You can find it on github.
Aloaha provides several applications to encrypt and sign PDFs. All of them, which allow smart card integration, work with Nitrokey. You can for example import key and certificate by using OpenSC or any other appropriate variant. After this Windows recognize your certificate and you can sign the document as it is shown in the screencast below.
GpgEx integrates smoothly into Windows Explorer to allow encryption and decryption of files. Install it as part of the GPG4Win package.
Before you start to use any of these applications with your Nitrokey, please ensure that you installed the device driver and initialized the device (e.g. generated keys).
Certificate-based login with TLS and web browser is a very secure authentication method but it is only used rarely. If you are unsure what this means, this approach is most likely not relevant for you.
This page refers to websites and applications which support certificate authentication, so that users don't need to enter username and password when login. For instance WebID is a great protocol which makes use of it. Certificate authentication can be used easily with the Nitrokey and also with any other certificate storages.
You need to install the PKCS#11 driver:
Now you are ready to access websites which provide certificate authentication.
Install this Mini Driver for Windows. Now you are ready to access websites which provide certificate authentication.
Under Windows, install this Mini Driver. Under Linux, follow these instructions. Now you are ready to access websites which provide certificate authentication.
WebID is a technology to enable secure and federated social websites. Here is a video (WebM, Ogg video, H.264) which demonstrates how to use Nitrokey to create a WebID profile and subsequently to use it in an Internet cafe in Singapore. Nitrokey protects against computer viruses which might otherwise steel the username and password.
| Web Site | Category |
|---|---|
| CAcert | community-based Certificate Authority |
| PrivaSphere | Secure messaging |
| HM Revenue & Customs | UK's tax administration |
| Application | Category |
|---|---|
| Roundcube (plugin) | Webmail |
| Drupal (WebID, Certificate login) | Content management system |
| Media Wiki (plugin) | Wiki |
| Joomla! | Content management system |
| Apache + mod_ssl | Web server |
| OpenSSH | SSH (remote secure shell) client and server |
| Wordpress (plugin) | Blog and CMS |
| Tivoli | System management framework |
| Globalscape EFT | managed file transfer (MFT) |
| Oracle Identity Manager | I&AM |
| Fuse Source | Middleware |
| Liferay | Blog |
| FusionForge | web-based project-management and collaboration software |
This website is a good read about strong authentication mechanisms, why client certificate authentication isn't popular and better alternatives at the horizon.
Protect access to sensitive information on your website with 2nd factor authentication.
Use a Nitrokey HSM as authentication token via the build-in device authentication PKI or use keys and certificates on a Nitrokey HSM for TLS/SSL client authentication.
The Nitrokey should already have PGP keys installed and the local GnuPG keyring should be aware of the keys, that is to say GPG4Win should be installed on the system (only the core application GnuPG is needed). Furthermore you should install PuTTY.
There are two steps needed to make PuTTY work. At first we need to enable PuTTY support of GnuPG. To achieve this we use the following command:
echo enable-putty-support >> AppData\Roaming\gnupg\gpg-agent.conf
Now we want to make sure, that the gpg-agent is starting automatically in the background (you can start it manually with the command below, if you prefer). We create a shortcut to gpg-connect-agent.exe. Press and hold the Windows-key and press 'R'. Type in "shell:startup" in the opening textfield (see picture below). The Windows-Explorer opens and you right-click on an empty space and choose "New" -> "Shortcut". Now you should insert the actual command and proceed:
"C:\Program Files (x86)\gnupg\bin\gpg-connect-agent.exe" /bye
Reboot your system to make sure the shortcut works. If everything is alright you now can use PuTTY as usual and PuTTY will make use of the Nitrokey automatically.
You can generate an authorized_keys file by running
"C:\Program Files (x86)\gnupg\bin\gpg.exe" --export-ssh-key keyID >> authorized_keys
where 'keyID' is either the fingerprint of your key or just the E-Mail address bind to your key. The Nitrokey must already be known to the local GnuPG keyring. You can now append that file to a remote server's authorized_keys and when you ssh to the server you'll be asked for a pin rather than a passphrase.
The Nitrokey should already have PGP keys installed and the local GnuPG keyring should know the keys.
unset SSH_AGENT_PID if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" fi
pkill gpg-agent and open a new commandline to make sure everything is setgpg2 --card-status on first usage to make sure the gpg-agent gets startedYou can generate an authorized_keys file by running either
gpgkey2ssh keyID >> ~/authorized_keys #(for GnuPG version <= 2.1.11) or gpg2 --export-ssh-key keyID >> ~/authorized_keys #(for newer GnuPG versions)
where
keyID
If you are still asked for a password please make sure that
echo $SSH_AUTH_SOCK
returns something reasonable like '/run/user/1000/gnupg/S.gpg-agent.ssh' or '/home/username/.gnupg/.S.gpg-agent.ssh'. Unfortunately there were some changes in GnuPG in the past so that the actual content can differ from system and GnuPG version. On some systems there may are even multiple folders in this variable saved. You have to adapt the above given code in .bashrc so that the variable SSH_AUTH_SOCK is correct. In doubt look for 'SSH_AUTH_SOCK' in
man gpg-agentto find the actual code for your version/system.
You may check if you have a 'pinentry' program installed via your package manager. You may need to set it in the gpg-agent.conf as well.
You may need to point gpg-agent to the correct TTY.
Protect your domain name resolution using DNSSEC and a Nitrokey HSM as secure key store. It's based on Smartcard-HSM which is why the following resource apply:
With it's unique build-in device authentication PKI, a Nitrokey HSM has a cryptographically protected unique identity that can be verified in a fast authentication protocol. An access control terminal can verify authenticity and identity of the device, create a secure communication channel and perform offline PIN verification. The coolPACS project has all the details.
See this link for further information.
Strong Swan could work using the PKCS#11 driver.
Stunnel works as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code.
CA keys are very sensitive and must not be compromised or lost.
Please see this PDF (p. 30) from heinlein-support.de for summarized instructions in German.
µ-CA-tool is a script based on GnuPG, OpenSC and OpenSSL which helps to perform basic tasks of a CA. It works with Nitrokey Pro and Nitrokey Storage.
CA keys are very sensitive and must not be compromised or lost.
Nitrokey HSM integrates well with industry solutions like EJBCA or XCA.
Please see this PDF (p. 30) from heinlein-support.de for summarized instructions in German.
µ-CA-tool is a script based on GnuPG, OpenSC and OpenSSL which helps to perform basic tasks of a CA. It works with Nitrokey Pro and Nitrokey Storage.
fladnag.net has published a four part instruction on how to use the HSM for a pki.
See this forum post and the video below.
You have the following options:
You can also follow this video (It contains a mistake around time 4:22 which is described later below).
sudo add-apt-repository ppa:jtaylor/keepass sudo apt-get update sudo apt-get install keepass2
sudo apt-get install mono-complete
Tested under Ubuntu 16.10, Nitrokey App v0.6.3 and Nitrokey Storage v0.45.
The Nitrokey FIDO U2F can be used with these browsers:
Open one of the websites supporting U2F. Login to the website and have a look at the settings for enabling two-factor authentication. Touch the Nitrokey FIDO U2F for registering it with your website account when requested to. After successfully configuring the device you need to touch your Nitrokey FIDO U2F for every login to this website.
If you can't find the settings for two-factor authentication, you may have a look at dongleauth.info. In most cases there is a link to the documentation of the supported webservice.
Note: Google only accepts the Chrome browser for registering the Nitrokey FIDO U2F. Logging in with the Nitrokey FIDO U2F works fine with Firefox though.
J.v.d.Bosch wrote a simple, free python program to secure the private key of a Bitcoin wallet in a HSM. See here for further information.
Using the HSM in an Ethereum PoA Chain.
The user comio created a systemd file to use scdrand and thus the TRNG more generally. He created a ebuild for Gentoo, too.
Nitrokey HSM can be used with Botan and TokenTools by using OpenSC as a PKCS#11 driver.
OpenSSL can't use Nitrokey HSM's RNG directly because engine-pkcs11 doesn't contain a mapping for OpenSSL to C_GenerateRandom.
To update the firmware of Nitrokey Storage please read these instructions.