Applications

Nitrokey can be used with a large variety of third-party applications. Basically every application which uses GnuPG, the Windows certificate store or a PKCS#11 interface can be used with the Nitrokey. This page gives an incomplete overview of the most popular applications and their usage.

Please send us your feedback or instructions if you successfully used the Nitrokey with applications not listed here.

  • General

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    GnuPG

    GnuPG is required for many use cases. It is a command line tool, but usually you don't need to invoke it directly; you use another application with a user interface instead.

    Don't use GnuPG in parallel with OpenSC or another PKCS#11 driver because both may interfere and unexpected issues may result.

    1. Install GPG4Win, which contains Gnu Privacy Assistant (GPA) and GnuPG (GPG).
    2. Start Gnu Privacy Assistant (GPA) or another application such as your email client to use GnuPG.
      Advanced users can use GnuPG directly on the command line. Please note: the Fellowship smart card is similar to the Nitrokey Pro, so those instructions work for the Nitrokey as well. In general, the official documentation is recommended.

    PKCS#11 Driver

    If you want to use S/MIME email encryption with Thunderbird, TrueCrypt/VeraCrypt, certificate-based SSL/TLS client authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL or any other PKCS#11-compatible software, install OpenSC.

    Note that a Nitrokey initialized with OpenSC (i.e. with a PKCS#15 structure) no longer works with GnuPG/OpenPGP, while keys generated with GnuPG can also be used through OpenSC's PKCS#11 module, which emulates PKCS#15 on top of the OpenPGP card. If you want to use the Nitrokey with both GnuPG and PKCS#11, generate the keys with GnuPG.

    Don't use PKCS#11 in parallel with GnuPG: both may interfere with each other and cause unexpected issues. (Another promising project, scd-pkcs11, is in development and may overcome this limitation eventually. Currently it is limited to the authentication certificate and not widely tested yet.)

    Instructions are available on how to create a valid X.509 certificate with the Nitrokey, as well as general instructions on how to use X.509 certificates.

    Alternative PKCS#11 Driver:

    The recommended PKCS#11 driver is OpenSC. Alternatively, you could use Peter Koch's PKCS#11 driver which has the following limitations:

    • No import of existing X.509 certificates (keys have to be generated on the Nitrokey instead).
    • The Linux version does not allow to generate keys.
    • Modification of the password/PIN under Linux is not possible.

    Windows Mini Driver

    This Mini Driver integrates the Nitrokey with the Windows certificate store. Subsequently, all applications which use this certificate store can be used with the Nitrokey (e.g. Internet Explorer, Google Chrome, Windows login). To install the driver, you may need to allow the installation of unsigned drivers first.

    Aloaha

    All applications of Aloaha work with the Nitrokey. This includes a middleware to integrate the Nitrokey with other PKCS#11-based applications and with Windows, as well as applications to encrypt and sign PDFs and the hard disk.

    p11-glue

    P11-glue uses PKCS#11 as glue between crypto libraries and security applications on the open source desktop.

    Articles in German

  • General

    For: Nitrokey HSM
    • OpenSC: Comprehensive instructions exist for OpenSC framework.
    • GnuPG: Nitrokey HSM is supported since GnuPG 2.1.
    • Embedded Systems: For systems with a minimal memory footprint, a read-only PKCS#11 module is provided by the sc-hsm-embedded project.
      This PKCS#11 module is useful for deployments where key generation at the user's workplace is not required. The PKCS#11 module also supports the major electronic signature cards available on the German market.
    • OpenSCDP: The SmartCard-HSM is fully integrated with OpenSCDP, the open smart card development platform. See the public support scripts for details.
  • Computer Login

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    To access Nitrokey devices read-only, download and install this Mini Driver (CSP). On Windows Server you may need to disable driver signature verification before the driver can be installed.

    To generate keys, create certificates and enroll Nitrokeys to your users, the following instructions, applicable for Nitrokey HSM, may be useful. Note that the Mini Driver for Nitrokey Pro may not work yet for write mode:

  • Computer Login

    For: Nitrokey HSM

  • Computer Login

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    Linux Login with PAM

    You have two options: pam_p11 or Poldi.

    Poldi 0.4.1 works flawlessly with the Nitrokey for PAM authentication. Besides installing Poldi (e.g. 'sudo apt-get install libpam-poldi' on Ubuntu), the following steps are needed to get it working.

    It is necessary to already have keys generated on the Nitrokey, as PAM uses the authentication key (OPENPGP.3).

    First you need to find out the "Application ID" of your Nitrokey. Use "gpg --card-status | grep Application" to find out yours. It looks like 'D00600012401020000000000xxxxxxxx' or similar. Now add a line to /etc/poldi/localdb/users which contains the following information:

    • <YourApplicationID> <YourUsername>

    This could look like 'D00600012401020000000000xxxxxxxx nitrokeyuser'. Now dump the public key from the Nitrokey into poldi local db:

    sudo sh -c 'gpg-connect-agent "/datafile /etc/poldi/localdb/keys/<YourApplicationID>" "SCD READKEY --advanced OPENPGP.3" /bye'

    Replace <YourApplicationID> in the line above with the Application ID of your stick!

    Then configure PAM by adding "auth sufficient pam_poldi.so" to the PAM configuration files you need:

    • /etc/pam.d/common-auth for graphical user login
    • /etc/pam.d/login for console login
    • /etc/pam.d/sudo for sudo authentication
    • /etc/pam.d/gnome-screensaver for login back from a locked screen
    • etc.

    Note: PAM is dangerous to play around with, so make sure you have a way of accessing the machine if you break authentication completely. Remember that booting into rescue mode from GRUB requires the root password, so keep that, or a live CD which can read your filesystems, to hand.

    Here you find further instructions (in German, partially outdated).

    Troubleshooting

    If you get an error similar to 'ERR 100663414 Invalid ID <SCD>', try this instead:

    poldi-ctrl -k > <YourApplicationID>; sudo mv <YourApplicationID> /etc/poldi/localdb/keys

    Replace <YourApplicationID> in the line above with the Application ID of your stick!
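    The enrolment described above, as an added shell example that is not part of the Nitrokey documentation: it reads the Application ID from gpg --card-status, refuses anything that is not 32 hex digits before using it as a file name under /etc/poldi, appends the users line, exports the authentication key (falling back to poldi-ctrl as in the troubleshooting note) and prepends the pam_poldi line to a PAM service file once. The database path and the key slot OPENPGP.3 are the ones used above; the card-status sample and the user name are constructed.

```shell
#!/bin/sh
# Added example, not part of the Nitrokey documentation: enrol a Nitrokey's OpenPGP
# authentication key (OPENPGP.3) into Poldi's local database and switch it on in PAM,
# automating the manual steps above. Assumes Poldi's default database under
# /etc/poldi/localdb and a card that already carries keys.

POLDI_DB=${POLDI_DB:-/etc/poldi/localdb}

# Constructed sample of `gpg --card-status` output (the ID is made up).
SAMPLE_CARD_STATUS='Reader ...........: Nitrokey Nitrokey Pro 00 00
Application ID ...: D2760001240102010005000012340000
Application type .: OpenPGP
Version ..........: 2.1'

# Print the 32-hex-digit Application ID from `gpg --card-status` text on stdin.
card_app_id() {
    sed -n 's/^Application ID[ .]*: *\([0-9A-Fa-f]\{32\}\).*/\1/p' | head -n 1
}

# Poldi key files are named after the ID, so never accept anything but 32 hex
# digits here: an unreadable card must not turn into an odd file name under /etc.
valid_app_id() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{32}$'
}

# The line Poldi expects in $POLDI_DB/users: "<application id> <username>".
poldi_user_line() {
    printf '%s %s\n' "$1" "$2"
}

# Prepend "auth sufficient pam_poldi.so" to a PAM service file, once. It goes first
# so the token is tried before the password modules; with "sufficient", a missing
# or failing token simply falls through to them instead of locking you out.
# The file is rewritten in place so its owner and mode are kept.
pam_enable_poldi() {
    f=$1
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_poldi\.so' "$f" && return 0
    { echo 'auth sufficient pam_poldi.so'; cat "$f"; } > "$f.tmp" \
        && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Enrol the plugged-in card for user $1. Run as root with the card inserted;
# not exercised by the checks below.
poldi_enrol() {
    user=$1
    id=$(gpg --card-status | card_app_id)
    valid_app_id "$id" || { echo "could not read an Application ID from the card" >&2; return 1; }
    grep -qs "^$id " "$POLDI_DB/users" || poldi_user_line "$id" "$user" >> "$POLDI_DB/users"
    # Export the public part of the authentication key in the S-expression form Poldi
    # reads. Rather than trusting the exit status, check that the key file is non-empty
    # and fall back to poldi-ctrl as in the troubleshooting note.
    gpg-connect-agent "/datafile $POLDI_DB/keys/$id" "SCD READKEY --advanced OPENPGP.3" /bye
    [ -s "$POLDI_DB/keys/$id" ] || poldi-ctrl -k > "$POLDI_DB/keys/$id"
}
```

    Source the file and run `poldi_enrol <username>` as root, then `pam_enable_poldi /etc/pam.d/sudo` (or whichever service file you chose) while a second root shell stays open, as the warning above advises.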

  • Web Login with One Time Passwords (OTP, 2FA)

    For: Nitrokey Pro, Nitrokey Storage

    One-Time-Passwords (OTP) are used for secure login to websites and local applications.

    Two OTP modes exist:

    • HMAC-based One-time Passwords (HOTP) are used for local applications and computer logins.
    • Time-based One-time Passwords (TOTP) are widely used for websites. If unsure, assume you need this mode.

    Initial Setup

    1. Download and install the latest Nitrokey App. Please verify that you really use the latest version.
    2. Change the default User PIN and Admin PIN to your own PINs: Start the Nitrokey App, press the tray icon and select "Configure > Change User PIN" and "Configure > Change Admin PIN".

    Configure a Website/Application to use OTP

    1. Log in to your website which supports two-factor authentication or one-time passwords compatible with Yubikey and Google Authenticator. Usually you find the option to enable two-factor authentication under your profile or settings. There you will get a base32 string (the secret). Copy this string to the clipboard.
    2. Start the Nitrokey App, press the tray icon and select "Configure > One Time Passwords".
    3. Enter your Admin PIN.
    4. Select either a TOTP (common for websites) or HOTP slot (common for applications) and enter the secret you copied from the website in step 1. Enter a name for the slot. The other options' default values can usually remain unchanged.

    Securely Login to Website/Application

    1. Start the Nitrokey App, press the tray icon and select the slot you configured previously from the menu.
    2. Confirm the dialog; the OTP is copied to the clipboard.
    3. Paste the OTP from the clipboard into the appropriate prompt/website.

    HMAC-based One-time Passwords - HOTP

    In addition to the usage described above, you can use HOTPs directly with a USB keyboard (internal laptop keyboards don't work) without using the Nitrokey App.

    1. Configuration: Start the Nitrokey App, press the tray icon and select "Configure > One Time Passwords". Go to the "General config" tab and select one of the available keys to trigger your HOTP on double-press.
    2. Usage:
      1. Point the cursor focus to the appropriate password prompt.
      2. Double press the key you configured above (e.g. caps-lock).
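    The computation behind both OTP modes, as an added example that is not part of the Nitrokey documentation or the Nitrokey App: HOTP and TOTP implemented in POSIX sh with openssl, decoding the base32 secret the website hands out in step 1 above. It lets you check what a configured slot should produce for a given secret, counter or point in time. The secret in the block is the RFC 4226/6238 test secret, not a real account's, and the script name otp.sh in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not Nitrokey's code: HOTP (RFC 4226) and TOTP (RFC 6238) from the
# base32 secret a website hands out at 2FA enrolment. This is the computation the
# Nitrokey's OTP slots do in hardware; here it is in POSIX sh plus openssl so you
# can check what a slot should produce. Secret and expected values come from the
# RFC test vectors, not from any real account.

# Decode a base32 secret (case-insensitive, spaces and '=' padding optional) to hex.
b32_to_hex() {
    alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
    s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d ' =')
    buf=0 bits=0 hex= i=1
    while [ "$i" -le "${#s}" ]; do
        c=$(printf '%s' "$s" | cut -c "$i")
        rest=${alphabet%%"$c"*}      # text before c in the alphabet: its length is c's value
        [ "${#rest}" -lt 32 ] || { echo "invalid base32 character: $c" >&2; return 1; }
        buf=$(( (buf << 5) | ${#rest} )); bits=$((bits + 5))
        if [ "$bits" -ge 8 ]; then   # a full byte is available: emit it, keep the remainder
            bits=$((bits - 8))
            hex="$hex$(printf '%02x' $(( (buf >> bits) & 255 )))"
            buf=$(( buf & ((1 << bits) - 1) ))
        fi
        i=$((i + 1))
    done
    printf '%s' "$hex"
}

# hotp HEXKEY COUNTER [DIGITS]: HMAC-SHA1 over the 8-byte big-endian counter,
# then dynamic truncation (RFC 4226 section 5.3).
hotp() {
    key=$1 counter=$2 digits=${3:-6}
    chex=$(printf '%016x' "$counter"); esc= i=1
    while [ "$i" -le 15 ]; do          # counter bytes as octal escapes for printf
        byte=$(printf '%s' "$chex" | cut -c "$i-$((i + 1))")
        esc="$esc\\$(printf '%03o' $(( 0x$byte )))"
        i=$((i + 2))
    done
    mac=$(printf "$esc" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key" | sed 's/.*= //')
    offset=$(( 0x$(printf '%s' "$mac" | cut -c 40) ))        # low nibble of the last byte
    start=$((offset * 2 + 1))
    code=$(( 0x$(printf '%s' "$mac" | cut -c "$start-$((start + 7))") & 0x7fffffff ))
    mod=1; n=0
    while [ "$n" -lt "$digits" ]; do mod=$((mod * 10)); n=$((n + 1)); done
    printf "%0${digits}d\n" $((code % mod))
}

# totp HEXKEY [UNIXTIME] [DIGITS] [PERIOD]: HOTP with the 30 s time step as counter.
totp() {
    hotp "$1" $(( ${2:-$(date +%s)} / ${4:-30} )) "${3:-6}"
}

# Shared test secret of RFC 4226 and RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ

# When run as a script:  sh otp.sh totp <base32 secret>   or   sh otp.sh hotp <base32 secret> <counter>
case ${1:-} in
    hotp) hotp "$(b32_to_hex "$2")" "$3" ;;
    totp) totp "$(b32_to_hex "$2")" ;;
esac
```

    Compare the output with the code the Nitrokey App shows for the same slot: for TOTP both depend on the current time, so a code that matches the script but is rejected by the website is a question of the secret or the website's time window, not of the device.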

    Specific instructions

    For Google login see here.

  • Encrypted Mobile Storage

    For: Nitrokey Storage

    Before using the encrypted mobile storage you need to install and initialize the Nitrokey Storage and download the latest Nitrokey App.

    1. Start the Nitrokey App.
    2. Press its tray icon and select "unlock encrypted volume" in the menu.
    3. Enter your User PIN in the popup window that appears.
    4. If this is the first time you may need to create a partition on the encrypted volume. Windows will open an appropriate window and ask you to do so. On Linux and Mac you may need to open a partition manager and create a partition manually. You can create as many partitions as you want. We recommend FAT(32) if you want to access the partition from various operating systems.
    5. Now you can use the encrypted volume as you would use any other ordinary USB drive. But all data stored on it will be encrypted in the Nitrokey hardware automatically.
    6. To remove or lock the encrypted volume you should unmount/eject it first.
    7. Afterwards you can disconnect the Nitrokey or select "lock encrypted volume" from the Nitrokey App menu.

    The Nitrokey Storage is able to create hidden volumes as well. Please have a look at the corresponding instructions for hidden volumes.

  • Smartphone Usage

    For: Nitrokey Pro, Nitrokey Storage

    Android

    It is possible to use the OpenPGP smart card of the Nitrokey on an Android device in combination with OpenKeychain. This enables you to encrypt/decrypt emails or files.

    Tested with Nitrokey Pro and Storage in combination with Android 7.1, OpenKeychain 4.5 and K9Mail 5.207. Please be aware that this is not supported officially yet. One user reported problems with this setup.

    Prerequisites

    • Android phone which is capable of USB OTG
    • USB OTG cable to connect the Nitrokey with your phone
    • OpenKeychain installed on Device
    • Public key saved on the device or uploaded on a keyserver

    First steps

    To import the keys of the Nitrokey, first start the OpenKeychain app, then connect the Nitrokey with the USB OTG cable. OpenKeychain opens a dialog to use the Nitrokey (you may have to accept the usage of the key with OpenKeychain first). Now you can choose between looking for the public key on a keyserver or choosing the public key from storage. After the public key is imported, tap 'connect key' to import a reference to the private key on the Nitrokey. That's basically it.

    If there are no keys on the Nitrokey yet, OpenKeychain will help with the creation of a new key pair instead.

    Usage

    You can use all functions of OpenKeychain and of apps which make use of OpenKeychain. You can encrypt/decrypt messages or files by hand using the app directly, or, for example, combine K9Mail with OpenKeychain to decrypt your mails automatically. It is important to choose the right key in the K9Mail account settings first.

    Note that you may have to enable the on-screen keyboard in the Android settings to type the PIN, as the system recognizes the Nitrokey as a physical keyboard and therefore hides the on-screen keyboard. Go to 'Language and Input' > 'Current Keyboard' > 'Hardware: show input method'.

    iPhone

    Not yet possible.

    UbuntuPhone

    There are instructions on gnupg.org about how to use an OpenPGP card on an Ubuntu Phone, which should work for the Nitrokey Start, Pro and Storage.

  • Hidden Volumes

    For: Nitrokey Storage

    Hidden volumes allow you to hide data in the encrypted volume. The data is protected with an additional password. Without the password, the existence of the data can't be proven. Hidden volumes are not set up by default, so that their existence can be denied plausibly. The concept is similar to VeraCrypt's/TrueCrypt's hidden volume, but with the Nitrokey Storage the entire functionality of hidden volumes is implemented in hardware.

    You can configure up to four hidden volumes. Once unlocked, hidden volumes behave like ordinary storage where you can create various partitions, filesystems and store files as you like.

    Once you configure hidden volumes, you can no longer use the encrypted volume for new data. A hidden volume lives in the free space of the encrypted volume, and the encrypted volume "does not know" that it is there, so writing to the encrypted volume can overwrite data in the hidden volume. The general structure is shown in the diagram below. Therefore, please do not write anything to the encrypted volume after creating a hidden volume (you still have to unlock it first to reach the hidden volume).

    Hidden volumes are like containers inside of a container, the encrypted volume.

    Configure Hidden Volumes:

    1. Unlock encrypted volume from the Nitrokey App menu.
    2. Select "setup hidden volume".
    3. Now you need to enter a new password twice to protect your hidden volume. The password strength is indicated below.

      Note: PINs can only be tried three times, which is why they can be short. Passwords such as those used for hidden volumes can potentially be attacked without limit, which is why they need to be sufficiently strong.
       
    4. Next you need to define the storage area being used. Hidden volumes are stored in the empty space of the encrypted volume. This is a critical choice because it could destroy data on the (not hidden) encrypted volume and reveal the existence of the hidden volume.
      1. You should use one FAT32 partition on your encrypted volume, as journaling filesystems, especially NTFS, may destroy the data.
      2. Copy some files to the encrypted volume prior to creating the hidden volume. Once you have configured a hidden volume, you shouldn't add or change files on the encrypted volume anymore.
      3. Identify the storage space your files consume on the encrypted volume. For example: 10%
      4. The hidden volume should start after your files on the encrypted volume. For example: 10% files + 10% buffer = 20%
      5. The hidden volume should end some distance before the end of the storage. For example: 90%

    If you use two or more hidden volumes, note that their storage areas must not overlap. Otherwise they would overwrite and destroy each other's data. Each hidden volume requires a different password.

    Usage of Hidden Volumes:

    1. Select "unlock encrypted volume" and enter your User PIN.
    2. Select "unlock hidden volume" and enter any of the hidden volume's passwords.
    3. If this is the first time you may need to create a partition on the hidden volume. Windows will open an appropriate window and ask you to do so. On Linux and Mac OS you may need to open a partition manager and create a partition manually. You can create as many partitions as you want. We recommend FAT(32) if you want to access the partition from various operating systems.
    4. Make sure to unmount/eject all partitions on the hidden volumes before locking or disconnecting the Nitrokey.

    Also see older but comprehensive Nitrokey Storage manual.

  • Email Encryption

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    Note: Two different email encryption formats exist:

    • OpenPGP / GnuPG is popular among individuals.
    • S/MIME / X.509 is mostly used by enterprises.

    If unsure which format to use, choose OpenPGP.

     

    Mozilla Thunderbird with OpenPGP

    Thunderbird is a popular and open source email client. The add-on Enigmail provides OpenPGP email encryption functionality.

    1. Download and install GPG4Win and Thunderbird.
    2. Download and install Enigmail (instructions).
    3. If you didn't do so already, change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices. (instructions)
    4. Generate new keys or import your existing RSA keys. (instructions)
      Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).

     

    Mozilla Thunderbird with S/MIME

    Thunderbird is a popular and open source email client which can encrypt emails in S/MIME format out-of-the-box.

    1. Download the PKCS#11 driver and configure it in Thunderbird.

     

    GNOME Evolution with OpenPGP or S/MIME

    Evolution is the email client of GNOME which supports OpenPGP- and S/MIME-based email encryption.

     

    Microsoft Outlook with OpenPGP or S/MIME

    OpenPGP:

    • GPG4Win contains the Outlook plugin GpgOL which enables its usage with GnuPG and with Nitrokey (untested).
    • Alternatively you may want to try the new Outlook Privacy Plugin.

    S/MIME:

    • To use S/MIME, install the MiniDriver.

     

    Claws Mail with OpenPGP or S/MIME

    Claws Mail is an email client (and news reader) for Linux and Windows, based on GTK+, with focus on quick response.

     

    Mutt with OpenPGP

    Please have a look at these instructions for using Mutt with OpenPGP. For usage with the Nitrokey this note should help (reported by a user).

  • Email Encryption

    For: Nitrokey HSM

    Encrypt your e-mail using the S/MIME industry standard available in all major e-mail clients.

    The Nitrokey HSM has been tested to work with Mozilla Thunderbird and Microsoft Outlook. Other e-mail clients with support for PKCS#11 or Microsoft CSP should work as well.

  • Instant Messenger

    Pidgin (plugin), Gajim, Psi and KDE's Kopete (plugin) are instant messenger clients for Jabber/XMPP which can encrypt messages with GnuPG and the Nitrokey (untested).

  • Hard Disk Encryption

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    VeraCrypt (formerly TrueCrypt)

    VeraCrypt is a free and Open Source disk encryption software for Windows, macOS, and GNU/Linux. It is the successor of TrueCrypt and thus recommended, although the following instructions should apply to TrueCrypt as well. Follow these steps to use the program with Nitrokey:

    1. Install OpenSC or download the PKCS#11 library.
    2. Choose the library in VeraCrypt under Settings > Preferences > Security Token (the location depends on your system, e.g. /usr/lib/opensc).
    3. Generate a 64-byte key file via Tools > Keyfile Generator.
    4. Now you should be able to import the generated key file via Tools > Manage Security Token Keyfiles. Choose the first slot ([0] User PIN). The keyfile is then stored on the Nitrokey as 'Private Data Object 1' (PrivDO1).
    5. Afterwards, securely wipe the original keyfile on your computer!
    6. Now you can use VeraCrypt with the Nitrokey: create a container and choose the keyfile on the device as an alternative to a password.

    Security consideration: VeraCrypt doesn't make use of the full security which the Nitrokey (and smart cards in general) offer. Instead it stores a keyfile on the Nitrokey, which is read out to the computer after the user enters the PIN and could therefore be stolen by malware running on that computer. A private key on the card, by contrast, never leaves it.

    Note: Aloaha Crypt is based on TrueCrypt/VeraCrypt but without the described security limitation.

     

    Hard Disk Encryption on Linux, Based on LUKS/dm-crypt

    Excellent instructions exist on how to use the Nitrokey to encrypt your hard disk under Linux with LUKS/dm-crypt; other instructions are available as well.

    There is a project on GitHub which aims to ease the use of LUKS with the Nitrokey Pro or Storage based on the password safe (not tested by Nitrokey yet).

    Storage Encryption on Linux, Based on EncFS

    Prerequisite: Please ensure that you installed the device driver, changed the default PINs and generated or imported keys.

    An easy to use encrypted file system is EncFS, which is based on FUSE. You may follow these steps to use it with very long passwords and Nitrokey:

    Initialization

    # Enter a long passphrase into a key file:
    $ echo "Your long secret passphrase" > keyfile

    # Encrypt the key file to your own OpenPGP key, i.e. the one on the Nitrokey:
    $ gpg -e -r "<your key ID>" keyfile

    # Remove the key file in clear text (only the encrypted keyfile.gpg remains):
    $ rm keyfile

    # Create the backing directory and the mount point:
    $ mkdir ~/.cryptdir.encfs ~/cryptdir

    # Select paranoia mode and enter "Your long secret passphrase" as password:
    $ encfs ~/.cryptdir.encfs ~/cryptdir

    # Unmount the new file system:
    $ fusermount -u ~/cryptdir

    Usage

    # Mount the encrypted file system; gpg asks for the Nitrokey's User PIN and hands the passphrase to encfs via stdin:
    $ gpg -d keyfile.gpg | encfs -S ~/.cryptdir.encfs ~/cryptdir

    # After usage, unmount the file system:
    $ fusermount -u ~/cryptdir

     

    Storage Encryption on Linux, Based on ECryptFS

    eCryptfs is a file-based transparent encryption file system for Linux which can be used with the Nitrokey through a PKCS#11 driver. See these instructions. Alternatively, try ESOSI or follow these steps using OpenSC and OpenVPN (OpenVPN is only used to list the certificate IDs on the token):

    Warning: This will delete existing keys on your Nitrokey!

    # Import the certificate and key to the Nitrokey:
    $ pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key user@example.com.p12 --format pkcs12 --auth-id 3 --verify-pin

    # Create the file ~/.ecryptfsrc.pkcs11 with the following content (the library path depends on your distribution):
    pkcs11-log-level=5
    pkcs11-provider1,name=name,library=/usr/lib/opensc-pkcs11.so,cert-private=true

    # List the certificates on the token with OpenVPN, passing the same module path:
    $ openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so
    Certificate
        DN: /description=Iv4IQpLO02Mnix9i/CN=user@example.com/emailAddress=user@example.com
        Serial: 066E04
        Serialized id: ZeitControl/PKCS\x2315\x20emulated/000500000c7f/OpenPGP\x20card\x20\x28User\x20PIN\x29/03

    # Copy the serialized id, then register the key with eCryptfs:
    $ ecryptfs-manager
    # This shows a list of options. Choose "Add public key to keyring", then "pkcs11-helper",
    # and enter the serialized id from the openvpn output above as the PKCS#11 ID.
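    The same setup as an added shell example, not part of the Nitrokey documentation: it locates OpenSC's PKCS#11 module, writes ~/.ecryptfsrc.pkcs11 with restrictive permissions, and picks the serialized id out of the openvpn output so it does not have to be copied by hand. The module search paths and the provider name "nitrokey" are assumptions; the option set is the one used above, and the openvpn output in the block is a constructed sample in the same shape.

```shell
#!/bin/sh
# Added example, not part of the Nitrokey documentation: prepare ~/.ecryptfsrc.pkcs11
# and pick the token's serialized id out of `openvpn --show-pkcs11-ids` output
# instead of copying it by hand. Assumes OpenSC's PKCS#11 module; its path and the
# provider name "nitrokey" are assumptions, the option set is the one used above.

# Constructed sample in the shape of the openvpn output shown above.
SAMPLE_OPENVPN_OUTPUT='Certificate
    DN: /CN=user@example.com/emailAddress=user@example.com
    Serial: 066E04
    Serialized id: ZeitControl/PKCS\x2315\x20emulated/000500000c7f/OpenPGP\x20card\x20\x28User\x20PIN\x29/03'

# Print the first existing opensc-pkcs11.so from the usual distribution paths.
find_opensc_module() {
    for p in /usr/lib/opensc-pkcs11.so /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
             /usr/lib64/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so \
             /usr/local/lib/opensc-pkcs11.so; do
        [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    echo "opensc-pkcs11.so not found; install OpenSC" >&2
    return 1
}

# Write the pkcs11-helper config for eCryptfs: $1 = module path, $2 = target file
# (default ~/.ecryptfsrc.pkcs11). Created with mode 0600 because it names the
# token that unlocks your files. cert-private=true: the certificate object is only
# read after login, which is how the OpenPGP card stores it.
write_ecryptfs_pkcs11_rc() {
    module=$1 rc=${2:-$HOME/.ecryptfsrc.pkcs11}
    [ -f "$module" ] || { echo "PKCS#11 module not found: $module" >&2; return 1; }
    ( umask 077
      printf 'pkcs11-log-level=5\npkcs11-provider1,name=nitrokey,library=%s,cert-private=true\n' \
          "$module" > "$rc" )
}

# Print the "Serialized id" of the first certificate in openvpn output on stdin,
# exactly as printed (the \x20 escapes are what ecryptfs-manager expects).
pkcs11_serialized_id() {
    sed -n 's/^[[:space:]]*Serialized id:[[:space:]]*//p' | head -n 1
}

# Full sequence with the card inserted (not exercised by the checks below);
# the printed id is what you enter in ecryptfs-manager as PKCS#11 ID.
ecryptfs_token_setup() {
    module=$(find_opensc_module) || return 1
    write_ecryptfs_pkcs11_rc "$module" || return 1
    openvpn --show-pkcs11-ids "$module" | pkcs11_serialized_id
}
```

    Source the file and run `ecryptfs_token_setup` with the Nitrokey plugged in; it prints the id to paste into ecryptfs-manager and leaves ~/.ecryptfsrc.pkcs11 in place.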
  • Hard Disk Encryption

    For: Nitrokey HSM

    VeraCrypt (formerly TrueCrypt)

    VeraCrypt is a free and Open Source disk encryption software for Windows, macOS, and GNU/Linux. It is the successor of TrueCrypt and thus recommended, although the following instructions should apply to TrueCrypt as well. Follow these steps to use the program with Nitrokey:

    1. Install OpenSC or download the PKCS#11 library.
    2. Choose the library in VeraCrypt under Settings > Preferences > Security Token (the location depends on your system, e.g. /usr/lib/opensc).
    3. Generate a 64-byte key file via Tools > Keyfile Generator.
    4. Now you should be able to import the generated key file via Tools > Manage Security Token Keyfiles. Choose the first slot ([0] User PIN). The keyfile is then stored on the Nitrokey as 'Private Data Object 1' (PrivDO1).
    5. Afterwards, securely wipe the original keyfile on your computer!
    6. Now you can use VeraCrypt with the Nitrokey: create a container and choose the keyfile on the device as an alternative to a password.

    Security consideration: VeraCrypt doesn't make use of the full security which the Nitrokey (and smart cards in general) offer. Instead it stores a keyfile on the Nitrokey, which is read out to the computer after the user enters the PIN and could therefore be stolen by malware running on that computer. A private key on the card, by contrast, never leaves it.

    Note: Aloaha Crypt is based on TrueCrypt/VeraCrypt but without the described security limitation. (Not tested with Nitrokey HSM!)

  • Signing and Encrypting Files and PDF Documents

    For: Nitrokey HSM

    GnuPG

    Starting with version 2.1, GnuPG has built-in but limited support for the Nitrokey HSM. Use the gpgsm tool to sign, verify, encrypt and decrypt files or S/MIME messages using your Nitrokey HSM. Use a signature key on a Nitrokey HSM to sign documents using Acrobat Reader, OpenOffice/LibreOffice or any other PDF reader supporting electronic signatures.

    ECC HSM Encryptor

    ECC HSM Encryptor is a small application to encrypt and decrypt files with a Nitrokey HSM.

  • Signing and Encrypting Files and PDF Documents

    For: Nitrokey Pro, Nitrokey Storage

    GnuPG

    Use the gpgsm tool to sign, verify, encrypt and decrypt files. Use a signature key on a Nitrokey to sign documents using Acrobat Reader, Open Office / Libre Office or any other PDF reader supporting electronic signatures.

     

    GPA - GNU Privacy Assistant

    The Gnu Privacy Assistant (GPA) recognizes the Nitrokey out of the box and has various features to manage keys and cards. It also allows file operations such as encryption, decryption and signing.

     

    SOPS - Secrets OPerationS

    SOPS is an editor for encrypted files that supports YAML, JSON and binary formats and encrypts with AWS KMS and PGP. You can find it on GitHub.

     

    Windows Only

    Aloaha

    Aloaha provides several applications to encrypt and sign PDFs. All of them which allow smart card integration work with the Nitrokey. You can, for example, import key and certificate using OpenSC or any other appropriate method. After this, Windows recognizes your certificate and you can sign the document as shown in the screencast below.

     

    GpgEx for Windows Explorer

    GpgEx integrates smoothly into Windows Explorer to allow encryption and decryption of files. Install it as part of the GPG4Win package.

     

  • Certificate-Based Web Login

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    Before you start to use any of these applications with your Nitrokey, please ensure that you have installed the device driver and initialized the stick (e.g. generated keys).

    Certificate-based login with TLS and a web browser is a very secure authentication method, but it is only rarely used. If you are unsure what this means, this approach is most likely not relevant for you.

    This page refers to websites and applications which support certificate authentication, so that users don't need to enter a username and password when logging in. For instance, WebID is a great protocol which makes use of it. Certificate authentication can be used easily with the Nitrokey and also with any other certificate store.

    Mozilla Firefox

    You need to install the PKCS#11 driver:

    1. Download the PKCS11 driver and store it on your local hard disk or install OpenSC.
    2. Open the Preferences in Firefox and go to Privacy & Security -> Security (just a headline) -> button 'Security Devices...'
    3. Press the button Load. Enter "Nitrokey" as the Module Name and press the Browse button to select the previously downloaded PKCS11 driver file. Confirm and close all dialogs.

    Now you are ready to access websites which provide certificate authentication.

    Internet Explorer

    Install this Mini Driver for Windows. Now you are ready to access websites which provide certificate authentication.

    Google Chrome

    Under Windows, install this Mini Driver. Under Linux, follow these instructions. Now you are ready to access websites which provide certificate authentication.

    WebID

    WebID is a technology to enable secure and federated social websites. Here is a video (available as WebM, Ogg video and H.264) which demonstrates how to use the Nitrokey to create a WebID profile and subsequently use it in an Internet cafe in Singapore. The Nitrokey protects against malware which might otherwise steal the username and password.

    Websites

    Web site                Category
    CAcert                  Community-based certificate authority
    PrivaSphere             Secure messaging
    StartCom                Certificate authority
    HM Revenue & Customs    UK's tax administration

    Software

    Application                          Category
    Roundcube (plugin)                   Webmail
    Drupal (WebID, certificate login)    Content management system
    MediaWiki (plugin)                   Wiki
    Joomla!                              Content management system
    Apache + mod_ssl                     Web server
    OpenSSH                              SSH (remote secure shell) client and server
    WordPress (plugin)                   Blog and CMS
    Tivoli                               System management framework
    Globalscape EFT                      Managed file transfer (MFT)
    Oracle Identity Manager              Identity & access management
    Fuse Source                          Middleware
    Liferay                              Blog
    FusionForge                          Web-based project management and collaboration software

    This website is a good read about strong authentication mechanisms, why client certificate authentication isn't popular, and better alternatives on the horizon.

  • Certificate-Based Web Login

    For: Nitrokey HSM

    Protect access to sensitive information on your website with 2nd factor authentication.

    Use a Nitrokey HSM as an authentication token via the built-in device authentication PKI, or use keys and certificates on a Nitrokey HSM for TLS/SSL client authentication.

  • Enterprise Authentication

    For: Nitrokey Pro, Nitrokey Storage
  • Enterprise Authentication

    For: Nitrokey U2F

    Gluu

  • SSH for Server Administration

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start, Nitrokey HSM

    The Nitrokey should already have PGP keys installed and the local GnuPG keyring should be aware of the keys, that is to say GPG4Win should be installed on the system (only the core application GnuPG is needed). Furthermore you should install PuTTY.

    Preparation on client

    There are two steps needed to make PuTTY work. First we need to enable PuTTY support in GnuPG. To achieve this we use the following command in a Command Prompt (%APPDATA% expands to the user's AppData\Roaming directory):

    echo enable-putty-support >> %APPDATA%\gnupg\gpg-agent.conf

    Now we want to make sure that the gpg-agent starts automatically in the background (you can start it manually with the command below, if you prefer). We create a shortcut to gpg-connect-agent.exe. Press and hold the Windows key and press 'R'. Type "shell:startup" into the text field that opens (see picture below). Windows Explorer opens; right-click on an empty space and choose "New" -> "Shortcut". Now insert the actual command and proceed:

    "C:\Program Files (x86)\gnupg\bin\gpg-connect-agent.exe" /bye


    Reboot your system to make sure the shortcut works. If everything is alright you can now use PuTTY as usual, and PuTTY will make use of the Nitrokey automatically.

    Preparation for the server

    You can generate an authorized_keys file by running

    "C:\Program Files (x86)\gnupg\bin\gpg.exe" --export-ssh-key keyID >> authorized_keys

    where 'keyID' is either the fingerprint of your key or just the e-mail address bound to your key. The Nitrokey must already be known to the local GnuPG keyring. You can now append that file to a remote server's authorized_keys, and when you ssh to the server you'll be asked for a PIN rather than a passphrase.

  • SSH for Server Administration

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start, Nitrokey HSM

    The Nitrokey should already have PGP keys installed and the local GnuPG keyring should know the keys.

    Preparation on client

    • Make sure ~/.gnupg/gpg.conf contains 'use-agent'
    • Add ssh support to gnupg-agent by adding 'enable-ssh-support' to ~/.gnupg/gpg-agent.conf
    • Add the following code to your ~/.bashrc
      unset SSH_AGENT_PID
      if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
      export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
      fi
    • Simply restart your system or try pkill gpg-agent and open a new commandline to make sure everything is set
    • In case of problems, please try gpg2 --card-status on first usage to make sure the gpg-agent gets started

    Preparation for the server

    You can generate an authorized_keys file by running either

    gpgkey2ssh keyID >> ~/authorized_keys #(for GnuPG version <= 2.1.11) or
    gpg2 --export-ssh-key keyID >> ~/authorized_keys #(for newer GnuPG versions)

    where keyID is the subkey ID being used for authentication on your Nitrokey. The Nitrokey must already be known to the local GnuPG keyring. You can now append that file to a remote server's authorized_keys, and when you ssh to the server you'll be asked for a PIN rather than a passphrase.


    Troubleshooting

    If you are still asked for a password please make sure that

    echo $SSH_AUTH_SOCK

    returns something reasonable like '/run/user/1000/gnupg/S.gpg-agent.ssh' or '/home/username/.gnupg/.S.gpg-agent.ssh'. Unfortunately there were some changes in GnuPG in the past, so the actual value differs between systems and GnuPG versions. On some systems this variable may even contain multiple paths. You have to adapt the code given above for .bashrc so that the variable SSH_AUTH_SOCK is correct. In doubt, look for 'SSH_AUTH_SOCK' in

    man gpg-agent

    to find the actual code for your version/system.
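    The following Python script is an added example (not code from Nitrokey or GnuPG) that checks the points made in this section: it picks the export command that matches a given GnuPG version, verifies that gpg-agent.conf carries enable-ssh-support, and compares SSH_AUTH_SOCK with the socket gpgconf reports. Version strings and socket paths used for testing are constructed; check_live() is the only part that touches the real system.

```python
import os
import pathlib
import shutil
import subprocess


def needs_gpgkey2ssh(version: str) -> bool:
    """GnuPG <= 2.1.11 ships gpgkey2ssh; newer versions use
    gpg2 --export-ssh-key (the cut-off given above). '2.1.11-beta' -> (2, 1, 11)."""
    parts = tuple(int(p) for p in version.split("-")[0].split(".") if p.isdigit())
    return parts <= (2, 1, 11)


def export_ssh_key_cmd(version: str, key_id: str) -> str:
    """The command that prints the authorized_keys line for key_id."""
    if needs_gpgkey2ssh(version):
        return f"gpgkey2ssh {key_id}"
    return f"gpg2 --export-ssh-key {key_id}"


def conf_has_option(conf_text: str, option: str) -> bool:
    """True if gpg-agent.conf contains `option` as an uncommented line."""
    return any(line.split("#", 1)[0].strip() == option
               for line in conf_text.splitlines())


def ssh_auth_sock_ok(ssh_auth_sock: str, gpgconf_socket: str) -> bool:
    """ssh reaches gpg-agent only if SSH_AUTH_SOCK names the socket gpgconf
    reports; a leftover ssh-agent socket ends in the password prompt."""
    return bool(ssh_auth_sock) and os.path.realpath(ssh_auth_sock) == os.path.realpath(gpgconf_socket)


def check_live() -> int:
    """Run the checks on this machine (needs gpgconf); 0 means all passed."""
    if shutil.which("gpgconf") is None:
        print("gpgconf not found: is GnuPG installed?")
        return 2
    sock = subprocess.run(["gpgconf", "--list-dirs", "agent-ssh-socket"],
                          capture_output=True, text=True, check=True).stdout.strip()
    conf = pathlib.Path(os.environ.get("GNUPGHOME", os.path.expanduser("~/.gnupg")), "gpg-agent.conf")
    text = conf.read_text(encoding="utf-8") if conf.is_file() else ""
    problems = []
    if not conf_has_option(text, "enable-ssh-support"):
        problems.append(f"add enable-ssh-support to {conf} and restart gpg-agent")
    env_sock = os.environ.get("SSH_AUTH_SOCK", "")
    if not ssh_auth_sock_ok(env_sock, sock):
        problems.append(f"SSH_AUTH_SOCK={env_sock!r} but gpg-agent's socket is {sock!r}")
    if problems:
        print("\n".join(problems))
    return 1 if problems else 0
```

    Run check_live() in a shell where the .bashrc snippet above has been sourced; a non-zero result points at the setting that still needs fixing.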


  • SSH for Server Administration

    For: Nitrokey U2F

    Read patching OpenSSH with U2F support.

  • DNSSEC

    For: Nitrokey HSM

    Protect your domain name resolution using DNSSEC and a Nitrokey HSM as a secure key store. It's based on SmartCard-HSM, which is why the following resources apply:

  • Physical Access Control

    For: Nitrokey HSM

    With its unique built-in device authentication PKI, a Nitrokey HSM has a cryptographically protected unique identity that can be verified in a fast authentication protocol. An access control terminal can verify the authenticity and identity of the device, create a secure communication channel and perform offline PIN verification. The coolPACS project has all the details.

  • VPN Access

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start, Nitrokey HSM

    OpenVPN

    See this link for further information.

    IPsec

    strongSwan could work using the PKCS#11 driver.

    Stunnel

    Stunnel works as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code.

  • PKI / Certificate Authority (CA)

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start, Nitrokey HSM

    CA keys are very sensitive and must not be compromised or lost.

    GnuPG

    Instructions

    OpenSSL

    1. Install OpenSC's engine_pkcs11.
    2. Run the command "pkcs11-tool --list-slots" to list the available slots.
    3. Run the command "openssl req -engine pkcs11 -new -key slot_X-id_XXXX -keyform engine -x509 -out cert.pem -text" (the original shows it typed at the interactive "openssl>" prompt), where X is the slot number from step 2 and XXXX is the hexadecimal ID of the key in that slot, e.g. "... -key slot_5-id_c6f280080fb0ed1ebff0480a01d00a98a1b3b89a ...".
    4. Test

    Other

    Nitrokey HSM integrates well with industry solutions like EJBCA or XCA.

    Please see this PDF (p. 30) from heinlein-support.de for summarized instructions in German.

    µ-CA-tool is a script based on GnuPG, OpenSC and OpenSSL which helps to perform basic tasks of a CA. It works with Nitrokey Pro and Nitrokey Storage.

    Screencast: Nitrokey HSM's Secure Key Backup and Restore (external link)

    Screencast: Nitrokey HSM's M-of-N Threshold Scheme (external link)

  • Password Manager

    For: Nitrokey Pro, Nitrokey Storage

    You have the following options:

    • Use Nitrokey's built-in Password Safe to store passwords securely. For this you need the Nitrokey App. It holds a maximum of 16 passwords.
    • Use Pass (simple commandline password manager for Unix systems, mainly for experts).
    • Use KeePass as described below.

    Protecting KeePass with Nitrokey's One-Time Passwords

    You can also follow this video (It contains a mistake around time 4:22 which is described later below).

    Keepass Installation

    1. Install Keepass 2.3.5.
      For Ubuntu: Because the main repository contains the older 2.3.4, you have to use some other source like this private PPA (please run these commands in terminal):
      sudo add-apt-repository ppa:jtaylor/keepass
      sudo apt-get update
      sudo apt-get install keepass2
    2. Install the OtpKeyProv plugin by downloading the archive, unzipping it and copying the content to KeePass's plugin directory.
      On Linux: sudo cp OtpKeyProv.plgx /usr/lib/keepass2/Plugins/
    3. For Linux, optional: Install mono-complete package if plugin is not detected when running Keepass2 (you can check that in Tools/Plugins):
      sudo apt-get install mono-complete

    Keepass OTP Configuration

    Existing Database

    1. Do a backup of your database and keep it until you are really sure everything works fine!
    2. Make sure you really did a backup. If you mess up, your passwords are lost!
    3. Open database as usual
    4. Select File/Change Master Key...

    New Database

    1. Create new database as usual

    Common

    1. Insert Master Password (optional)
    2. Set Key file / provider: to One-Time Passwords (OATH HOTP)
    3. Click OK
    4. With Nitrokey App: select the HOTP slot and generate the HOTP secret (it will be copied to the clipboard automatically). Note: You may want to write down this secret and store it somewhere secure. Otherwise, if you lose your Nitrokey or it breaks, your password database is lost as well!!!
    5. Paste the secret to Keepass OTP Plugin window
    6. Make sure the Counter field and digits count are set the same in both windows. Click OK in Nitrokey App to save the slot.
    7. Select secret type: Base32
    8. Set the other settings as you like. Please consult the plugin's manual (it should be in the same downloaded archive). I would recommend setting the look-ahead value to non-zero to prevent locking up the database after an accidental code request from the HOTP slot in use. In that case the counters on the device and in KeePass would be out of sync and the OTP codes would not match the expected ones.

    Unlocking Database

    1. Open database
    2. Insert Master Password (if set)
    3. Key file / provider: to One-Time Passwords (OATH HOTP)
    4. Press OK
    5. Insert HOTP codes by repeatedly choosing proper HOTP slot from the Nitrokey App and pasting the clipboard content to proper field (the order of the codes is important).
    6. Press OK

    Issues

    1. Due to the nature of HOTP it is possible to get the counters desynchronized (by selecting the wrong OTP slot during day-to-day use). Using the plugin's look-ahead setting should prevent that (a value of 10 or so should suffice, depending on the desired security requirements; this would allow 10 accidental requests). TOTP does not have that problem.
    2. Setting up the OTP protection can be error-prone. There is no secret validation on the OtpKeyProv side. In the test movie at 4:22 I managed to set the Base32-coded secret as Hex (which was not a proper hex value) and it did not complain about it. There is no information about what happened to the database and how it is now configured. I did not notice until I watched the movie.
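    As an added example (not code from the Nitrokey page or the OtpKeyProv plugin), the following Python shows RFC 4226 HOTP with the look-ahead verification the first issue describes, and a secret decoder that refuses the Base32-as-Hex mix-up from the second. The key is the RFC 4226 test-vector key and the counter values are constructed.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_with_lookahead(secret: bytes, stored_counter: int, code: str,
                          look_ahead: int = 10, digits: int = 6):
    """Accept `code` if it matches any counter in [stored_counter,
    stored_counter + look_ahead]; return the counter to store next or None.
    Look-ahead 10 absorbs up to 10 accidental requests on the Nitrokey
    slot, at the price of giving a guesser 11 candidate values per try."""
    for skew in range(look_ahead + 1):
        if hmac.compare_digest(hotp(secret, stored_counter + skew, digits), code):
            return stored_counter + skew + 1
    return None


def decode_secret(text: str, kind: str) -> bytes:
    """Decode the shared secret as the plugin's 'secret type' setting would.
    OtpKeyProv does not validate that choice; here a Base32 string fed in
    as Hex raises ValueError instead of silently yielding a different key."""
    if kind == "Base32":
        return base64.b32decode(text.replace(" ", ""), casefold=True)
    if kind == "Hex":
        return bytes.fromhex(text)
    raise ValueError(f"unknown secret type {kind!r}")


def demo() -> dict:
    """Constructed scenario: the HOTP slot was triggered 3 times by accident,
    so the device's counter is 3 while KeePass still expects 0."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector key, not a real secret
    code = hotp(secret, 3)
    return {
        "resynced": verify_with_lookahead(secret, 0, code, look_ahead=10),
        "locked_out": verify_with_lookahead(secret, 0, code, look_ahead=0),
    }
```

    With look-ahead 10 the desynchronized code is accepted and the stored counter jumps to 4; with look-ahead 0 the same code is rejected, which is the lock-out described above.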

    Tested under Ubuntu 16.10, Nitrokey App v0.6.3 and Nitrokey Storage v0.45.

  • Secure Web Login (U2F)

    For: Nitrokey U2F
    1. Use one of these browsers:
      1. Google Chrome
      2. Chromium
      3. Firefox with U2F Support Add-on
      4. macOS Safari with Safari-FIDO-U2F plugin
    2. Open one of the websites supporting U2F.
    3. Connect the Nitrokey U2F for registering it with your website account.
    4. Reconnect the Nitrokey U2F after each registration and login.
  • Bitcoin Wallet

    For: Nitrokey HSM

    J.v.d.Bosch wrote a simple, free python program to secure the private key of a Bitcoin wallet in a HSM. See here for further information.

  • True Random Number Generator (TRNG)

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey HSM

    Nitrokey HSM

    In OpenSC the function C_GenerateRandom is mapped to the random number generator of the device. However, engine-pkcs11 doesn't contain a mapping for OpenSSL to C_GenerateRandom. Hence, it doesn't work yet. It would be required to implement the mapping in engine-pkcs11 to C_GenerateRandom.

    Nitrokey Pro and Nitrokey Storage

    Both devices are compatible with the OpenPGP Card, so scdrand should work. This script may be useful. The TRNG provides about 40 kbit/s.

    The user comio created a systemd unit file to use scdrand, and thus the TRNG, more generally. He created an ebuild for Gentoo, too.

  • Development and Integration

    For: Nitrokey Pro
  • Development and Integration

    For: Nitrokey Storage
  • Development and Integration

    For: Nitrokey Start
  • Development and Integration

    For: Nitrokey HSM
