Applications

Nitrokey can be used with a large variety of third-party applications. Basically, every application that uses GnuPG, the Windows certificate store or a PKCS#11 interface can be used with the Nitrokey. This page gives an incomplete overview of the most popular applications and their usage.

Please send us your feedback or instructions if you successfully used Nitrokey with applications not listed here.

  • General

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    GnuPG

    GnuPG is required for many use cases. It is a command line tool, but usually you don't need to invoke it directly; instead you use another application with a user interface.

    Don't use GnuPG in parallel with OpenSC or another PKCS#11 driver because both may interfere and unexpected issues may result.

    1. Install GPG4Win, which contains the Gnu Privacy Assistant (GPA) and GnuPG (GPG).
    2. Start the Gnu Privacy Assistant (GPA) or another application, such as your email client, to use GnuPG.
      Advanced users can use GnuPG directly (command line). Please note: the Fellowship smart card is similar to the Nitrokey Pro, so those instructions work for the Nitrokey as well. In general, the official documentation is recommended.

    PKCS#11 Driver

    If you want to use S/MIME email encryption with Thunderbird, TrueCrypt/VeraCrypt, certificate-based SSL authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11-compatible software, you should install OpenSC.

    Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP, but the other way around works fine. If you want to use the Nitrokey with both GnuPG and PKCS#11, generate the keys with GnuPG.

    Don't use PKCS#11 in parallel with GnuPG because both may interfere and unexpected issues may result. (Another promising project, scd-pkcs11, is in development and may overcome this limitation eventually. Currently it is limited to the authentication certificate and not widely tested yet.)

    Instructions on how to create a valid X.509 certificate with Nitrokey (123). These are general instructions on how to use X.509 certificates.

    Alternative PKCS#11 Driver:

    The recommended PKCS#11 driver is OpenSC. Alternatively, you could use Peter Koch's PKCS#11 driver, which has the following limitations:

    • No import of existing X.509 certificates (instead, keys have to be generated on the Nitrokey).
    • The Linux version does not allow generating keys.
    • Modifying the password/PIN under Linux is not possible.

    Windows Mini Driver

    This Mini Driver integrates the Nitrokey with the Windows certificate store. Subsequently, all applications that use this certificate store can be used with the Nitrokey (e.g. Internet Explorer, the Google Chrome web browser, Windows login). To install the driver, you may need to allow the installation of unsigned drivers first.

    Aloaha

    All Aloaha applications work with the Nitrokey. This includes a middleware to integrate the Nitrokey with other PKCS#11-based applications and with Windows, as well as applications to encrypt and sign PDFs and the hard disk.

  • General

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    GnuPG

    GnuPG is required in many use cases to initialize and use the Nitrokey. It is a command line tool, but usually you don't need to invoke it directly.

    Instructions on how to use the Nitrokey with GnuPG (command line). Please note: the Fellowship smart card is similar to the Nitrokey Pro, so those instructions work for the Nitrokey as well. In general, the official documentation is recommended.

    PKCS#11 Driver

    If you want to use S/MIME email encryption with Thunderbird, TrueCrypt/VeraCrypt, certificate-based SSL authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11-compatible software, you should install OpenSC.

    Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP, but the other way around works fine. If you want to use the Nitrokey with both GnuPG and PKCS#11, generate the keys with GnuPG.

    Don't use PKCS#11 in parallel with GnuPG because both may interfere and unexpected issues may result. (Another promising project, scd-pkcs11, is in development and may overcome this limitation eventually. Currently it is limited to the authentication certificate and not widely tested yet.)

    Instructions on how to create a valid X.509 certificate with Nitrokey (123). These are general instructions on how to use X.509 certificates.

    Alternative PKCS#11 Driver:

    The recommended PKCS#11 driver is OpenSC. Alternatively, you could use Peter Koch's PKCS#11 driver, which has the following limitations:

    • No import of existing X.509 certificates (instead, keys have to be generated on the Nitrokey).
    • The Linux version does not allow generating keys.
    • Modifying the password/PIN under Linux is not possible.

    p11-glue

    P11-glue uses PKCS#11 as glue between crypto libraries and security applications on the open source desktop.

    Articles in German

  • General

    For: Nitrokey HSM
    • OpenSC: Comprehensive instructions exist for OpenSC framework.
    • GnuPG: The latest GnuPG 2.1 supports Nitrokey HSM.
    • Embedded Systems: For systems with a minimal memory footprint, a read-only PKCS#11 module is provided by the sc-hsm-embedded project.
      This PKCS#11 module is useful for deployments where key generation at the user's workplace is not required. The PKCS#11 module also supports the major electronic signature cards available on the German market.
    • OpenSCDP: The SmartCard-HSM is fully integrated with OpenSCDP, the open smart card development platform. See the public support scripts for details.
  • Computer Login

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    To access Nitrokey devices read-only, download and install this Mini Driver (CSP). If you are using Windows Server, you may need to disable driver signature verification before you can install the driver.

    To generate keys, create certificates and enroll Nitrokeys for your users, the following instructions, applicable to the Nitrokey HSM, may be useful. Note that the Mini Driver for the Nitrokey Pro may not work yet in write mode:

  • Computer Login

    For: Nitrokey HSM

    Select your use case:

  • Computer Login

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    Linux Login with PAM

    You have two options: pam_p11 or Poldi.

    Poldi 0.4.1 works flawlessly with the Nitrokey for PAM authentication, using the default /etc/poldi/poldi.conf:

    auth-method localdb
    log-file /var/log/poldi.log
    debug
    scdaemon-program /usr/bin/scdaemon

    Add one line to /etc/poldi/localdb/users with the Nitrokey's serial number (from gpg --card-status | grep Application):

    D00600012401020000000000xxxxxxxx <username>

    Then dump the public key from your Nitrokey (formerly Crypto Stick) into the Poldi local db. The redirect into /etc must run as root as well, hence the sudo sh -c wrapper:

    $ sudo sh -c 'poldi-ctrl -k > /etc/poldi/localdb/keys/D00600012401020000000000xxxxxxxx'

    Then you have to configure PAM. Just add "auth sufficient pam_poldi.so" to the PAM configuration files according to your needs:

    • /etc/pam.d/common-auth for graphical user login
    • /etc/pam.d/login for console login
    • /etc/pam.d/sudo for sudo authentication
    • /etc/pam.d/gnome-screensaver for login back from a locked screen
    • etc..

    Note: PAM is dangerous to play around with, so make sure you have a way of accessing the machine if you break authentication completely. Remember that booting into rescue mode from GRUB requires a root password, so keep that, or a live CD which can read your file systems, to hand.

    Other instructions can be found here.

  • Web Login with One Time Passwords (OTP, 2FA)

    For: Nitrokey Pro, Nitrokey Storage

    One-time passwords (OTP) are used for secure login to websites and local applications.

    Two OTP modes exist:

    • HMAC-based One-time Passwords (HOTP) are used for local applications and computer logins.
    • Time-based One-time Passwords (TOTP) are widely used for websites. If unsure, assume you are using this mode.

    Initial Setup

    1. Download and install the latest Nitrokey App. Please verify that you really use the latest version.
    2. Change the default User PIN and Admin PIN to your own PINs: Start the Nitrokey App, press the tray icon and select "Configure > Change User PIN" and "Configure > Change Admin PIN".

    Configure a Website/Application to use OTP

    1. Log in to your website which supports two-factor authentication or one-time passwords compatible with YubiKey and Google Authenticator. Usually you find the option to enable two-factor authentication under your profile or settings. There you will get a base32 string (the secret). Copy this string to the clipboard.
    2. Start the Nitrokey App, press the tray icon and select "Configure > One Time Passwords".
    3. Enter your Admin PIN.
    4. Select either a TOTP (common for websites) or HOTP slot (common for applications) and enter the secret you copied from the website in step 1. Enter a name for the slot. The other options' default values can usually remain unchanged.

    Securely Login to Website/Application

    1. Start the Nitrokey App, press the tray icon and in the menu select the appropriate slot you configured previously.
    2. Confirm the window; the OTP is copied to the clipboard.
    3. Enter the OTP from the clipboard into the appropriate prompt/website.

    HMAC-based One-time Passwords - HOTP

    In addition to the usage described above, you can use HOTPs with a USB keyboard (internal laptop keyboards don't work) directly, without using the Nitrokey App.

    1. Configuration: Start the Nitrokey App, press the tray icon and select "Configure > One Time Passwords". Go to the "General config" tab and select any of the available keys to trigger your HOTP on double-press.
    2. Usage:
      1. Put the cursor focus on the appropriate password prompt.
      2. Double-press the key you configured above (e.g. Caps Lock).
  • Encrypted Mobile Storage

    For: Nitrokey Storage

    Before using the encrypted mobile storage you need to install and initialize the Nitrokey Storage and download the latest Nitrokey App.

    1. Start the Nitrokey App.
    2. Press its tray icon and select "unlock encrypted volume" in the menu.
    3. Enter your User PIN in the appearing popup window.
    4. If this is the first time you may need to create a partition on the encrypted volume. Windows will open an appropriate window and ask you to do so. On Linux and Mac you may need to open a partition manager and create a partition manually. You can create as many partitions as you want. We recommend FAT(32) if you want to access the partition from various operating systems.
    5. Now you can use the encrypted volume as you would use any other ordinary USB drive. But all data stored on it will be encrypted in the Nitrokey hardware automatically.
    6. To remove or lock the encrypted volume you should unmount/eject it first.
    7. Afterwards you can disconnect the Nitrokey or select "lock encrypted volume" from the Nitrokey App menu.

    Hidden Volumes

    Hidden volumes allow hiding data in the encrypted volume. The data is protected with an additional password. Without the password, the data's existence can't be proven. Hidden volumes are not set up by default, so that their existence can be denied plausibly. The concept is similar to VeraCrypt's/TrueCrypt's hidden volume, but with the Nitrokey Storage the entire hidden volume functionality is implemented in hardware.

    You can configure up to four hidden volumes. Once unlocked, hidden volumes behave like ordinary storage where you can create various partitions and file systems and store files as you like.

    Configure Hidden Volumes:

    1. Unlock encrypted volume from the Nitrokey App menu.
    2. Select "setup hidden volume".
    3. Now you need to enter a new password twice to protect your hidden volume. The password strength is indicated below.
      Note: PINs can only be tried three times, which is why they can be short. Passwords can potentially be attacked without limit, which is why they need to be sufficiently strong.
    4. Next you need to define the storage area to be used. Hidden volumes are stored in the empty space of the encrypted volume. This is a critical choice because a wrong choice could destroy data on the (not hidden) encrypted volume and reveal the existence of the hidden volume.
      1. You should use one FAT partition on your encrypted volume.
      2. Copy some files to the encrypted volume prior to creating the hidden volume. Once you have configured a hidden volume you shouldn't add or change files on the encrypted volume anymore.
      3. Identify the storage space your files consume on the encrypted volume. For example: 10%
      4. The hidden volume should start after your files on the encrypted volume. For example: 10% files + 10% buffer = 20%
      5. The hidden volume should end some distance before the end of the storage. For example: 90%

    If you use two or more hidden volumes, note that their storage areas must not overlap. Otherwise they would overwrite and destroy each other's data. Each hidden volume requires a different password.
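
    As an added example (not part of the Nitrokey documentation or the Nitrokey App), the following Python function checks a planned hidden volume layout against the rules just described: every hidden volume starts after the existing files plus a buffer, ends some distance before the end of the storage, and no two hidden volumes overlap. The 10% buffer and 10% end margin are taken from the example values above and are this script's assumptions, not fixed rules.

```python
"""Sanity check for a Nitrokey Storage hidden-volume layout.
Added example, not Nitrokey App code. Positions are percentages of the
encrypted volume, as entered in the Nitrokey App dialog. The default
buffer (10%) and end margin (10%) mirror the example values in the
instructions and are assumptions of this script."""


def check_hidden_volume_layout(used_percent, volumes,
                               buffer_percent=10, end_margin_percent=10):
    """volumes: list of (start, end) percentage pairs, one per hidden volume.
    Returns a list of human-readable problems; an empty list means the layout
    passes every rule."""
    problems = []
    earliest_start = used_percent + buffer_percent   # files + buffer
    latest_end = 100 - end_margin_percent            # keep away from the end

    for number, (start, end) in enumerate(volumes, start=1):
        if not (0 <= start < end <= 100):
            problems.append(f"volume {number}: {start}%-{end}% is not a valid ascending range")
            continue
        if start < earliest_start:
            # Would be written over the encrypted volume's own files.
            problems.append(f"volume {number}: starts at {start}% but files plus buffer "
                            f"reach {earliest_start}%; existing data would be overwritten")
        if end > latest_end:
            problems.append(f"volume {number}: ends at {end}%, past the {latest_end}% "
                            f"margin before the end of the storage")

    # Pairwise overlap check: overlapping hidden volumes destroy each other's data.
    for i in range(len(volumes)):
        for j in range(i + 1, len(volumes)):
            a_start, a_end = volumes[i]
            b_start, b_end = volumes[j]
            if a_start < b_end and b_start < a_end:
                problems.append(f"volumes {i + 1} and {j + 1} overlap "
                                f"({a_start}%-{a_end}% vs {b_start}%-{b_end}%)")
    return problems


if __name__ == "__main__":
    # Constructed layouts: the example from the instructions, and a two-volume one.
    print(check_hidden_volume_layout(10, [(20, 90)]))            # []
    print(check_hidden_volume_layout(10, [(20, 55), (50, 90)]))  # overlap reported
```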

    Usage of Hidden Volumes:

    1. Select "unlock encrypted volume" and enter your User PIN.
    2. Select "unlock hidden volume" and enter any of the hidden volume's passwords.
    3. If this is the first time you may need to create a partition on the hidden volume. Windows will open an appropriate window and ask you to do so. On Linux and Mac OS you may need to open a partition manager and create a partition manually. You can create as many partitions as you want. We recommend FAT(32) if you want to access the partition from various operating systems.
    4. Make sure to unmount/eject all partitions on the hidden volumes before locking or disconnecting the Nitrokey.

    Also see older but comprehensive Nitrokey Storage manual.

  • Hidden Volumes

    For: Nitrokey Storage

    Nitrokey Storage allows configuring hidden volumes, similar to VeraCrypt's hidden volumes but implemented in hardware. Instructions will be added here.

  • Email Encryption

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    Note: Two different email encryption formats exist:

    • OpenPGP / GnuPG is popular among individuals.
    • S/MIME / X.509 is mostly used by enterprises.

    If unsure which format to use, choose OpenPGP.

    Mozilla Thunderbird with OpenPGP

    Thunderbird is a popular and open source email client. The add-on Enigmail provides OpenPGP email encryption functionality.

    1. Download and install GPG4Win and Thunderbird.
    2. Download and install Enigmail (instructions).
    3. If you didn't do so already, change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices. (instructions)
    4. Generate new keys or import your existing RSA keys. (instructions)
      Advanced users could use the command line tool GnuPG; see the recommended instructions using subkeys and backup, or the simpler main key method (not recommended).

    Mozilla Thunderbird with S/MIME

    Thunderbird is a popular and open source email client which can encrypt emails in S/MIME format out-of-the-box.

    1. Download the PKCS#11 driver and configure it in Thunderbird.

    GNOME Evolution with OpenPGP or S/MIME

    Evolution is the email client of GNOME which supports OpenPGP- and S/MIME-based email encryption.

    Microsoft Outlook with OpenPGP or S/MIME

    OpenPGP:

    • GPG4Win contains the Outlook plugin GpgOL, which enables its usage with GnuPG and with the Nitrokey (untested).
    • Alternatively you may want to try the new Outlook Privacy Plugin.

    S/MIME:

    • To use S/MIME, install the MiniDriver.

    Claws Mail with OpenPGP or S/MIME

    Claws Mail is an email client (and news reader) for Linux and Windows, based on GTK+, with focus on quick response.

  • Email Encryption

    For: Nitrokey HSM

    Encrypt your e-mail using the S/MIME industry standard available in all major e-mail clients.

    The Nitrokey HSM has been tested to work with Mozilla Thunderbird and Microsoft Outlook. Other e-mail clients with support for PKCS#11 or Microsoft CSP should work as well.

  • Instant Messenger

    Pidgin (plugin), Gajim, Psi and KDE's Kopete (plugin) are instant messenger clients for Jabber/XMPP which can encrypt messages with GnuPG and the Nitrokey (untested).

  • Hard Disk Encryption

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    TrueCrypt

    TrueCrypt and its successor VeraCrypt are free and open-source disk encryption software for Windows, Mac OS X, and Linux. Follow these steps to use it with the Nitrokey:

    1. Configure the PKCS#11 library under Settings > Preferences > Security Token.
      Note: OpenSC seems not to work because of this pending issue.
    2. Choose as token a small keyfile (64 bytes, generated via Tools > Keyfile > Keyfile Generator).
    3. Now you should be able to import this keyfile, after entering the correct PIN, via Tools > Manage Security Token Keyfiles. The keyfile is stored on the Nitrokey as 'Private Data Object 3' (don't forget to wipe the original keyfile securely).
    4. Now you can use TrueCrypt with the Nitrokey: create a container and choose the keyfile on the device as password.

    Security consideration: please note that TrueCrypt/VeraCrypt doesn't make use of the full security that the Nitrokey (and smart cards in general) offers. Instead it stores a keyfile on the Nitrokey, which could theoretically be stolen by a computer virus after the user enters the password.

    Note: Aloaha Crypt is based on TrueCrypt but without the described security limitation.

    Hard Disk Encryption on Linux, Based on LUKS/dm-crypt

    Here are excellent instructions on how to use the Nitrokey to encrypt your hard disk under Linux with LUKS/dm-crypt. Other instructions.

    Storage Encryption on Linux, Based on EncFS

    Prerequisite: Please ensure that you have installed the device driver, changed the default PINs and generated or imported keys.

    An easy-to-use encrypted file system is EncFS, which is based on FUSE. You may follow these steps to use it with a very long passphrase and the Nitrokey. The passphrase file is encrypted to your Nitrokey key, so mounting later requires the Nitrokey and its PIN:

    Initialization

    Enter a long passphrase into a key file:
    $ echo "Your long secret passphrase" > keyfile

    Encrypt the key file (gpg prompts for a recipient; choose the key on your Nitrokey). This produces keyfile.gpg:
    $ gpg -e keyfile

    Remove the key file in clear text:
    $ rm keyfile

    Create the encrypted directory and the mount point:
    $ mkdir ~/.cryptdir.encfs ~/cryptdir

    Select paranoia mode and enter "Your long secret passphrase" as password:
    $ encfs ~/.cryptdir.encfs ~/cryptdir

    Unmount the new file system:
    $ fusermount -u ~/cryptdir

    Usage

    # Mount the encrypted file system; gpg asks for the PIN of the Nitrokey and pipes the passphrase to encfs:
    $ gpg -d keyfile.gpg | encfs -S ~/.cryptdir.encfs ~/cryptdir

    # After usage, unmount the file system:
    $ fusermount -u ~/cryptdir


    Storage Encryption on Linux, Based on ECryptFS

    eCryptfs is a file-based transparent encryption file system for Linux which can be used with the Nitrokey through a PKCS#11 driver. See these instructions. Alternatively, try ESOSI or follow these steps using OpenSC and OpenVPN:

    Warning: This will delete existing keys on your Nitrokey!

    # Import the certificate and key to the Nitrokey
    $ pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key user@example.com.p12 --format pkcs12 --auth-id 3 --verify-pin

    # Create the file ~/.ecryptfsrc.pkcs11:
    $ editor ~/.ecryptfsrc.pkcs11

    # Enter this content (configuration lines, not shell commands):
    pkcs11-log-level=5
    pkcs11-provider1,name=name,library=/usr/lib/opensc-pkcs11.so,cert-private=true

    # List the certificates exposed by the OpenSC PKCS#11 module (same library path as above):
    $ openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so
    Certificate
        DN: /description=Iv4IQpLO02Mnix9i/CN=user@example.com/emailAddress=user@example.com
        Serial: 066E04
        Serialized id: ZeitControl/PKCS\x2315\x20emulated/000500000c7f/OpenPGP\x20card\x20\x28User\x20PIN\x29/03

    # Copy the serialized id for later usage, then run:
    $ ecryptfs-manager

    # This shows a list of options. Choose "Add public key to keyring",
    # then choose pkcs11-helper and enter the serialized id from the openvpn output as the PKCS#11 ID.

  • Hard Disk Encryption

    For: Nitrokey HSM

    TrueCrypt

    TrueCrypt and its successor VeraCrypt are free and open-source disk encryption software for Windows, Mac OS X, and Linux. Follow these steps to use it with the Nitrokey:

    1. Configure the PKCS#11 library under Settings > Preferences > Security Token.
      Note: OpenSC seems not to work because of this pending issue.
    2. Choose as token a small keyfile (64 bytes, generated via Tools > Keyfile > Keyfile Generator).
    3. Now you should be able to import this keyfile, after entering the correct PIN, via Tools > Manage Security Token Keyfiles. The keyfile is stored on the Nitrokey as 'Private Data Object 3' (don't forget to wipe the original keyfile securely).
    4. Now you can use TrueCrypt with the Nitrokey: create a container and choose the keyfile on the device as password.

    Security consideration: please note that TrueCrypt/VeraCrypt doesn't make use of the full security that the Nitrokey (and smart cards in general) offers. Instead it stores a keyfile on the Nitrokey, which could theoretically be stolen by a computer virus after the user enters the password.

    Note: Aloaha Crypt is based on TrueCrypt but without the described security limitation. (Not tested with Nitrokey HSM)

  • Signing and Encrypting Files and PDF Documents

    For: Nitrokey HSM

    GnuPG

    Starting with version 2.1, GnuPG has built-in but limited support for the Nitrokey HSM. Use the gpgsm tool to sign, verify, encrypt and decrypt files or S/MIME messages using your Nitrokey HSM. Use a signature key on a Nitrokey HSM to sign documents using Acrobat Reader, Open Office / Libre Office or any other PDF reader supporting electronic signatures.

    ECC HSM Encryptor

    ECC HSM Encryptor is a small application to encrypt and decrypt files with a Nitrokey HSM.

  • Signing and Encrypting Files and PDF Documents

    For: Nitrokey Pro, Nitrokey Storage

    Aloaha

    Aloaha provides several applications to encrypt and sign PDFs. All of them that allow smart card integration work with the Nitrokey.

    GnuPG

    Use the gpgsm tool to sign, verify, encrypt and decrypt files. Use a signature key on a Nitrokey to sign documents using Acrobat Reader, Open Office / Libre Office or any other PDF reader supporting electronic signatures.

    GPA - GNU Privacy Assistant

    The Gnu Privacy Assistant (GPA) recognizes the Nitrokey out of the box and has various features to manage keys and cards. It also allows file operations such as file encryption, decryption and signing.

    GpgEx for Windows Explorer

    GpgEx integrates smoothly into Windows Explorer to allow encryption and decryption of files. Install it as part of the GPG4Win package.

  • Certificate-Based Web Login

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start

    Before you start to use any of these applications with your Nitrokey, please ensure that you have installed the device driver and initialized the stick (e.g. generated keys).

    Certificate-based login with TLS and a web browser is a very secure authentication method, but it is only rarely used. If you are unsure what this means, this approach is most likely not relevant for you.

    This page refers to websites and applications which support certificate authentication, so that users don't need to enter a username and password when logging in. For instance, WebID is a great protocol which makes use of it. Certificate authentication can be used easily with the Nitrokey and also with any other certificate store.

    Mozilla Firefox

    You need to install the PKCS#11 driver:

    1. Download the PKCS#11 driver and store it on your local hard disk.
    2. Open the menu Options -> Advanced -> Encryption -> Security Devices.
    3. Press the button Load. Enter "Crypto Stick" as the Module Name and press the Browse button to select the PKCS11 driver file. Confirm and close all dialogs.

    Now you are ready to access websites which provide certificate authentication.

    Internet Explorer

    Install this Mini Driver for Windows. Now you are ready to access websites which provide certificate authentication.

    Google Chrome

    Under Windows, install this Mini Driver. Under Linux, follow these instructions. Now you are ready to access websites which provide certificate authentication.

    WebID

    WebID is a technology to enable secure and federated social websites. Here is a video (WebM, Ogg video, H.264) which demonstrates how to use the Nitrokey to create a WebID profile and subsequently to use it in an Internet cafe in Singapore. The Nitrokey protects against computer viruses which might otherwise steal the username and password.

    Websites

    Web Site: Category
    • CAcert: community-based Certificate Authority
    • PrivaSphere: secure messaging
    • StartCom: Certificate Authority
    • HM Revenue & Customs: UK's tax administration

    Software

    Application: Category
    • Roundcube (plugin): webmail
    • Drupal (WebID, certificate login): content management system
    • MediaWiki (plugin): wiki
    • Joomla!: content management system
    • Apache + mod_ssl: web server
    • OpenSSH: SSH (remote secure shell) client and server
    • WordPress (plugin): blog and CMS
    • Tivoli: system management framework
    • Globalscape EFT: managed file transfer (MFT)
    • Oracle Identity Manager: I&AM
    • Fuse Source: middleware
    • Liferay: blog
    • FusionForge: web-based project management and collaboration software

    This website is a good read about strong authentication mechanisms, why client certificate authentication isn't popular, and better alternatives on the horizon.

  • Certificate-Based Web Login

    For: Nitrokey HSM

    Protect access to sensitive information on your website with 2nd factor authentication.

    Use a Nitrokey HSM as an authentication token via the built-in device authentication PKI, or use keys and certificates on a Nitrokey HSM for TLS/SSL client authentication.

  • Enterprise Authentication

    For: Nitrokey Pro, Nitrokey Storage
  • Enterprise Authentication

    For: Nitrokey U2F

    gluu  

  • SSH for Server Administration

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start, Nitrokey HSM

    SSH with PuTTY / KiTTY

    1. Download and install PuTTY and Gpg4win.
    2. Enable PuTTY support by adding the line enable-putty-support to %appdata%/gnupg/gpg-agent.conf.
      Now PuTTY will use gpg-agent instead of Pageant and can access the Nitrokey.

    Alternative versions of PuTTY can be used as well: KiTTY, Peter Koch's modified PuTTY. Configure KiTTY/PuTTY to load the PKCS#11 driver as displayed in the following screenshot:

    Cygwin

    1. Download and install Cygwin.
    2. Download and install ssh-pageant.
    3. Edit .bashrc and add eval $(ssh-pageant -r -a /tmp/ssh-pageant-$USERNAME)
      Now SSH uses gpg-agent which allows accessing the Nitrokey.

    git with Windows

    In case ssh-pageant doesn't work with git right away, try the following steps:

    1. Open: Control Panel -> System ->Advanced -> Preferences -> Environment Variables
    2. Enter: GIT_SSH=C:\Program Files (x86)\putty\plink.exe
    3. Logout and login again to your Windows session

    Now git uses PuTTY which uses gpg-agent to access the Nitrokey.

    WinSCP

    WinSCP is a free SFTP client for Windows.

    OpenSSH

    1. Make sure ~/.gnupg/gpg.conf contains use-agent (it should by default)
    2. Add ssh support to gnupg-agent by adding enable-ssh-support to ~/.gnupg/gpg-agent.conf
    3. Log out and back in and you should be ready to use it
    4. You can now generate an authorized_keys entry by running gpgkey2ssh 12345678 >> ~/authorized_keys, where 12345678 is the ID of the subkey used for authentication. Append that file to the remote server's authorized_keys; when you ssh in you'll be asked for a PIN rather than a passphrase.

    Other instructions can be found here and here. Please note: the Fellowship smart card is similar to the Nitrokey, so that documentation applies to the Nitrokey as well.

    Another tutorial is this one (section "use eToken with OpenSSH"). It uses a different card, but the same approach applies to the Nitrokey. Note: that tutorial exports the SSH key from key ID 45 with "pkcs15-tool --read-ssh-key 45 >> .ssh/authorized_keys", but our OpenPGP card exports from key ID 3 with "pkcs15-tool --read-ssh-key 3".

    Alternatively, see this information on OpenSSH secure shell and X.509 certificates.

  • SSH for Server Administration

    For: Nitrokey U2F

    Read patching OpenSSH with U2F support.

  • DNSSEC

    For: Nitrokey HSM

    Protect your domain name resolution using DNSSEC and a Nitrokey HSM as secure key store. It's based on the SmartCard-HSM, which is why the following resources apply:

  • Physical Access Control

    For: Nitrokey HSM

    With its unique built-in device authentication PKI, a Nitrokey HSM has a cryptographically protected unique identity that can be verified in a fast authentication protocol. An access control terminal can verify the authenticity and identity of the device, create a secure communication channel and perform offline PIN verification. The coolPACS project has all the details.

  • VPN Access

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start, Nitrokey HSM

    OpenVPN

    See this link for further information.

    IPsec

    strongSwan could work using the PKCS#11 driver.

    Stunnel

    Stunnel works as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code.

  • PKI / Certificate Authority (CA)

    For: Nitrokey Pro, Nitrokey Storage, Nitrokey Start, Nitrokey HSM

    CA keys are very sensitive and must not be compromised or lost.

    GnuPG

    Instructions

    OpenSSL

    1. Install OpenSC's engine_pkcs11.
    2. Run the command "pkcs11-tool --list-slots" to list the available slots.
    3. Run the command "openssl> req -engine pkcs11 -new -key slot_X-id_XXXX -keyform engine -x509 -out cert.pem -text", where X is the appropriate slot number and XXXX is the slot ID, e.g. "... -key slot_5-id_c6f280080fb0ed1ebff0480a01d00a98a1b3b89a ..."
    4. Test
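    The helper below is an added example, not code from the Nitrokey documentation or from OpenSC: it picks the slot number and key ID out of pkcs11-tool output (steps 2 and 3) and assembles the engine_pkcs11 key identifier and the openssl command, so the private key is never copied off the token. The two sample outputs are constructed to look like "pkcs11-tool --list-slots" and "pkcs11-tool --list-objects --type privkey"; the serial numbers in them are placeholders, and the hex ID is the one quoted in step 3.

```python
import re

# Constructed sample output in the shape of "pkcs11-tool --list-slots"
# (serial numbers are placeholders, not captured from a real device).
SAMPLE_SLOTS = """\
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK0000000) 00 00
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
Slot 5 (0x5): Nitrokey Nitrokey Pro (000000000000) 00 00
  token label        : OpenPGP card (User PIN)
  token manufacturer : ZeitControl
"""

# Constructed sample output in the shape of
# "pkcs11-tool --list-objects --type privkey --slot 5".
SAMPLE_OBJECTS = """\
Using slot 5 with a present token (0x5)
Private Key Object; RSA
  label:      Signature key
  ID:         c6f280080fb0ed1ebff0480a01d00a98a1b3b89a
  Usage:      sign
"""


def slot_for_token(list_slots_output, label_substring):
    """Return the decimal slot number whose token label contains label_substring,
    or None if no such token is present."""
    slot = None
    for line in list_slots_output.splitlines():
        m = re.match(r"Slot (\d+) ", line)
        if m:
            slot = int(m.group(1))          # remember the slot we are inside
        elif "token label" in line and label_substring in line.split(":", 1)[1]:
            return slot
    return None


def key_ids(list_objects_output):
    """Return the hex CKA_ID of every private key object in the listing."""
    return re.findall(r"^\s*ID:\s*([0-9a-fA-F]+)\s*$", list_objects_output, re.M)


def req_command(slot, key_id, out="cert.pem"):
    """argv for step 3: engine_pkcs11 key reference "slot_X-id_XXXX" with
    -keyform engine, so OpenSSL signs on the token instead of loading a key file."""
    return ["openssl", "req", "-engine", "pkcs11", "-new",
            "-key", f"slot_{slot}-id_{key_id}", "-keyform", "engine",
            "-x509", "-out", out, "-text"]
```

    Feed the real pkcs11-tool output to these functions (for instance via subprocess) and pass the resulting argv to subprocess.run to execute step 3.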

    Other

    Nitrokey HSM integrates well with industry solutions like EJBCA or XCA.

    µ-CA-tool is a script based on GnuPG, OpenSC and OpenSSL which helps to perform the basic tasks of a CA. It works with Nitrokey Pro and Nitrokey Storage.

  • Password Manager

    For: Nitrokey Pro, Nitrokey Storage

    You have the following options:

    • Use Nitrokey's built-in Password Safe to store passwords securely. This requires the Nitrokey App. The maximum is 16 passwords.
    • Use KeePass as described below.

    Protecting KeePass with Nitrokey's One-Time Passwords

    You can also follow this video (it contains a mistake at around 4:22, which is described under Issues below).

    Keepass Installation

    1. Install Keepass 2.3.5.
      For Ubuntu: because the main repository contains the older 2.3.4, you have to use another source such as this private PPA (run these commands in a terminal):
      sudo add-apt-repository ppa:jtaylor/keepass
      sudo apt-get update
      sudo apt-get install keepass2
    2. Install the OtpKeyProv plugin by downloading the archive, unzipping it and copying the content to KeePass's plugin directory.
      On Linux: sudo cp OtpKeyProv.plgx /usr/lib/keepass2/Plugins/
    3. For Linux, optional: install the mono-complete package if the plugin is not detected when running Keepass2 (you can check this under Tools/Plugins):
      sudo apt-get install mono-complete

    Keepass OTP Configuration

    Existing Database

    1. Open database as usual
    2. Select File/Change Master Key...

    New Database

    1. Create new database as usual

    Common

    1. Enter a master password (optional)
    2. Set Key file / provider to: One-Time Passwords (OATH HOTP)
    3. Click OK
    4. With Nitrokey App: select HOTP slot and generate HOTP secret (it will be copied to clipboard automatically).
    5. Paste the secret into the Keepass OTP plugin window
    6. Make sure the Counter field and the digit count are set the same in both windows. Click OK in the Nitrokey App to save the slot.
    7. Select secret type: Base32
    8. Set the other settings as you like. Please consult the plugin's manual (it should be in the same downloaded archive). I would recommend setting the look-ahead value to non-zero to prevent locking yourself out of the database after an accidental code request from the HOTP slot in use. In that case the counters on the device and in Keepass would be out of sync and the OTP codes would not match the expected ones.

    Unlocking Database

    1. Open database
    2. Enter the master password (if set)
    3. Set Key file / provider to: One-Time Passwords (OATH HOTP)
    4. Press OK
    5. Enter the HOTP codes by repeatedly choosing the proper HOTP slot in the Nitrokey App and pasting the clipboard content into the proper field (the order of the codes is important).
    6. Press OK

    Issues

    1. Due to the nature of the HOTP solution it is possible for the counters to become desynchronized (by selecting the wrong OTP slot during day-to-day use). Using the plugin's look-ahead setting should prevent that (a value of 10 or so should suffice, depending on the desired security requirements; this would allow 10 accidental requests). TOTP does not have that problem.
    2. Setting up the OTP protection can be error-prone. There is no secret validation on the OtpKeyProv side. In the test movie at 4:22 I managed to set the Base32-coded secret as Hex (which was not a proper hex value) and it did not complain about it. There is no information about what happened to the database and how it is now configured. I did not notice until I watched the movie.
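    To make the counter-desynchronisation issue and the look-ahead remedy concrete, here is an added example (not code from the Nitrokey documentation or from the OtpKeyProv plugin): an RFC 4226 HOTP generator, a verifier that accepts a code within a look-ahead window and resynchronises the stored counter, and a check of several codes entered in order as the plugin asks for them. The secret is the RFC 4226 test key, Base32-encoded the way the plugin expects (secret type Base32); the simulation of an accidental code request is constructed for this example.

```python
import base64
import hashlib
import hmac
import struct

# Constructed secret: the RFC 4226 test vector key "12345678901234567890",
# Base32-encoded as the OtpKeyProv plugin expects it (secret type "Base32").
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HOTP(K, C) = DynamicTruncate(HMAC-SHA1(K, C)) mod 10^digits."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_with_lookahead(secret_b32, stored_counter, code, look_ahead=0, digits=6):
    """Accept `code` if it matches any of the next look_ahead + 1 counters.
    Returns the resynchronised next counter, or None (database stays locked)."""
    for skipped in range(look_ahead + 1):
        candidate = stored_counter + skipped
        if hmac.compare_digest(hotp(secret_b32, candidate, digits), code):
            return candidate + 1                   # skip over the wasted codes
    return None


def verify_sequence(secret_b32, stored_counter, codes, look_ahead=0, digits=6):
    """Several codes entered in order (as in step 5 of Unlocking Database): the
    look-ahead applies to the first, the rest must be the immediately following
    counters. Returns the new counter or None."""
    counter = verify_with_lookahead(secret_b32, stored_counter, codes[0], look_ahead, digits)
    if counter is None:
        return None
    for code in codes[1:]:
        if not hmac.compare_digest(hotp(secret_b32, counter, digits), code):
            return None                            # wrong code or wrong order
        counter += 1
    return counter


def simulate_accidental_request(look_ahead, wasted=1):
    """Constructed scenario: the database expects counter 0, but `wasted` codes
    were requested from the slot and never entered, so the user now presents
    codes for counters wasted, wasted+1, wasted+2."""
    presented = [hotp(SECRET_B32, wasted + i) for i in range(3)]
    return verify_sequence(SECRET_B32, 0, presented, look_ahead)
```

    With look-ahead 0 the skipped code locks the database for good; with a window of 10 the three codes still verify and the stored counter jumps past the wasted one.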

    Tested under Ubuntu 16.10, Nitrokey App v0.6.3 and Nitrokey Storage v0.45.

  • Secure Web Login (U2F)

    For: Nitrokey U2F
    1. Use one of these browsers:
      1. Google Chrome
      2. Chromium
      3. Firefox with U2F Support Add-on
      4. macOS Safari with Safari-FIDO-U2F plugin
    2. Open one of the websites supporting U2F.
    3. Connect the Nitrokey U2F for registering it with your website account.
    4. Reconnect the Nitrokey U2F after each registration and login.
  • Development and Integration

    For: Nitrokey Pro
  • Development and Integration

    For: Nitrokey Storage
  • Development and Integration

    For: Nitrokey Start
  • Development and Integration

    For: Nitrokey HSM
    • Use OpenSC's commandline tools
    • If your application has a PKCS#11 interface, use OpenSC's PKCS#11 driver. Depending on your Linux distribution, the PKCS#11 driver may be located at /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so, for example.
    • If you use Java, you will find a JCE provider as part of Smart Card Shell.
    • You can find information about the n-of-m scheme here.
    • Secure Messaging can be used with the JCE provider.
    • Please register at the CardContact Developer Network to get access to the user manual and further tools.

Nitrokey - Made in Berlin