Nitrokey can be used with a large variety of 3rd party applications. Basically every application which uses GnuPG, Windows certificate store or a PKCS#11 interface can be used with the Nitrokey. This page gives an incomplete overview of the most popular applications and their usages.
Please send us your feedback or instructions if you sucessfully used Nitrokey with applications not listed here.
GnuPG is required for many use cases. It is a command line tool but usually you don't need to invoke it directly but use another application with user interface.
Don't use GnuPG in parallel with OpenSC or another PKCS#11 driver because both may interfere and unexpected issues may result.
If you want to use S/MIME email encryption with Thunderbird, to use TrueCrypt/VeraCrypt, certificate-based SSL authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software, you should install OpenSC.
Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine. If you want to use Nitrokey with both GnuPG and PKCS#11, generate the keys with GnuPG.
Don't use PKCS#11 in parallel with GnuPG because both may interfere and unexpected issues may result. (There is another promising project scd-pkcs11 in development which may overcome this limitation eventually. Currently it's limit to the authentication certificate and not widely tested yet.)
Instructions, how to create a valid X.509 certificate with Nitrokey (1, 2, 3). These are general instructions how to use X.509 certificates.
The recommended PKCS#11 driver is OpenSC. Alternatively, you could use Peter Koch's PKCS#11 driver which has the following limitations:
This Mini Driver allows to integrate Nitrokey with Window's certificate store. Subsequently all applications which use this certificate storage can be used with Nitrokey (e.g. Internet Explorer, Google Chrome web browser, Windows Login). To install the driver, you may need to allow the installation of unsigned drivers first.
All applications of Aloaha are working with the Nitrokey. This includes a middleware to integrate Nitrokey with other PKCS#11 based applications and with Windows as well as applications to encrypt and sign PDFs and the hard disk.
GnuPG is required in many use cases to initialize and use the Nitrokey. It is a command line tool but usually you don't need to invoke it directly.
Instruction how to use Nitrokey with GnuPG (command line). Please note: The Fellowship smart card is similar to the Nitrokey Pro so that this instructions work Nitrokey as well. In general the official documentation is recommendable.
If you want to use S/MIME email encryption with Thunderbird, to use TrueCrypt/VeraCrypt, certificate-based SSL authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software, you should install OpenSC.
Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine. If you want to use Nitrokey with both GnuPG and PKCS#11, generate the keys with GnuPG.
Don't use PKCS#11 in parallel with GnuPG because both may interfere and unexpected issues may result. (There is another promising project scd-pkcs11 in development which may overcome this limitation eventually. Currently it's limit to the authentication certificate and not widely tested yet.)
Instructions, how to create a valid X.509 certificate with Nitrokey (1, 2, 3). These are general instructions how to use X.509 certificates.
The recommended PKCS#11 driver is OpenSC. Alternatively, you could use Peter Koch's PKCS#11 driver which has the following limitations:
P11-glue uses PKCS#11 as glue between crypto libraries and security applications on the open source desktop.
GnuPG is required in many use cases to initialize and use the Nitrokey. It is a command line tool but usually you don't need to invoke it directly.
Instruction how to use Nitrokey with GnuPG (command line). Please note: The Fellowship smart card is similar to the Nitrokey Pro so that this instructions work Nitrokey as well. In general the official documentation is recommendable.
If you want to use S/MIME email encryption with Thunderbird, to use TrueCrypt/VeraCrypt, certificate-based SSL authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software, you should install OpenSC.
Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine. If you want to use Nitrokey with both GnuPG and PKCS#11, generate the keys with GnuPG.
Don't use PKCS#11 in parallel with GnuPG because both may interfere and unexpected issues may result. (There is another promising project scd-pkcs11 in development which may overcome this limitation eventually. Currently it's limit to the authentication certificate and not widely tested yet.)
Instructions, how to create a valid X.509 certificate with Nitrokey (1, 2, 3). These are general instructions how to use X.509 certificates.
To access Nitrokey devices read-only, download and install this Mini Driver (CSP). If you are using Windows Server you may need to disable the driver signature verification before being able to install the driver.
To generate keys, create certificates and enroll Nitrokeys to your users, the following instructions, applicable for Nitrokey HSM, may be useful. Note that the Mini Driver for Nitrokey Pro may not work yet for write mode:
Select your use case:
You have two options: pam_p11 or Poldi.
Poldi 0.4.1 works flawlessly with Nitrokey for PAM authentication. The following steps are needed to get it working.
It is necessary to already have keys generated on the Nitrokey, as the authentication key is used by PAM.
To get it working you first have to register your Nitrokey. Add one line to /etc/poldi/localdb/users with with Nitrokey's serial number (from "gpg --card-status | grep Application"):
And then dump the public key from the Nitrokey into poldi local db:
sudo sh -c 'gpg-connect-agent "/datafile /etc/poldi/localdb/keys/D00600012401020000000000xxxxxxxx" "SCD READKEY --advanced OPENPGP.3" /bye'
Please be aware that you have to change the serial number in the lines above with the one of your stick!
Then you have to configure PAM. Just add "auth sufficient pam_poldi.so" to pam configuration files according to your needs:
Note: Pam is dangerous to play around with, so make sure you have a way of accessing the machine if you break authentication completely. Remember that booting into rescue mode from Grub requires a root password, so keep that or a live CD which can read your filesystems to hand.
Here you find further instructions (in German, partially outdated).
One-Time-Passwords (OTP) are used for secure login to websites and local applications.
Two OTP modes exist:
In addition to the usage described above, you can use HOTPs with an USB Keyboard (internal laptop keyboards don't work) directly without using the Nitrokey App.
For Google login see here.
Prior of using the encrypted mobile storage you need to install and initialize the Nitrokey Storage and download the latest Nitrokey App.
Hidden volumes allow to hide data in the encrypted volume. The data is protected with an additional password. Without the password the data existence's can't be proven. Hidden volumes are not setup by default so that their existence can be denied plausibly. The concept is similar to VeraCrypt's/TrueCrypt's hidden volume but with Nitrokey Storage the entire functionality of hidden volumes is implemented in hardware.
You can configure up to four hidden volumes. Once unlocked, hidden volumes behave like ordinary storage where you can create various partitions, filesystems and store files as you like.
Configure Hidden Volumes:
In case you use two or more hidden volumes, note that their storage area must not overlap. Otherwise they would override and destroy each other's data. Each hidden volume would require a different password.
Usage of Hidden Volumes:
It is possible to use the PGP smartcard of the Nitrokey on an Android device in combination with OpenKeychain. This enables one to encrypt/decrypt E-Mails or files.
Tested with Nitrokey Pro and Storage in combination with Android 7.1, OpenKeychain 4.5 and K9Mail 5.207. Please be aware that this is not supported officially yet. One user reported problems with this setup.
It is recommended to have already created the PGP keys on the Nitrokey as there are still errors when trying to generate keys within OpenKeychain.
To import the keys of the Nitrokey you should at first start the OpenKeychain app. Then insert the Nitrokey with the USB OTG cable. OpenKeychain starts a dialog to use the Nitrokey (you may have to accept the usage of the key with OpenKeychain first). Now you can choose between looking for public key on a keyserver or choosing the public key from storage. After the public key got imported you have to tap on 'connect key' to import a reference to the private key of the Nitrokey. That’s basically it.
You can use all functions of OpenKeychain and Apps which make use of OpenKeychain. Therefore you can just encrypt/decrypt messages or files by hand using the app directly or for example you combine K9Mail with OpenKeychain to decrypt your mails automatically. It is important to choose the right key in the K9Mail account settings first.
Note that you may have to enable the on-screen keyboard in the android settings to type the PIN as the system recognizes the Nitrokey as a physical keyboard and therefore tries to hide the on-screen keyboard. Go to 'Language and Input' > 'Current Keyboard' > 'Hardware show input method'.
Not yet possible.
Nitrokey Storage allows to configure hidden volumes, similarly to VeraCrypt's hidden volumes but implemented in hardware. Instructions will be added here.
Note: Two different email encryption formats exist:
If unsure which format to use, choose OpenPGP.
Thunderbird is a popular and open source email client. The add-on Enigmail provides OpenPGP email encryption functionality.
Thunderbird is a popular and open source email client which can encrypt emails in S/MIME format out-of-the-box.
Evolution is the email client of GNOME which supports OpenPGP- and S/MIME-based email encryption.
OpenPGP:
S/MIME:
Claws Mail is an email client (and news reader) for Linux and Windows, based on GTK+, with focus on quick response.
Encrypt your e-mail using the S/MIME industry standard available in all major e-mail clients.
The Nitrokey HSM has been tested to work with Mozilla Thunderbird and Microsoft Outlook. Other e-mail clients with support for PKCS#11 or Microsoft CSP should work as well.
TrueCrypt and it's successor VeraCrypt are free and open-source disk encryption software for Window, Mac OS X, and Linux. Follow these steps to use it with Nitrokey:
Security Consideration: Please note that TrueCrypt/VeraCrypt doesn't make use of the full security which Nitrokey (and smart cards in general) offer. Instead it stores a keyfile on the Nitrokey which theoretically could be stolen by a computer virus after the user enters the password.
Note: Aloaha Crypt is based on TrueCrypt but without the described security limitation.
Here are excellent instructions how to use Nitrokey to encrypt your hard disk under Linux with LUKS/dm-crypt. Other instruction.
Prerequisite: Please ensure that you installed the device driver, changed the default PINs and generated or imported keys.
An easy to use encrypted file system is EncFS, which is based on FUSE. You may follow these steps to use it with very long passwords and Nitrokey:
Initialization
Enter a long passphrase into a key file: $ echo "Your long secret passphrase" > keyfile Encrypt the key file: $ gpg -e keyfile Remove the key file in clear text: $ rm keyfile Create mount point: $ mkdir ~/.cryptdir.encfs ~/cryptdir Select paranoia mode and enter "Your long secret passphrase" as password: $ encfs ~/.cryptdir.crypt ~/cryptdir Unmount the new file system: $ fusermount -u ~/cryptdir
Usage
# Mount encrypted file system and enter PIN of Nitrokey: $ gpg -d key.gpg | encfs -S ~/.cryptdir ~/cryptdir # After usage, unmount the file system: $ fusermount -u ~/cryptdir
eCryptfs is a file based transparent encryption file system for Linux which can be used with Nitrokey through a PKCS#11 driver. See these instructions. Alternatively, try ESOSI or follow these steps using OpenSC and OpenVPN:
Warning: This will delete existing keys on your Nitrokey!
# Import the certificate and key to the Nitrokey
$ pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key user@example.com.p12 --format pkcs12 --auth-id 3 --verify-pin
# Create the file ~/.ecryptfsrc.pkcs11:
$ editor ~/.ecryptfsrc.pkcs11
# Enter this content:
$ pkcs11-log-level=5
pkcs11-provider1,name=name,library=/usr/lib/opensc-pkcs11.so,cert-private=true
$ openvpn --show-pkcs11-ids path to opensc-pkcs11 module
Certificate
DN: /description=Iv4IQpLO02Mnix9i/CN=user@example.com/emailAddress=user@example.com
Serial: 066E04
Serialized id: ZeitControl/PKCS\x2315\x20emulated/000500000c7f/OpenPGP\x20card\x20\x28User\x20PIN\x29/03
# Copy the serialized id for later usage:
$ ecryptfs-manager
# This will show list option. Choose option "Add public key to keyring"
# Choose pkcs11-helper
# Enter the serialized ID of step 3 to PKCS#11 ID.
TrueCrypt and it's successor VeraCrypt are free and open-source disk encryption software for Window, Mac OS X, and Linux. Follow these steps to use it with Nitrokey:
Security Consideration: Please note that TrueCrypt/VeraCrypt doesn't make use of the full security which Nitrokey (and smart cards in general) offer. Instead it stores a keyfile on the Nitrokey which theoretically could be stolen by a computer virus after the user enters the password.
Note: Aloaha Crypt is based on TrueCrypt but without the described security limitation. (Not tested with Nitrokey HSM)
Starting with version 2.1, GnuPG has build-in but limited support for the Nitrokey HSM. Use the gpgsm tool to sign, verify, encrypt and decrypt files or S/MIME messaging using your Nitrokey HSM. Use a signature key on a Nitrokey HSM to sign documents using Acrobat Reader, Open Office / Libre Office or any other PDF reader supporting electronic signatures.
ECC HSM Encryptor is a small application to encrypt and decrypt files with a Nitrokey HSM.
Aloaha provides several applications to encrypt and sign PDFs. All of them, which allow smart card integration, work with Nitrokey.
Use the gpgsm tool to sign, verify, encrypt and decrypt files. Use a signature key on a Nitrokey to sign documents using Acrobat Reader, Open Office / Libre Office or any other PDF reader supporting electronic signatures.
The Gnu Privacy Assistant (GPA) recognizes Nitrokey out-of-the-box, has various features to manage keys and cards. It also allows file operations such as file encryption, decryption, signing.
GpgEx integrates smoothly into Windows Explorer to allow encryption and decryption of files. Install it as part of the GPG4Win package.
SOPS is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP. You can find it on github.
Before you start to use any of these applications with your Nitrokey, please ensure that you installed the device driver and initialized the stick (e.g. generated keys).
Certificate-based login with TLS and web browser is a very secure authentication method but it is only used rarely. If you are unsure what this means, this approach is most likely not relevant for you.
This page refers to websites and applications which support certificate authentication, so that users don't need to enter username and password when login. For instance WebID is a great protocol which makes use of it. Certificate authentication can be used easily with the Nitrokey and also with any other certificate storages.
You need to install the PKCS#11 driver:
Now you are ready to access websites which provide certificate authentication.
Install this Mini Driver for Windows. Now you are ready to access websites which provide certificate authentication.
Under Windows, install this Mini Driver. Under Linux, follow these instructions. Now you are ready to access websites which provide certificate authentication.
WebID is a technology to enable secure and federated social websites. Here is a video (WebM, Ogg video, H.264) which demonstrates how to use Nitrokey to create a WebID profile and subsequently to use it in an Internet cafe in Singapore. Nitrokey protects against computer viruses which might otherwise steel the username and password.
| Web Site | Category |
|---|---|
| CAcert | community-based Certificate Authority |
| PrivaSphere | Secure messaging |
| StartCom | Certificate Authority |
| HM Revenue & Customs | UK's tax administration |
| Application | Category |
|---|---|
| Roundcube (plugin) | Webmail |
| Drupal (WebID, Certificate login) | Content management system |
| Media Wiki (plugin) | Wiki |
| Joomla! | Content management system |
| Apache + mod_ssl | Web server |
| OpenSSH | SSH (remote secure shell) client and server |
| Wordpress (plugin) | Blog and CMS |
| Tivoli | System management framework |
| Globalscape EFT | managed file transfer (MFT) |
| Oracle Identity Manager | I&AM |
| Fuse Source | Middleware |
| Liferay | Blog |
| FusionForge | web-based project-management and collaboration software |
This website is a good read about strong authentication mechanisms, why client certificate authentication isn't popular and better alternatives at the horizon.
Protect access to sensitive information on your website with 2nd factor authentication.
Use a Nitrokey HSM as authentication token via the build-in device authentication PKI or use keys and certificates on a Nitrokey HSM for TLS/SSL client authentication.
Alternative versions of PuTTY can be used as well: KiTTY , Peter Koch's modified PuTTY. Configure KiTTY/PuTTY to load the PKCS#11 driver as displayed in the following screen shot:
In case ssh-pageant doesn't work with git right away, try the following steps:
Now git uses PuTTY which uses gpg-agent to access the Nitrokey.
WinSCP is a free SFTP client for Windows.
Another instruction is this (Section use eToken with OpenSSH). The tutorial uses a different card, but the same approach applies for Nitrokey. Note: That tutorial export SSH key from Key ID 45 with "pkcs15-tool --read-ssh-key 45 >> .ssh/authorized_keys" but our OpenPGP card will export from Key ID 3 with "pkcs15-tool --read-ssh-key 3"
Alternatively, information on OpenSSH secure shell and X.509 certificates.
Protect your domain name resolution using DNSSEC and a Nitrokey HSM as secure key store. It's based on Smartcard-HSM which is why the following resource apply:
With it's unique build-in device authentication PKI, a Nitrokey HSM has a cryptographically protected unique identity that can be verified in a fast authentication protocol. An access control terminal can verify authenticity and identity of the device, create a secure communication channel and perform offline PIN verification. The coolPACS project has all the details.
See this link for further information.
Strong Swan could work using the PKCS#11 driver.
Stunnel works as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code.
CA keys are very sensitive and must not be compromised or lost.
Nitrokey HSM integrates well with industry solutions like EJBCA or XCA.
µ-CA-tool is a script based on GnuPG, OpenSC and OpenSSL which helps to perform basic tasks of a CA. It works with Nitrokey Pro and Nitrokey Storage.
You have the following options:
You can also follow this video (It contains a mistake around time 4:22 which is described later below).
sudo add-apt-repository ppa:jtaylor/keepass sudo apt-get update sudo apt-get install keepass2
sudo apt-get install mono-complete
Tested under Ubuntu 16.10, Nitrokey App v0.6.3 and Nitrokey Storage v0.45.