Frequently Asked Questions (FAQ)

  • General

    General product-specific questions and answers.

    • What happens if I lose my FIDO device?

      When securing accounts using FIDO (two-factor authentication and passwordless login), you should configure another factor in your account as a backup. Depending on the service this backup factor can be a phone number, an app or even a second Nitrokey FIDO2. If you lose a Nitrokey FIDO2, you can still log in with the second Nitrokey FIDO2 (or with another second factor).

    • Can I backup the internal keys?

      It depends. No one can copy the keys which are stored on the Nitrokey. But depending on the key creation process you can still store a backup of the keys elsewhere.

      If you want to have a backup of your keys, you need to think about it when creating the keys. More information and options for the key creation can be found in our documentation.

    • What can I use the Nitrokey for?

      See the frontpage for an overview of supported use cases.

    • Which operating systems and applications are supported?

      Supported operating systems: Windows, Linux, and Mac OS X.

      Supported applications: See the documentation.

    • How large is the storage capacity?

      Nitrokey Pro, Nitrokey Start, Nitrokey HSM and Nitrokey U2F don't contain storage capability for ordinary data (they can only store cryptographic keys and certificates).

      Nitrokey Storage can store and encrypt 8, 32, or 64 GB of data (depending on particular model).

    • What is the default PIN/password?

      • User PIN: "123456"
      • Administrator PIN: "12345678"
      • Firmware Password (Nitrokey Storage only): "12345678"
      • SO-PIN (Nitrokey HSM only): "3537363231383830"

      We strongly recommend changing these PINs/passwords to user-chosen values before using the Nitrokey.

    • What is the maximum length of the PIN?

      Nitrokey uses PINs instead of passwords. The main difference is that the hardware limits the number of attempts to three, while no such limit exists for passwords. Because of this, a short PIN is still secure and there is no need to choose a long and complex PIN.

      Nitrokey Pro's and Storage's PINs can be up to 20 digits long and can consist of numbers, letters and special characters. Note: with GnuPG or OpenSC, PINs of up to 32 characters can be used, but they aren't supported by the Nitrokey App.

    • What is user/admin/firmware PIN/password for?

      User PIN

      The user PIN is at least 6 digits long and is used to get access to the content of the Nitrokey. This is the PIN you will use a lot in everyday use, e.g. for decrypting messages, for unlocking your encrypted storage (NK Storage only) etc.

      The user PIN can have up to 20 digits and other characters (e.g. alphabetic and special characters). But as the user PIN is blocked as soon as three wrong PIN attempts have been made, a 6-digit PIN is sufficiently secure. The default PIN is 123456.

      Admin PIN

      The admin PIN is at least 8 digits long and is used to change contents/settings of the Nitrokey. That is to say, after initializing the Nitrokey you probably won't need this PIN too often (e.g. if you want to add another password to the password safe of the Nitrokey Pro or Nitrokey Storage).

      The admin PIN can have up to 20 digits and other characters (e.g. alphabetic and special characters). But as the admin PIN is blocked as soon as three wrong PIN attempts have been made, an 8-digit PIN is sufficiently secure. The default PIN is 12345678.

      Firmware password

      The firmware password should meet general password recommendations (e.g. use alphabetic characters, digits and special characters, or use a sufficiently long password). The firmware password is needed to update the firmware of the Nitrokey Storage. See further instructions for the update process here.

      The firmware password is never blocked. An attacker could try to guess the password and would have unlimited attempts. Therefore you must choose a strong password. The default password is 12345678.

      SO PIN

      The SO PIN is used in the Nitrokey HSM only and is something like a "master" PIN with special properties. Please read these instructions carefully to understand the SO PIN of the Nitrokey HSM.

    • How many keys can I store?

      The Nitrokey Pro, Nitrokey Start and Nitrokey Storage can store three RSA key pairs. All keys use the same identity but are used for different purposes: authentication, encryption and signing.

      Nitrokey HSM can store 20 RSA-2048 and 31 ECC-256 key pairs.

      Nitrokey U2F stores a single ECC key pair but can be used with an unlimited amount of user accounts.

    • Which algorithms and maximum key length are supported?

      This is an overview of the capabilities of the Nitrokeys. Please click on the device heading for the factsheet.

      [Table of supported curves per device; the support marks of the table did not survive extraction.]
      Columns: Start, Pro + Storage, Pro 2 + Storage 2, HSM, HSM 2
      Rows: NIST-P 192, NIST-P 256, NIST-P 384-521, Brainpool 192, Brainpool 256-320, Brainpool 384-521

    • How many data objects (DF, EF) can be stored?

      Nitrokey HSM 2

      76 KB EEPROM total, max. 150 x ECC-521 keys, max. 300 x ECC/AES-256 keys, max. 19 x RSA-4096 keys, max. 38 x RSA-2048 keys

      Nitrokey HSM

      124 data objects (DF, EF) can be created. Each EF can have a size of up to 256 bytes. The total storage capacity of ca. 32 KByte is shared dynamically among keys and data objects.

    • How fast is encryption and signing?

      In general, encrypting and decrypting emails, hard disks and any other type of (large) data with the Nitrokey causes almost no performance reduction. This is because of the hybrid encryption approach: a symmetric cipher such as AES encrypts gigabytes of data on the computer, and only the session key is sent to the Nitrokey to be decrypted with RSA.

      Nitrokey HSM:

      • Key generation on-card: RSA 2048: 2 per minute
      • Key generation on-card: ECC 256: 10 per minute
      • Signature creation with off-card hash: RSA 2048: 100 per minute
      • Signature creation with off-card hash: ECDSA 256: 360 per minute
      • Signature creation with on-card SHA-256 and 1 kb data: RSA 2048: 68 per minute
      • Signature creation with on-card SHA-256 and 1 kb data: ECDSA 256: 125 per minute

      Nitrokey Storage's mass storage: Storing files on the encrypted mass storage runs at 5-6 MByte/s (both read and write).

      Nitrokey Pro and Storage (v1)

      Internal performance for a single 16 byte block without input/output to the smart card:

      • 100 decryptions: AES 128: 169 milliseconds
      • 100 decryptions: AES 192: 162 milliseconds
      • 100 decryptions: AES 256: 170 milliseconds
      • 100 encryptions: AES 128: 147 milliseconds
      • 100 encryptions: AES 192: 158 milliseconds
      • 100 encryptions: AES 256: 168 milliseconds

      Nitrokey Pro and Storage (v2)

      Encryption of 50 KiB of data:

      • 256 bit AES, 2048 bytes per command -> 880 bytes per second
      • 128 bit AES, 2048 bytes per command -> 893 bytes per second
      • 256 bit AES, 240 bytes per command -> 910 bytes per second
      • 128 bit AES, 240 bytes per command -> 930 bytes per second

    • Do Nitrokeys contain a secure chip or just a normal microcontroller?

      Nitrokey Pro, Nitrokey HSM and Nitrokey Storage contain a tamper-resistant smart card. To some extent this also applies to Nitrokey U2F, but its chip is of lower quality. Nitrokey Start is implemented on an ordinary microprocessor.

    • How good is the Random Number Generator (RNG)?

      Nitrokey Pro and Nitrokey Storage:

      Nitrokey Pro and Nitrokey Storage use a True Random Number Generator (TRNG) for generating keys on the device. The entropy generated by the TRNG is used for the entire key length. Therefore the TRNG is compliant with BSI TR-03116.

      The TRNG provides about 40 kbit/s.

      Nitrokey HSM:

      Nitrokey HSM uses the TRNG of JCOP 2.4.1r3 which has a quality of DRNG.2 (according to AIS 31 of the BSI).

      Please see here.

    • Is Nitrokey Common Criteria or FIPS certified?

      Nitrokey's products as a whole aren't Common Criteria or FIPS certified, but they are available as Open Source for your own evaluation.

      Nitrokey Storage (1 and 2)

      Cure53 has performed an independent security audit of the Nitrokey Storage's hardware, firmware, and Nitrokey App.

      The security controller's hardware is Common Criteria certified (Report; See here, click "ICs, Smart Cards and Smart Card-Related Devices and Systems" and search for "NXP Smart Card Controller P5CD081V1A and its major configurations P5CC081V1A, P5CN081V1A, P5CD041V1A, P5CD021V1A and P5CD016V1A each with IC dedicated Software").

      Nitrokey Pro (1 and 2)

      The security controller's hardware is Common Criteria certified (Report; See here, click "ICs, Smart Cards and Smart Card-Related Devices and Systems" and search for "NXP Smart Card Controller P5CD081V1A and its major configurations P5CC081V1A, P5CN081V1A, P5CD041V1A, P5CD021V1A and P5CD016V1A each with IC dedicated Software").

      Nitrokey HSM 1

      The security controller's hardware and operating system are Common Criteria certified (Report; See here, click "ICs, Smart Cards and Smart Card-Related Devices and Systems" and search for "NXP J3A080 v2.4.1 Secure Smart Card Controller (JCOP v2.4.1)").

      Nitrokey HSM 2

      The security controller's hardware and operating system are Common Criteria certified (Security Target; Report; See here, click "ICs, Smart Cards and Smart Card-Related Devices and Systems" and search for "NXP JCOP 3 P60").

  • Development

  • Shop and Delivery

    • How long does the shipping take?

      Letter and Registered Mail:

      • Germany: 2-5 business days
      • EU: 5-10 business days
      • World wide: 2-3 weeks


      • Germany: 1-3 business days
      • EU: 2-5 business days
      • World wide: 5-10 business days

    • Pricing and VAT

      The Nitrokey GmbH has a heterogeneous customer base, private and enterprise customers, from Germany as well as inside and outside of the EU. With the pricing we want to ensure that all customers pay a uniform rate. For example, a large international corporation should pay just as much as a German private customer. Accordingly, the gross price (incl. VAT) for German private customers equals the net price (excluding VAT) for EU enterprise customers and all customers outside of the EU. This approach has been audited and is legally correct.

    • How is the Bitcoin exchange rate calculated?

      At the time of ordering, our system takes the exchange rate from and adds 10% on top of it. The 10% covers our handling fees (exchanging Bitcoins back to Euro) and the risk implied by the floating exchange rate.

    • Returning goods

      To return goods (e.g. a Nitrokey):

      1. In case of a hardware defect, you can contact us and we will send you a shipping label.
      2. Pack the device in an air cushion envelope (not in an ordinary envelope!).
      3. Include the delivery slip or printout of the invoice with the shipment.
      4. Add a note of the reason for the return, e.g. "Withdrawal of the purchase" or "Exchange due to defect". It is sufficient to note the reason in handwriting on the enclosed invoice or delivery note.
      5. Address the mailing to our address.

  • Usage and Troubleshooting

    Usage-specific questions and answers.

    • "OpenPGP card not available"


      If you experience the following error under your GNU/Linux system:

      $ gpg --card-status OR $ gpg --card-edit
      gpg: selecting openpgp failed: unknown command
      gpg: OpenPGP card not available: general error

      Several things may have gone wrong. If you have just started using the Nitrokey and never used it before, have a look at the UDEV rules section below first. If you have used the device for some time, there may be programs which try to use the Nitrokey exclusively and thus block the OpenPGP card, so look at the other options below. Last but not least: it might help to unplug and plug in the Nitrokey once.

      UDEV rules are missing

      The easiest way to fix this is to install the Nitrokey App. If you use the Nitrokey App in version 1.2 or higher, you should be fine.

      If you prefer manually installing the UDEV rules please use the following commands:

      sudo mv 41-nitrokey.rules /etc/udev/rules.d/


      You can execute the following command to solve the problem for the current session only: "pkill -f gnome-keyring-daemon".
      See this and that discussion to solve the problem permanently.

      Other applications

      Have a look at the applications you installed for use with the Nitrokey and check whether they may be blocking it. For example, OpenSC can make your Nitrokey stop working. After finding out which program provokes this kind of behaviour, you may be able to fix the problem. You can ask for help in the forum as well.

      Mac OS

      1. Remove your Nitrokey
      2. Execute in the terminal sudo mv /System/Library/Security/tokend/OpenSC.tokend ~/Desktop

      Now, plug in your Nitrokey and use it with GnuPG.

      To undo the change in order to use it with OpenSC:

      1. Remove your Nitrokey
      2. Execute in the terminal sudo mv ~/Desktop/OpenSC.tokend /System/Library/Security/tokend/

    • How to troubleshoot?

      Troubleshooting related to GnuPG

      1. Connect your Nitrokey to your computer and verify that the device is recognized correctly and the driver is loaded. The LED of the stick should flash for a moment and then stop shining.
        • Linux: $ tail -v /var/log/syslog

        • Mac OS: $ tail -f /var/log/system.log

        • Windows: Start -> Preferences -> Control Panel -> System -> Hardware -> Device Manager -> Smart card adapter

      2. Check if GnuPG recognizes the device: gpg --card-status resp. gpg2 --card-status (depending on the version) should deliver some status information of the Nitrokey.

      3. If both GnuPG version 1 and version 2 are installed, verify if your email application uses the correct version of GnuPG. You may modify it in the appropriate preferences.
      4. Verify that you use a current version of GnuPG, at least 1.4.10 resp. 2.0.18.

      5. Try using GnuPG 1 instead of GnuPG 2.

      6. Remove the packages openct and opensc because they may interfere with GnuPG.

      7. Use 2048 bit keys instead of 3072 or 4096 bit keys.

      8. Test the Nitrokey on another computer or with another operating system.

      9. Reset the device and delete all keys.

      10. Add the following lines to ~/.gnupg/scdaemon.conf and provide the resulting log file for debugging purposes, where <username> is the name of your user account.
        debug 2048
        log-file /home/<username>/scdaemonlog.txt

      Troubleshooting related to OpenSC with Nitrokey HSM

      1. Set the environment variable OPENSC_DEBUG=9 or configure it in opensc.conf
      2. Provide OpenSC's log file.

    • Nitrokey Storage doesn't work anymore under Windows after upgrading the firmware

      1. Repeat the steps in section "Update the Firmware with the Update Tool".
      2. Use this tool to delete all entries with USB Devices ProductID 4109 and VendorID 20A0 in the registry.
      3. Reset the Nitrokey device.
      4. Install and use the latest App.

    • On my MacOS keyboard the keys < and ^ are swapped

      Delete the file /Library/Preferences/ and restart your computer.

    • How to reset a Nitrokey?

      Warning: When resetting the Nitrokey, all information on the device gets lost! If you have multiple devices or other smart card readers, please make sure only the one you want to reset is connected!

      Nitrokey Pro and Nitrokey Storage:

      Option 1, if the device is not fully blocked and you remember the valid Admin PIN: use the Nitrokey App to reset the Nitrokey.

      Open a terminal (for example on Windows: press the Start button and enter "cmd") and start the Nitrokey App with "nitrokey-app --admin". Click on the Nitrokey App's tray icon, select "Configure" and "Factory reset".

      Option 2, to reset a blocked device with GnuPG 2.1 or newer:

      1. Download and install GnuPG (Linux), GPG Suite (macOS), or Gpg4win (Windows).
      2. Ensure that you use GnuPG 2.1 or newer: "gpg2 --version"
      3. Reset device: "gpg2 --card-edit" -> "admin" -> "factory-reset"
      4. Open the Nitrokey App and choose Menu -> Configure -> "Destroy encrypted data".

      Option 3, to reset a blocked device using OpenSC:

      1. Install OpenSC and execute "openpgp-tool --erase" in a terminal.
      2. Open the Nitrokey App and choose Menu -> Configure -> "Destroy encrypted data".

      Nitrokey Start:

      You can find out the version of your device by executing gpg --card-status (the version number is behind 'FSIJ' in the 'Reader' field). To upgrade your device see these instructions (admin PIN needed!).

      Nitrokey Start firmware 1.2.6 and newer:

      1. Ensure that you use GnuPG 2.1 or higher: "gpg --version"
      2. Reset device: "gpg2 --card-edit" -> "admin" -> "factory-reset"

      Nitrokey Start firmware 1.2.2 to 1.2.4:

      If and only if the device is not blocked (the PIN wasn't typed in wrong too often) you can use the same procedure as for newer firmware (see above). You need the reset code to unblock the device, or you cannot use the device anymore!

      Nitrokey Start firmware 1.0:

      In order to reset a Nitrokey Start 1.0, you need to define a public key for firmware updates beforehand! In case of a blocked device it enables you to perform a firmware update, which resets the device.

      You may also define a reset code which enables the reset of the User PIN (not Admin PIN).

      Nitrokey HSM:

      As long as you know the unblocked SO-PIN you can initialize the device as described here. There is no way of resetting the Nitrokey HSM if the SO-PIN is forgotten or entered wrongly 15 times. In that case the device can't be used anymore.

    • Why is TOTP not working for me?

      A Time-based One-time Password (TOTP) is created based on the system time of the computer the Nitrokey is used on. When logging in to a service with TOTP as a second factor, both entities, the web service and the Nitrokey App, calculate a TOTP based on their current time. The web service compares the TOTP that the user has provided with the one that it has calculated itself. The authentication only succeeds if the TOTP codes are identical.

      If your computer does not have the correct date and/or time, the TOTPs will differ. This is the most common problem when using TOTP codes. Therefore, please make sure to have a correctly synchronized system time if you have problems logging in to a web service. Most operating systems synchronize the time automatically.
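      As an added example (not from this FAQ or from the Nitrokey App), the Go program below implements RFC 6238 TOTP and replays the comparison described above with the RFC's test secret and test time as constructed input: a client clock 9 seconds behind still falls into the same 30-second step and is accepted, while one only 2 seconds ahead crosses a step boundary and is rejected.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const stepSeconds = 30 // the default TOTP time step

// TOTP computes the 6-digit RFC 6238 code for secret at time t: HOTP (RFC 4226) over
// the counter floor(unix(t)/30) with HMAC-SHA1 and dynamic truncation.
func TOTP(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/stepSeconds))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Verify is the service side as the FAQ describes it: recompute the code from the
// service's own clock and accept only an identical one (constant-time comparison).
func Verify(secret []byte, submitted string, serverTime time.Time) bool {
	return hmac.Equal([]byte(TOTP(secret, serverTime)), []byte(submitted))
}

// LoginWithSkew models a client whose clock is off from the service's clock by skew
// and reports whether the code it generates would be accepted.
func LoginWithSkew(secret []byte, serverTime time.Time, skew time.Duration) bool {
	return Verify(secret, TOTP(secret, serverTime.Add(skew)), serverTime)
}

func main() {
	secret := []byte("12345678901234567890") // constructed input: the RFC 6238 test secret
	server := time.Unix(1111111109, 0)       // an RFC 6238 test time (expected code 081804)
	fmt.Println("service code:", TOTP(secret, server))
	for _, skew := range []time.Duration{-9 * time.Second, 2 * time.Second, 3 * time.Minute} {
		fmt.Printf("client clock off by %4v: login ok = %v\n", skew, LoginWithSkew(secret, server, skew))
	}
}
```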

    • How to use the Nitrokey with multiple computers?

      Prerequisite: An initialized Nitrokey with keys being generated.

      On a computer other than the one you generated the keys on, you need to inform GnuPG about the Nitrokey. You have two options for doing so:

      If you published your public key on your website you should program that URL into your smartcard in the "URL of public key" section (gpg --card-edit, admin, url). In addition or instead you may want to publish your public key on a key server. When you get to a new computer, you can insert the card, run "gpg --card-edit", then run "fetch" and GPG will fetch the public key from the URL. If there's no URL entered then it will attempt to retrieve the public key from the keyserver.

      Alternatively, you can copy and import the public key manually from a flash drive for instance. In this case you have to insert the device and run "gpg --card-status". (Now the general key info will be correctly populated, and new pseudo-secret stubs will be created.)

      In any case the keyring file (e.g. ~/.gnupg/pubring.gpg) which contains the public keys of your contacts has to be copied manually.

      See this more detailed description.

    • How to update the firmware of Nitrokey Storage?

      See these instructions.

    • How to update the firmware of Nitrokey Start?

      See these instructions (on GitHub).

    • How to update the firmware of Nitrokey HSM?

      The Nitrokey HSM 2 can be updated as described here.

    • Ubuntu: Tray icon is displayed at the wrong corner of the screen

      Execute the following commands in a terminal.

      $ sudo apt-add-repository ppa:gurqn/systray-utopic
      $ sudo apt-get update
      $ sudo apt-get upgrade

      Logout and login again to your computer account.

    • Key generation fails with Nitrokey Start

      Nitrokey Start doesn't support overwriting keys in firmware versions prior to 1.2 (see 'gpg --card-status'; the number after "FSIJ-" is the firmware version). Once keys have been generated or written, you should use the Python script to remove keys.

      On firmware versions 1.2 or higher you can overwrite the keys. But please note that your PIN gets reset to factory defaults when overwriting the keys!

    • How to make GnuPG release exclusive smartcard access?

      GnuPG blocks the smart card so that other applications can't access it in "parallel" (within several minutes or within the same user session).


      1. This gives up on the card immediately:
      "gpgconf --kill scdaemon"
      On Unix you may also execute "pkill scdaemon".
      2. This delays the smart card release until all scdaemon clients have sent a disconnect:
      Put "card-timeout 1" into scdaemon.conf and run "gpg-connect-agent disconnect /bye" if you do not need the OpenPGP card anymore.
      3. Patch GnuPG itself and recompile. The relevant pcsc_connect call:

        err = pcsc_connect (reader_table[slot].pcsc.context,

        err = pcsc_connect (reader_table[slot].pcsc.context,

      The call is found at the following locations:
      • GPG1.4: Once in g10/apdu.c:1278
      • GPG2.0: Once in scd/apdu.c and twice in scd/pcsc-wrapper.c
      • GPG2.1: Once in scd/apdu.c

    • Which GnuPG, OpenSC and libccid versions are required?

      GnuPG 2.1.17 or newer.

      OpenSC 0.18 or newer. We provide builds for Linux systems which do not have a recent version.

      libccid 1.4.22 or newer.

    • How to use Nitrokey with VMware or other virtualization systems?

      Nitrokey Pro and Nitrokey Storage expose a USB Human Interface Device (HID) which some virtualization systems don't pass to the guest systems by default. Hence the VM needs to be configured appropriately. How to do this for VMware is described here.

    • Latest device driver missing on older Linux distribution

      This step is required if the latest device driver isn't included in your Linux distribution (ccid version < 1.4.21). Edit the file /etc/libccid_Info.plist (e.g. "sudo gedit /etc/libccid_Info.plist") and add the following lines.

            <string>Nitrokey Pro</string>
            <string>Nitrokey Storage</string>
            <string>Nitrokey Start</string>
            <string>Nitrokey HSM</string>

    • NitroPad shows less RAM and storage than ordered/available

      When using QubesOS, tools like top and htop, as well as /proc/mem when looked at directly, show only the RAM of a single VM. The total RAM can be seen with `xl info`. The available mass storage is also more than reported.