Installation

Please select a product and then an operating system.

Windows

  1. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically.
    Note: Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning.
  2. Download and start the Nitrokey App. There won't open a window, but an icon appears in the system tray (see screenshot below). Please right-click on this icon to use all the options of the App.
  3. Follow the instructions to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

 

Optional: OpenPGP Email Encryption

Optional step, if you want to use OpenPGP/GnuPG email encryption. Skip this step if unsure.

  1. Install Gpg4Win which contains Gnu Privacy Assistant (GPA) and GnuPG (GPG).
  2. Start Gnu Privacy Assistant (GPA) or Thunderbird with Enigmail (instructions in German). Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).
  3. Initialization: Change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices. Generate new keys or import your existing RSA keys (after backup!).

 

Optional: S/MIME Email Encryption, X.509 and PKCS#11

Optional step, if you want to use S/MIME email encryption with Thunderbird, to use TrueCrypt/VeraCrypt, certificate-based SSL/TLS authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software. Skip this step if unsure.

  1. Install OpenSC
  2. Initialization: If you didn't do so already, change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices using OpenSC. Generate new keys or import your existing RSA keys.

Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine.

GNU/Linux

  1. To access the OpenPGP smart card of the Nitrokey, install the package libccid.
    On Debian/Ubuntu based Distributions type in terminal: sudo apt-get update && sudo apt-get install libccid

    Note: If your distribution has a rather old version of libccid (<1.4.21) you have to add the device information by yourself (for example if you are using Ubuntu 14.04 or older). In this case please follow these instructions.
  2. Download and start the Nitrokey App. Follow the instructions to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

 

Optional: OpenPGP Email Encryption

Optional step, if you want to use OpenPGP/GnuPG email encryption. Skip this step if unsure.

  1. Install scdaemon ("sudo apt install scdaemon")
  2. Install Gnu Privacy Assistant (GPA) or Thunderbird with Enigmail (instructions in German). Ensure that scdaemon is installed. Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).
  3. Initialization: Change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices. Generate new keys or import your existing RSA keys (after backup!).

 

Optional: S/MIME Email Encryption, X.509 and PKCS#11

Optional step, if you want to use S/MIME email encryption with Thunderbird, to use TrueCrypt/VeraCrypt, certificate-based SSL/TLS authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software. Skip this step if unsure.

  1. Install OpenSC
  2. Initialization: If you didn't do so already, change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices using OpenSC. Generate new keys or import your existing RSA keys. Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine.

Mac OS X

  1. Important: Once you plug in the Nitrokey, your computer will start the Keyboard Setup Assistant. Don't run through this assistant but exit it right away.

  2. Download and start the Nitrokey App. Follow the instructions to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Note: For some Versions of MacOS it is necessary to install custom ccid driver (for information see here), but in general MacOS should have the driver onboard.

 

Optional: OpenPGP Email Encryption

Optional step, if you want to use OpenPGP/GnuPG email encryption. Skip this step if unsure.

  1. Install GnuPG from GPG Tools. Advanced users may use Fink alternatively.

  2. Use GPG for Mail (which has been installed as part of GPG Tools) or Thunderbird with Enigmail (instructions in German). Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).

  3. Initialization: Change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices. Generate new keys or import your existing RSA keys (after backup!).

 

Optional: S/MIME Email Encryption, X.509 and PKCS#11

Optional step, if you want to use S/MIME email encryption with Thunderbird, to use TrueCrypt/VeraCrypt, certificate-based SSL/TLS authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software. Skip this step if unsure.

  1. Install OpenSC
  2. Initialization: If you didn't do so already, change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices using OpenSC. Generate new keys or import your existing RSA keys. Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine.

Windows

  1. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically.

    Note: Windows Vista, 7, 8 and 10 may fail to install an additional device driver for the smart card. Its safe to ignore this warning.
     
  2. Download and start the Nitrokey App. Perhaps you want to store it on the unencrypted partition of your Nitrokey Storage. There won't open a window, but an icon appears in the system tray (see screenshot below). Please right-click on this icon to use all the options of the App.
  3. Open the About window from Nitrokey App's menu and check if you have the latest firmware installed. If it's not the latest, please update.
  4. Use the Nitrokey App to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.
  5. Brand-new Nitrokey Storage need to be initialized first. Use the Nitrokey App and select "initialize device". This process generates AES keys and formats the entire volume with random data. Because this is a security-critical aspect we decided that users should perform it themselves. The process may take long (2.5h for 64 GB) but is only required once.
  6. Use the Nitrokey App to unlock the encrypted storage which doesn't contain a partition and filesystem yet. Windows will prompt you to format the storage. You can use any filesystem but FAT32 is most common for mobile storages.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

 

Optional: OpenPGP Email Encryption

Optional step, if you want to use OpenPGP/GnuPG email encryption. Skip this step if unsure.

  1. Install Gpg4win which contains Gnu Privacy Assistant (GPA) and GnuPG (GPG).
  2. Start Gnu Privacy Assistant (GPA) or Thunderbird with Enigmail (instructions in German). Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).
  3. Initialization: Change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices. Generate new keys or import your existing RSA keys (after backup!).

 

Optional: S/MIME Email Encryption, X.509 and PKCS#11

Optional step, if you want to use S/MIME email encryption with Thunderbird, TrueCrypt, certificate-based SSL/TLS authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software. Skip this step if unsure.

  1. Install OpenSC
  2. Initialization: If you didn't do so already, change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices using OpenSC. Generate new keys or import your existing RSA keys. Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine.

GNU/Linux

  1. To access the OpenPGP smart card of the Nitrokey, install the package libccid.
    On Debian/Ubuntu based Distributions type in terminal: sudo apt-get update && sudo apt-get install libccid

    Note: If your distribution has a rather old version of libccid (<1.4.21) you have to add the device information by yourself (for example if you are using Ubuntu 14.04 or older). In this case please follow these instructions.

  2. Download and start the Nitrokey App.
  3. Open the About window from Nitrokey App's menu and check if you have the latest firmware installed. If it's not the latest, please update.
  4. Use the Nitrokey App to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.
  5. Brand-new Nitrokey Storage need to be initialized first. Use the Nitrokey App and select "initialize device". This process generates AES keys and formats the entire volume with random data. Because this is a security-critical aspect we decided that users should perform it themselves. The process may take long (2.5h for 64 GB) but is only required once.
  6. Use the Nitrokey App to unlock the encrypted storage which doesn't contain a partition and filesystem yet. Use your operating system's tool to create a partition and file system. You can use any filesystem but FAT32 is most common for mobile storages.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

 

Optional: OpenPGP Email Encryption

Optional step, if you want to use OpenPGP/GnuPG email encryption. Skip this step if unsure.

  1. Install scdaemon ("sudo apt install scdaemon")
  2. Install Gnu Privacy Assistant (GPA) or Thunderbird with Enigmail (instructions in German). Ensure that scdaemon is installed. Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).
  3. Initialization: Change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices. Generate new keys or import your existing RSA keys (after backup!).

 

Optional: S/MIME Email Encryption, X.509 and PKCS#11

Optional step, if you want to use S/MIME email encryption with Thunderbird, TrueCrypt, certificate-based SSL/TLS authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software. Skip this step if unsure.

  1. Install OpenSC
  2. Initialization: If you didn't do so already, change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices using OpenSC. Generate new keys or import your existing RSA keys. Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine.

Mac OS X

  1. Important: Once you plug in the Nitrokey, your computer will start the Keyboard Setup Assistant. Don't run through this assistant but exit it right away.
  2. Download and start the Nitrokey App. Perhaps you want to store it on the unencrypted partition of your Nitrokey Storage.
  3. Open the About window from Nitrokey App's menu and check if you have the latest firmware installed. If it's not the latest, please update.
  4. Use the Nitrokey App to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.
  5. Brand-new Nitrokey Storage need to be initialized first. Use the Nitrokey App and select "initialize device". This process generates AES keys and formats the entire volume with random data. Because this is a security-critical aspect we decided that users should perform it themselves. The process may take long (2.5h for 64 GB) but is only required once.
  6. Use the Nitrokey App to unlock the encrypted storage which doesn't contain a partition and filesystem yet. Use your operating system's tool to create a partition and file system. You can use any filesystem but FAT32 is most common for mobile storages.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Note: For some Versions of MacOS it is necessary to install custom ccid driver (for information see here), but in general MacOS should have the driver onboard.

 

Optional: OpenPGP Email Encryption

  1. If you want to use OpenPGP/GnuPG encrypted emails or if you are unsure: Install GnuPG from GPG Tools. Advanced users may use Flink alternatively.

  2. Initialize your Nitrokey by using GPG for Mail (which has been installed as part of GPG Tools) or Thunderbird with Enigmail (instructions in German). Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended). Initializing means to change the default user- and admin-PINs and to generate new keys or import existing keys (after backup!).

 

Optional: S/MIME Email Encryption, X.509 and PKCS#11

Optional step, if you want to use S/MIME email encryption with Thunderbird, TrueCrypt, certificate-based SSL/TLS authentication with FireFox, PuTTY/KiTTY, OpenSSH, OpenVPN, OpenSSL, or StrongSwan you should perform the following instead or in addition to step 2:

  1. Install OpenSC

  2. If you didn't do so in step 2, initialize your Nitrokey by using OpenSC. Initializing means to change the default user- and admin-PINs and to generate new keys or import existing keys. Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP but the other way around works fine.

Now your Nitrokey is ready to use. See here how to use Nitrokey with various applications.

Windows

  1. Install Gpg4win on your Computer (https://www.gpg4win.org).
  2. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically.
    Note: Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning.
  3. Use GnuPG to create new keys or import existing ones. See recommended instructions using subkeys and backup or simpler main key method (not recommended).

    Note: It is indeed necessary to first import or create new keys and change the PINs afterwards. Otherwise changing User PIN will fail! Furthermore overriding keys results in PIN reset (default values), please keep this in mind!
     
  4. Change the Admin PIN (default: 12345678) and then the User PIN (default: 123456) to your own choices. Use 'gpg --card-edit' -> 'admin' -> 'passwd' to achieve this. (Please be careful to change admin PIN first and user PIN second! Otherwise the admin-less mode got activated, see this instructions for further information.)

    Firmware version 1.2.5 or below: In case you forget a PIN or enter it wrongly three times you need the reset code to unblock the PIN. Otherwise the device wouldn't be usable anymore! Therefore please set the reset code as well when initialising the key!

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

GNU/Linux

  1. Install scdaemon and GnuPG 2.1 or higher by using your package manager (e. g. apt update && apt install scdaemon gpg2 on Ubuntu).
  2. Connect your Nitrokey Start to your computer.
  3. Use GnuPG to create new keys or import existing ones. See recommended instructions using subkeys and backup or simpler main key method (not recommended).

    Note: It is indeed necessary to first import or create new keys and change the PINs afterwards. Otherwise changing User PIN will fail! Furthermore overriding keys results in PIN reset (default values), please keep this in mind!
     
  4. Change the Admin PIN (default: 12345678) and then the User PIN (default: 123456) to your own choices. Use 'gpg --card-edit' -> 'admin' -> 'passwd' to achieve this. (Please be careful to change admin PIN first and user PIN second! Otherwise the admin-less mode got activated, see this instructions for further information.)

    Firmware version 1.2.5 or below: In case you forget a PIN or enter it wrongly three times you need the reset code to unblock the PIN. Otherwise the device wouldn't be usable anymore! Therefore please set the reset code as well when initialising the key!

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Troubleshooting

On some GNU/Linux systems it is necessary to insert the UDEV rules for the Nitrokey device manually. If you followed the above instructions and get the message: 
gpg: OpenPGP card not available: No such device
please install the Nitrokey App or type the following commands in the terminal to download and install the UDEV rules: 
wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
sudo mv 41-nitrokey.rules /etc/udev/rules.d/

Mac OS X

  1. Install GnuPG 2.1 or higher (https://gpgtools.org/).
  2. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically.
  3. Use GnuPG to create new keys or import existing ones. See recommended instructions using subkeys and backup or simpler main key method (not recommended).

    Note: It is indeed necessary to first import or create new keys and change the PINs afterwards. Otherwise changing User PIN will fail! Furthermore overriding keys results in PIN reset (default values), please keep this in mind!
     
  4. Change the Admin PIN (default: 12345678) and then the User PIN (default: 123456) to your own choices. Use 'gpg --card-edit' -> 'admin' -> 'passwd' to achieve this. (Please be careful to change admin PIN first and user PIN second! Otherwise the admin-less mode got activated, see this instructions for further information.)

    Firmware version 1.2.5 or below: In case you forget a PIN or enter it wrongly three times you need the reset code to unblock the PIN. Otherwise the device wouldn't be usable anymore! Therefore please set the reset code as well when initialising the key!

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Windows

  1. Install OpenSC.
  2. If you didn't do so already, change the default SO-PIN ("3537363231383830") to your own choices. See these instructions. Afterwards you can begin to generate new keys.

Alternatively, install this driver (source).

GNU/Linux

  1. Install OpenSC.
  2. If you didn't do so already, change the default SO-PIN ("3537363231383830") to your own choices. See these instructions. Afterwards you can begin to generate new keys.

 

Alternatively, install this driver (source).

Mac OS X

  1. Install OpenSC.
  2. If you didn't do so already, change the default SO-PIN ("3537363231383830") to your own choices. See these instructions. Afterwards you can begin to generate new keys.

 

Alternatively, install this driver (source).

Windows

  1. Release the key from the surrounding plastic card.
  2. Release the tape, flip the red arrow around and press it until it is fixed.
  3. Use one of these browsers:
    1. Google Chrome
    2. Chromium
    3. Firefox with U2F Support Add-on
  4. Open one of the websites supporting U2F.
  5. Connect the Nitrokey U2F for registering it with your website account.
  6. Reconnect the Nitrokey U2F after each registration and login.

GNU/Linux

  1. Release the key from the surrounding plastic card.
  2. Release the tape, flip the red arrow around and press it until it is fixed.
  3. Copy this file 41-nitrokey.rules to /etc/udev/rules.d/
    If you use OpenSUSE you may need this rules file instead. Afterwards you need to add your user to the group "dialout".
  4. Restart udev:   sudo service udev restart
  5. Use one of these browsers:
    1. Google Chrome
    2. Chromium
    3. Firefox with U2F Support Add-on
  6. Open one of the websites supporting U2F.
  7. Connect the Nitrokey U2F for registering it with your website account.
  8. Reconnect the Nitrokey U2F after each registration and login.

Mac OS X

  1. Release the key from the surrounding plastic card.
  2. Release the tape, flip the red arrow around and press it until it is fixed.
  3. Use one of these browsers:
    1. Google Chrome
    2. Chromium
    3. Firefox with U2F Support Add-on
    4. macOS Safari with Safari-FIDO-U2F plugin
  4. Open one of the websites supporting U2F.
  5. Connect the Nitrokey U2F for registering it with your website account.
  6. Reconnect the Nitrokey U2F after each registration and login.

Nitrokey - Made in Berlin