Installation

Please select a product and then an operating system.

Windows

  1. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically.
    Note: Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning.
  2. Download and start the Nitrokey App. Follow the instructions to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

 

Optional: OpenPGP Email Encryption

Optional step, if you want to use OpenPGP/GnuPG email encryption. Skip this step if unsure.

  1. Install Gpg4Win which contains Gnu Privacy Assistant (GPA) and GnuPG (GPG).
  2. Start Gnu Privacy Assistant (GPA) or Thunderbird with Enigmail (instructions in German). Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).
  3. Initialization: Change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices. Generate new keys or import your existing RSA keys (after backup!).

 

Optional: S/MIME Email Encryption, X.509 and PKCS#11

Optional step, if you want to use S/MIME email encryption with Thunderbird, to use TrueCrypt/VeraCrypt, certificate-based SSL/TLS authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software. Skip this step if unsure.

  1. Install OpenSC
  2. Initialization: If you didn't do so already, change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices using OpenSC. Generate new keys or import your existing RSA keys.

Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine.

GNU/Linux

  1. To access the OpenPGP smart card of the Nitrokey, install the package libccid.
  2. This step is required as long as the latest device driver isn't included in major Linux distributions. Edit the file /etc/libccid_Info.plist (e.g. "sudo gedit /etc/libccid_Info.plist") and add the following bold lines.
       <key>ifdVendorID</key>
       <array>
          <string>0x20A0</string>
          <string>0x20A0</string>
          <string>0x20A0</string>
          <string>0x20A0</string>
    
       <key>ifdProductID</key>
       <array>
          <string>0x4108</string>
          <string>0x4109</string>
          <string>0x4211</string>
          <string>0x4230</string>
    
       <key>ifdFriendlyName</key>
       <array>
          <string>Nitrokey Pro</string>
          <string>Nitrokey Storage</string>
          <string>Nitrokey Start</string>
          <string>Nitrokey HSM</string>
  3. For non-RPM based distributions only: Copy this file 41-nitrokey.rules to /etc/udev/rules.d/ and restart your system or restart udev:
    sudo service udev restart
  4. Download and start the Nitrokey App. Follow the instructions to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

 

Optional: OpenPGP Email Encryption

Optional step, if you want to use OpenPGP/GnuPG email encryption. Skip this step if unsure.

  1. Install scdaemon ("sudo apt install scdaemon")
  2. Install Gnu Privacy Assistant (GPA) or Thunderbird with Enigmail (instructions in German). Ensure that scdaemon is installed. Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).
  3. Initialization: Change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices. Generate new keys or import your existing RSA keys (after backup!).

 

Optional: S/MIME Email Encryption, X.509 and PKCS#11

Optional step, if you want to use S/MIME email encryption with Thunderbird, to use TrueCrypt/VeraCrypt, certificate-based SSL/TLS authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software. Skip this step if unsure.

  1. Install OpenSC
  2. Initialization: If you didn't do so already, change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices using OpenSC. Generate new keys or import your existing RSA keys. Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine.

Mac OS X

  1. Important: Once you plug in the Nitrokey, your computer will start the Keyboard Setup Assistant. Don't run through this assistant but exit it right away.

  2. Download and start the Nitrokey App. Follow the instructions to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Note: For some Versions of MacOS it is necessary to install custom ccid driver (for information see here), but in general MacOS should have the driver onboard.

 

Optional: OpenPGP Email Encryption

Optional step, if you want to use OpenPGP/GnuPG email encryption. Skip this step if unsure.

  1. Install GnuPG from GPG Tools. Advanced users may use Fink alternatively.
  2. Use GPG for Mail (which has been installed as part of GPG Tools) or Thunderbird with Enigmail (instructions in German). Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).

  3. Initialization: Change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices. Generate new keys or import your existing RSA keys (after backup!).

 

Optional: S/MIME Email Encryption, X.509 and PKCS#11

Optional step, if you want to use S/MIME email encryption with Thunderbird, to use TrueCrypt/VeraCrypt, certificate-based SSL/TLS authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software. Skip this step if unsure.

  1. Install OpenSC
  2. Initialization: If you didn't do so already, change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices using OpenSC. Generate new keys or import your existing RSA keys. Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine.

Windows

  1. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically.

    Note: Windows Vista, 7, 8 and 10 may fail to install an additional device driver for the smart card. Its safe to ignore this warning.
     
  2. Download and start the Nitrokey App. Perhaps you want to store it on the unencrypted partition of your Nitrokey Storage.
  3. Open the About window from Nitrokey App's menu and check if you have the latest firmware installed. If it's not the latest, please update.
  4. Use the Nitrokey App to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.
  5. Brand-new Nitrokey Storage need to be initialized first. Use the Nitrokey App and select "initialize device". This process generates AES keys and formats the entire volume with random data. Because this is a security-critical aspect we decided that users should perform it themselves. The process may take long (2.5h for 64 GB) but is only required once.
  6. Use the Nitrokey App to unlock the encrypted storage which doesn't contain a partition and filesystem yet. Windows will prompt you to format the storage. You can use any filesystem but FAT32 is most common for mobile storages.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

 

Optional: OpenPGP Email Encryption

Optional step, if you want to use OpenPGP/GnuPG email encryption. Skip this step if unsure.

  1. Install Gpg4win which contains Gnu Privacy Assistant (GPA) and GnuPG (GPG).
  2. Start Gnu Privacy Assistant (GPA) or Thunderbird with Enigmail (instructions in German). Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).
  3. Initialization: Change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices. Generate new keys or import your existing RSA keys (after backup!).

 

Optional: S/MIME Email Encryption, X.509 and PKCS#11

Optional step, if you want to use S/MIME email encryption with Thunderbird, TrueCrypt, certificate-based SSL/TLS authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software. Skip this step if unsure.

  1. Install OpenSC
  2. Initialization: If you didn't do so already, change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices using OpenSC. Generate new keys or import your existing RSA keys. Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine.

GNU/Linux

  1. To access the OpenPGP smart card of the Nitrokey, install the package libccid.
  2. This step is required as long as the latest device driver isn't included in major Linux distributions. Edit the file /etc/libccid_Info.plist (e.g. "sudo gedit /etc/libccid_Info.plist") and add the following bold lines.
       <key>ifdVendorID</key>
       <array>
          <string>0x20A0</string>
          <string>0x20A0</string>
          <string>0x20A0</string>
          <string>0x20A0</string>
    
       <key>ifdProductID</key>
       <array>
          <string>0x4108</string>
          <string>0x4109</string>
          <string>0x4211</string>
          <string>0x4230</string>
    
       <key>ifdFriendlyName</key>
       <array>
          <string>Nitrokey Pro</string>
          <string>Nitrokey Storage</string>
          <string>Nitrokey Start</string>
          <string>Nitrokey HSM</string>
  3. For non-RPM based distributions only: Copy this file 41-nitrokey.rules to /etc/udev/rules.d/ and restart your system or restart udev:
    sudo service udev restart
  4. Download and start the Nitrokey App. Perhaps you want to store it on the unencrypted partition of your Nitrokey Storage.
  5. Open the About window from Nitrokey App's menu and check if you have the latest firmware installed. If it's not the latest, please update.
  6. Use the Nitrokey App to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.
  7. Brand-new Nitrokey Storage need to be initialized first. Use the Nitrokey App and select "initialize device". This process generates AES keys and formats the entire volume with random data. Because this is a security-critical aspect we decided that users should perform it themselves. The process may take long (2.5h for 64 GB) but is only required once.
  8. Use the Nitrokey App to unlock the encrypted storage which doesn't contain a partition and filesystem yet. Use your operating system's tool to create a partition and file system. You can use any filesystem but FAT32 is most common for mobile storages.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

 

Optional: OpenPGP Email Encryption

Optional step, if you want to use OpenPGP/GnuPG email encryption. Skip this step if unsure.

  1. Install scdaemon ("sudo apt install scdaemon")
  2. Install Gnu Privacy Assistant (GPA) or Thunderbird with Enigmail (instructions in German). Ensure that scdaemon is installed. Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).
  3. Initialization: Change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices. Generate new keys or import your existing RSA keys (after backup!).

 

Optional: S/MIME Email Encryption, X.509 and PKCS#11

Optional step, if you want to use S/MIME email encryption with Thunderbird, TrueCrypt, certificate-based SSL/TLS authentication with Firefox, PuTTY/KiTTY, OpenSSH, OpenSSL, or any other PKCS#11 compatible software. Skip this step if unsure.

  1. Install OpenSC
  2. Initialization: If you didn't do so already, change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices using OpenSC. Generate new keys or import your existing RSA keys. Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP. But the other way around works fine.

Mac OS X

  1. Important: Once you plug in the Nitrokey, your computer will start the Keyboard Setup Assistant. Don't run through this assistant but exit it right away.
  2. Download and start the Nitrokey App. Perhaps you want to store it on the unencrypted partition of your Nitrokey Storage.
  3. Open the About window from Nitrokey App's menu and check if you have the latest firmware installed. If it's not the latest, please update.
  4. Use the Nitrokey App to change the default User PIN (default: 123456) and Admin PIN (default: 12345678) to your own choices.
  5. Brand-new Nitrokey Storage need to be initialized first. Use the Nitrokey App and select "initialize device". This process generates AES keys and formats the entire volume with random data. Because this is a security-critical aspect we decided that users should perform it themselves. The process may take long (2.5h for 64 GB) but is only required once.
  6. Use the Nitrokey App to unlock the encrypted storage which doesn't contain a partition and filesystem yet. Use your operating system's tool to create a partition and file system. You can use any filesystem but FAT32 is most common for mobile storages.

Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Note: For some Versions of MacOS it is necessary to install custom ccid driver (for information see here), but in general MacOS should have the driver onboard.

 

Optional: OpenPGP Email Encryption

  1. If you want to use OpenPGP/GnuPG encrypted emails or if you are unsure: Install GnuPG from GPG Tools. Advanced users may use Flink alternatively.

  2. Initialize your Nitrokey by using GPG for Mail (which has been installed as part of GPG Tools) or Thunderbird with Enigmail (instructions in German). Advanced users could use the command line tool GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended). Initializing means to change the default user- and admin-PINs and to generate new keys or import existing keys (after backup!).

 

Optional: S/MIME Email Encryption, X.509 and PKCS#11

Optional step, if you want to use S/MIME email encryption with Thunderbird, TrueCrypt, certificate-based SSL/TLS authentication with FireFox, PuTTY/KiTTY, OpenSSH, OpenVPN, OpenSSL, or StrongSwan you should perform the following instead or in addition to step 2:

  1. Install OpenSC

  2. If you didn't do so in step 2, initialize your Nitrokey by using OpenSC. Initializing means to change the default user- and admin-PINs and to generate new keys or import existing keys. Note that a Nitrokey initialized with OpenSC doesn't work with GnuPG/OpenPGP but the other way around works fine.

Now your Nitrokey is ready to use. See here how to use Nitrokey with various applications.

Windows

  1. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically.

    Note: Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning.
     
  2. Install GnuPG 2.1, not an older version!
  3. Use GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).
  4. Change the default User PIN (default: 123456), Admin PIN (default: 12345678) to your own choices.
    Older version 1.0 only: In case you forget a PIN or enter it wrongly three times you need the reset code to change the PIN. Otherwise the device wouldn't be usable anymore. Therefore please change the reset code.
  5. Generate new keys or import your existing RSA keys.
  6. Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

GNU/Linux

  1. Install scdaemon and GnuPG 2.1, not an older version!
  2. Use GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).
  3. Change the default User PIN (default: 123456), Admin PIN (default: 12345678) to your own choices.
    Older version 1.0 only: In case you forget a PIN or enter it wrongly three times you need the reset code to change the PIN. Otherwise the device wouldn't be usable anymore. Therefore please change the reset code.
  4. Generate new keys or import your existing RSA keys.
  5. Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Mac OS X

  1. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically.
  2. Install GnuPG 2.1, not an older version! Advanced users may use Flink alternatively.
  3. Use GnuPG, see recommended instructions using subkeys and backup or simpler main key method (not recommended).
  4. Change the default User PIN (default: 123456), Admin PIN (default: 12345678) to your own choices.
    Older version 1.0 only: In case you forget a PIN or enter it wrongly three times you need the reset code to change the PIN. Otherwise the device wouldn't be usable anymore. Therefore please change the reset code.
  5. Generate new keys or import your existing RSA keys.
  6. Your Nitrokey is now ready to use. Checkout the various use cases and supported applications.

Windows

  1. Install OpenSC
  2. If you didn't do so already, change the default SO-PIN ("3537363231383830") to your own choices. See these instructions. Generate new keys

Alternatively, install this driver (source).

GNU/Linux

  1. Install OpenSC
  2. If you didn't do so already, change the default SO-PIN ("3537363231383830") to your own choices. See these instructions. Generate new keys

Alternatively, install this driver (source).

Mac OS X

  1. Install OpenSC
  2. If you didn't do so already, change the default SO-PIN ("3537363231383830") to your own choices. See these instructions. Generate new keys

Alternatively, install this driver (source).

Windows

  1. Release the key from the surrounding plastic card.
  2. Release the tape, flip the red arrow around and press it until it is fixed.
  3. Use one of these browsers:
    1. Google Chrome
    2. Chromium
    3. Firefox with U2F Support Add-on
  4. Open one of the websites supporting U2F.
  5. Connect the Nitrokey U2F for registering it with your website account.
  6. Reconnect the Nitrokey U2F after each registration and login.

GNU/Linux

  1. Release the key from the surrounding plastic card.
  2. Release the tape, flip the red arrow around and press it until it is fixed.
  3. Copy this file 41-nitrokey.rules to /etc/udev/rules.d/
    If you use OpenSUSE you may need this rules file instead. Afterwards you need to add your user to the group "dialout".
  4. Restart udev:   sudo service udev restart
  5. Use one of these browsers:
    1. Google Chrome
    2. Chromium
    3. Firefox with U2F Support Add-on
  6. Open one of the websites supporting U2F.
  7. Connect the Nitrokey U2F for registering it with your website account.
  8. Reconnect the Nitrokey U2F after each registration and login.

Mac OS X

  1. Release the key from the surrounding plastic card.
  2. Release the tape, flip the red arrow around and press it until it is fixed.
  3. Use one of these browsers:
    1. Google Chrome
    2. Chromium
    3. Firefox with U2F Support Add-on
    4. macOS Safari with Safari-FIDO-U2F plugin
  4. Open one of the websites supporting U2F.
  5. Connect the Nitrokey U2F for registering it with your website account.
  6. Reconnect the Nitrokey U2F after each registration and login.

Nitrokey - Made in Berlin