Nitrokey is an USB key to enable highly secure encryption and signing of emails and data, as well as login to the Web, networks and computers. Other than ordinary software solutions, the secret keys are always stored securely inside the Nitrokey. Their extraction is impossible which makes Nitrokey immune to computer viruses and Trojan horses. The user-chosen PIN and the tamper-proof smart card protect in case of loss and theft. Hardware and software are both available as Open Source to allow verifying the security and integration with other applications.
- Secure weblogin via One Time Passwords (OTP) (e.g. Google, Dropbox, more)
- Hardware encrypted 64 GB mass storage with hidden volumes to enable plausible deniability.
- Email encryption based on S/MIME and OpenPGP (e.g. Outlook, Thunderbird, Evolution)
- Encryption of files and hard drives (e.g. TrueCrypt).
- User authentication on local computers (e.g. Windows, Linux) and networks (e.g. Firefox, OpenSSH, OpenVPN, IPSec, OpenID).
Advantages over ordinary software solutions
- Secret keys are always stored securely inside the Nitrokey. Their extraction is impossible. All sensitive cryptographic operations are securely computed in the Nitrokey.
- User-chosen PIN protects in case of loss and theft against brute force attacks.
- Immune to computer viruses, Trojan horses, phishing attacks and other malicious software.
- Tamper-proof design prevents sophisticated physical attacks with laboratory equipment.
- Secret keys can be generated securely on the Nitrokey to prevent its compromisation by attackers.
Advantages over proprietary security devices
- Secure implementation can be verified by client and independent third parties to ensure the absence of back doors and security flaws.
- Secret keys can be generated securely by yourself rather than to trust a vendor doing so
- Compatible to a large variety of software applications such as Outlook, GnuPG, Enigmail, Mozilla Thunderbird, OpenSSH for instance.
- Own custom applications can be integrated easily due to open interfaces and open drivers
- Lack of vendor lock-in increases security of investment
- Security does not depend on secrets stored centrally at the vendor (remember RSA's SecurID hack)
- Growing acceptance and user base supports continuously improvement and ensures high security due to peer reviews.
- Transparent and open development process as an open source project
- Windows, Linux, and MacOS X are supported.
- Additional administrator PIN enables hierarchical use cases.
- Three independent RSA keys, max. length 4096 bit each.
- Import of existing keys and backup of keys possible.
- High security due to embedded smart card which is based on Common Criteria 5-high certification.
Proprietary "security" isn't secure
- The NSA intercepts harddisks and other equipment sent from the vendor to clients and implants backdoors into it. With Nitrokey you can export the installed firmware and verify its integrity (or flash your own firmware).
- In 2011 RSA Inc has been hacked and secret keys of all their securID token been stolen, which allows to crack the devices.
- FIPS 140-2 Level 2 certified USB storage devices from Kingston, SanDisk, Verbatim, MXI, and PICO could easily be accessed by using a default password (revealed in 2010).
Serious security flaws were also found in the following products:
- Western Digital (2015)
- Xystec (2012)
- Corsair's Padlock (2010)
- Raidon‘s Staray-S-Serie (2009)
- All USB storage devices from 9Pay, A-Data and Transcend which use fingerprint readers based on the USBest UT176 and UT169 from Afa Technology (2008)
- Digittrade (2008)
- Excelstor’s GStor Plus (2005)
- Lexar JumpDrive (2004)
- eyeDisk (2019)
Don't trust proprietary vendors. Security requires to be open source.