OpenPGP Email Encryption

There are two widely used standards for email encryption.

  • OpenPGP/GnuPG is popular among individuals,
  • S/MIME/X.509 is mostly used by enterprises.

If you are in doubt which one to choose, you should use OpenPGP. While this page describes the usage of OpenPGP, S/MIME is described here.

Please familiarize yourself with the general concept behind the OpenPGP standard first, for example by reading this info graphic of the Free Software Foundation.

Key Generation

If you do not have OpenPGP keys yet, you need to generate them first.

  • Generate keys on Nitrokey - this is the best option if you are unexperienced, but you won't have a backup of your keys and therefore won't be able to mitigate the loss of the Nitrokey
  • Generate keys on Nitrokey with different algorithm or key size - this is as secure as the previous option and thus you won't have a backup as well, but you can change the key attributes (that is the algorithm and key size)
  • Generate keys locally and copy them to Nitrokey - this is the most flexible, expert option, but only secure if your system is not compromised, because you can create a backup key outside your Nitrokey

Importing Existing Keys

If you already have OpenPGP keys you may want to use them with your Nitrokey, instead of generating new ones. Importing exsiting keys works basically the same as generating keys locally first and copy them to the Nitrokey (see above). Therefore, please have a look at the corresponding instructions. Note that you probably want to generate another subkey for authentication to your existing key. See at the same instructions for subkey generation.


You can find further information about the usage on these pages:

Nitrokey - Made in Berlin