New Firmware: Multiple Identities and PGP Keys With a Single Nitrokey Start

With the new multi-ID support in firmware RTM.10 for Nitrokey Start, a long-awaited feature is now available: for the first time you can securely store and use multiple identities with different PGP keys on a single device. This is convenient if you regularly use keys from different contexts, e.g. private, professional or project-related, and it eliminates the need for multiple Nitrokeys or other storage locations.

This makes Nitrokey Start the only device on the market that allows you to use multiple identities: three virtual, independent smart cards in one Nitrokey Start, supporting three identities, each with its own three key pairs (signature, encryption and authentication) and its own PINs. Multi-ID support remains compatible with GnuPG and requires no software changes.

With a single command you can switch to one of the three IDs (0, 1 and 2):

nitropy start set-identity <ID>


In the following we will show you how to use the Multi-ID support feature.

Preparation

To switch between the different identities on the Nitrokey Start, we first install our nitropy utility. The installation under Windows is described here. Under Linux, install it with:

sudo apt install python3-pip
pip3 install --user pynitrokey


In addition, the Nitrokey Start must run the new firmware version RTM.10; update it first if necessary.

Example

  1. Now let's first check the current status of the Nitrokey Start and the PGP key we created some time ago (office@example.com):
    gpg --card-status
     
    	Reader ...........: 20A0:4211:FSIJ-1.2.15-48479234:0
    	Application ID ...: D276000124010200FFFE484792340000
    	Application type .: OpenPGP
    	Version ..........: 2.0
    	Manufacturer .....: unmanaged S/N range
    	Serial number ....: 48479234
    	Name of cardholder: [not set]
    	Language prefs ...: [not set]
    	Salutation .......:
    	URL of public key : [not set]
    	Login data .......: [not set]
    	Signature PIN ....: forced
    	Key attributes ...: rsa2048 rsa2048 rsa2048
    	Max. PIN lengths .: 127 127 127
    	PIN retry counter : 3 3 3
    	Signature counter : 4
    	KDF setting ......: off
    	Signature key ....: 0765 27AF F2FC 32CA 1E76 B968 8089 A281 3611 5B29
    	created ....: 2020-07-02 14:03:02
    	Encryption key....: 12C4 0590 7FC3 9D96 0CB0 3955 81EC 8A55 B7B0 6333
    	created ....: 2020-07-02 14:03:02
    	Authentication key: 40F4 6EC1 4DEB 9AA0 98F5 69DF 9D5A A879 1BD3 13EB
    	created ....: 2020-07-02 14:03:02
    	General key info..: pub rsa2048/8089A28136115B29 2020-07-02 Alice (Office) <office@example.com>
    	sec> rsa2048/8089A28136115B29 created: 2020-07-02 expires: 2021-07-02
    	card-no: FFFE 48479234
    	ssb> rsa2048/9D5AA8791BD313EB created: 2020-07-02 expires: 2021-07-02
    	card-no: FFFE 48479234
    	ssb> rsa2048/81EC8A55B7B06333 created: 2020-07-02 expires: 2021-07-02
    	card-no: FFFE 48479234
  2. We now change the ID on the Nitrokey Start using our nitropy utility. Since ID 0 is already occupied by our existing PGP key, we switch to ID 1:
    nitropy start set-identity 1
  3. We now create a new PGP key pair (private and public key) on the card using GnuPG. To do so, we open the card editor in the terminal:
    gpg --card-edit
  4. Now the gpg/card> prompt appears. Here we enter the following command:
    admin

    The terminal outputs:
    Admin commands are allowed
  5. Then we enter the command:
    generate
  6. We follow the further instructions regarding key backup, key name, key length, validity period, etc. that GnuPG outputs in the terminal to create our new PGP key pair.
  7. After we have created our new PGP key, we look at the status of the currently selected ID 1 with the newly created PGP key (home@example.com):
    gpg --card-status
     
    	Reader ...........: 20A0:4211:FSIJ-1.2.15-48479234:0
    	Application ID ...: D276000124010200FF01484792340000
    	Application type .: OpenPGP
    	Version ..........: 2.0
    	Manufacturer .....: unmanaged S/N range
    	Serial number ....: 48479234
    	Name of cardholder: [not set]
    	Language prefs ...: [not set]
    	Salutation .......:
    	URL of public key : [not set]
    	Login data .......: [not set]
    	Signature PIN ....: forced
    	Key attributes ...: rsa2048 rsa2048 rsa2048
    	Max. PIN lengths .: 127 127 127
    	PIN retry counter : 3 3 3
    	Signature counter : 4
    	KDF setting ......: off
    	Signature key ....: 37DB 86EA 9F0D 1A2B CE76 DBDB C746 E60A 541B 899E
    	created ....: 2020-07-02 14:59:05
    	Encryption key....: 886C 82FE EC53 AFA7 9117 A13D 5178 5F88 DD7C EC4C
    	created ....: 2020-07-02 14:59:05
    	Authentication key: 9C33 6A76 4ED4 8798 6CB8 80D4 0973 389D FDB1 EAB7
    	created ....: 2020-07-02 14:59:05
    	General key info..: pub rsa2048/C746E60A541B899E 2020-07-02 Alice (Home) <home@example.com>
    	sec> rsa2048/C746E60A541B899E created: 2020-07-02 expires: 2021-07-02
    	card-no: FF01 48479234
    	ssb> rsa2048/0973389DFDB1EAB7 created: 2020-07-02 expires: 2021-07-02
    	card-no: FF01 48479234
    	ssb> rsa2048/51785F88DD7CEC4C created: 2020-07-02 expires: 2021-07-02
    	card-no: FF01 48479234
  8. Now we switch back to ID 0:
    nitropy start set-identity 0
  9. The status of ID 0 is still unchanged:
    gpg --card-status
     
    	Reader ...........: 20A0:4211:FSIJ-1.2.15-48479234:0
    	Application ID ...: D276000124010200FFFE484792340000
    	Application type .: OpenPGP
    	Version ..........: 2.0
    	Manufacturer .....: unmanaged S/N range
    	Serial number ....: 48479234
    	Name of cardholder: [not set]
    	Language prefs ...: [not set]
    	Salutation .......:
    	URL of public key : [not set]
    	Login data .......: [not set]
    	Signature PIN ....: forced
    	Key attributes ...: rsa2048 rsa2048 rsa2048
    	Max. PIN lengths .: 127 127 127
    	PIN retry counter : 3 3 3
    	Signature counter : 4
    	KDF setting ......: off
    	Signature key ....: 0765 27AF F2FC 32CA 1E76 B968 8089 A281 3611 5B29
    	created ....: 2020-07-02 14:03:02
    	Encryption key....: 12C4 0590 7FC3 9D96 0CB0 3955 81EC 8A55 B7B0 6333
    	created ....: 2020-07-02 14:03:02
    	Authentication key: 40F4 6EC1 4DEB 9AA0 98F5 69DF 9D5A A879 1BD3 13EB
    	created ....: 2020-07-02 14:03:02
    	General key info..: pub rsa2048/8089A28136115B29 2020-07-02 Alice (Office) <office@example.com>
    	sec> rsa2048/8089A28136115B29 created: 2020-07-02 expires: 2021-07-02
    	card-no: FFFE 48479234
    	ssb> rsa2048/9D5AA8791BD313EB created: 2020-07-02 expires: 2021-07-02
    	card-no: FFFE 48479234
    	ssb> rsa2048/81EC8A55B7B06333 created: 2020-07-02 expires: 2021-07-02
    	card-no: FFFE 48479234

In the same way, we can create another new PGP key pair under ID 2. It is of course also possible to import existing key pairs. Each ID behaves like an independent smart card that can be configured and used individually. Accordingly, each ID has its own PINs, although the same PINs can of course be configured for all of them. Likewise, a factory reset only resets the currently selected ID.
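The two status listings above differ in exactly one place that identifies the virtual card: the OpenPGP Application ID (and the matching card-no of the key stubs in the GnuPG keyring) carries FFFE while ID 0 is selected and FF01 while ID 1 is selected, with the serial number 48479234 staying the same. The following Python script is an added example, not code from Nitrokey, nitropy or GnuPG: it parses gpg --card-status output, splits the Application ID into its fields, reports which identity is active, and checks that every key stub points at the selected virtual card. The sample listings are constructed, trimmed copies of the outputs above; the identity mapping contains only the two values shown on this page, and any other manufacturer bytes are reported as unknown rather than guessed.

```python
"""Decode which Nitrokey Start identity a `gpg --card-status` listing comes from.

Added example, not code from Nitrokey, nitropy or GnuPG.  The OpenPGP card
Application ID (AID) is split into its fields and the manufacturer bytes tell
the virtual cards apart (FFFE was printed for ID 0, FF01 for ID 1 in the post).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Manufacturer bytes observed in the post's outputs (assumption: nothing else is mapped).
IDENTITY_BY_MANUFACTURER = {"FFFE": 0, "FF01": 1}


@dataclass(frozen=True)
class CardAID:
    """OpenPGP AID, 16 bytes: RID(5) app(1) version(2) manufacturer(2) serial(4) RFU(2)."""
    rid: str
    application: str
    version: str
    manufacturer: str
    serial: str
    rfu: str


def parse_aid(aid_hex: str) -> CardAID:
    aid = aid_hex.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", aid):
        raise ValueError(f"AID must be 16 bytes of hex, got {aid_hex!r}")
    if not aid.startswith("D27600012401"):  # RID D2760001 24 + application 01 = OpenPGP
        raise ValueError(f"not an OpenPGP card AID: {aid}")
    return CardAID(rid=aid[0:10], application=aid[10:12], version=aid[12:16],
                   manufacturer=aid[16:20], serial=aid[20:28], rfu=aid[28:32])


@dataclass(frozen=True)
class CardIdentity:
    serial: str              # physical token, identical for every identity
    manufacturer: str        # differs per virtual card
    identity: Optional[int]  # 0 or 1 per the post, None if the bytes are unknown
    fingerprints: Dict[str, str] = field(default_factory=dict)  # slot -> 40-hex fingerprint


_AID_LINE = re.compile(r"Application ID \.*:\s*([0-9A-Fa-f]{32})$")
_KEY_LINE = re.compile(r"(Signature|Encryption|Authentication) key\s*\.*:\s*([0-9A-F ]{49})$")
_CARDNO_LINE = re.compile(r"card-no:\s*([0-9A-F]{4}) ([0-9A-F]{8})$")


def parse_card_status(text: str) -> CardIdentity:
    """Parse the identity-relevant lines of `gpg --card-status` output."""
    aid: Optional[CardAID] = None
    fps: Dict[str, str] = {}
    stub_cards = set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := _AID_LINE.match(line):
            aid = parse_aid(m.group(1))
        elif m := _KEY_LINE.match(line):
            fps[m.group(1).lower()] = m.group(2).replace(" ", "")
        elif m := _CARDNO_LINE.match(line):
            stub_cards.add(m.group(1) + m.group(2))
    if aid is None:
        raise ValueError("no 'Application ID' line in card status")
    # Consistency check: the keyring's secret-key stubs (card-no) must all point
    # at the virtual card that is currently selected.
    expected = aid.manufacturer + aid.serial
    if stub_cards and stub_cards != {expected}:
        raise ValueError(f"card-no stubs {sorted(stub_cards)} do not match AID {expected}")
    return CardIdentity(serial=aid.serial, manufacturer=aid.manufacturer,
                        identity=IDENTITY_BY_MANUFACTURER.get(aid.manufacturer),
                        fingerprints=fps)


def same_token_distinct_identities(a: CardIdentity, b: CardIdentity) -> bool:
    """True if both listings come from one physical Nitrokey Start but from
    different virtual cards holding disjoint key material."""
    return (a.serial == b.serial
            and a.manufacturer != b.manufacturer
            and not set(a.fingerprints.values()) & set(b.fingerprints.values()))


# Constructed, trimmed copies of the two listings shown in the post.
STATUS_ID0 = """\
Application ID ...: D276000124010200FFFE484792340000
Serial number ....: 48479234
Signature key ....: 0765 27AF F2FC 32CA 1E76 B968 8089 A281 3611 5B29
Encryption key....: 12C4 0590 7FC3 9D96 0CB0 3955 81EC 8A55 B7B0 6333
Authentication key: 40F4 6EC1 4DEB 9AA0 98F5 69DF 9D5A A879 1BD3 13EB
sec> rsa2048/8089A28136115B29 created: 2020-07-02 expires: 2021-07-02
card-no: FFFE 48479234
"""
STATUS_ID1 = """\
Application ID ...: D276000124010200FF01484792340000
Serial number ....: 48479234
Signature key ....: 37DB 86EA 9F0D 1A2B CE76 DBDB C746 E60A 541B 899E
Encryption key....: 886C 82FE EC53 AFA7 9117 A13D 5178 5F88 DD7C EC4C
Authentication key: 9C33 6A76 4ED4 8798 6CB8 80D4 0973 389D FDB1 EAB7
sec> rsa2048/C746E60A541B899E created: 2020-07-02 expires: 2021-07-02
card-no: FF01 48479234
"""

if __name__ == "__main__":
    for label, text in (("ID 0", STATUS_ID0), ("ID 1", STATUS_ID1)):
        ident = parse_card_status(text)
        print(f"{label}: serial={ident.serial} manufacturer={ident.manufacturer} "
              f"identity={ident.identity} sig={ident.fingerprints['signature'][-8:]}")
    print("same token, distinct identities:",
          same_token_distinct_identities(parse_card_status(STATUS_ID0),
                                         parse_card_status(STATUS_ID1)))
```

Running it against live output (gpg --card-status | python3 this_script.py, after replacing the sample strings with sys.stdin.read()) gives a quick check, e.g. in a commit-signing hook, that the identity a script expects is the one actually selected, since GnuPG itself only shows the change through the Application ID and card-no fields.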

25.7.2024

Comments

Will OpenKeychain be able to use all three identities? Will there be an app to switch identities on a mobile phone? Or is it only possible to use the identity previously set with "nitropy start set-identity"?
Are you planning to offer this feature in other Nitrokey models as well?
Yes, sooner or later in the Nitrokey 3. However, we would like to have this specified in the OpenPGP Card specification first. That is what we are currently waiting for.
I was planning on buying a Nitrokey Storage soon-ish (with no prior personal experience with Nitrokeys so far), and given this news I was asking myself whether this upgrade will eventually come to other Nitrokeys by means of a firmware update, or if this is only possible for the Nitrokey Start right now, given a difference in the underlying hardware components. If the hardware is in fact so different that a simple firmware update cannot bring this feature to other Nitrokeys, will there be new versions of the other keys that include multiple PGP keys anytime soon?
This will only come to Nitrokey 3 in the future.
