NitroPad: Secure Laptop With Unique Tamper Detection

Do you think your computer hardware is secure? Can you rule out that in your absence no one has manipulated your computer? In a world, where most users do not have any real control over their hardware and have to blindly trust the security promises of vendors, NitroPad unlocks a refreshingly new security experience. NitroPad X230 is significantly more secure than normal computers. With NitroPad, you'll have more control over your hardware than ever before while maintaining ease of use.

 

Features

Tamper Detection Through Measured Boot
Thanks to the combination of the open source solutions Coreboot, Heads and Nitrokey USB hardware, you can verify that your laptop hardware has not been tampered with in transit or in your absence (so-called evil maid attack). The integrity of the TPM, the firmware and the operating system is effectively checked by a separate Nitrokey USB key. Simply connect your Nitrokey to the NitroPad while booting and a green LED on the Nitrokey will show that your NitroPad has not been tampered with. If the LED should turn red one day, it indicates a manipulation.
 

Deactivated Intel Management Engine
Vulnerable and proprietary low-level hardware parts are disabled to make the hardware more robust against advanced attacks.
The Intel Management Engine (ME) is some kind of separate computer within all modern Intel processors (CPU). The ME acts as a master controller for your CPU and has broad access to your computer (system memory, screen, keyboard, network). Intel controls the code of the ME and severe vulnerabilities have been found in the ME enabling local and remote attacks. Therefore ME can be considered as a backdoor and has been deactivated in NitroPad.
 

Preinstalled Ubuntu Linux With Full-Disk Encryption
NitroPad ships with a preinstalled Ubuntu Linux 18.04 LTS with full-disk encryption. Ubuntu is one of the most popular, stable and easiest to use Linux distributions. Switching from Windows to Linux has never been easier.
 

Optional: Preinstalled Qubes OS For Highest Security Requirements
Instead of Ubuntu Linux, on request you can get your NitroPad with preinstalled Qubes OS 4.0 and full-disk encryption.
Qubes OS enables highly isolated working by means of virtual machines (VM). A separate VM is started for each application or workspace. This approach isolates applications and processes much more than conventional operating systems. Qubes OS keeps your system secure, even if a vulnerability has been exploited in one of the software applications used. Example: If your PDF viewer or web browser has been successfully attacked, the attacker cannot compromise the rest of the system and will be locked out once the VM is closed.
In addition, separate virtual workspaces can be used, such as an offline workspace for secret data and an online workspace for communication. NitroPad with Qubes OS is technically similar to SINA clients (for governments), but remains transparent thanks to open source. Qubes OS is for users who want maximum security.
 

Keys Under Your Control
All individual cryptographic keys are generated directly on the NitroPad exclusively during installation and are not stored by us. However, all individual keys can be replaced by you. Unlike "Secure Boot", the keys for securing the operating system remain under your control and do not depend on the consent of the vendor.
 

Nitrokey USB Key Included
NitroPad comes with a Nitrokey Pro 2 or a Nitrokey Storage 2. Their security features include for example email encryption (PGP, S/MIME), secure server administration (SSH) and two-factor authentication through one-time passwords (OTP). The Nitrokey Storage 2 additionally contains an encrypted mass storage with hidden volumes.
 

Professional ThinkPad Hardware
Based on Lenovo ThinkPad X230, the hardware finish and robustness meet professional quality standards. The famous ThinkPad keyboard with background lighting and TrackPoint allows comfortable working. The used laptops have been refurbished.
 

Out-of-the-Box User Experience
With NitroPad, you don't need to take care of opening the hardware casing to flash the BIOS chip, installing and configuring Linux, or pairing the Nitrokey Pro/Storage. We do this work for you. The Nitrokey is already configured with your NitroPad so that it can be used for tamper detection without any further configuration effort.
 

Security Conscious Shipping
To make it more difficult to intercept and manipulate your NitroPad, the NitroPad and the Nitrokey USB key can be shipped in two separate shipments if desired.

 

Use Cases

For Everyone
NitroPad enables you to detect hardware tampering. For example, if your laptop is being inspected while crossing the border or if you leave your device unattended in a hotel or during travelling, you can check the integrity of your NitroPad with the help of the Nitrokey.
 

For Enterprises
NitroPad can serve as a hardened workstation for certificate authorities and other use cases requiring high-security computers. On business trips, the NitroPad protects against evil maid attacks while the computer is unattended in a hotel or baggage.
 

For Governments
Governments can use NitroPad to protect themselves against advanced persistent threats (APT) without relying on foreign proprietary technology.
 

For Journalists
If you as an investigative journalist are serious about protecting your confidential sources, NitroPad helps you getting there.

 

NitroPad X230 is now available in our Online Shop.

 

More details are available in the product factsheet.

9.2.2021

Comments

Submitted by Joao on 7. January 2020 - 15:07
Nice idea the of Nitropad. It would be also a good idea to make the same kind of device as "Tiny Hardware Firewall VPN Client" that is only available to USA buyers. They have several devices. Nitrokey can have at least a device with Wi-Fi (2.4GHz/ 5 GHz) (a/ b/ g/ n/ ac/ ax) to capture the signal and WAN port (10/ 100/ 1000 Mbps), and Wi-Fi to distribute the Secure Wi-Fi (2.4GHz/ 5 GHz) (a/ b/ g/ n/ ac/ ax) and also 4 or more LAN ports (10/ 100/ 1000 Mbps). WPA2 and WPA3 enable for the Secure Wi-Fi. No WPS or similar. Wi-Fi Passwords by default at least like these: 74102-nxbbg-63135-jcynk-69351, and to access the device also things like username: wjghog-495535 and password: jsdsjb-244644 just to make life a little harder by default to attackers. Of course OpenVPN that allows multiple profiles, and also to have multiple jumps between different OpenVPN providers to make it harder for any of them individually to spy on the user, and a nice visual interface to show if any of them is not working and why the device it is not working (not reach the server, local network block, wrong credentials, etc.). And of course technology to allow to bypass attempts to prevent OpenVPN connections (bridges, obfuscation, etc.). Onion ("Tor") network also available. Compatible with login portals (captive portal friendly). With some sort of internal battery that can be easily replaced (say "21700 battery" or something else) and allow external power for even extended periods like "Powerbanks" and/ or directly connected to the electricity network.
Submitted by Alexander on 10. January 2020 - 22:45
I think I heard of this on LTT. I haven't watched the video though, Maybe I should.
Submitted by JL on 22. February 2020 - 11:44
W Does it make sense to install the NitroPad distro on other machines? Is there a procedure available? Regrettably there are just few open bios machines out there. Does it also work with TPM enabled machines?
Submitted by Jan Suhr on 24. February 2020 - 9:02
We don't have any own Linux distribution, but customized Qubes and Ubuntu images. https://github.com/Nitrokey/ubuntu-oem/ https://github.com/Nitrokey/qubes-oem We didn't publish instructions how to flash Heads, but you can follow the documentation of Coreboot and Heads instead. Heads works on TPM enabled computers.
Submitted by Anonymous on 6. March 2020 - 19:40
Fantastic work guys. Insurgo looked too costly and I wanted to buy a secure hardware laptop. Thank you so much ! It's ridiculous to live in a world where each device has hardware backdoors and there are hacking laws.
Submitted by Penthotal on 11. March 2020 - 13:42
What about the last Intel chip flaw and CSME ?
Submitted by UNLTD on 20. March 2020 - 15:32
I think is similar to PURISM hardware -> no problem. See news on the website of pursim.
Submitted by Prospective buy... on 26. April 2020 - 11:17
I wonder if Qubes OS does work fast with several virtual machines or if there are any problems because of the old CPU and the old RAM. Is there anyone who has got experience with another Qubes OS running laptop? | Ich frage mich, ob Qubes OS trotz der alten CPU und dem alten RAM flüssig mit einigen Virtuellen Maschinen läuft. Hat jemand Erfahrung und eventuell einen Vergleich zu einem anderen Laptop?
Submitted by My name on 20. May 2020 - 20:57
It does. On X230 go for i7 and 16GB RAM.
Submitted by matt on 12. May 2020 - 10:47
Your webstore is down as of 5/12/2020 0447
Submitted by Jan Suhr on 12. May 2020 - 10:49
We updated the system which is why our shop went down for a few minutes. It's available now.
Submitted by Anonymous on 23. May 2020 - 18:12
Can you get others OS installs for Nitropad than Ubuntu,Mint and Qubes? Can you get a tutorial for changing the OS of Nitropad with all the required steps?
Submitted by Jan Suhr on 27. May 2020 - 14:35
The answer depends on the actual operating system. For instance, Debian can't be installed as of now: https://github.com/osresearch/heads/issues/699
Submitted by gcrl on 25. May 2020 - 12:27
Really should come with a WiFi card that uses Free drivers. Free Software Foundation recommended OSes won't accept the currently built-in proprietary WiFi card('s drivers), and for good reasons. This is a security concern in itself, built in NitroPad's hardware. ME switched off, Heads, Qubes OS et cetera - all very nice; but including a proprietary WiFi card is a serious security risk that should (have) be(en) eliminated by default, i.e. before purchase. Ubuntu is NOT A SECURE OS, too: It contains spyware (data leaking to Canonical and Amazon), nonfree software (and recommends more of it). It should be avoided at all costs, if one cares about her privacy. Vanilla Debian, Parabola, Trisquel (is it still actively developed?), Qubes OS, Tails would be acceptable alternatives - and they are as user friendly, besides Qubes OS perhaps. Otherwise, quite nicely done of course. Thank you for doing this.
Submitted by Jan Suhr on 27. May 2020 - 14:37
Indeed, we are considering adding a better WIFI card. Our Ubuntu 18.04 installation is customized and we removed the Amazon integration. Ubuntu 20.04 doesn't come with Amazon anymore by default. Debian can't be used with Heads as of now, unfortunately.
Submitted by DocDre on 21. November 2021 - 19:04
Do you have free drivers for the wifi module in the meantime?
Submitted by meissner on 21. November 2021 - 19:18
The ath9k option is as open-source-ish as possible, AR9462 designs have been reported to run without binary blobs. But we've not explicitly verified this in detail within the distributions.
Submitted by JR on 20. July 2020 - 16:04
I really love your products, I have bought quite a bunch of Nitrokeys over the years, and I was very close to buying a Qubes Nitropad a few days ago, but it felt a bit too painful to pay around 850$ for a near full specification X230... Could you consider offering a "Nitropad2" or something like that, based for example on a ThinkpadT490 or similar with Intel ME disabled, Qubes installed, and the same boot timing and GPG signing safety features? I would be ready to pay 1500-2500$ for such a machine with full specs without thinking twice, and I think that I am not alone there. Anything that may be drastically less secure than the X230, given ME has been de-activated?
Submitted by Jan Suhr on 20. July 2020 - 16:08
We don't plan to offer any other ThinkPad model soon. This space of Intel Boot Guard and custom firmware is really difficult and it's not that we have many other hardware options. However, we are interested to add other models in the future, if this becomes possible...
Submitted by Mike on 30. July 2020 - 18:16
Why do you use Lenovo ThinkPads? The Chinese government has been installing backdoors into them for several years now.
Submitted by Jan Suhr on 31. July 2020 - 6:00
That's why we are replacing Lenovo's BIOS/firmware with our own (Heads + coreboot).
Submitted by Anonymous on 31. July 2020 - 19:27
Can we install any OS in virtual box on a nitro pad with Ubuntu?
Submitted by Jan Suhr on 31. July 2020 - 19:28
yes
Submitted by Hotdog on 30. August 2020 - 10:35
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Are you working with the Qubes team on the future version 4.1? Can you guarantee us the compatibility of your X230 with 4.1 today? -----BEGIN PGP SIGNATURE----- iHUEARYIAB0WIQTugWZs8PdShPP6eVZiJvXjaaomZAUCX0tkcgAKCRBiJvXjaaom ZLnqAP9DjLqvjcdKAZNLwJCrNyH62SXAgnNYHTTN+cmUHCH3awEAgJEQsMllyJKK +RQYAdqYgpsN9ahfKlQ7CQ54R6LJ0Ag= =aSKW -----END PGP SIGNATURE-----
Submitted by Jan Suhr on 1. September 2020 - 8:20
Yes, NitroPads are Qubes-certified and therefore tested well.
Submitted by June on 7. September 2020 - 4:33
How do I reset a nitro pad and the nitrokey pro to original state out of your shop without knowing the pins.
Submitted by Jan Suhr on 7. September 2020 - 10:39
https://docs.nitrokey.com/x230/qubes/factory-reset.html
Submitted by Thomas on 12. September 2020 - 11:54
Do you also plan 17,3 notebook with these security features?
Submitted by Jan Suhr on 14. September 2020 - 9:55
No plan for such, as of now.
Submitted by RW on 14. October 2020 - 17:19
How can Intel be on your customers list? Don't they trust their own Management Engine?
Submitted by Zap on 3. December 2020 - 9:02
Is it possible to have no blobs installed to use this, I wanted to use Hyperbola as my operating system. Its a very interesting distribution focused on simplicity, stability, security, and freedom. Not in that order I might add. :) Also, is Hyperbola usable with heads? Can you test?
Submitted by Jan Suhr on 3. December 2020 - 9:15
Do you refer to firmware blobs? We neutralize Intel ME in the firmware already. We don't have time to test Hyperbola in particular but in general every Linux distribution should work and we are not aware of any which doesn't work.
Submitted by zap on 4. December 2020 - 0:45
Ah, okay, what about the ethernet blob?
Submitted by Jan Suhr on 4. December 2020 - 16:38
We use the standard blob for the Ethernet driver. If you don't want to use the built-in Ethernet, you would need to connect an external Ethernet adapter.
Submitted by zap on 6. December 2020 - 8:43
Oh okay, that wouldn't be a problem whatsoever, I have a few of those. :) I am curious though, is the intel me really unable to do anything remote after its disabled?
Submitted by Jan Suhr on 7. December 2020 - 10:10
According to the current publich knowledge, Intel ME is fully neutralized. What we do is we disable Intel ME by setting the HAP bit and we remove the parts of Intel ME blob which can be removed.
Submitted by zap on 7. December 2020 - 16:57
Ah okay, so the backdoor has been rendered both harmless and ineffective. Is it broken beyond repair also? That would be cool.
Submitted by Jan Suhr on 7. December 2020 - 17:52
What do you mean?
Submitted by zap on 8. December 2020 - 8:04
Well, I meant when you say its fully neutralized, your saying it can't do anything whatsoever, especially remote damage, as in over the net. correct?
Submitted by Jan Suhr on 8. December 2020 - 8:40
Yes, that's the whole point of neutralizing ME, to prevent any remote access or damaging.
Submitted by zap on 9. December 2020 - 7:28
By the way on an old related note, Is this option to not have the ethernet blob added possible? I have a usb to ethernet dongle available.
Submitted by Jan Suhr on 9. December 2020 - 9:30
We don't offer this as of now. I will see if we can add it in the future...
Submitted by zap on 26. January 2021 - 5:37
What about this vulnerability? SA-00086 Apparently, intel me being disabled still has this issue... :/ I found out about this vulnerability on wikipedia. And there is a link to it...
Submitted by zap on 29. January 2021 - 13:01
One other question though, when the ethernet blob is enabled, is it a remote issue and if so how significant?
Submitted by zap on 7. December 2020 - 5:59
I thought of one other question, will there be an option to update the firmware via nitrokey in bios?
Submitted by Jan Suhr on 7. December 2020 - 10:03
Yes, firmware can be updated. See: https://docs.nitrokey.com/x230/qubes/firmware-update.html
Submitted by zap on 7. December 2020 - 16:55
But I mean like, regardless of the operating system... Is there a place where I can compile it from source, or is all this not important because you attach the firmware into the usb directly and then maneuver from there in the bios, etc...
Submitted by Jan Suhr on 7. December 2020 - 17:54
You can download binaries and sources from: https://github.com/Nitrokey/heads/releases/latest To update the firmware, you store the firmware file on a USB drive and open it from Heads/firmware menu and trigger the update.
Submitted by zap on 8. December 2020 - 8:07
Good to know, that solves my problem for now. :)
Submitted by Nitropad User on 10. December 2020 - 9:42
Can you guys please make a plan for a laptop that can have more than 16gb of ram please. Speed is very important nowadays as we move into a virtual life. 32, 64, and even 128 gb of ram are becoming ever more important, example for professional software. Please make a plan for that option.

Pages

Add new comment

Fill in the blank.