NitroKey, encryption, gpg
I've used the following commands to get my NitroKey Pro running on Manjaro Linux.
I use my NitroKey mainly for pass, the "standard unix password manager", to keep my very important passwords top secret.
So I don't really use FIDO2 or other features of a YubiKey. NitroKey provides a comparison sheet for their different keys, and as you can see you have to decide between gpg and FIDO2. Too bad.
1. Controversy about gpg
It was published on January 28. A fixed libgcrypt version (1.9.1) was published the next day.
golem.de said the main developer, Werner Koch, reacted in an unprofessional way to the suggestion to introduce a CI.
My opinion: They (the ticket author Hanno and Werner Koch) seem to know each other and I don't care much about decency. Nobody was hurt.
However, gpg is the only OpenPGP implementation I know of which supports smartcards.
It might be of poor code quality, it might be missing a CI.
While I usually insist on good test coverage and everything automated, I don't really have a choice here.
Besides, I can't really judge gpg on those things, because I haven't taken a closer look.
So for me, I will continue using it.
If anybody knows any alternative which works with smartcards, please let me know.
I've ordered my NitroKey bundled with a tiny USB-A to -C adapter.
3. NitroKey setup
sudo pacman -S ccid
sudo wget -O /etc/udev/rules.d/41-nitrokey.rules https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
gpg --card-status should return something similar to this:
$ gpg --card-status
Reader ...........: 20A0:4108:00000000000000000000AAAA:0
Application ID ...: D27600011111111100050000AAAA0000
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 0000AAAA
Name of cardholder: [nicht gesetzt]
Language prefs ...: de
Salutation .......:
URL of public key : [nicht gesetzt]
Login data .......: [nicht gesetzt]
Signature PIN ....: zwingend
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
4. GPG test file
Let's assume you have both the public and the secret key in your local gpg keyring. No NitroKey in play, yet.
Here are some basic commands to encrypt and decrypt a file with your key.
gpg --list-public-keys
gpg --list-secret-keys
echo test > test.txt
# Encryption
gpg --output test.txt.gpg --encrypt --recipient username@email test.txt
# Decryption
gpg --output test.decrypted.txt --decrypt test.txt.gpg
5. Move the secret key to the NitroKey
gpg --edit-key --expert username@email
It will show you some info; then type the keytocard command to transfer the key to the NitroKey.
I had to enter the admin PIN twice (default: 12345678).
After this, type quit and confirm.
After this, the gpg --list-secret-keys command should show some output like this:
$ gpg --list-secret-keys
/home/user/.gnupg/pubring.kbx
-------------------------------
sec>  rsa4096 1999-01-01 [SC]
      BE6B9238A3F73D41599A474AE430E46A820299F6
      Kartenseriennr. = 0005 0000AAAA
uid        [ unbekannt ] username@email
ssb>  rsa4096 1999-01-01 [E]
As you can see, the Kartenseriennr. (English: card serial number) is shown. That means the reference to the NitroKey was successfully installed. Good work.
Try to run the decryption command from above again. It should now ask you for your PIN (default: 123456), and the NitroKey is queried by gpg.
6. On a different computer
On a new computer, run gpg --card-edit, then enter quit to import the reference to the secret key on the NitroKey.
Note: The public key must be known to gpg at this point. It is not possible to just import the public key from the NitroKey itself, because some information is missing.
If your public key is not on some key server, please see the steps below on how to export your key.
Afterwards, you can run gpg --import file.
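The two states described in sections 5 and 6 (key moved to the card, shown as "sec>", and a stub without secret key, shown as "sec#" before --card-edit) can be checked without reading the listing by eye: in the --with-colons output, field 15 of a sec/ssb record holds the token serial, a "#" for a stub, and stays empty while the secret material is still on disk. This is an added example, not code from this post or from GnuPG; the sample listing is constructed, with the key id and card application id taken from this post and the subkey ids made up.

```shell
# Added example: classify each secret key in gpg's colon listing by where
# its secret material lives.  Real usage:
#   gpg --list-secret-keys --with-colons | classify_secret_keys

# Constructed sample of `gpg --list-secret-keys --with-colons`.  The primary
# key id and the card application id are the ones from this post; the
# subkey ids are made up.  Field 15 of sec/ssb is the "S/N of a token".
SAMPLE_COLONS='sec:u:4096:1:E430E46A820299F6:1999-01-01:::u:::scESC:::D27600011111111100050000AAAA0000:::23::0:
fpr:::::::::BE6B9238A3F73D41599A474AE430E46A820299F6:
uid:u::::1999-01-01::0123456789ABCDEF0123456789ABCDEF01234567::username@email::::::::::0:
ssb:u:4096:1:0123456789ABCDEF:1999-01-01::::::e:::D27600011111111100050000AAAA0000:::23:
ssb:u:4096:1:FEDCBA9876543210:1999-01-01::::::a:::#:::23:
ssb:u:4096:1:1122334455667788:1999-01-01::::::s::::::23:'

# classify_secret_keys: reads the colon listing on stdin and prints one
# "<keyid> <capabilities> <location>" line per sec/ssb record, where
#   card:<serial>  secret key lives on the token ("sec>" in normal output)
#   missing        stub without secret key ("sec#", e.g. before --card-edit)
#   local          secret material still in ~/.gnupg (keytocard not done)
classify_secret_keys() {
  awk -F: '$1 == "sec" || $1 == "ssb" {
    loc = "local"
    if ($15 == "#") loc = "missing"
    else if ($15 != "") loc = "card:" $15
    print $5, $12, loc
  }'
}

# secret_material_on_disk LISTING: succeeds (exit 0) if at least one key
# still keeps its secret material locally.  After keytocard you want this
# to fail for the output of `gpg --list-secret-keys --with-colons`.
secret_material_on_disk() {
  printf '%s\n' "$1" | classify_secret_keys |
    awk '$3 == "local" { n++ } END { exit n ? 0 : 1 }'
}
```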
7. Exporting keys with gpg
7.1. Public key
gpg --output public.asc --armor --export username@email
--armor writes the output in ASCII-armor format, a 7-bit, copy-pastable file.
7.2. Secret key
gpg --output private.asc --armor --export-secret-key username@email
If you run this on a key which was already moved to the NitroKey, this command will not fail, but it only exports the reference to the private key. There is no (gpg) way to get access to the private key anymore. That's why you own a NitroKey, right?
I've scraped these sites during my setup: