This is a text-only version of the following page on https://raymii.org:
---
Title       :   Three new NitroKeys! Nitrokey Pro 2, Storage 2 and a FIDO-U2F Nitrokey
Author      :   Remy van Elst
Date        :   08-11-2018
URL         :   https://raymii.org/s/tutorials/Three_New_Nitrokeys_Pro_2_Storage_2_and_Fido_u2f.html
Format      :   Markdown/HTML
---



![][1]

Last week I received several newsletters from Nitrokey. As you might know, I'm a fan of their (mostly open source) hardware security devices. I've written articles on the [NitroKey HSM][2] (even on [extracting private key material][3]), on the [NitroKey Start][4] and some [firmware][5] [update][6] guides.

Their newsletters introduced two new keys, the Nitrokey Pro 2 and the Nitrokey
FIDO-U2F key. On their website I also saw the Nitrokey Storage Pro 2. This
article is a summary of the newsletters and goes over the new features in the
new hardware. It boils down to a new OpenPGP smartcard version (3.3, it was 2.1)
in the Nitrokey Pro 2 and Storage 2. The FIDO-U2F device is an entirely new
Nitrokey (with a button).

<p class="ad"> <b>Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:</b><br><br> <a href="https://leafnode.nl">I'm developing an open source monitoring app called  Leaf Node Monitoring, for windows, linux & android. Go check it out!</a><br><br> <a href="https://github.com/sponsors/RaymiiOrg/">Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.</a><br><br> <a href="https://www.digitalocean.com/?refcode=7435ae6b8212">You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days. </a><br><br> </p>


I recommend you get a Nitrokey. The [open hardware and mostly open software][8]
part is what I like the most, next to the pricing and their support. I've been
in contact with the company a few times, both with the CEO Jan and a developer
Szczepan. That guy is active on the Gnuk mailing list and does, as far as I can
tell, most of their embedded development.

If you ask me if I prefer a Nitrokey over a yubikey, then I would choose the
Nitrokey. The yubikey is closed source all together, relying on their
infrastructure in the default (otp) mode. The nitrokey gives you more freedom.
The nitrokey is a full USB A plug as well, where as the yubikey is half, or in
the USB slot all together. So, the Nitrokey is more durable.

In the past I got hardware sponsored from Nitrokey. Not for this article.

### What are Nitrokeys?

NitroKey creates hardware security tokens. The Nitrokey Pro is a OpenPGP
smartcard in a USB stick with a companion application. It allows you to securely
store your GPG key, among other things.

The Nitrokey HSM is a hardware security module. It is also a smartcard in a USB
key, but this time it utilizes different firmware to present itself as a
[Smartcard-HSM][9], using PKCS-11 (cryptoki) as the protocol.

The Nitrokey Start is a soft-token (meaning no smartcard). It uses the
[gnuk][10] firmware to also be a OpenPGP-token. That hardware and software is
fully open source, the Pro and HSM are up until the smartcard software.

The Nitrokey storage is a Nitrokey Pro with USB storage that is encrypted (by
the smartcard). I haven't used a Nitrokey Storage, so no experience with that.

### Nitrokey Pro 2

The feature most exciting in this new hardware version is ECC support. Copying
from their newsletter, all the new features:

#### Support of elliptic curve cryptography (ECC)

> > In addition to RSA (2048-4096 bit), Nitrokey Pro 2 supports elliptic curve
cryptography (ECC. Brainpool and NIST). Because RSA-2048 is not considered [safe
for use beyond 2022][11], ECC is becoming increasingly important as a fast and
secure alternative. [See instructions][12]. This feature requires the new
Nitrokey Pro 2 hardware and cannot be installed by upgrading the firmware.

Editors addition: the ECC key length is between 256 and 512 bit. Bernstein's
Curve 25519 is not supported do to lack of support in the smartcard. The
[Nitrokey start does support 25519][13].

#### Improved keystore support for Windows

> > It is now possible to [roll out company certificates via Active
Directory][12] on Windows devices. These certificates can be used for Windows
logon and for e-mail encryption using S/MIME. In addition, OpenPGP and S/MIME
email encryption can be easily used in parallel on a single Nitrokey Pro 2. This
feature requires the new Nitrokey Pro 2 hardware and cannot be installed by
upgrading the firmware.

#### Integrity verification of Purism laptops

> > The Nitrokey Pro 2 can be used as a part of the tamper-evident boot
protection which Purism integrates into their Librem Linux laptops. [Read
more][12].

#### Hardware differences?

Reading through the [forum][14], the exact hardware change is a new version of
the OpenPGP smartcard (namely, version 3). On the [gnupg site][15] you can
download the [specification for 3.3][16] as well as the [specification for
2.2][17]. Major difference is support for ECC crypto, as is reflected in the new
nitrokey.

#### GnuPG version

An important note is that you do need a recent version of Gnupg (> 2.1.16). The
version with Ubuntu 16.04 or 16.10 will not work and you manually need to
upgrade it. Either by installing newer packages (not recommended) or by
compiling the newer version of GnuPG yourself. You could also update your entire
distro to at least 18.04.

More information and getting started with ECC can be found [here][12]

### Nitrokey Storage 2

This was the first of the new hardware, available since June as far as I can
see. Since the NitroKey Storage is based on the Nitrokey pro (it is an OpenPGP
card), the above new features (ECC support and Active Directory integration) are
new in the hardware of the Storage 2 as well. (The storage 2 also has an OpenPGP
3 smartcard). The nitrokey storage has an extra SD card which houses the
encrypted storage part, whereas the Smartcard does the encryption of said
storage. You can read [more in the manual][18] on how the exact storage
encryption works.

The new features exclusive to the Nitrokey Storage are, as you might expect,
related to it's storage functions. In addition to what I listed above, here are
the new features for the Storage 2:

#### Manual initialization of the storage is not necessary

> > On delivery, the device's storage is already initialized with random numbers
and an encrypted partition is set up. This eliminates manual setup and Nitrokey
Storage 2 can be used immediately.

#### Protection of unencrypted storage

> > The Nitrokey App for Windows, macOS and Linux (AppImage) is now pre-
installed on the unencrypted storage. In addition, the unencrypted storage is
read-only, which can only be changed with the Admin PIN (requires Nitrokey App
1.3.1). This prevents the unintentional distribution of viruses and the
unintentional storage of sensitive data on the unencrypted storage. This
function is particularly interesting for enterprise customers who configure
Nitrokey Storage 2 centrally and whose employees only use the user PIN.

[Read the full announcement here][19]

### Nitrokey Fido U2F

![][20]

> Early dev version of the Nitrokey U2F

The Nitrokey Fido U2F is an entirely new key. It's based on the [U2F Zero][21],
It is open hardware and the software is open source as well. It differs
physically from the other nitrokey devices in that it has a touch button.

With the Nitrokey FIDO U2F, after the initial configuration, you just need to
touch the button on the device each time you are logging in to your various
accounts.

Universal Second Factor, or FIDO U2F is a standard for 2 factor auth with USB
dongles. It is developed by Google and Yubico There is [a site][22] with more
information and a list of supported sites. There is also an [unofficial FAQ
here][23].

[This PDF][24] states that the Nitrokey FIDO U2F supports the FIDO Universal 2nd
Factor (U2F) 1.2 standard. The Nitrokey Fido U2F also supports [WebAuthn][25].
At the moment there is no support for FIDO2.

More information [on the site][26]

#### FIDO U2F, FIDO2 and WebAuthN???

FIDO U2F and FIDO2 and WebAuthn are not the same. This Nitrokey does not support
FIDO2 at the moment, but I suspect it could be added in a later firmware
version. I'll try to give a simple explanation of the FIDO's:

 * FIDO U2F is for second factor only (next to a username/password).
 * FIDO2 is for both second factor, as well as replacing a username/password completely (with a public/private keypair)
 * WebAuthn is the Web and browser API for authentication. It supports both FIDO U2F (CTAP1) and FIDO2 (CTAP2). (CTAP == Client to Authenticator Protocol)

Websites can utilize the WebAuthn standard together with a protocol like CTAP1
or CTAP2 to provide functionality so that the user can use their USB token to
authenticate.

A more technical explanation of CTAP can [be found here][27]

I have not used this standard (u2f) before but it seems to be comparable with
the Yubikey process (press a button for 2 factor). It is the cheapest of
Nitrokeys so far (22 euro's) and works with all major operating systems
(Windows, Linux, OS X and BSD (but which bsd?)) and all major browsers,
including Opera.

There is a lot of documentation [on the security and key generation][28] here.

  [1]: https://raymii.org/s/inc/img/nitrokey-u2f.jpg
  [2]: https://raymii.org/s/articles/Get_Started_With_The_Nitrokey_HSM.html
  [3]: https://raymii.org/s/articles/Decrypt_NitroKey_HSM_or_SmartCard-HSM_private_keys.html
  [4]: https://raymii.org/s/articles/Nitrokey_Start_Getting_started_guide.html
  [5]: https://raymii.org/s/tutorials/Nitrokey_gnuk_firmware_update_via_DFU.html
  [6]: https://raymii.org/s/tutorials/FST-01_firmware_upgrade_via_usb.html
  [7]: https://www.digitalocean.com/?refcode=7435ae6b8212
  [8]: https://github.com/Nitrokey
  [9]: https://www.smartcard-hsm.com/
  [10]: http://www.fsij.org/doc-gnuk/
  [11]: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf;jsessionid=064DAA7AD3195C1C87B1C71B2760DB4E.1_cid360?__blob=publicationFile&v=7
  [12]: https://www.nitrokey.com/documentation/elliptic-curves-ecc-support-nitrokey-storage-2-and-pro-2
  [13]: https://www.nitrokey.com/news/2017/nitrokey-start-supports-elliptic-curves-ecc
  [14]: https://support.nitrokey.com/t/what-is-the-difference-between-prov1-and-pro-v2/1406
  [15]: https://gnupg.org/ftp/specs/
  [16]: https://raymii.org/s/inc/downloads/OpenPGP-smart-card-application-3.3.1.pdf
  [17]: https://raymii.org/s/inc/downloads/OpenPGP-smart-card-application-2.2.pdf
  [18]: https://raymii.org/s/inc/downloads/nitrokey-storage-Manual.pdf
  [19]: https://www.nitrokey.com/news/2018/nitrokey-storage-2-released
  [20]: https://raymii.org/s/inc/img/nitrokey-u2f-2.jpg.png
  [21]: https://github.com/conorpp/u2f-zero/
  [22]: https://www.dongleauth.info/
  [23]: https://web.archive.org/web/20181107115126/https://medium.com/@nparlante/the-unofficial-fido-u2f-faq-9201fa5cb4da
  [24]: https://raymii.org/s/inc/downloads/Nitrokey_FIDO_U2F_factsheet.pdf
  [25]: https://en.wikipedia.org/wiki/WebAuthn
  [26]: https://www.nitrokey.com/news/2018/new-nitrokey-fido-u2f
  [27]: https://web.archive.org/web/20181107114622/https://www.imperialviolet.org/2018/03/27/webauthn.html
  [28]: https://github.com/Nitrokey/nitrokey-fido-u2f-firmware/blob/master/doc/security_architecture.md

---

License:
All the text on this website is free as in freedom unless stated otherwise.
This means you can use it in any way you want, you can copy it, change it
the way you like and republish it, as long as you release the (modified)
content under the same license to give others the same freedoms you've got
and place my name and a link to this site with the article as source.

This site uses Google Analytics for statistics and Google Adwords for
advertisements. You are tracked and Google knows everything about you.
Use an adblocker like ublock-origin if you don't want it.

All the code on this website is licensed under the GNU GPL v3 license
unless already licensed under a license which does not allows this form
of licensing or if another license is stated on that page / in that software:

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.

Just to be clear, the information on this website is for meant for educational
purposes and you use it at your own risk. I do not take responsibility if you
screw something up. Use common sense, do not 'rm -rf /' as root for example.
If you have any questions then do not hesitate to contact me.

See https://raymii.org/s/static/About.html for details.

You are viewing proxied material from raymii.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.