Securely encrypt passwords with Nitrokey Pro 2

The Nitrokey Pro 2 is a small device that covers a wide range of cryptographic functions.
The small and inconspicuous Nitrokey Pro 2 is a digital door opener: You can use the Nitrokey's password safe to securely lock up your access credentials, and you can generate one-time passwords for more secure logins to online services. An integrated OpenPGP card lets you encrypt and sign emails. (See the article on the OpenPGP smartcard starting on p. 18 in this issue.)
You can purchase the Nitrokey Pro 2 for around EUR50 via the manufacturer's online shop [1] (Figure 1). The online shop is also where you will find the Nitrokey Storage 2, which provides the same functions as the Nitrokey Pro 2 but also includes encrypted storage capacity ranging from 16 to 64GB. Depending on how much storage you need, the Nitrokey Storage 2 costs somewhere between EUR109 and EUR199.

Configuration
To set up the Nitrokey, you also need the Nitrokey App [2], which is available for various operating systems. For Linux, the manufacturer offers packages for various distributions on its website, as well as the source code, which you can compile yourself.
Once you have purchased the Nitrokey and installed the app on your computer, plug the stick into the computer and start the software with the nitrokey-app command in the shell or by clicking on the icon in the application menus.
Access to the Nitrokey is protected by a PIN. The PIN keeps your data safe, even if you lose the stick. To change the settings, you first need to enter the Admin PIN (see the "Start PIN" box). Before you start working, the first thing to do is to set your own PIN and Admin PIN. Select Menu | Configure | Change User PIN and Change Admin PIN in the Nitrokey App (Figure 2).

Start PIN
The Nitrokey's start PIN is always 123456, and the startup Admin PIN is always 12345678. You will want to change the PIN immediately before using the Nitrokey for the first time. To change the PIN, select Menu | Configure in the Nitrokey App.
You can now use the password safe to store important access credentials. Unlock the safe in the app via Menu | Unlock Password Safe and enter the PIN. Then click on the Password Safe tab, where you can store up to 16 passwords and credentials. Select a slot on the list, assign a name, and enter the login information and password.
If you are just logging in to an online service, the app will help you choose a new password after clicking Generate random password. The storage space on the Nitrokey is limited, so you will see the maximum number of characters to the right of each field. Once all the data is entered, don't forget to press Save.
Unlocking
Once you have captured the passwords, you can use them anytime you need them. Provided that the Nitrokey is plugged in and the password safe is unlocked, you will find a list of passwords stored on your Nitrokey in Menu | Passwords. After you click on the desired entry, the program copies the appropriate password to the clipboard of the desktop environment. You can then paste it onto the login screen.
Note that this is a weak point: The password is sent in plain text to the clipboard, where it would theoretically be possible for an attacker to intercept it. Caution is therefore advisable when working on a computer that you do not own.
To prevent your password from staying in the clipboard indefinitely, use the Settings tab in the app to set the time after which the password is deleted from the clipboard. The default is 60 seconds, but 30 seconds is usually long enough. After that, the password disappears from the clipboard. This feature can be an issue if you use a clipboard manager. In the test, the copied passwords remained in the clipboard manager's history.
One-Time Passwords
To improve login security, online services often use one-time passwords that are sent to the user by text. For many online services, you can simply generate a one-time password using the Nitrokey App so that you do not have to rely on the provider's app for each user account. Look for instructions at the Nitrokey website [3].
The basic principle is the same for all services: enable two-factor authentication for the service, then take the secret key that the provider's own app would normally use to generate one-time passwords and enter it in the Nitrokey App instead.
For example, log in to your Google account via https://myaccount.google.com. Then click Security on the left and, under Sign in to Google, opt for Confirm in two steps. When you get there, first set up your smartphone. After that, the system will show you different ways to use your smartphone for two-factor authentication. By default, Google sends you one-time passwords as text messages.
Select Authenticator App from the list of options and click Setup. You don't really want to use the Authenticator App, but that's the only way Google will hand over the private key you're after. Now a barcode appears on the page, which you would scan with the Authenticator App if you were using it. But don't do that; instead click on You can't scan it.
Google will then show you the private key. Switch to the Nitrokey App and call up the Disposable passwords entries tab. Now, assign a name for the entry, in this case, Google. Enter the private key in the Secret field and click Save. This step completes the setup in the Nitrokey App. Switch back to the Google account because there the configuration goes a little further.
In the dialog from which you just copied the private key, click Next. Google will ask you for a six-digit code, which will be shown to you by the Authenticator App. You can now directly test whether everything is set up correctly in the Nitrokey App.
Launch the Nitrokey App and click Menu | Passwords | Google. The Nitrokey App will then generate a one-time password and copy it to the clipboard. From there, paste it into the dialog box in your Google account. This completes the setup of your Google account, and from now on, you can use the Nitrokey App to generate one-time passwords to log in.