Securely encrypt passwords with Nitrokey Pro 2
Locked
The Nitrokey Pro 2 is a small device that covers a wide range of cryptographic functions.
The small and inconspicuous Nitrokey Pro 2 is a digital door opener: You can use the Nitrokey's password safe to securely lock up your access credentials, and you can generate one-time passwords for more secure logins to online services. An integrated OpenPGP card lets you encrypt and sign emails. (See the article on the OpenPGP smartcard starting on p. 18 in this issue.)
You can purchase the Nitrokey Pro 2 for around EUR50 via the manufacturer's online shop [1] (Figure 1). The online shop is also where you will find the Nitrokey Storage 2, which provides the same functions as the Nitrokey Pro 2 but also includes encrypted storage capacity ranging from 16 to 64GB. Depending on how much storage you need, the Nitrokey Storage 2 costs somewhere between EUR109 and EUR199.
Configuration
To set up the Nitrokey, you also need the Nitrokey App [2], which is available for various operating systems. For Linux, the manufacturer offers packages for various distributions on its website, as well as the source code, which you can compile yourself.
Once you have purchased the Nitrokey and installed the app on your computer, plug the stick into the computer and start the software with the nitrokey-app command in the shell or by clicking on the icon in the application menus.
Access to the Nitrokey is protected by a PIN. The PIN keeps your data safe, even if you lose the stick. To change the settings, you first need to enter the Admin PIN (see the "Start PIN" box). Before you start working, the first thing to do is to set your own PIN and Admin PIN. Select Menu | Configure | Change User PIN and Change Admin PIN in the Nitrokey App (Figure 2).
Start PIN
The Nitrokey's start PIN is always 123456, and the startup Admin PIN is always 12345678. You will want to change the PIN immediately before using the Nitrokey for the first time. To change the PIN, select Menu | Configure in the Nitrokey App.
You can now use the password safe to store important access credentials. Unlock the safe in the app via Menu | Unlock Password Safe and enter the PIN. Then click on the Password Safe tab, where you can store up to 16 passwords and credentials. Select a slot on the list, assign a name, and enter the login information and password.
If you are just logging in to an online service, the app will help you choose a new password after clicking Generate random password. The storage space on the Nitrokey is limited, so you will see the maximum number of characters to the right of each field. Once all the data is entered, don't forget to press Save.
Unlocking
Once you have captured the passwords, you can use them anytime you need them. Provided that the Nitrokey is plugged in and the password safe is unlocked, you will find a list of passwords stored on your Nitrokey in Menu | Passwords. After you click on the desired entry, the program copies the appropriate password to the clipboard of the desktop environment. You can then paste it onto the login screen.
Note that this is a weak point: The password is sent in plain text to the clipboard, where it would theoretically be possible for an attacker to intercept it. Caution is therefore advisable when working on a computer that you do not own.
To prevent your password from staying in the clipboard indefinitely, use the Settings tab in the app to set the time at which the password is deleted from the clipboard. The default is 60 seconds, but 30 seconds is usually long enough. After that, the password disappears from the clipboard. This feature can be an issue if you use a clipboard manager. In the test, the copied passwords remained in the clipboard manager's history.
One-Time Passwords
To improve login security, online services often use one-time passwords that are sent to the user by text. For many online services, you can simply generate a one-time password using the Nitrokey App so that you do not have to rely on the provider's app for each user account. Look for instructions at the Nitrokey website [3].
The basic principle is the same for all services: enable two-factor authentication for the service, then enter into the Nitrokey App the secret key that the provider's own app would otherwise use to generate one-time passwords.
For example, log in to your Google account via https://myaccount.google.com. Then click Security on the left and, under Sign in to Google, opt for Confirm in two steps. When you get there, first set up your smartphone. After that, the system will show you different ways to use your smartphone for two-factor authentication. By default, Google sends you one-time passwords as text messages.
Select Authenticator App from the list of options and click Setup. You don't really want to use the Authenticator App, but that's the only way Google will hand over the private key you're after. Now a barcode appears on the page, which you would scan with the Authenticator App if you were using it. But don't do that; instead click on You can't scan it.
Google will then show you the private key. Switch to the Nitrokey App and call up the Disposable passwords entries tab. Now, assign a name for the entry, in this case, Google. Enter the private key in the Secret field and click Save. This step completes the setup in the Nitrokey App. Switch back to the Google account because there the configuration goes a little further.
In the dialog from which you just copied the private key, click Next. Google will ask you for a six-digit code, which will be shown to you by the Authenticator App. You can now directly test whether everything is set up correctly in the Nitrokey App.
Launch the Nitrokey App and click Menu | Passwords | Google. The Nitrokey App will then generate a one-time password and copy it to the clipboard. From there, paste it into the dialog box in your Google account. This completes the setup of your Google account, and from now on, you can use the Nitrokey App to generate one-time passwords to log in.