Securely encrypt passwords with Nitrokey Pro 2


Article from Issue 252/2021

The Nitrokey Pro 2 is a small device that covers a wide range of cryptographic functions.

The small and inconspicuous Nitrokey Pro 2 is a digital door opener: You can use the Nitrokey's password safe to securely lock up your access credentials, and you can generate one-time passwords for more secure logins to online services. An integrated OpenPGP card lets you encrypt and sign emails. (See the article on the OpenPGP smartcard starting on p. 18 in this issue.)

You can purchase the Nitrokey Pro 2 for around EUR50 via the manufacturer's online shop [1] (Figure 1). The online shop is also where you will find the Nitrokey Storage 2, which provides the same functions as the Nitrokey Pro 2 but also includes encrypted storage capacity ranging from 16 to 64GB. Depending on how much storage you need, the Nitrokey Storage 2 costs somewhere between EUR109 and EUR199.

Figure 1: Use the Nitrokey Pro 2 like an OpenPGP smartcard. You can also generate one-time passwords and store access credentials. If you opt for the Nitrokey Storage 2, you will have access to encrypted storage of up to 64GB. © Nitrokey GmbH


To set up the Nitrokey, you also need the Nitrokey App [2], which is available for various operating systems. For Linux, the manufacturer offers packages for various distributions on its website, as well as the source code, which you can compile yourself.

Once you have purchased the Nitrokey and installed the app on your computer, plug the stick into the computer and start the software with the nitrokey-app command in the shell or by clicking on the icon in the application menus.

Access to the Nitrokey is protected by a PIN. The PIN keeps your data safe, even if you lose the stick. To change the settings, you first need to enter the Admin PIN (see the "Start PIN" box). Before you start working, the first thing to do is to set your own PIN and Admin PIN. Select Menu | Configure | Change User PIN and Change Admin PIN in the Nitrokey App (Figure 2).

Figure 2: Set up a PIN to keep your passwords safe.

Start PIN

The Nitrokey's start PIN is always 123456, and the startup Admin PIN is always 12345678. You will want to change the PIN immediately before using the Nitrokey for the first time. To change the PIN, select Menu | Configure in the Nitrokey App.

You can now use the password safe to store important access credentials. Unlock the safe in the app via Menu | Unlock Password Safe and enter the PIN. Then click on the Password Safe tab, where you can store up to 16 passwords and credentials. Select a slot on the list, assign a name, and enter the login information and password.

If you are just logging in to an online service, the app will help you choose a new password when you click Generate random password. The storage space on the Nitrokey is limited, so you will see the maximum number of characters to the right of each field. Once all the data is entered, don't forget to press Save.


Once you have captured the passwords, you can use them anytime you need them. Provided that the Nitrokey is plugged in and the password safe is unlocked, you will find a list of passwords stored on your Nitrokey in Menu | Passwords. After you click on the desired entry, the program copies the appropriate password to the clipboard of the desktop environment. You can then paste it onto the login screen.

Note that this is a weak point: The password is sent in plain text to the clipboard, where it would theoretically be possible for an attacker to intercept it. Caution is therefore advisable when working on a computer that you do not own.

To prevent your password from staying in the clipboard indefinitely, use the Settings tab in the app to set how long the password remains in the clipboard before it is deleted. The default is 60 seconds, but 30 seconds is usually long enough. After that, the password disappears from the clipboard. This feature can be an issue if you use a clipboard manager. In our test, the copied passwords remained in the clipboard manager's history.

One-Time Passwords

To improve login security, online services often use one-time passwords that are sent to the user by text. For many online services, you can simply generate a one-time password using the Nitrokey App so that you do not have to rely on the provider's app for each user account. Look for instructions at the Nitrokey website [3].

The basic principle is the same for all services: Enable two-factor authentication for the service, and then enter the secret key, which the provider's own app would otherwise use to generate one-time passwords, in the Nitrokey App instead.

For example, log in to your Google account. Then click Security on the left and, under Sign in to Google, opt for Confirm in two steps. When you get there, first set up your smartphone. After that, the system will show you different ways to use your smartphone for two-factor authentication. By default, Google sends you one-time passwords as text messages.

Select Authenticator App from the list of options and click Setup. You don't really want to use the Authenticator App, but that's the only way Google will hand over the secret key you're after. Now a barcode appears on the page, which you would scan with the Authenticator App if you were using it. But don't do that; instead click on You can't scan it.

Google will then show you the secret key. Switch to the Nitrokey App and call up the Disposable passwords entries tab. Now, assign a name for the entry, in this case, Google. Enter the key in the Secret field and click Save. This step completes the setup in the Nitrokey App. Switch back to the Google account, because the configuration there goes a little further.

In the dialog from which you just copied the secret key, click Next. Google will ask you for a six-digit code, which the Authenticator App would normally show you. You can now directly test whether everything is set up correctly in the Nitrokey App.

Launch the Nitrokey App and click Menu | Passwords | Google. The Nitrokey App will then generate a one-time password and copy it to the clipboard. From there, paste it into the dialog box in your Google account. This completes the setup of your Google account, and from now on, you can use the Nitrokey App to generate one-time passwords to log in.
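
The six-digit code checked in the last step is derived from nothing but the secret key and the current time. The following Python code is an added example, not code from the article or from Nitrokey; it assumes the time-based scheme from RFC 6238 with SHA-1, a 30-second step, and six digits, and it uses the RFC's published test key as a constructed secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the published RFC 6238 test key ("12345678901234567890"),
# written the way a setup page typically displays it (lowercase, in groups).
SAMPLE_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_secret(displayed):
    """Convert the displayed Base32 key into the raw bytes used as HMAC key."""
    cleaned = displayed.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that pages omit
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(displayed, now=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    now = time.time() if now is None else now
    return hotp(decode_secret(displayed), int(now) // step, digits)


def seconds_left(now=None, step=30):
    """How long the current code stays valid before the next step begins."""
    now = time.time() if now is None else now
    return step - int(now) % step


if __name__ == "__main__":
    print("current code:", totp(SAMPLE_SECRET), "valid for", seconds_left(), "s")
```

The code depends only on the secret and the clock, which is why the key shown on the setup page deserves the same care as a password.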
