Securely encrypt passwords with Nitrokey Pro 2
Locked
The Nitrokey Pro 2 is a small device that covers a wide range of cryptographic functions.
The small and inconspicuous Nitrokey Pro 2 is a digital door opener: You can use the Nitrokey's password safe to securely lock up your access credentials, and you can generate one-time passwords for more secure logins to online services. An integrated OpenPGP card lets you encrypt and sign emails. (See the article on the OpenPGP smartcard starting on p. 18 in this issue.)
You can purchase the Nitrokey Pro 2 for around EUR50 via the manufacturer's online shop [1] (Figure 1). The online shop is also where you will find the Nitrokey Storage 2, which provides the same functions as the Nitrokey Pro 2 but also includes encrypted storage capacity ranging from 16 to 64GB. Depending on how much storage you need, the Nitrokey Storage 2 costs somewhere between EUR109 and EUR199.
Configuration
To set up the Nitrokey, you also need the Nitrokey App [2], which is available for various operating systems. For Linux, the manufacturer offers packages for various distributions on its website, as well as the source code, which you can compile yourself.
Once you have purchased the Nitrokey and installed the app on your computer, plug the stick into the computer and start the software with the nitrokey-app
command in the shell or by clicking on the icon in the application menus.
Access to the Nitrokey is protected by a PIN. The PIN keeps your data safe, even if you lose the stick. To change the settings, you first need to enter the Admin PIN (see the "Start PIN" box). Before you start working, the first thing to do is to set your own PIN and Admin PIN. Select Menu | Configure | Change User PIN and Change Admin PIN in the Nitrokey App (Figure 2).
Start PIN
The Nitrokey's start PIN is always 123456
, and the startup Admin PIN is always 12345678
. You will want to change the PIN immediately before using the Nitrokey for the first time. To change the PIN, select Menu | Configure in the Nitrokey App.
You can now use the password safe to store important access credentials. Unlock the safe in the app via Menu | Unlock Password Safe and enter the PIN. Then click on the Password Safe tab, where you can store up to 16 passwords and credentials. Select a slot on the list, assign a name, and enter the login information and password.
If you are just logging in to an online service, the app will help you choose a new password after clicking Generate random password. The storage space on the Nitrokey is limited, so you will see the maximum number of characters to the right of each field. Once all the data is entered, don't forget to press Save.
Unlocking
Once you have captured the passwords, you can use them anytime you need them. Provided that the Nitrokey is plugged in and the password safe is unlocked, you will find a list of passwords stored on your Nitrokey in Menu | Passwords. After you click on the desired entry, the program copies the appropriate password to the clipboard of the desktop environment. You can then paste it onto the login screen.
Note that this is a weak point: The password is sent in plain text to the clipboard, where it would theoretically be possible for an attacker to intercept it. Caution is therefore advisable when working on a computer that you do not own.
To prevent your password from staying in the clipboard indefinitely, use the Settings tab in the app to set the time at which the password is deleted from the clipboard. The default is 60 seconds, but 30 seconds is usually long enough. After that, the password disappears from the clipboard. This feature can be an issue if you use a clipboard manager. In the test, the copied passwords remained in the clipboard manager's history.
One-Time Passwords
To improve login security, online services often use one-time passwords that are sent to the user by text. For many online services, you can simply generate a one-time password using the Nitrokey App so that you do not have to rely on the provider's app for each user account. Look for instructions at the Nitrokey website [3].
The basic principle is the same for all services: enable two-factor authentication for the service and enter the secret key, which will actually be used to generate one-time passwords via the provider's own app, in the Nitrokey App.
For example, log in to your Google account via https://myaccount.google.com
. Then click Security on the left and, under Sign in to Google, opt for Confirm in two steps. When you get there, first set up your smartphone. After that, the system will show you different ways to use your smartphone for two-factor authentication. By default, Google sends you one-time passwords as text messages.
Select Authenticator App from the list of options and click Setup. You don't really want to use the Authenticator App, but that's the only way Google will hand over the private key you're after. Now a barcode appears on the page, which you would scan with the Authenticator App if you were using it. But don't do that; instead click on You can't scan it.
Google will then show you the private key. Switch to the Nitrokey App and call up the Disposable passwords entries tab. Now, assign a name for the entry, in this case, Google. Enter the private key in the Secret field and click Save. This step completes the setup in the Nitrokey App. Switch back to the Google account because there the configuration goes a little further.
In the dialog from which you just copied the private key, click Next. Google will ask you for a six-digit code, which will be shown to you by the Authenticator App. You can now directly test whether everything is set up correctly in the Nitrokey App.
Launch the Nitrokey App and click Menu | Passwords | Google. The Nitrokey App will then generate a one-time password and copy it to the clipboard. From there, paste it into the dialog box in your Google account. This completes the setup of your Google account, and from now on, you can use the Nitrokey App to generate one-time passwords to log in.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.
-
New KDE Slimbook Plasma Available for Preorder
Powered by an AMD Ryzen CPU, the latest KDE Slimbook laptop is powerful enough for local AI tasks.
-
Rhino Linux Announces Latest "Quick Update"
If you prefer your Linux distribution to be of the rolling type, Rhino Linux delivers a beautiful and reliable experience.
-
Plasma Desktop Will Soon Ask for Donations
The next iteration of Plasma has reached the soft feature freeze for the 6.2 version and includes a feature that could be divisive.
-
Linux Market Share Hits New High
For the first time, the Linux market share has reached a new high for desktops, and the trend looks like it will continue.
-
LibreOffice 24.8 Delivers New Features
LibreOffice is often considered the de facto standard office suite for the Linux operating system.
-
Deepin 23 Offers Wayland Support and New AI Tool
Deepin has been considered one of the most beautiful desktop operating systems for a long time and the arrival of version 23 has bolstered that reputation.