Nitrokey Pro 2 FAQ#

Q: Which Operating Systems are supported?

Windows, Linux and macOS.

Q: What can I use the Nitrokey for?

See the overview of supported use cases.

Q: What are the default PINs?
  • User PIN: “123456”

  • Administrator PIN: “12345678”

We strongly recommend to change these PINs/password to user-chosen values before using the Nitrokey.

Q: What is the maximum length of the PIN?

Nitrokey uses PINs instead of passwords. The main difference is that the hardware limits the amount of tries to three while a limit doesn’t exist for passwords. Because of this, a short PIN is still secure and there is not need to choose a long and complex PIN.

Nitrokey Storage’s PINs can be up to 20 digits long and can consist of numbers, characters and special characters. Note: When using GnuPG or OpenSC, 32 character long PINs can be used but aren’t supported by Nitrokey App.

Q: What is the User PIN for?

The user PIN is at least 6-digits long and is used to get access to the contect of the Nitrokey. This is the PIN you will use a lot in every day use e.g. for decrypting messages, for unlocking your encrypted storage (NK Storage only) etc.

The user PIN can have up to 20 digits and other characters (e.g. alphabetic and special characters). But as the user PIN is blocked as soon three wrong PIN attempts were done, it is sufficiently secure to only have a 6 digits PIN. The default PIN is 123456.

Q: What is the Admin PIN for?

The admin PIN is at least 8-digits long and is used to change contents/settings of the Nitrokey. That is to say after initializing the Nitrokey you probably won’t need this PIN too often (e.g. if you want to add another password to the password safe of the Nitrokey Pro or Nitrokey Storage).

The admin PIN can have up to 20 digits and other characters (e.g. alphabetic and special characters). But as the admin PIN is blocked as soon three wrong PIN attempts were done, it is sufficiently secure to only have 8 digits PIN. The default PIN is 12345678.

Q: Why does my Nitrokey Pro hang when switching between nitrokey-app and GnuPG?

GnuPG and nitrokey-app sometimes tend to hand each other. This is a known problem and it can be fixed by re-inserting the Nitrokey into the USB slot.

Q: Which drivers/tools can be used?

GnuPG is required for many use cases. It is a command line tool but usually you don’t need to invoke it directly but use another application with user interface.

Don’t use GnuPG in parallel with OpenSC or another PKCS#11 driver because both may interfere and unexpected issues may result.

Install GPG4Win which contains Gnu Privacy Assistant (GPA) and GnuPG (GPG). Start Gnu Privacy Assistant (GPA) or another application such as your email client to use GnuPG. Advanced users could use GnuPG directly (command line). Please note: The Fellowship smart card is similar to the Nitrokey Pro so that this instructions work Nitrokey as well. In general the official documentation is recommended.

Q: How fast is encryption and signing?

Encryption of 50kiB of data:

  • 256 bit AES, 2048 bytes per command -> 880 bytes per second

  • 128 bit AES, 2048 bytes per command -> 893 bytes per second

  • 256 bit AES, 240 bytes per command -> 910 bytes per second

  • 128 bit AES, 240 bytes per command -> 930 bytes per second

Q: Which algorithms and maximum key length are supported?

See the following table:

Start

Pro + Storage

Pro 2 + Storage 2

Nitrokey 3

HSM

HSM 2

rsa1024

rsa2048

rsa3072

rsa4096

curve25519

NIST-P 192

NIST-P 256

NIST-P 384-521

Brainpool 192

Brainpool 256-320

Brainpool 384-521

secp192

secp256

secp521

Q: Does the Nitrokey Pro contain a secure chip or just a normal microcontroller?

Nitrokey Pro contains a tamper resistant smart card.

Q: Is the Nitrokey Pro Common Criteria or FIPS certified?

The security controller (NXP Smart Card Controller P5CD081V1A and its major configurations P5CC081V1A, P5CN081V1A, P5CD041V1A, P5CD021V1A and P5CD016V1A each with IC dedicated Software) is Common Criteria EAL 5+ certified up to the OS level (Certification Report, Security Target, Maintenance Report, Maintenance ST).

Q: How can I use the True Random Number Generator (TRNG) of the Nitrokey Pro for my applications?

Both devices are compatible to the OpenPGP Card, so that scdrand should work. This script may be useful. The user comio created a systemd file to use scdrand and thus the TRNG more generally. He created an ebuild for Gentoo, too.

Q: How good is the Random Number Generator?

Nitrokey Pro and Nitrokey Storage use a True Random Number Generator (TRNG) for generating keys on the device. The entropy generated by the TRNG is used for the entire key length. Therefore the TRNG is compliant to BSI TR-03116.

The TRNG provides about 40 kbit/s.

Q: How large is the storage capacity?

The Nitrokey Pro doesn’t contain storage capability for ordinary data (it can only store cryptographic keys and certificates).