Nitrokey 3 FAQ¶
- Q: Which Operating Systems are supported?
Windows, Linux and macOS. Also some support for Android and iOS.
- Q: What can I use the Nitrokey for?
See the overview of supported use cases.
- Q: How can I check if my Nitrokey 3 is working?
On WebAuthn.io you can check various high-level functionalities, while webautn.bin.coffee provides good developer level details (technical) details. You can also test your Nitrokey.
- Q: Where is the right spot for NFC on my smartphone?
This is different for every smartphone model, you should find your brand’s respective hardware description to find this out. A quite extensive list can be found here.
- Q: What happens if I lose my device?
When securing accounts using FIDO (two-factor authentication and passwordless login), you should configure another factor in your account as a backup. Depending on the service this backup factor can be a phone number, an app or even a second Nitrokey FIDO2. If you lose a device, you can still log in with the second Nitrokey (or with another second factor).
- Q: How large is the storage capacity?
The Nitrokey 3 doesn’t contain storage capability for ordinary data (it can only store cryptographic keys and certificates).
- Q: Why does the Nitrokey 3 not show up in GnuPG?
Make sure to install a firmware more recent than version 1.4.0. For more information, see the firmware-update page for your operating system.
- Q: Why does the Nitrokey 3 not show up in Nitrokey App?
Nitrokey 3 does only show up and can be managed in “nitropy” and “Nitrokey App 2, not in Nitrokey App 1”.
- Q: Which algorithms and maximum key length are supported?
See the following table:
Start |
Pro + Storage |
Pro 2 + Storage 2 |
Nitrokey 3 |
HSM |
HSM 2 |
|
rsa1024 |
✓ |
✓ |
✓ |
✓ |
||
rsa2048 |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
rsa3072 |
✓ |
✓ |
✓ |
✓ |
||
rsa4096 |
✓ |
✓ |
✓ |
✓ |
||
curve25519 |
✓ |
✓ |
||||
NIST-P 192 |
✓ |
|||||
NIST-P 256 |
✓ |
✓ |
✓ |
✓ |
||
NIST-P 384-521 |
✓ |
✓ |
||||
Brainpool 192 |
✓ |
✓ |
||||
Brainpool 256-320 |
✓ |
✓ |
✓ |
|||
Brainpool 384-521 |
✓ |
✓ |
||||
secp192 |
✓ |
✓ |
||||
secp256 |
✓ |
✓ |
✓ |
|||
secp521 |
✓ |
- Q: How can I set the PIN for my Nitrokey 3?
The Nitrokey 3 has distinct PINs for each feature. Please refer to the chapter of your respective operating system (Linux, macOS, Windows).
- Q: Is the Nitrokey 3 Common Criteria or FIPS certified?
The secure element (SE050M) is Common Criteria EAL 6+ security certified up to the OS level (Certificate, Certification Report, Security Target, Java Card Protection Profile - Open Configuration).
- Q: How to use Nitrokey 3 with Azure Entra ID (Active Directory)?
After disabling Enforce Attestation Nitrokey 3 is supported by Azure Entra ID out of the box.
- Q: How can I use the SE050 Secure Element?
Starting with version 1.7.0 the Secure Element should be automatically activated, if the OpenPGP Card was not used before. To check its activation state you can use:
nitropy nk3 get-config opcard.use_se050_backend
. To activate it, if it isn’t activated use:nitropy nk3 set-config opcard.use_se050_backend true
or disable it accordingly by passingfalse
. Changing the backend from one to the other will always wipe all your data inside the OpenPGP CardNote
If you are updating from a test version firmware, we recommend factory resetting the device before using the Nitrokey 3 with the SE050 in production environments.