Frequently Asked Questions (FAQ)

Q: O Nitrokey 3 Common Criteria ou FIPS é certificado?

Not yet but we are aiming for certifications in the future. Please contact us if you are interested in supporting these efforts.

Q: Which protections against physical tampering are in place?

NetHSM is sealed which allows to detect physical tampering. It contains a TPM which is protected against physical tampering. The TPM is the root of trust and securely stores cryptographic keys which are used to encrypt and decrypt further data and keys in the NetHSM. This protects against booting malicious firmware and software and decrypting data and keys being stored. The current NetHSM doesn’t contain additional sensors to detect tampering.

Q: Where can I learn more about NetHMS’s security architecture and implementation?

Start with the chapters Getting Started, Administration and Operations. Proceed with the following resources.

• Overall system design

• Security assessment report

• Full source code

• Physical random number generator (TRNG) of quality PTG.3 according to AIS-20: hardware, firmware

Q: Roadmap: Which features are planned?

We plan the following developments in the loose order. Changes to this prioritization based on customer requests are possible.

• Performance improvements

• Quorum: m-of-n access scheme and security domain management

• Additional ECC: ECDH (X25519, NIST), secpXk (Koblitz) , Brainpool

• Direct, dynamic cluster capability, possibly support for external database

• Remote attestation and cloud service

• User authentication via mTLS certificates or FIDO

• More user rights management (e.g. additional roles, groups)

• Productive usable software container

• Further separations and hardenings

• FIPS and/or Common Criteria certifications

• Redundant power supplies