KDF-DO Configuration#


KDF-DO stands for Key Derivation Function Data Object. With this data object the card tells clients that it supports derived keys (for details see section 4.3.2 of the OpenPGP Smart Card 3.4 specification). The benefit of using derived keys is that, instead of transmitting PINs in clear text, the client sends only a salted, iterated hash of the PIN to the card, and therefore the card also stores only that hash. Because the hashing is salted and iterated, recovering the PIN from a hash that was intercepted on the USB channel or extracted from the card is considerably more expensive than guessing a short numeric PIN directly, and the PIN itself is never exposed to the host-to-card channel. Note that the hash is what the card compares, so an attacker who can observe and replay the channel still gets the same access as the PIN would give; KDF-DO protects the PIN value, not the channel.
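To make concrete what changes when KDF-DO is on, here is an added example (not Nitrokey or GnuPG code) that implements the iterated+salted S2K from RFC 4880 section 3.7.1.3, which is the KDF the OpenPGP Smart Card specification selects with KDF algorithm byte 0x03, assembles a KDF-DO body from those parameters, and shows that the value a KDF-aware client hands to the card's VERIFY command is the digest rather than the PIN. The TLV tag bytes, the iteration count of 100000, the constructed salts and the factory default PINs 123456 / 12345678 are this example's assumptions; check the tag layout against section 4.3.2 of the specification before relying on it.

```python
"""Model of what KDF-DO changes about PIN verification on an OpenPGP card.

Added example, not Nitrokey or GnuPG code. Implements RFC 4880 iterated+salted
S2K (KDF algorithm 0x03 in the OpenPGP Smart Card 3.4 spec), builds a KDF-DO
body from the parameters, and derives the VERIFY payload from a PIN.
"""
import hashlib
import os

KDF_ITERSALTED_S2K = 0x03   # KDF algorithm byte: iterated and salted S2K
HASH_SHA256 = 0x08          # OpenPGP hash algorithm id for SHA-256
HASH_NAMES = {0x08: "sha256", 0x0A: "sha512"}

# TLV tags inside the KDF-DO as this example lays them out (assumption;
# verify against section 4.3.2 of the OpenPGP Smart Card 3.4 specification).
TAG_KDF_ALGO, TAG_HASH_ALGO, TAG_ITER_COUNT = 0x81, 0x82, 0x83
TAG_SALT_PW1, TAG_SALT_RC, TAG_SALT_PW3 = 0x84, 0x85, 0x86
TAG_INIT_HASH_PW1, TAG_INIT_HASH_PW3 = 0x87, 0x88


def s2k_iterated_salted(password: bytes, salt: bytes, count: int,
                        hash_algo: int = HASH_SHA256) -> bytes:
    """RFC 4880 iterated+salted S2K.

    (salt || password) is fed to the hash repeatedly until `count` bytes have
    been hashed. If count is smaller than len(salt || password) the whole
    string is still hashed once, as the RFC requires.
    """
    if len(salt) != 8:
        raise ValueError("S2K salt must be 8 bytes")
    h = hashlib.new(HASH_NAMES[hash_algo])
    block = salt + password
    if count < len(block):
        count = len(block)
    full, rem = divmod(count, len(block))
    h.update(block * full)   # whole repetitions of salt || password
    h.update(block[:rem])    # trailing partial repetition
    return h.digest()


def _tlv(tag: int, value: bytes) -> bytes:
    # Single-byte tag and length: every KDF-DO field here is shorter than 128 bytes.
    return bytes([tag, len(value)]) + value


def build_kdf_do(count: int, salt_pw1: bytes, salt_rc: bytes, salt_pw3: bytes,
                 hash_algo: int = HASH_SHA256,
                 default_pw1: bytes = b"123456", default_pw3: bytes = b"12345678") -> bytes:
    """Assemble the KDF-DO body, including the hashes of the factory default
    PINs so the card can still verify them right after the switch to KDF mode."""
    return b"".join([
        _tlv(TAG_KDF_ALGO, bytes([KDF_ITERSALTED_S2K])),
        _tlv(TAG_HASH_ALGO, bytes([hash_algo])),
        _tlv(TAG_ITER_COUNT, count.to_bytes(4, "big")),
        _tlv(TAG_SALT_PW1, salt_pw1),
        _tlv(TAG_SALT_RC, salt_rc),
        _tlv(TAG_SALT_PW3, salt_pw3),
        _tlv(TAG_INIT_HASH_PW1, s2k_iterated_salted(default_pw1, salt_pw1, count, hash_algo)),
        _tlv(TAG_INIT_HASH_PW3, s2k_iterated_salted(default_pw3, salt_pw3, count, hash_algo)),
    ])


def parse_kdf_do(data: bytes) -> dict:
    """Split a KDF-DO body back into {tag: value}, as a client reading the card would."""
    fields, i = {}, 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        fields[tag] = data[i + 2:i + 2 + length]
        if len(fields[tag]) != length:
            raise ValueError("truncated KDF-DO")
        i += 2 + length
    return fields


def verify_material(pin: bytes, kdf_do: bytes, admin: bool = False) -> bytes:
    """What a KDF-aware client sends in VERIFY: the S2K digest of the PIN,
    computed with the salt and count read from the card's KDF-DO. With KDF
    switched off the PIN itself is sent, exactly as typed."""
    f = parse_kdf_do(kdf_do)
    if f[TAG_KDF_ALGO] != bytes([KDF_ITERSALTED_S2K]):
        return pin
    salt = f[TAG_SALT_PW3] if admin else f[TAG_SALT_PW1]
    count = int.from_bytes(f[TAG_ITER_COUNT], "big")
    return s2k_iterated_salted(pin, salt, count, f[TAG_HASH_ALGO][0])


if __name__ == "__main__":
    # Constructed example salts; a real client draws them from a CSPRNG.
    salts = (os.urandom(8), os.urandom(8), os.urandom(8))
    kdf_do = build_kdf_do(100000, *salts)
    fields = parse_kdf_do(kdf_do)
    sent = verify_material(b"123456", kdf_do)
    print("KDF-DO body:", kdf_do.hex())
    print("VERIFY payload for the default user PIN:", sent.hex())
    print("matches the stored initial hash:", sent == fields[TAG_INIT_HASH_PW1])
```

The point to take from the output is that the 32-byte digest, not the six-digit PIN, is what crosses the USB channel and what the card keeps; anyone who captures it can replay it against that card, but cannot read the PIN off it without paying the salted, iterated hashing cost per guess.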


Currently the KDF-DO can only be set while the Nitrokey Start is empty (i.e. immediately after a factory reset).

Steps to Configure KDF-DO#

  1. Perform a factory reset

  2. Configure the KDF-DO using GnuPG

  3. Change the Admin PIN (optional; while no keys are on the card only the Admin PIN can be changed)

  4. Import / generate keys

  5. Change the user and Admin PINs

KDF-DO Configuration using GnuPG#

  1. Run gpg2 --card-edit

  2. $ admin

  3. $ kdf-setup

  4. Enter the Admin PIN

  5. Verify the new state in the card details (gpg2 --card-status); the line KDF setting ......: on should be visible, e.g.:

Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]

Tested with#

  • gpg (GnuPG) 2.2.20 / 2.2.25

  • Nitrokey Start RTM.10

  • Curve 25519 keys