Set PINs
The Nitrokey 3 has distinct PINs for each feature.
FIDO2
Password and OTP secrets
OpenPGP Card (User PIN, Admin PIN, and optional Reset Code)
PIV
FIDO2
The PIN for FIDO2 can be set with Nitropy, operating system native apps, or a web browser such as Chrom(e|ium).
Setting PIN with Nitropy
The PIN for FIDO2 can be set with the Nitropy utility.
Connect the Nitrokey 3 to your computer.
On the terminal enter
nitropy fido2 set-pin
and follow the instructions. If the PIN has already been set before, the above command must be changed to
nitropy fido2 change-pin
Setting PIN with the Chrom(e|ium) web browser
Chrom(e|ium) on Linux, Mac OS, and Windows
Open Chrom(e|ium).
Open the menu with the three dots in the top right of the menubar.
Click on “Settings”.
In the menubar on the left click on “Privacy and security”.
In the menu in the middle click on “Security”.
In the menu in the middle click on “Manage security keys”.
In the menu in the middle click on “Create a PIN”.
Follow the instructions on the screen to set the PIN.
Setting PIN with Windows Settings application (Windows only)
Open the Windows “Settings” application.
Open the “Accounts” menu.
In the menubar on the left click on “Sign-in options”.
In the menu in the middle click on “Security Key” and then “Manage” under it.
Under the header “Security Key PIN” click on “Change”.
Follow the instructions on the screen to set the PIN.
Passwords and OTP secrets
The PIN for passwords and OTP secrets can be set with the Nitropy utility.
Connect the Nitrokey 3 to your computer.
On the terminal enter
nitropy nk3 secrets set-pin
and follow the instructions.
OpenPGP Card
The PINs on the OpenPGP Card can be set with GnuPG. The OpenPGP Card has the User PIN, Admin PIN, and an optional Reset Code.
User PIN
The User PIN is used for key operations, such as signing, encrypting, and authentication.
The factory default for the User PIN is 123456.
Note
The User PIN must have a minimum length of 6 characters and a maximum length of 127 characters. It can contain alphanumeric characters, including special characters such as punctuation.
Warning
The User PIN has a PIN retry counter of 3 attempts. If these attempts are used up, the User PIN must be unlocked with the Admin PIN. Alternatively, the optional Reset Code can be used for unlocking.
Connect the Nitrokey 3 to your computer.
On the terminal enter
gpg --card-edit
In the prompt enter
passwd
GnuPG will now ask for the current User PIN and the new User PIN. Please note that if you provision a new Nitrokey, the factory default PIN from above must be entered as the current User PIN.
Admin PIN
The Admin PIN is used for management operations, such as copying and generating keys, unblocking the PIN, and setting the Admin PIN and Reset Code.
The factory default for the Admin PIN is 12345678.
Note
The Admin PIN must have a minimum length of 8 characters and a maximum length of 127 characters. It can contain alphanumeric characters, including special characters such as punctuation.
Warning
The Admin PIN has a PIN retry counter of 3 attempts. If these attempts are used up, the OpenPGP Card cannot be used anymore and must be reset to factory defaults.
Connect the Nitrokey 3 to your computer.
On the terminal enter
gpg --card-edit
In the prompt enter
admin
followed by
passwd
In the prompt enter
3
to set the Admin PIN.
GnuPG will now ask for the current Admin PIN and the new Admin PIN. Please note that if you provision a new Nitrokey, the factory default PIN from above must be entered as the current Admin PIN.
Reset Code
The Reset Code is used to unblock the User PIN. It is useful in situations when the user of the Nitrokey should be able to unblock the User PIN, but not be able to manage it with the Admin PIN.
Note
The Reset Code has no factory default. It must be explicitly set using the Admin PIN.
Note
The Reset Code must have a minimum length of 8 characters and a maximum length of 127 characters. It can contain alphanumeric characters, including special characters such as punctuation.
Note
Once the Reset Code is set, it cannot be disabled anymore. Disabling would require a reset of the OpenPGP Card application.
Warning
The Reset Code has a PIN retry counter of 3 attempts. If these attempts are used up, the Reset Code must be unlocked with the Admin PIN.
Connect the Nitrokey 3 to your computer.
On the terminal enter
gpg --card-edit
In the prompt enter
admin
followed by
passwd
In the prompt enter
4
to set the Reset Code.
GnuPG will now ask for the Admin PIN and the Reset Code.
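The retry counters described in the warnings above can be read before a PIN is entered. The following shell function is an added example, not part of the Nitrokey documentation: it interprets the "PIN retry counter" line of gpg --card-status (three values in the order User PIN, Reset Code, Admin PIN) and names the recovery path given on this page. The function name pin_state and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret the "PIN retry counter" line of `gpg --card-status`.
# GnuPG prints three values in the order: User PIN, Reset Code, Admin PIN.
# A Reset Code counter of 0 means no usable Reset Code (never set or exhausted).

# Constructed sample output (not captured from a real device).
SAMPLE_STATUS='Application type .: OpenPGP
Signature PIN ....: forced
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 0 3
Signature counter : 12'

# pin_state (hypothetical helper): reads card status text on stdin and prints
# one line describing the state and the recovery path from this page.
pin_state() {
    awk -F: '
        /^PIN retry counter/ {
            found = 1
            n = split($2, c, " ")
            if (n != 3) { print "unparsable"; exit }
            user = c[1] + 0; rc = c[2] + 0; adm = c[3] + 0
            if (adm == 0)
                print "admin-blocked: factory reset required"
            else if (user > 0)
                print "ok: user=" user " reset-code=" rc " admin=" adm
            else if (rc > 0)
                print "user-blocked: unblock with Reset Code or Admin PIN"
            else
                print "user-blocked: unblock with Admin PIN"
            exit
        }
        END { if (!found) print "no-counter-line" }
    '
}

# Demo on the constructed sample; no device is needed for this line.
printf '%s\n' "$SAMPLE_STATUS" | pin_state
```

On a connected key, the same function can be fed live data with gpg --card-status | pin_state.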
PIV
The PIN and PUK for PIV (Personal Identity Verification) Card can be set with pivy-tool.
PIN
The PIN is used for key operations, such as signing and authentication.
The factory default for the PIN is 123456.
Note
The PIN must have a maximum length of 8 characters. It can contain alphanumeric characters, including special characters such as punctuation.
Warning
The PIN has a PIN retry counter of 3 attempts. If these attempts are used up, the PIN must be unlocked with the PUK.
Connect the Nitrokey 3 to your computer.
On the terminal enter
pivy-tool change-pin
PUK
The PUK is used for management operations, such as unblocking the PIN.
The factory default for the PUK is 123456.
Note
The PUK must have a maximum length of 8 characters. It can contain alphanumeric characters, including special characters such as punctuation.
Warning
The PUK has a retry counter of 3 attempts. If these attempts are used up, the PIV Card cannot be used anymore and must be reset to factory defaults.
Connect the Nitrokey 3 to your computer.
On the terminal enter
pivy-tool change-puk