(Nitrokey Start - macOS)
KDF-DO stands for Key Derived Function - Data Object. With this data object the card can inform clients that it supports derived keys (for details see section 4.3.2 of the OpenPGP Smart Card 3.4 specification). The benefit of using derived keys is that, instead of transmitting passwords in clear text, only hashes are transmitted to the card, and therefore only hashes are stored on the card. Since the derived key is longer than the original password, a brute force attack against it is also harder to carry out.
At the moment it is only possible to set the KDF-DO when the Nitrokey Start is empty (i.e. just after a factory reset).
1. Run factory reset
2. Set up KDF-DO using GnuPG
3. Change Admin PIN (optional; without keys only the Admin PIN can be changed)
4. Import / generate keys
5. Change User and Admin PIN
Enter the Admin PIN.
Verify the current state by looking at the card details (gpg2 --card-status), where "KDF setting ......: on" should be visible, e.g.:

Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
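An added example (not from the Nitrokey documentation or from GnuPG) of what "only hashes are transmitted" means in practice: the salted, iterated S2K derivation and the KDF-DO layout from section 4.3.2 of the card specification, with constructed salts and a constructed iteration count; 123456 / 12345678 are the factory PINs.

```python
# Added example: S2K derivation and KDF-DO encoding as used by OpenPGP cards.
# Tags 0x81..0x88 follow OpenPGP card spec 3.4 section 4.3.2; salts, the
# iteration count and the PINs passed in are constructed sample values.
import hashlib
import struct

def s2k_iterated_salted(pin: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 4880 3.7.1.3 with SHA-256: hash (salt || pin) repeated until
    `iterations` octets have been fed in; a count below len(salt || pin)
    still hashes the whole block once. This digest, never the PIN, is what
    reaches the card."""
    block = salt + pin
    iterations = max(iterations, len(block))
    h = hashlib.sha256()
    full, rem = divmod(iterations, len(block))
    for _ in range(full):
        h.update(block)
    h.update(block[:rem])
    return h.digest()

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value  # one-byte lengths suffice here

def build_kdf_do(salt_user: bytes, salt_reset: bytes, salt_admin: bytes,
                 iterations: int, user_pin: bytes = b"123456",
                 admin_pin: bytes = b"12345678") -> bytes:
    """KDF-DO payload: 81 algorithm (3 = iterated+salted S2K), 82 hash
    (8 = SHA-256), 83 iteration count, 84/85/86 salts for PW1/RC/PW3,
    87/88 derived keys of the current PW1/PW3 so the card can verify them."""
    return (tlv(0x81, b"\x03") + tlv(0x82, b"\x08")
            + tlv(0x83, struct.pack(">I", iterations))
            + tlv(0x84, salt_user) + tlv(0x85, salt_reset) + tlv(0x86, salt_admin)
            + tlv(0x87, s2k_iterated_salted(user_pin, salt_user, iterations))
            + tlv(0x88, s2k_iterated_salted(admin_pin, salt_admin, iterations)))

def parse_kdf_do(data: bytes) -> dict:
    """Split a KDF-DO payload read back from the card into {tag: value}."""
    fields, i = {}, 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        fields[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return fields

def pin_bytes_sent_to_card(kdf_do: bytes, pin: bytes, admin: bool = False) -> bytes:
    """What the host transmits in VERIFY once the KDF-DO is set."""
    f = parse_kdf_do(kdf_do)
    salt = f[0x86] if admin else f[0x84]
    return s2k_iterated_salted(pin, salt, struct.unpack(">I", f[0x83])[0])
```

Because the initial hashes (87/88) are computed from the factory PINs, the card can verify them right after the KDF-DO is written, which is why the PINs are changed only afterwards.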
gpg (GnuPG) 2.2.20 / 2.2.25
Nitrokey Start RTM.10
Curve 25519 keys