Nitrokey is a physical USB thumbdrive developed in Germany to encrypt email with OpenPGP, GnuPG or S/MIME, use One Time Passwords, encrypt your computer hard drive files, manage digital certificates and act as a double authentication token with websites that have adopted the Universal 2dn Factor U2F standard supported by Google services, OpenSSH and WordPress. The hardware design and software code of this encryption thumbdrive has been made open source to allow the review of their security and for developers to be able to integrate their own applications.
The thumbdrive keeps three RSA encryption keys of up to 4096 bits, they are all linked to the same identity but used for different purposes, authentication, signing and encryption, the keys are hardcoded in the device, this makes it impossible for viruses to extract them, the One Time Passwords are compatible with Google Authenticator and hardware encryption is using the AES256bit algorithm with plausible deniability using hidden volumes. The dongle comes with a default administrator PIN set to 12345678 that you should change.
Encryption USB thumdribe NitroKey
A more expensive version, called “NitroKey Storage“, allows you to store up to 64GB of encrypted data in the device, everything is secured using AES256bit hardware encryption. The USB thumbdrive will work in all operating systems, including Linux, it can be used for authentication as well as encryption.
If you are worried about a trojan horse in your computer stealing your encryption keys, Nitrokey can stop just that. Carrying your encryptions keys with you in your pocket, instead of having them in your hard drive makes identity theft less likely, and NitroKey’s open source lets you check its firmware integrity, the developers advertise this as a way to thwart the NSA practise of intercepting hardware in the post to implant backdoors on them.
This is not a very cheap dongle but in line with what encryption thumbdrives normally cost, you can buy a Yubikey for half price but it does not have any encryption abilities other than U2F authentication, Nitrokey offers email and data encryption on top of secure U2F logins.
The best selling point of this thumbdrive comes in the form of being open source supporting standard security programs. The developers also mention that the key has a tamper-proof design and that you can set up a hidden encrypted container to avoid mandatory surrendering of your data when crossing the border or in countries where it is illegal not to reveal your password to law enforcement.
Peter Hendriks
I do not see how this device is going to protect x509 pk12 certificates. If it’s a corp ca structure it’s likely to be rolled out centrally, to deploy them on all workstations. Those root keys might be stored in a safe or strongbox. They are most likely used on airgapped laptops anyway. saving those keys on a thumbdrive seems a big security risk to me.
If it’s a private person x509 CA cert system, like pk12 certs, the keys are loaded into the Windows machine dedicated cert storage itself for signing and encrypting / decrypting. Saving those certs on a thumb drive with strong 7zip encryption seems safe enough. You have to manually install those certs on every computer anyways.
The thumbdrive also supports TrueCrypt, but there was a lot of fuss about it.
Jan
The Nitrokey is not a thumbdrive but custom hardware with an USB interface. Secret keys are stored in an integrated smart card and never been exported to the computer. Hence, signing and decryption are performed on the Nitrokey itself.