Backup and security of Nitrokeys


I’m completely new to this type of stuff (two-factor authentication, encryption? U2F, etc.) but I’d like to buy my first Nitrokey. I have a couple of questions, I would really like someone to answer them before my purchase.

There are several authentication methods, some of them do not require a login. Please list which of the methods supported by Nitrokey keys do not require login, and which do. It would be very convenient to register with just a key, without coming up with a unique login.

Is it possible to compare registration and login data made with the same key on different resources and determine that the accounts on these resources belong to the same person?

Nitrokeys only support 3 RSA key pairs, is that a lot or a few? Why have multiple key pairs on the same device?

Is it possible to make a complete copy of the key (for example, as a QR code printed on paper) so that if the key is lost, it could be restored. I mean restore the functionality of ALL authentication methods, U2F, OTF and others. I read a bit about U2F it has a secret character set and a counter. And, if I save a set of symbols on a sheet of paper, what about the counter, which will be reset to zero on each new Nitrokey?

I would like to remind you that my question is still relevant. The site actually has very little information about the product being sold. Moreover, there is the possibility of buying non-existing functions, such as, for example, here:

you have terrible product support.

Dear @dfgasgafg

please note, that this discourse forum here is not the official customer support platform. If you are looking for support for a bought product, please address this to support (at) nitrokey (dot) com. This forum does serve as a platform for users to communicate - not necessarily to provide product support.

On top of that, if you ask very generic questions and introducing yourself as new to this type of stuff - answering your questions is kind of time intensive - mainly because you ask questions without defining what you would like to achieve. You can also imagine that public insults will likely also not motivate more people to help you.

But as I am already here, let me try to share some (partial) answers:

There are several authentication methods, some of them do not require a login. Please list which of the methods supported by Nitrokey keys do not require login, and which do. It would be very convenient to register with just a key, without coming up with a unique login.

Not trivial to answer, I assume you mean web authentication methods, which are mostly based on FIDO - the Nitrokey 3 supports all of them. But the Nitrokey 3 is not meant to decide which one is actually used, this decision is made by the server.

Is it possible to compare registration and login data made with the same key on different resources and determine that the accounts on these resources belong to the same person?

Nope, this is by definition not possible for FIDO-based authentication. If you meant this, there are ways to realize web-logins using PKCS#11 + OpenPGPCard, then this would likely be possible, but these are very rare.

Nitrokeys only support 3 RSA key pairs, is that a lot or a few? Why have multiple key pairs on the same device?

This highly depends on your needs. Also this is kind of unrelated to the questions before, because you are now within the OpenPGPCard application (which has nothing to do with the FIDO-application on the Nitrokey 3). In short for why to have multiple key pairs on the same device: because keys can have different purposes (one for signing, one for encryption …) - but this again depends on your use case, e.g., a Nitrokey HSM2 can easily keep 50 keypairs.

Is it possible to make a complete copy of the key (for example, as a QR code printed on paper) so that if the key is lost, it could be restored. I mean restore the functionality of ALL authentication methods, U2F, OTF and others. I read a bit about U2F it has a secret character set and a counter. And, if I save a set of symbols on a sheet of paper, what about the counter, which will be reset to zero on each new Nitrokey?

No, this is currently not possible and only partly for specific applications:

  • FIDO2 by definition (specification) does not foresee this as a feature, this might change soon with some “special” credentials called “Passkeys” (discoverable Resident Keys / Credentials)
  • OpenPGPCard by specification doesn’t allow extraction of the private portion of the key(s), but there are ways to import an existing, so you can realize it like that
  • PasswordSafe (which btw. is already implemented, so no need to necro-reference old threads) can due to its nature extract passwords+logins, but currently no OTP secrets

Long term we are looking into backup mechanisms, but this is complex. Especially, as there is data on the Nitrokey 3 generated for specific authentication methods, which cannot be broken down to something like one mnemonic (or QR-code) like it is done for other devices.



On the Nitrokey homepage “” in the “Support” section, there are four links: “Documentation”, “FAQ”, “Forum” and “Download”. Where I should look for help if neither the Documentation, nor the FAQ, nor the Download answer my questions? Maybe if the forum is not created for finding technical support, it is worth removing it from this section and replacing it with the email address you provided above? Maybe it’s worth expanding the “FAQ” section by adding a description of the functions provided?

Anyway, I’m glad you answered me, thanks.

I am very interested in how the use of the methods embedded in Nitrokey looks like for the user.

Here, for example, I used OTP, though from the phone. It looked like this: during two-factor authentication, I need to launch an application on my phone that shows me a few numbers and a countdown in seconds, for which I must dial these numbers. Very convenient, but only until the moment my phone went bad.

Next, U2F. There are many videos online showing how it works. When authorizing on the site: connect the key to the computer, press the button and you’re done.

Next, OpenPGP. As I understand it, it is only needed for encryption (and decryption): files, mail, etc. It does not affect authorization on Internet pages. S/MIME is the same.

That’s it, I don’t know the rest. Tell me please, what is a Tamper-resistant smart card? How does Password Manager work? Where are RSA key, RSA key pairs, ECC key, ECC key pairs and Elliptic curves used? What is OpenPGPCard and does Nitrokey implement this functionality?

Best Regards.

Tell me please, I will again have to wait 10 days for someone to answer me?

(I do not work for Nitrokey and I am not associated with them)

I understand that you are new to those kind of things. And indeed, 8 days passed since your last post.

Before buying a device (and I’d say Nitrokey 3 is not for the beginner), maybe you can install GnuPG and generate keys in the software. There you will have choice between RSA/ECC/Ed25519 - all those fancy types of keys. There are advantages and disadvantages of these, too long to write. Try encrypting or decrypting email or some stuff, maybe exchange encrypted email with some one who has this too. I personally also use S/MIME (it’s kind of similar), it is easier to integrate with email programs like Mozilla Thunderbird or Microsoft Outlook. Email encryption like GPG or S/MIME need some extra work if you only use webmail browser interface.

3 keys on the OpenPGP card relate to the basic needs of the GPG user - you can generate 3 keys for different purposes - key one is your basic identity key (I am @dfgasgafg and I confirm key 2 and key 3 are mine). Key 2 can be used to decrypt emails, Key 3 can be used to sign emails (I am simplifying a lot). There are some reasons to have those keys separately (mathematically one can sometimes just use 1 key for many of those things).

Regarding OTP the easiest way to back up is to store the original “secret code” safely (usually hidden in the QR code). It can be used on other devices as well (if the original device is broken). It is a known problem that security of OTP gets compromised because people store their secret codes on the phones/computers and could get hacked this way.

But on paper it can be somewhat safe and does not require a hardware device.

All this FIDO stuff etc. does not really like to be copied from device to device or backed up somewhere else.

1 Like

@saper Thank you for responding.

Do I understand correctly that if you encrypt an email, then it is necessary to send your open key to all contacts, otherwise they will not be able to read anything? Or is it encryption only between me and the e -mail server?

So I don’t understand at all why three different keys should be used. No, if we assume that the encryption algorithm is vulnerable, then I understand - in order to hide the connection between these keys. One key, for example, is signed by letters to wife (who works in the NSA), the other for mistress.

FIDO2 uses the keys of eptic curves. As I understand it, these are other keys, not those that are generated at the beginning?

As in the Matrix room you exhibit absurdely bad manners. You obviously lack a lot of general knowledge which in itself is of course ok, everyone had to start; but you seem to expect to be broadly educated in this forum / by Nitrokey when a lot of your questions are so basic that searxing would get you there. You should work on your attitude and come back if you have specific questions related to a Nitrokey product.

First of all, let me thank you for your attention to this topic. I am happy to communicate with every person, even with someone like you (what exactly I mean by the words “someone like you” I explain in the fourth paragraph).

Thank you for not referring me to the abnormal due to my lack of knowledge of cryptography. This is very important to me and I am very grateful to you for this. Please be kind enough to keep me posted on your score should it change.

With all due respect, let me ask you your definition of “broad education” that you think I’m trying to get here on the forum and in the Matrix room from Nitrokey. I already have a higher education which cost me 5 years and I don’t consider it “broad”.

It’s been almost two weeks since my first post. And I make it clear that my interest in the topic is not quenched by additional comments. If my questions are really so simple that even a simple Google search can give me the answer, why don’t you write to me about it? Or, for example, do not give me a link where I can get comprehensive information? You can even mock me a little using animation services: Let Me Google That , and leave with a sense of your own superiority, I will still be glad for such help. But instead you claim that it’s easy without any reasoning.

Of course, I have questions related to Nitrokey products, some of which I have written above.

And finally, after two weeks of waiting for answers about a product I want to buy, after two weeks of asking for technical support on your official forum, what exactly did you consider “bad manners”?

we talk end-to-end encryption here.

There are algorithms which can be only used for signing. others only for encryption. please install GnuPG and play a bit with it. Of you want/need more, install and learn OpenSSL to play with keys at the lower level.

Hope this helps, there is not much more that can be said on the backup/security issues of the keys themselves.

Yes thanks, that helps a lot.

I have another question, directly about the purchased Nitrokey devices. Considering what we have come to in the rooms of the Matrix, U2F is not safe.

In this regard, I would like to divide my stay on the Internet into several non-overlapping “personalities”. That is, use one secret U2F key for banking operations, another for social communication, and a third for work. I am very persistent in trying to find out from the support team whether it is possible to use several completely different secret keys on one device so that for the other party it will look like several different people are registering. But so far I have not received a response from them.

After all, if this is not possible, I will need to buy 3 Nitrokey devices, and if we take into account the need for duplication, six devices. One device costs $60, it turns out everything together will cost $360. In addition, it will be very inconvenient to carry around three keys: they are not as small as the Yubekey and will take up quite a lot of space in your pocket.

In any case, even if you do not know the answer to this question, I am very grateful to you for your time dedicated to me.

The issue you are concerned about is part of the privacy design of WebAuthn (FIDO2). In general, hardware keys are designed to create a unique public-private key pair for each account they are registered with. This means that even if the same hardware key is used to register multiple accounts, each account will have a unique public key associated with it.

However WebAuthn (FIDO2) can be configured in various ways by the server operator. For example the attestation can be a requirement for authentication. This could show that 3 accounts all were verified by the same device type. While it does not prove that it was the same device, it can be one datum that could be used together with other information to attempt to fingerprint you.

This might be a good read about the issue and counter measures already in place.

Is it possible to generate a unique private key associated to new account? There is reason to believe that in the elliptical curve there is the backdoor used with the U2F. Yes, it is possible that the court decision is necessary to use this backdoor, but if this court decision is, a person will definitely determine his privat key. And it would be advisable to have several private keys in different areas of life. So everyone who uses, for example, torrents can feel in danger.

That was also interesting to me to dig deeper, how this works in detail.

In Elliptic Curve Cryptography, a private key is basically a random 256 bit integer and a matching public key is generated by calculating the matching value on the selected curve. That is why it is usually very fast and does not need much computation power.

On a hardware token, the key gets derived from a fixed device secret. The key derive function can be different and the resulting key is only known to the token that generates it.

The public key is calculated and sent to the website that offers WebAuthn authentication.

For login, a nonce (random number) gets exchanged and the token signs the nonce by deriving the private key again. The website can verify the signature with the public key.

As you can see in this code sample, the user information as well as the relaying party (the website) is present in the data that gets used to derive a unique private key with use of the device key.

So every private key is depending on the device secret as they all get derived from it but every registration using a different username with a website yields a different key pair.

let credential = await navigator.credentials.create({
  publicKey: {
    challenge: new Uint8Array([117, 61, 252, 231, 191, 241, ...]),
    rp: { id: "", name: "ACME Corporation" },
    user: {
      id: new Uint8Array([79, 252, 83, 72, 214, 7, 89, 26]),
      name: "jamiedoe",
      displayName: "Jamie Doe"
    pubKeyCredParams: [ {type: "public-key", alg: -7} ]


That is, the generation of the public key is influenced by the secret key of the device, a random number, as well as the user’s login and the name of the website. Thus, the same login on different sites, as well as different logins on the same site, will give different (private?) keys. It should be impossible to determine if the two accounts belong to the same user.

But what if the curve is chosen so that it is vulnerable to secret attakc? That is, the organization that chose this curve went through millions of millions of curves and found one that is vulnerable to an unknown to wide public attack: SafeCurves: Rigidity

Then, this organization can find out the secret key of the device from the logging data. And the only way to protect against this attack is to use multiple device secret keys. Of course, it will not save one account from being hacked, but at least it will be more difficult to confirm that two different accounts belong to the same user.

Curves used in U2F: NIST P-256 are compromised:

That’s why I asked: is it possible to have several secret hardware keys on one device?

In case of FIDO2, there’s not a whole lot you can do since the curves are already set in the standard. But you can factory reset your key every so often and re-register with your services to be safe.

Personally, I like to use multiple keys from different vendors. It’s a good way to have a backup and keep my work, personal, and testing tokens separate. Plus, I usually use two tokens of the same model so I can recreate bugs, test firmware upgrades, and do some BCDR exercises.

Although the Snowden leaks exposed that agencies were attempting to weaken encryption standards, there is currently no evidence to indicate that they successfully compromised NIST P-256. As a result, it is possible that the curve and its applications are now subject to even greater scrutiny and have been the focus of extensive research by cryptographers worldwide.

SafeCurves is a project that promotes the use of elliptic curves that are secure and resistant to attacks. I am also following their recommendations and prefer Curve25519. AFAIK their mathematical guidelines are sound and they give rationale about the parameters of the recommended curves to have “nothing up the sleeves”. They do not mention any concerns about standardized curves like NIST P-256 besides that it does not meet their criteria.

I am very grateful to Mr. Snowden that his leaks brought attention to the crooked NIST P-256 encryption. But the mere lack of evidence that NIST P-256 was compromised is not proof that it is not.

The NSA is a very large organization, there was a story when they demonstrated the superiority of their technology over the academic community:

“It took the academic community two decades to realize that the NSA’s “tweaks” actually improved the security of DES. This means that back in the 70s, the National Security Agency was two decades ahead of the state of the art.”

Also the NSA has already been seen trying to standardize vulnerable algorithms: Dual_EC_DRBG - Wikipedia

In our discussion, I would like to draw attention to one, as it seems to me, important feature: if someone has the ability to recover your private key using your public key, then he will be able to find out about you everything that you do and get comprehensive information about your life. But this can be easily avoided by using different private keys to register on different services. Then the NSA will have access to some aspects of my life separately and it will be more difficult to tie them together. In addition, an NSA citizen would need to get a whole bunch of court decisions to break private keys, which also makes them difficult to trace.

And, in principle, it is quite easy to implement. The only inconvenience is that you have to carry a whole bunch of electronic keys in your pocket. Nitrokey devices are already quite large (if you want to use NFC as well), and if you carry several of them at once, it will be very inconvenient in everyday life.

Therefore, I was so persistently interested in whether it is possible to have several secret keys on one device. For me it would be much more convenient and much cheaper.

It is a good idea to be cautious in regard to IT security.

If there were a backdoor in the curve, it is highly likely that others would discover it as well. As a result, it would be unwise to roll out NIST P-256 in one’s own country. Yet, it is one of the approved curves and as it is one of the oldest, it is also widely adopted in the US.

Also interesting: I had a look into CTAP (Client ot Authenticator Protocol) that gets used by FIDO2:
ECDHE (Elliptic Curve Diffie Hellman Ephemeral) is used to establish a shared secret key between the token and the authentication server, which provides perfect forward secrecy. The private key on the token remains secret and is not directly derived from the device key alone.