Backup of Nitrokey 3?

For whatever reason I purchased a Nitrokey 3A some time ago. Now I have time to learn how to use it.

I understand that the Nitrokey does enhance security. But what if the Nitrokey becomes faulty? Or gets lost?
Is it possible to copy the content of the Nitrokey to another one as a backup, or to another kind of device?

If there is no means for a backup, I just exchange one risk for another. Without the key I will be locked out of everything, right?

The general concept of tokens like the Nitrokey 3 is that they store the secrets so securely that no backup can be made.
Basic idea: if you lose the token tomorrow, the finder can’t access anything; with the wrong PIN the key locks completely after a few false tries.

Of course your thought is correct. The concept means you should have a suitable backup method for each secret, at the beginning of use and later. Once you get used to using the Nitrokey, you can decide whether you simply get a second one and register it separately with the services (you also can’t back up from one key to the other), or use other authentication methods. Whatever you choose as a backup (a second key or other methods), keep it safe, to rely on when you need the backup.

1 Like

However, that still doesn’t fully answer why the concept doesn’t allow for backups AFTER ENTERING the corresponding PIN. In my opinion, that would be even better, since for most applications you could safely use a key, always knowing that a copy of the content is stored safely somewhere.

However, I’m writing this text with complete ignorance of the hardware used and its actual capabilities. Perhaps the hardware simply doesn’t offer these capabilities. Then there might still be potential.

Nitrokey 3 has multiple functions inside and each of them has to be discussed separately.

For a FIDO2 key (sometimes called Passkey) it should not be possible. If this device breaks, you have to log in with a recovery code (hopefully provided by the service you try to log in to) or some other factor, you remove the broken FIDO2 key, you add the new one.

For OTP, what you can do is add the same OTP secret to multiple devices (Nitrokey 3, some smartphone, some password manager…), so losing the device will not be a disaster.

For OpenPGP (GnuPG) it is more complicated. One option is to create the keys on the computer (and store them securely!!) and then copy them to the card; see OpenPGP Key Generation With Backup - Nitrokey Documentation.

I personally prefer a different strategy for OpenPGP, explained at https://security.stackexchange.com/a/112964 and partially in Subkeys - Debian Wiki.

This means if you lose a device, you generate new subkeys on a new device and certify those subkeys using the master key. But you have to publish the new subkeys and revoke the old ones.

1 Like
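As an added illustration of the OTP point in the reply above (this is not code from the thread, from Nitrokey, or from the linked documentation): a stdlib-only HOTP/TOTP implementation that enrols one base32 secret on three simulated devices and shows they all produce the same code, which is why backing up the enrolment secret is enough. The device names are constructed, and the secret is the RFC 6238 test vector, not a real enrolment.

```python
# Added illustration (not from the thread): RFC 4226/6238 HOTP/TOTP in pure
# stdlib, used to show why the *enrolment secret* is the thing to back up.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def decode_enrolment_secret(b32: str) -> bytes:
    """Decode the base32 string shown at enrolment (QR code / manual-entry key)."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def codes_from_all_devices(b32: str, unix_time: int) -> dict:
    """Simulate enrolling one secret on several devices; each computes its own code.

    A real token keeps the secret inside and will not export it, so the only
    moment to make this backup is enrolment time, while the base32 string is visible.
    """
    secret = decode_enrolment_secret(b32)
    devices = ["nitrokey-3", "phone-app", "password-manager"]  # constructed names
    return {name: totp(secret, unix_time) for name in devices}


if __name__ == "__main__":
    # Constructed example: RFC 6238's test secret "12345678901234567890" in base32.
    ENROLMENT_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = int(time.time())
    codes = codes_from_all_devices(ENROLMENT_SECRET, now)
    for name, code in codes.items():
        print(f"{name:17s} {code}")
    # Every device agrees, so losing any one of them is not a lockout.
    assert len(set(codes.values())) == 1
```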