GPG subkey passphrase not asked


I bought a Nitrokey Pro 2 and my plan is to use it to store three OpenPGP subkeys (authentication, encryption, signing).

My master key is elsewhere.

The problem I encountered is that while the three subkeys are on the Nitrokey, the passphrase is not asked for when I try to decrypt a file or sign a mail, for example. Only the user PIN is asked for.

I do not fully understand the mechanism going on. When the subkeys were on my computer, the passphrase was asked for each time I tried to sign or encrypt a message.

Can you help?
Thanks in advance.

I have a Nitrokey Pro that I use for GPG. There is some level of configuration. I have it caching the PIN for decryption for a short time, then for signing things, I have to type the PIN for each signature.

Hi @Chosto !

During import to the Nitrokey, the secret keys were decrypted using your passphrase and written raw to the device - access to them is now protected only with the user PIN.
This is sufficient, as the device does not allow a brute-force attack, with its configured limit of 3 invalid attempts - after that the data will not be reachable anymore unless the administrator PIN is used to reset it. If the admin PIN is entered improperly as well, then access to the key material will be lost, and the device will have to be factory-reset to initialize it again.

Hi @szszszsz ! Excellent, thank you for the answer, it seems indeed sufficient to me. Have a nice day!
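
The retry limit and the per-signature PIN setting discussed in this thread are both visible in `gpg --card-status`. The following is an added example, not code from any poster or from Nitrokey: it parses a constructed excerpt of that output and maps the counters to the lockout states described above. The function names and state labels are assumptions made for illustration.

```python
import re

# Constructed excerpt of `gpg --card-status` output (not from a real device).
SAMPLE = """\
Signature PIN ....: forced
Max. PIN lengths .: 64 64 64
PIN retry counter : 1 0 3
Signature counter : 12
"""


def parse_card_status(text):
    """Extract the PIN retry counters and signature-PIN policy."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            # Labels are padded with dots and spaces: "Signature PIN ....".
            fields[key.rstrip(" .")] = value.strip()
    m = re.fullmatch(r"(\d+)\s+(\d+)\s+(\d+)", fields.get("PIN retry counter", ""))
    if not m:
        raise ValueError("no 'PIN retry counter' line found")
    # Order on OpenPGP cards: user PIN, reset code, admin PIN.
    user, reset_code, admin = (int(n) for n in m.groups())
    return {
        "user": user,
        "reset_code": reset_code,
        "admin": admin,
        # "forced" means the PIN is requested for every signature.
        "pin_per_signature": fields.get("Signature PIN") == "forced",
    }


def assess(status):
    """Map the counters to the lockout states described in the thread."""
    if status["user"] > 0:
        return "usable"
    if status["admin"] > 0 or status["reset_code"] > 0:
        return "user_pin_blocked"       # unblock with admin PIN (or reset code)
    return "factory_reset_required"     # key material no longer reachable


if __name__ == "__main__":
    st = parse_card_status(SAMPLE)
    print(st, assess(st))
```

To check a real device, pass the text printed by `gpg --card-status` to `parse_card_status` instead of `SAMPLE`.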