How many PGP keys can be stored on NK PRO2/HSM2?

Hello,

How different can the subkeys be from each other when a Nitrokey is formatted by the GPG tool? I mean at least their type. Can one of them be RSA4096, another ECDSA and the last one, say, Brainpool?
Can SSH then use all three of those keys in a hybrid mode via gpg-agent, requiring all of them simultaneously to pass authentication successfully? Are all the mentioned key types (RSA4096, ECDSA and Brainpool) supported by OpenPGP and OpenSSH+gpg-agent? Will it work as described (three GPG keys of different types) on a single Nitrokey hardware device?

If the Nitrokey file system is formatted by the OpenPGP tool, then shouldn't SSH use gpg-agent, which is compatible with ssh-agent, instead of talking directly to the OpenSC PKCS#11 library by itself?

Please also let me know how many GPG identities a single Nitrokey HSM2 can store.

Does one PGP identity take 3 subkeys? Is the master key actually stored inside the Nitrokey, or only on the host PC, to be removed to a safe backup place later?

Hi @sanyo,

  1. On an OpenPGP smart card the type and length could be different, AFAIR. Support depends on the application; GnuPG should work with that.
  2. OpenSSH support for smart cards depends on them and on their use of OpenSC. Multiple-key authentication was already discussed in some other topic, I believe. It all depends on user configuration, of course.
  3. See the fact sheet: https://www.nitrokey.com/files/doc/Nitrokey_HSM_factsheet.pdf:

Storage capacity: 76 KB EEPROM total, max. 150 x ECC-521 keys, max. 300 x ECC/AES-256 keys, max. 19 x RSA-4096 keys, max. 38 x RSA-2048 keys

  4. That depends on the method of choice. The key could be generated on the smart card only, and then it never leaves it (unless we talk about the HSM, which has the encrypted backup feature by design). The key could as well be imported to the smart card, but that leaves you with a trail of the secret material in a different place, which is arguably less secure.
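The question above about whether SSH should go through gpg-agent rather than the OpenSC PKCS#11 module, and the reply that it "depends on user configuration", come down to one GnuPG setting. The script below is an added example, not code from this thread or from Nitrokey: it turns on gpg-agent's built-in SSH agent emulation (`enable-ssh-support` in `gpg-agent.conf`) so that OpenSSH authenticates with the card's OpenPGP authentication subkey, and it prints the `SSH_AUTH_SOCK` line that points OpenSSH at gpg-agent's socket. The `apply` argument and the directory parameter are my own conventions so the function can be exercised against a scratch directory instead of the real `~/.gnupg`.

```shell
#!/bin/sh
# Added example (not from the forum thread): let gpg-agent act as the SSH agent
# so OpenSSH uses the OpenPGP authentication subkey on the Nitrokey via gpg-agent
# instead of loading the OpenSC PKCS#11 module directly.

# Idempotently enable SSH support in gpg-agent.conf under the given GnuPG home
# (defaults to ~/.gnupg; pass a scratch directory to test without side effects).
enable_gpg_agent_ssh() {
    home_dir="${1:-$HOME/.gnupg}"
    conf="$home_dir/gpg-agent.conf"
    mkdir -p "$home_dir"
    chmod 700 "$home_dir"            # gpg warns about unsafe permissions on its home
    touch "$conf"
    # Append the directive only if an exact, uncommented copy is not already there,
    # so running the script repeatedly does not duplicate the line.
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf 'enable-ssh-support\n' >> "$conf"
    fi
    # gpg-agent reads its config at start-up; restart it so the change takes effect.
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill gpg-agent 2>/dev/null || true
    fi
}

# Number of active enable-ssh-support lines in the config (1 when correctly set).
count_ssh_support_lines() {
    home_dir="${1:-$HOME/.gnupg}"
    n=$(grep -cx 'enable-ssh-support' "$home_dir/gpg-agent.conf" 2>/dev/null || true)
    echo "${n:-0}"
}

# Print the line to put in a shell profile so OpenSSH talks to gpg-agent's socket.
# gpgconf reports the socket path for the installed GnuPG; without it we cannot
# know the path, so the function fails instead of guessing.
ssh_auth_sock_line() {
    command -v gpgconf >/dev/null 2>&1 || { echo "gpgconf not found" >&2; return 1; }
    printf 'export SSH_AUTH_SOCK=%s\n' "$(gpgconf --list-dirs agent-ssh-socket)"
}

# Usage: sh gpg-ssh-setup.sh apply
# Afterwards, with the card inserted, `ssh-add -L` lists the card's authentication
# key and `gpg --card-status` shows the subkeys stored on it.
if [ "${1:-}" = "apply" ]; then
    enable_gpg_agent_ssh
    ssh_auth_sock_line
fi
```

Only the authentication subkey is exposed to SSH this way; the signing and encryption subkeys stay reserved for GnuPG, which is why a card with three differently typed subkeys still presents a single SSH identity rather than a "hybrid" credential requiring all three.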