How to mitigate the loss of a Nitrokey Pro?


Before securing my access (app, OS) with my new Nitrokey Pro, I’d like to have a clear view of the impact of a loss of the key, and how it’s possible to mitigate its impact.
On webapp, is it still possible to use the recovery mechanism offered by the sites after MFA is activated?
Is it safe to secure a OS access with a Nitrokey ? What could be a good plan ? some user “covered” by the nitrokey key, and a rescue one (an admin?) not covered, that would permit to save the situation ?
What are the best practices to avoid to be stuck? :slight_smile:
Any feedback would be appreciate.

Thank you in advance.



Hi Gilles,

it is a clever thing to think about backup first :wink:

Regarding the mutli-factor-authentication (MFA) of various services I would say that it actually depends on what they have implemented. Some have some spare TANs you can save as a backup (for example GitHub is doing this), others offer a phone number as a backup etc.

What you can always do is to save the secret key/seed for your OTP entries. The point is: where to “save” it securely, right? You could write it down, if you feel more safe with this kind of backup or you think of something else. However you decide to backup: this secret key let’s you (but everyone else as well) restore your OTP access. So be careful!

Regarding the OS: this totally depends on the OS and the settings used. In most cases I would recommend to have two ways to log in to the system - by password and by Nitrokey. This should save you the hassle.

As I said, all comes down to the system and the settings you choose, the situation for OSs is just to diverse. In doubt, you may elaborate what you would like to do.

I hope I could help you a bit!

Kind regards


Thanks Alex for your feedback.
I’m currently trying to understand how to use such a key, before proposing it to some customers.
A part of your answer is “I would recommend to have two ways to log in to the system”. Do you mean : with the same account, or with different account ?
My wondering is : if we allow an authentication with AND without the key (so if we can bypass the key), which improvement of security does the key offer ?

About backup, the FAQ says the only way to achieve that is to create the keys locally first , backup them and move the keys on the Nitrokey afterwards. I’ll do that :slight_smile:


Hi Gilles,

It depends on the use-case mainly. For example, If you are afraid of shoulder-surfing, it is good to use the Nitrokey in general, but it is no problem to have a second login mechanism that you only use in case of a loss.

Of course, you don’t need to have this fallback at all, if you can work with an extra account for maintenance. But then you have the same situation - an account which is accessible without the Nitrokey. I think you can not prevent this entirely. The advantage is to not expose the password all the time just to log in to the machine.

This is totally true for your PGP keys. The backup for TOTP keys can go the way I described above.

Kind regards

Most services I’m aware of do have a recovery mechanism in case of device loss. Note, the recovery process is usually more complicated than an ordinary login in order to keep the security level equally high as with 2FA.

I would say : the key offers the possibility to define a verrry long password, like
This very sentence is the übercomplicated password that I defined in case I lose the NK!
… which you still can remember perfectly, but is so long that I expect it’s really long to crack/guess…

Incidentally, for this I’d love a small step-by-step, just with the terminal and gpg… I found some here and there but it’s often unclear when they were written, on which exact OS etc.

I plan to create such instructions for a long time. Unfortunately, it is quite time consuming and not often used. I try to still create a extensive guide the next weeks.

1 Like

I just stumbled over this old thread also thinking about how to cope with the loss of my new nitrokey pro. What can I do when I use the nitrokey for encrypting mail and disks? Of course, I can create the keys locally and export them to a safe place before copying them to the nitrokey. But how can I regain access to my encrypted contents in mail and on disks after loosing the nitrokey? How in this situation can I import the exported keys into gpg command line tool and decrypt my stuff? Or even better, how can I push my secret keys export to an 2nd nitrokey and use it as an “backup smartcard”?

Any hints on this would be really appreciated. Maybe it’s all in the gpg man pages but I cannot spend nights solving this issue…

1 Like

I indeed am concerned with the very same issue. Cannot trust a single device that can crash.

To my (old) knowledge, keys created normally with the NK remain on the NK so one can never duplicate them, nor the NK.

Now, I understand with GPG on your machine, you can create your keys there and then upload them onto the NK, so you can do this with two NKs and indeed get a backup.
And then you delete them from the computer.

Here, purists will declare that, because the key happens to have been recorded once on my computer, everything is potentially wrecked, and basically it is a sin.
I agree that theoretically, mathematically, yes, Poutine, Trump, or the Israeli secret services (add your own nightmare here at will) could access your computer right now and devillishly copy the key. But oh well.

To me basic user, the only thing missing here is a simple, step-by-step procedure describing the above. I even think there is something like this somewhere here, but I cannot find it back :shushing_face:


well I managed to create the keys on my local computer and make a backup by following this HOW TO:

I suppose this is what you want to do.

If you are on Windows and have installed GPG4Win, you have to start the Windows command line or (better) power shell. Then you can do all the command line stuff as shown in the tutorial using the gpg command. You may start with typing “gpg --help”. Make sure that you execute all commands in the tutorial exactly as shown.

My question is: How can I use my backup to decrypt stuff after loosing my nitrokey?

Best regards

Bumping up the question.

cc @nitroalex

I am also intersted in this topic: Is it possible to again get ssh access to a server with putty by using the saved keys. If not, the key backup seems rather useless for the ssh server access application case.

Hi @Heraklit !
I believe the original question is about encryption key backup made during the GnuPG on-device generation, where it is proposed to make one for user. Other two subkeys, authentication (which SSH is using) and signing, are not backed up, hence the only way to have them outside the device is to create it securely on air-gapped PC and then import them to the device.

Thanks for the reply.


one would think that the command

gpg --export-secret-keys > sec-key.asc

will not only export the encryption key. But I am not sure,
the article gives no further hints.

Thanks for the reply. My post was filtered away by Akismet. I try it again without link.

Following the nitrokey howto article “openpgp-create-backup” mentioned by ckozianka above (link removed) one would think that the command

gpg --export-secret-keys > sec-key.asc

will not only export the encryption key. But I am not sure, the howto article gives no further hints.

It exports all secret keys associated with

You can either import the previously exported secret keys into GnuPG and use them right away or import them securely on a new Nitrokey and use them this way (which is more secure, of course).

The latter is described here.

Sorry for confusion. I meant the key backup created during the on-device key generation with GnuPG - then the only ingredient is encryption subkey.

@nitroalex: Could you take a look at the question regarding importing the mentioned subkey: How to mitigate the loss of a Nitrokey Pro? ?

I thought I did above?

1 Like

Regarding putty, Kleopatra supports it out-of-the-box (available in its configuration window). See: