Regarding the mutli-factor-authentication (MFA) of various services I would say that it actually depends on what they have implemented. Some have some spare TANs you can save as a backup (for example GitHub is doing this), others offer a phone number as a backup etc.
What you can always do is to save the secret key/seed for your OTP entries. The point is: where to “save” it securely, right? You could write it down, if you feel more safe with this kind of backup or you think of something else. However you decide to backup: this secret key let’s you (but everyone else as well) restore your OTP access. So be careful!
Regarding the OS: this totally depends on the OS and the settings used. In most cases I would recommend to have two ways to log in to the system - by password and by Nitrokey. This should save you the hassle.
As I said, all comes down to the system and the settings you choose, the situation for OSs is just to diverse. In doubt, you may elaborate what you would like to do.
Thanks Alex for your feedback.
I’m currently trying to understand how to use such a key, before proposing it to some customers.
A part of your answer is “I would recommend to have two ways to log in to the system”. Do you mean : with the same account, or with different account ?
My wondering is : if we allow an authentication with AND without the key (so if we can bypass the key), which improvement of security does the key offer ?
About backup, the FAQ says the only way to achieve that is to create the keys locally first , backup them and move the keys on the Nitrokey afterwards. I’ll do that
It depends on the use-case mainly. For example, If you are afraid of shoulder-surfing, it is good to use the Nitrokey in general, but it is no problem to have a second login mechanism that you only use in case of a loss.
Of course, you don’t need to have this fallback at all, if you can work with an extra account for maintenance. But then you have the same situation - an account which is accessible without the Nitrokey. I think you can not prevent this entirely. The advantage is to not expose the password all the time just to log in to the machine.
This is totally true for your PGP keys. The backup for TOTP keys can go the way I described above.
Most services I’m aware of do have a recovery mechanism in case of device loss. Note, the recovery process is usually more complicated than an ordinary login in order to keep the security level equally high as with 2FA.
I would say : the key offers the possibility to define a verrry long password, like This very sentence is the übercomplicated password that I defined in case I lose the NK!
… which you still can remember perfectly, but is so long that I expect it’s really long to crack/guess…
Incidentally, for this I’d love a small step-by-step, just with the terminal and gpg… I found some here and there but it’s often unclear when they were written, on which exact OS etc.
I plan to create such instructions for a long time. Unfortunately, it is quite time consuming and not often used. I try to still create a extensive guide the next weeks.
I just stumbled over this old thread also thinking about how to cope with the loss of my new nitrokey pro. What can I do when I use the nitrokey for encrypting mail and disks? Of course, I can create the keys locally and export them to a safe place before copying them to the nitrokey. But how can I regain access to my encrypted contents in mail and on disks after loosing the nitrokey? How in this situation can I import the exported keys into gpg command line tool and decrypt my stuff? Or even better, how can I push my secret keys export to an 2nd nitrokey and use it as an “backup smartcard”?
Any hints on this would be really appreciated. Maybe it’s all in the gpg man pages but I cannot spend nights solving this issue…
I indeed am concerned with the very same issue. Cannot trust a single device that can crash.
To my (old) knowledge, keys created normally with the NK remain on the NK so one can never duplicate them, nor the NK.
Now, I understand with GPG on your machine, you can create your keys there and then upload them onto the NK, so you can do this with two NKs and indeed get a backup.
And then you delete them from the computer.
Here, purists will declare that, because the key happens to have been recorded once on my computer, everything is potentially wrecked, and basically it is a sin.
I agree that theoretically, mathematically, yes, Poutine, Trump, or the Israeli secret services (add your own nightmare here at will) could access your computer right now and devillishly copy the key. But oh well.
To me basic user, the only thing missing here is a simple, step-by-step procedure describing the above. I even think there is something like this somewhere here, but I cannot find it back
If you are on Windows and have installed GPG4Win, you have to start the Windows command line or (better) power shell. Then you can do all the command line stuff as shown in the tutorial using the gpg command. You may start with typing “gpg --help”. Make sure that you execute all commands in the tutorial exactly as shown.
My question is: How can I use my backup to decrypt stuff after loosing my nitrokey?
I am also intersted in this topic: Is it possible to again get ssh access to a server with putty by using the saved keys. If not, the key backup seems rather useless for the ssh server access application case.
Hi @Heraklit !
I believe the original question is about encryption key backup made during the GnuPG on-device generation, where it is proposed to make one for user. Other two subkeys, authentication (which SSH is using) and signing, are not backed up, hence the only way to have them outside the device is to create it securely on air-gapped PC and then import them to the device.
You can either import the previously exported secret keys into GnuPG and use them right away or import them securely on a new Nitrokey and use them this way (which is more secure, of course).
Kleopatra ist the default certificate administration user interface of Gpg4win. Instead, the help files only mention the GNU Privacy Assistant which is an alternative program for managing certificates, in addition to Kleopatra. https://gpg4win.org/doc/en/gpg4win-compendium_6.html
The screenshot shows how to enable the putty support.
Meanwhile I work without backup of the private key. This means that, for each server, one needs a method to replace the pubkey in case of loss or damange of the NitroKey.
