Nitrokey App handling two keys, cross-backup?

Hello all,

I have seen an entry about the app “intending” to handle two keys at a time (on the same machine); I don’t know if this already works : is it the case?

If it is, I’d be quite interested in duplicating my current key, and doing it so that the internal keys are backed up in the other key.

I understand the process to do this would be different from the standard one described here (which only creates the internal keys… in the Nitrokey) : I’d probably have to generate them separately, then loading them on both keys…

Are there other people interested in such a way of doing?
What would be the simplest /or fastest /or most secure way to perform this?


Actual a very good point for a bit different scenario: I have one HSM on one of my two server. I just wonder how I would configure high availability ? In this case I think I would need to have a 1:1 copy to ensure that that services are still available from outside under the same key.
And in that case , the second HSM Key would be also a backup of all keys.

So I am looking forward what will be posted …

1 Like

I assume this was about Nitrokey App supporting two devices in parallel. It won’t support key generation or key handling anytime soon. If you want to have your cryptographic keys stored on two devices, you can do this with GnuPG or OpenSC. Instructions are in the documentation on our website .

Nitrokey HSM supports this out of the box. Keys can be securely exported and imported among multiple Nitrokey HSM. See here.

Thanks jan ! So I would need two HSM NK’s ( one on each server ) and the keys for high-availibilty packages should be on both HSM NK’s , while e.g. host specific keys ( e.g. sshd host key) would be only on the host own HSM NK. ( Backup of the host keys could be stored on the other HSM NK) . Does this look like a reasonable scenario ?

Yes indeed : will it work if I just plug two NK storage at a time, will they appear propely on the OS?

I didn’t find details here about generating the master key outside the NK to get a backup, only an external link to the FSFE site whose page is marked both ‘obsolete’ and ‘broken’. Can I consider that the instructions detailed there for instance are OK?
Thank you!

Unfortunately, there is no extensive description for this yet afaik. The FSFE site did help me a lot. While you have to think about what you doing and can not proceed step by step, most information is still valid and shows the general steps.

I really try to finally create a extensive guide on how to do it the expert way… Only few users would go this way, therefore, we did other stuff first.

The xmodulo site you posted is quite nice, but generates the keys on-device, so that it does not help if you like to have a backup.

1 Like

Thank you very much Alex!

I thought that in the figure below (by the middle of the xmodulo page), there was a mention of getting the key backup saved in /home/…
Is this just for the subkeys?

In any case thank you again for your strong work and reactivity!!

This is a most unfortunate function in GnuPG (imho). This is backup encryption key only. That is to say, you can only decrypt messages with it, but you do not have an actual backup of the whole key set. Therefore, I would consider this more harmful than useful as users keep thinking of this as a real backup…


OK -understood! Many thanks indeed!
This week-end I launch myself into the FSFE site :wink:

OK, I now realize I was not fully clear : Suppose I buy a second Nitrokey Storage in order to just duplicate the stored data on two keys : am I able to plug simultaneously both USB keys on my machine, unlock the two corresponding encrypted storages, see both volumes on the computer, and transfer stored data from one to the other, without an intermediate step on the computer HD?
Thank you!


Nice use case. I will look into it. Created issue: NitrokeyApp#387

At the moment Nitrokey App connects to the first available device, and user cannot change the selection during the App execution.

1 Like

Frankly, that’s a case for selling the NK by pairs :wink:
(at least, I’d immediately buy a second one if this works!)

1 Like


I actually did it. I created some instructions now. You may have a first look.

I’d be glad to get some feedback!

Kind regards


Not yet tried on my side, but that looks perfectly clear!
If I manage to get through I’ll probably go on for a backup Nitrokey indeed :wink:

I can also highly recommend Dr. duh’s Yubikey guide on GitHub. Some of the specifics may pertain to only the Yubikey, but the overall process is fairly generic and can definitely be applied to the NitroKey as well.