Nitrokey + Mooltipass?


#1

I am looking at getting a Mooltipass hardware password manager and combining it with a hardware 2FA device for maximum security.

I like Nitrokey because it is open source and made in Germany. I am looking at the Nitrokey Pro 2 (since most sites I need 2FA for don’t support U2F) and had a few beginner questions:

  1. How many different sites with OTP can I use the Nitrokey for? I.e. how many different keys can I have on the device at the same time?

  2. Do I need to buy two devices in order to keep a backup in case I lose my Nitrokey? Is it a simple procedure to “clone” the device?

Thanks!


#2

NoobUser, I don’t know what Mooltipass is, but for me, I’m using a Nitrokey Storage on which I store a Keepass2 file (which can record any number of passwords).
At this moment I just store the file there (so, in a safe encrypted place, and with its own password in addition), but I know I could also add OTP to the Keepass file.

As for cloning the key for backup purposes, it’s a concern I definitely share with you, and I started a thread on this here; you can have a look!
Hervé


#3

It is possible to save up to 15 TOTP secrets on the Nitrokey Pro/Storage.

No, you don’t need a second device, if you are fine with backing up the secrets on a general-purpose device or on a piece of paper, which in that case should be stored somewhere secure.

Unfortunately, you cannot just copy a whole device to another Nitrokey. The advantage of our devices is that no one can extract the secrets. Even we are not able to do this with a tool :wink: The only way to create backups is to do it during initialization, e.g. during key generation, TOTP configuration, etc.
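To make the backup point above concrete, here is an added example (not code from Nitrokey or from anyone in this thread): the base32 secret shown at enrollment, in the otpauth:// URI behind the site’s QR code, is all that the Nitrokey stores for a TOTP slot, so a copy of that string made at configuration time regenerates exactly the codes the device will later produce. The script parses such a URI, computes HOTP/TOTP per RFC 4226/6238, and checks itself against the RFC 6238 test vectors. The enrollment URI, issuer and account name are constructed for the example; the secret is the RFC test seed.

```python
"""TOTP (RFC 6238) recomputed from the secret captured at enrollment.

Shows why the seed noted down during TOTP configuration is a complete
backup of a Nitrokey OTP slot: every future code is a pure function of
that seed and the clock, nothing else leaves the device.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of the URI a site encodes in its enrollment QR code.
# The secret is the RFC 6238 SHA-1 test seed ("12345678901234567890" in base32).
ENROLLMENT_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Pull issuer, account, secret, digits, period and algorithm out of an
    otpauth://totp/... URI. Missing parameters take the RFC defaults."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    issuer, _, account = label.partition(":") if ":" in label else ("", "", label)
    return {
        "issuer": q.get("issuer", issuer),
        "account": account,
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    s = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # re-add stripped padding
    digest = getattr(hashlib, algorithm.lower())      # sha1 / sha256 / sha512
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // period, digits, algorithm)


def verify_totp(secret_b32: str, presented: str, at: Optional[int] = None,
                period: int = 30, digits: int = 6, algorithm: str = "SHA1",
                window: int = 1) -> bool:
    """What a site does on login: accept the code for the current step and
    +/- `window` neighbouring steps to absorb clock drift. Constant-time
    comparison so a wrong guess does not leak how many digits matched."""
    if at is None:
        at = int(time.time())
    step = at // period
    for c in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c, digits, algorithm), presented):
            return True
    return False


if __name__ == "__main__":
    p = parse_otpauth(ENROLLMENT_URI)
    print(f"{p['issuer']} / {p['account']} -> current code {totp(p['secret'])}")
```

The paper copy of `secret` is therefore equivalent to the device slot for that site, which is exactly why it must be kept as carefully as the Nitrokey itself; the difference is that the device enforces a PIN and retry counter and the paper does not.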


#4

Hi Herve5,

Interesting, I do exactly the opposite: before getting my NitroKey, I was using keepass (keepassxc) software. And now my NitroKey PINs / backup codes are stored there. So if I lose my key, I have everything I need to recover the situation in my keepass file. (And in my Nitrokey I store the OTPs only, until now.)

It solves the loss-of-my-key case for me, but it seems less secure: the Nitrokey is locked after several attempts, the keepass file is not.
Not sure there is a real way to guarantee both backup ability and total security…

Gilles


#5

Hello Gilles,

in fact my use case for passwords is probably biased from the start: I bought the Nitrokey Storage primarily as a secure way to transfer work documents while commuting daily (which is perfect for that), and only later on did I start thinking about passwords, etc.

In fact, when I moved the Keepass file onto the key, that was merely to sync the copies at home and at work…
So my principle of keeping the Keepass file on the key, etc. is certainly not the result of a deep theory!


#6

I’m kind of in the same boat: I like the convenience of syncing with my mobile devices, but I’m concerned about the exposure of my password store, because as time passes, even if I change my passphrase, old “versions” of my store may be brute-forced as compute power increases and quantum computing becomes more accessible.

One of the things I’ve been using recently is gopass, a rewrite of the “classic” pass unix password manager in Go. It has some awesome features like password generation and some ability to do TOTP codes, and uses GPG and Git as the storage mechanism, making it far easier to move around with less fear of exposing secrets. Rather than one store that, once “cracked”, essentially gives access to all the secrets, each secret is separately encrypted to your GPG key, so you can rotate individual secrets without exposing your whole store to a timing attack (unless you re-encrypt everything to add a new recipient, but that is probably far less common on personal stores than if you are using it for collaboration at work).

My hope would be to see if I can set up my GPG key to be provided by the Nitrokey and have the password store live on the Nitrokey in the encrypted space, so unless they had access to my machine at the same time that I have the volume mounted and my GPG key loaded, they won’t get anything, and even then they would have to hope I didn’t have gpg-agent set up to prompt for my PIN after a minute or two.