Hardware setup: xx30 flashed with Heads / Qubes 4.0.1 / Nitrokey Pro 2
I use the Nitrokey to verify the integrity of my laptop firmware, TPM and Qubes boot partition.
Other than the initial boot process, I do not use the Nitrokey for any additional functions like the password safe or anything that requires managing the security key through the nitrokey-app on Linux. I set it up through the menu options within Heads.
Something that occurred to me would be a potential attack scenario where the attacker had physical access to the laptop and the security key.
Even if the attacker did not have the current PIN of the Nitrokey…
Could the attacker not potentially maliciously modify the Qubes boot partition to capture the LUKS encryption password?
Then perform an OEM factory reset from within the Heads firmware menu, which automatically resets the Nitrokey + PIN and creates a fresh signing key, also signing the boot files as part of its process, thus signing the maliciously changed boot partition.
How would the user know whether this has happened or not?
If the security PIN of the Nitrokey is not required to actually boot the laptop, then the change of the security PIN would not give any indication that anything has actually changed on the Nitrokey.
Meaning the user could unknowingly boot a tampered laptop, assuming the signing key and PIN to be genuine (the PIN is not required to boot an OS), when in fact it is a reset Nitrokey with a compromised PIN and a compromised signing key that has signed a maliciously altered boot partition.
Until the user actually does something that requires the original PIN, he will assume that everything is unchanged, as in the meantime the LUKS password would be captured on first boot-up.