Could you implement pass or pass-otp in the nitrokey? Maybe just the secret in a slot? How? That would make pass as secure as keepass2 but much more minimal and clean right… Would it work?
I’m not satisfied with keepass2 because i have had issues with it earlier. Wanna try this one instead if i can get it as secure as keepass2 with otp codes to log in, that are stored on the nitrokey.
pass already supports gpg keys on a token like Nitrokey. I guess also the plugins like pass-otp
pass init <gpg_key_in_hex> initializes a new password store and protects it with the key that may be a regular gpg key or a token. You just need to load the key into gpg-agent.
That sounds great! Any “newbie” guide out there step-by-step? How to set up. How to use, how to backup to new machines and set it up with the nitrokey? Yeah i would use pass any day before keepass2! Thank you!
Can i use hotp in the nitrokey and paste into pass or how do i set it up? Why is there no guide already on this site? There is a keepass guide already…
Do you mean something like this, and that i should paste it into totp on the nitrokey?
I’m not a coder. Any computer guide for “dummies” out there on how to use this with the nitrokey? Do i need the pass-otp plugin and use those codes in the nitrokey then?
ok now i saw i get some key in hex… yeah i could just copy in that instead of base32 you are right… Need to find some good guide and try it.
Yeah this is for advanced users…
https://plkt.io/a/2019/08/09/configuring-and-integrating-nitrokey-into-your-workflow/
I can try it out though.
The hex keyid or your email address just needs to match the gpg key on your token. Via gpg-agent you then decrypt the credentials in pass using your token.
Please be aware that you also need to safeguard your public key as it cannot be recreated from the data on the token.
Any step-by-step guide im to tired for this right now…Can i use the guide i linked earlier?
I still don’t get why it’s an keepass guide here and not for pass and a nitrokey on their site. thanks
$ gpg --card-status
Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2xxx-xxx) 00 00
Application ID ...: D27xxx
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: xxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 4
KDF setting ......: off
Signature key ....: AF45 BC55 0B79 2328 FDA8 FDDF 52C4 7BAA 4A43 C43D
created ....: 2022-06-15 10:32:37
Encryption key....: D214 2C33 7BB8 BCD1 A408 BCE6 9DB9 9182 D416 D26A
created ....: 2022-06-15 10:32:37
Authentication key: 8457 9611 C3FE 28D0 5069 5B06 2320 EE45 DDBF A285
created ....: 2022-06-15 10:32:37
General key info..: pub rsa2048/52C47BAA4A43C43D 2022-06-15 nku demo key <nku@example.com>
sec> rsa2048/52C47BAA4A43C43D created: 2022-06-15 expires: never
card-no: FFFE xxx
ssb> rsa2048/2320EE45DDBFA285 created: 2022-06-15 expires: never
card-no: FFFE xxx
ssb> rsa2048/9DB99182D416D26A created: 2022-06-15 expires: never
card-no: FFFE xxx
$ gpg -k
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/nku/.gnupg/pubring.kbx
----------------------------
pub rsa2048 2022-06-15 [SC]
AF45BC550B792328FDA8FDDF52C47BAA4A43C43D
uid [ultimate] nku demo key <nku@example.com>
sub rsa2048 2022-06-15 [A]
sub rsa2048 2022-06-15 [E]
$ pass --version
============================================
= pass: the standard unix password manager =
= =
= v1.7.4 =
= =
= Jason A. Donenfeld =
= Jason@zx2c4.com =
= =
= http://www.passwordstore.org/ =
============================================
$ pass init AF45BC550B792328FDA8FDDF52C47BAA4A43C43D
mkdir: created directory '/home/nku/.password-store/'
Password store initialized for AF45BC550B792328FDA8FDDF52C47BAA4A43C43D
$ pass generate support.nitrokey.com/nku
mkdir: created directory '/home/nku/.password-store/support.nitrokey.com'
The generated password for support.nitrokey.com/nku is:
|0stdqFIVgjzCX/C9dvD?x"g}
$ pass
Password Store
`-- support.nitrokey.com
`-- nku
$ tree ~/.password-store/
/home/nku/.password-store/
└── support.nitrokey.com
└── nku.gpg
1 directory, 1 file
$ pass show support.nitrokey.com/nku
|0stdqFIVgjzCX/C9dvD?x"g}
$ pass otp insert --secret --issuer totp.ssch.dev
Enter secret for this token: GZ4FORKTNBVFGQTFJJGEIRDOKY
Retype secret for this token: GZ4FORKTNBVFGQTFJJGEIRDOKY
Insert into totp.ssch.dev/totp.ssch.dev? [y/N] y
mkdir: created directory '/home/nku/.password-store/totp.ssch.dev'
$ pass otp totp.ssch.dev/totp.ssch.dev
949416
You are awesome! 
I read that just in the right time now when setting it up. Peace and thanks!
This is the best password manager i have ever tried!!! Combined with nitro. Sweet
pass is brilliant! It just beats keepass with its simplicity and no errors, and it has way stronger encryption.
It’s the only password manager you will ever have to have really…
So i can also just paste the pass otp i borrow from totp.ssch.dev onto the nitrokey as token and then save that token as a backup if i switch computers and so on then? Then it’s a really secure password manager! And you could back it up to different keys even if you wanted…
Even having 2fa one one, and keys on another if you wanted, but that seems “overkill” for me though.
Gotta learn how to back up passwords and restore them and so on though… On other computers.
Thanks for your help!
A few questions… When the key is in and the database is unlocked… Could the thief/attacker download the keys un-encrypted then? Or would he get the files, but need to un-encrypt them on his/her machine?
How easily can passwords be stolen? How hard can you make it if someone hacks your machine… Plus you need to take backups of the tree ~/.password-store/ right, for all machines? Do you usually unplug the key after you have used the passwords for security? Thanks!
The password manager pass stores all data gpg encrypted at rest. Accessing the data needs the unlock of the gpg key. The passphrase gets cached some time (AFAIR 600 seconds; timer resets on use).
Your nitrokey passphrase is being verified via scdaemon CHECKPIN on card and cached with gpg-agent. The most secure way is unplugging the Nitrokey. killall -s HUP gpg-agent lets gpg-agent forget the entered passphrase. Killing gpg-agent should also work gpgconf --kill gpg-agent.
If you decide to print the password to screen, it could be added to the backlog buffer of your terminal and written on disk (some terminals have that as a feature to scroll back previous sessions or large output and might write that to disk)
When you copy / paste passwords, it could be recorded in convenience tools like gpaste that allow to access a clipboard history. Also other tools have access to the clipboard and may access copied passwords.
Having a second factor token that cannot be copied is considered as a plus for some users and use cases. Everyone that has access to your OTP secret can generate valid OTP codes.
ok thanks. I could then use the nitro to generate otp’s. Just paste the demo token on the nitrokey… that would be the safest.
But i have backed up the secret-key…
How can i add that on another card? Do i wait with that or can i do that now already? Or can i use one card at a time? What if i drop one usb key?
What’s the best way to back up the secret key on two usb sticks, and/or how do i do if i have a new computer and want to restore the password database and the secret keys and so on?
Thanks again. Good answers!
I mean this guide…
https://docs.nitrokey.com/start/windows/openpgp-keygen-backup.html
If i have backed up the key and try to restore a backed up key to another device from the:
https://docs.nitrokey.com/start/windows/openpgp-keygen-backup.html#key-import
gpg --edit-key --expert keyID
I get that the key is on the first nitrokey…
Can you even have two cards as devices for this or do you have one at a time, and if you lose one, you need to set it all up from scratch with the sec-key ?
I’m new to gpg.
You can backup the password store with the gpg encrypted secrets (3-2-1 backup strategy), take a note on how you installed pass and the plugins, maybe even backup the iso to install the os and the software packages in order to be able to install the exact same versions. As pass is very open, I doubt that the latter would be necessary but for completeness, I would back it up.
Make sure to also backup the PUBLIC key! Especially when created on the Nitrokey. It is a hassle/sometimes impossible to regenerate it!
The gpg key can be generated externally and stored on multiple Nitrokeys. After that, you could save the key in pass, store it somewhere safe (e.g. self-encrypted usb key), print it out or whatever suits your disaster recovery strategy.
Make sure to not loose User PIN and Admin PIN for your Nitrokeys.
That should be quite safe.
I backup top-most important data on steel plates with embossed letters/digits to be safe from fire.
Haha, you take your security seriously… I like it. 
Link the plates in PM. That sounded smart! What do you mean by make an iso? How would that look like?
Yeah i can back up the public key also… Might have deleted it. I think i can generate it again, and if not i can start over… Just testing this system out some.
I like pass! But how do i take an backed up sec-key.asc and make other nitrokeys have it?
Do you do that when you create everything at the start or can you do it later on?
Any good guides out there on how you restore everything? Yeah i’m gonna read some. But i definitely prefer pass over keepass. And no i would not loose the pins. I remember stuff like that.
Thanks
Cheapest way is numbering / stamping some washers:
What do you mean by make an iso?
e.g. Linux Live CD or Debian install iso
I like pass! But how do i take an backed up sec-key.asc and make other nitrokeys have it?
https://docs.nitrokey.com/pro/openpgp-keygen-backup.html
And no i would not loose the pins. I remember stuff like that.
Scenario would be that you are not available and someone else would need to access/recover passwords (e.g. intensive care).
Thanks for the answers!
How do i import another pass instance in another debian machine if i have the secret.asc and the public.asc?
Just import them? Any link or could you write how i set up pass init and my passwords if i just copy the password files from pass on one machine, and then set up gpg with privatekey.asc and publickey.asc? Thanks
You need to import your gpg key
gpg --armor --export j.doe@example.com > public.asc
gpg --import public.asc
You could host the public key somewhere and then use gpg --card-edit followed by a ‘fetch’.
Then just copy over your password directory and you should be good.
Some people like to add the encrypted password store to git and use git clone via ssh to copy instances over. Afterwards you could commit changes and sync it by git fetch.
Thanks.
I did import both keys… But i might have intilized the new pass init wrong i choosed a random name… Now when i try to generate a pass i get this:
gpg: user: skipped: No public key
gpg: [stdin]: encryption failed: No public key
Password encryption aborted.
You know what i could try now?
Do i need to init this on every computer then? pass init <gpg_key_in_hex>
I need to look up which key i picked last time or if email did work…
Now when i tried to use a key as init and generate a pass i get this instead:
gpg: 727randomnumbers657: There is no assurance this key belongs to the named user
gpg: [stdin]: encryption failed: Unusable public key
Password encryption aborted.
What do i do now? I’m gonna try to set this up later on… A step-by-step guide online would been nice to have… How to set up this on a machine, and backup, that’s done… But to start on a new machine, i need to learn this. Thanks again for your good answers.
Is it the same keyid? If so, you could just copy over.
Yes everything is the same… Just a copy of everything… What should i copy over exactly? And how do i set up pass init on the new machine? Could you write some steps?
Others are free to answer also, but you seem to know this in detail. Thanks