Purchase decision - Pro vs HSM

Hi,

I’m looking forward to purchasing my first Nitrokey. However, I’m not sure which model to go for.
I’m doubting between the Pro and the HSM. I don’t want to make any compromises concerning security, but I also don’t want to buy a lot of different devices for this.

Here’s what I’m aiming to secure:
I work on the three major operating systems (win, mac, (centos, debian)).
The Windows machines are usually workstations.
The Mac system would be my main workstation. It’ll be handling mail and generally a lot of web traffic.
I’m running about 50 servers in private and public environments. These servers are almost exclusively CentOS. There are a couple of Debians in there.
Connections to servers are usually made through SSH to a terminal server which has the SSH port open. From there connections are made to the other servers, which only accept ssh connections from that terminal server.
For virtualization I’m making use of Proxmox.
Next to these, I’m using a few web services (slack, trello). Though most of the web services I use, I try to host myself, due to privacy concerns.

The HSM key seems to be more server oriented while the Pro key seems more user oriented.

A little guidance would be great :)

The Nitrokey HSM is more aimed at running your own CA, the Pro is more user oriented IMHO. If you think about using GPG for email encryption/signing, you have already made the decision for the Pro :)

HTH

Jan

Great! I made my order. The HSM may come in handy later, but I’ll cross that bridge when I’m there.

I may still have a concern:
I’ll secure things with this device I would rather not lose: computers, servers, and lots of data.
I imagine some services supplying ways to retrieve your account in case of loss, theft or destruction of the device.
But I would have a hard time breaking back into my computer without internet to look up how to do it.
Is there a way to duplicate the keys on the device to be stored in a safe?
Or would a better practice be to get 2 keys for all accounts and store one in a safe location?

[quote=“fraksken”]Is there a way to duplicate the keys on the device to be stored in a safe?
Or would a better practice be to get 2 keys for all accounts and store one in a safe location?[/quote]

The fundamental thing is quite simple. You can generate the keys on the device or outside of the device.

For your use case I would simply generate the keys with gpg on a trusted computer, export them to the Nitrokey, export them in addition to a file, put that file on a device (or print it out) and delete the keyring on the trusted computer. That gives you a backup you can put in a safe and the keys on the Nitrokey.

Here is a quite good step-by-step description of that process: jfry.me/articles/2015/gpg-smartcard/

Jan

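The backup-first order described in the reply above, as an added example that is not part of the original posts: it generates a key off-card, exports the secret key to a file, and checks that the file restores into an empty keyring before anything is moved or deleted. It assumes GnuPG 2.1 or later; the function names, working directory layout and user ID are hypothetical, and the card step is left as comments because it needs the hardware.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumes GnuPG 2.1+; the working
# directory and user ID passed in are constructed placeholders.

# Read `gpg --with-colons` output on stdin, print the first key fingerprint.
fpr_from_colons() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Generate a key in a throwaway keyring, export an armored secret-key backup,
# and prove the backup restores into an empty keyring before trusting it.
# $1 = working directory, $2 = user ID. Prints the fingerprint on success.
make_verified_backup() {
  local work=$1 uid=$2 main="$1/keyring" probe="$1/restore-test" fpr check
  mkdir -p "$main" "$probe" && chmod 700 "$main" "$probe" || return 1
  # Empty passphrase only so the demo runs unattended; use a real one in practice.
  gpg --homedir "$main" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$uid" rsa2048 default never 2>/dev/null || return 1
  fpr=$(gpg --homedir "$main" --batch --with-colons --list-secret-keys 2>/dev/null \
        | fpr_from_colons)
  gpg --homedir "$main" --batch --pinentry-mode loopback --passphrase '' \
      --armor --export-secret-keys "$fpr" > "$work/backup.asc" || return 1
  # Restore test: the backup is only a backup if it imports somewhere else.
  gpg --homedir "$probe" --batch --quiet --import "$work/backup.asc" 2>/dev/null
  check=$(gpg --homedir "$probe" --batch --with-colons --list-secret-keys 2>/dev/null \
          | fpr_from_colons)
  # Stop the per-keyring agents this function started.
  gpgconf --homedir "$main" --kill gpg-agent 2>/dev/null
  gpgconf --homedir "$probe" --kill gpg-agent 2>/dev/null
  [ -n "$fpr" ] && [ "$fpr" = "$check" ] || return 1
  printf '%s\n' "$fpr"
}

# Once a fingerprint is printed, copy backup.asc to the offline medium, then:
#   gpg --homedir "$work/keyring" --edit-key <fingerprint>   # keytocard, save
# keytocard leaves only a card stub on disk after save, so the file above must
# already exist and be verified. Last, delete "$work" on the trusted computer.
```
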