The Nitrokey Storage came without documentation, and I didn’t find anything online that would explain what the User PIN and Admin PIN are supposed to be used for. Which of them should I use? Which is more important for protecting my data, i.e. which should have a stronger password? I don’t want to remember unnecessary information. Is one of them optional (or can it be left with the default PIN)?
The basic documentation on this is really lacking; it should be extended.
Hello and welcome, this is the security world. The main idea behind the Admin and User PINs is privilege separation.
You should make both strong.
The User PIN is the everyday password; you would use it to unlock the device, write some data, read data, generate OTPs etc.
The Admin PIN is for maintenance - reset the user PIN (yes, you’ll forget it, enter it incorrectly and block the stick), change the user PIN, factory reset the device.
You forgot to mention one more PIN - firmware. This would be used to reflash your device. If you decide that the device works as you expect and want to leave it in this state, you’ll block firmware upgrades, and to unlock you’ll need the upgrade PIN.
Hope now everything is a little bit clear.
I totally understand your concerns about remembering the different PINs. I have a “black book” - also in case I can’t tell my wife how to access things. There I note down all the stuff that I need in an encrypted way e.g. rot
So I would recommend instead of using the same stuff everywhere, to differentiate and to note it down. Such a book is difficult to hack from online resources
And yes, you should differentiate all three pins and never (!) keep the default.
I’ll try to add some basic information about PIN usage to the documentation, thanks for letting us know!
I would like to add some points I find important:
You seldom really need the admin and firmware PINs. As @Peacekeeper said, you may want to write them down in any way you think is still safe. I have not used my admin PIN since initializing my device. I would expect the user PIN, which you regularly need, to be easy to remember after some time.
We sometimes talk of PINs and passwords the same way. The truth is: you really only need a 6-/8-digit PIN for user/admin PIN, because the device gets blocked after 3 PIN attempts. So if this helps: it is okay to only use digit PINs which many people find easier to remember.
Please note that the firmware “password” should indeed be one. That is to say, it should not be a digit PIN, but a full-featured password like “Fjke08!jdlS”. There is no blocking after wrong attempts, as is the case for the user and admin PINs.
I think one answer is still missing: can I use the admin PIN to enable the encryption without the user PIN?
(I can’t test it right now, nor do I remember (and it is not in my black book))
In addition to the firmware password, it is more important to understand: once the key is set to update mode you HAVE to update or re-write the firmware. There is no way back without an update to get the NK out of this mode. So set your Firmware Password, but don’t put the NK in the update mode at that time.
It is not possible to read the content of the card with the admin PIN as far as I know. But, of course, it is easily possible to reset the user PIN if in possession of the admin PIN. That is to say, in the end one actually can read/decrypt messages with the admin PIN!
Sorry if I still don’t fully understand this. My concern is mainly about the encrypted storage. Now if I have a user PIN that I use for the encrypted storage. And I put my important documents in there, and I write the admin PIN on a paper and hide it somewhere.
Now if someone would find that paper, he could get my Nitrokey, change the User PIN to 1234, and then read my stored documents after putting in 1234 as the user PIN instead of the one originally used for encrypting the data?
Actually, issuing programmer’s launch command (the same as after the flashing) could revert it from this mode (so it will not work as a data-destroying function), but we do not support this kind of behavior officially (which means we do not test it and this operation is not described anywhere in our guides).
This is correct. Someone finding your admin PIN and your Nitrokey is in possession of your data! Therefore: only write down your admin PIN if you feel safe with it (e.g. because you did it in a way you don’t think anyone can find out…).
A minor note: one cannot use the user PIN 1234 because at least 6 characters have to be used.
This is correct. Only blocking the Admin PIN (by using up all attempts) would result in clearing the data. It would be better to remember this PIN and set the User PIN to some other hard combination, but nothing would break if you would forget the latter. You can always re-set the User PIN while having the Admin PIN, and no data will be removed.
Yeah, and the “Black Book” is like two-factor authentication … So I would not worry too much that somebody gets your NK and the Book at the same time. But strong PINs are always useful - otherwise: why do you need a NK Storage?
I think it is an excellent step in the right direction. I would have two more suggestions:
a) I am missing the SO PIN description?!
b) While digits could be simple, I think an explanation for the “characters” may be needed: Think about UTF16? German strange letters like ÖÄÜß? Special shell characters like $!? So I would expect here also to be clear about the possibilities …
Just my thoughts
Yes, I was thinking about this as well. I felt like people buying HSM are the kind of people who are not looking for this information but it doesn’t hurt to include it either… So I’ll do that.
As far as I know there is no problem with these characters. To be honest, right now I don’t know what specific character set is allowed, but you can use a lot of different characters and I didn’t want to limit these in the description if there is no need to. At least I added a little note to make clear that not only alphabetic characters are allowed.
Hmm, I mentioned UTF16 as I assume there is a limited length of characters or better bytes to store the password. I am sure you know that UTF could use more than 1 byte, which would immediately shrink the visible length of the password.
I would suggest to describe how many bytes are available for the storage of the SO key. Maybe a Chinese user only could use 4 “characters” as SO Key
[Update] I just read:
“The SO-PIN must be composed of 16 hexadecimal characters. The value is internally converted into an 8 byte key value.”
So it would be just a cut’n’paste for you in a single place …
As you can totally brick your Nitrokey HSM if not noticing everything described on the linked page, I do not like to paste this one sentence. So as for the SO-PIN I intentionally did not give more information and mentioned the OpenSC wiki.
To be honest, I don’t want to complicate this here. I am still not sure, what the limitations are, but if I found them, I’d rather add them here.
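Added example, not part of the thread and not Nitrokey or OpenSC code: a small Python checker that applies the rules stated above (6-character minimum for user/admin PINs, no digits-only firmware password, 16-hex-character SO-PIN) and shows how character count and stored byte count diverge. The function names are hypothetical, UTF-8 as the stored encoding is an assumption, and `max_bytes` is a placeholder because the thread never states the real limit.

```python
import re
import unicodedata

MIN_PIN_CHARS = 6  # from the thread: at least 6 characters are required
SO_PIN_RE = re.compile(r"[0-9a-fA-F]{16}")  # from the quoted SO-PIN rule


def encoded_lengths(secret):
    """Character count versus bytes produced by two encodings."""
    return {
        "chars": len(secret),
        "utf8": len(secret.encode("utf-8")),
        "utf16": len(secret.encode("utf-16-le")),
    }


def so_pin_to_key(so_pin):
    """Validate a 16-hex-character SO-PIN and return its 8-byte key value."""
    if not SO_PIN_RE.fullmatch(so_pin):
        raise ValueError("SO-PIN must be exactly 16 hexadecimal characters")
    return bytes.fromhex(so_pin)


def check_secret(role, secret, max_bytes=None):
    """Return a list of findings; an empty list means no rule was violated.

    role is 'user', 'admin' or 'firmware'. max_bytes is a hypothetical
    device limit (assumption: the thread does not give the real value).
    """
    findings = []
    if role in ("user", "admin") and len(secret) < MIN_PIN_CHARS:
        findings.append("too short")
    # Digits-only is acceptable where a retry counter blocks guessing,
    # but the firmware password has no such counter.
    if role == "firmware" and secret.isdigit():
        findings.append("digits only, no retry counter")
    if max_bytes is not None and len(secret.encode("utf-8")) > max_bytes:
        findings.append("exceeds byte limit")
    # The same visible text can encode to different bytes (composed vs.
    # decomposed accents), so another keyboard or OS may send another PIN.
    if unicodedata.normalize("NFC", secret) != unicodedata.normalize("NFD", secret):
        findings.append("normalization-sensitive")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs; "Fjke08!jdlS" is the example from the thread.
    for role, s in [("user", "123456"), ("user", "\u00d6\u00c4\u00dc\u00df12"),
                    ("firmware", "12345678"), ("firmware", "Fjke08!jdlS")]:
        print(role, encoded_lengths(s), check_secret(role, s))
```

The umlaut case is the practical risk: the PIN looks identical on screen, yet a system that sends decomposed characters produces different bytes and burns a retry attempt.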