User PIN / Admin PIN explanation?

Hi,

I think one answer is still missing: can I use the admin PIN to enable the encryption without the user PIN?
(I can’t test it right now, nor do I remember (and it is not in my black book :smiley:))

In addition to the firmware password, it is more important to understand: once the key is set to update mode you HAVE to update or re-write the firmware. There is no way back without an update to get the NK out of this mode. So set your Firmware Password, but don’t put the NK in the update mode at that time.

Right! I missed that :wink:

It is not possible to read the content of the card with the admin PIN as far as I know. But, of course, it is easily possible to reset the user PIN if in possession of the admin PIN. That is to say, in the end one actually can read/decrypt messages with the admin PIN!


Sorry if I still don’t fully understand this. My concern is mainly about the encrypted storage. Now if I have a user PIN that I use for the encrypted storage. And I put my important documents in there, and I write the admin PIN on a paper and hide it somewhere.

Now if someone would find that paper, he could get my Nitrokey, change the User PIN to 1234, and then read my stored documents after putting in 1234 as the user PIN instead of the one originally used for encrypting the data?

Actually, issuing programmer’s launch command (the same as after the flashing) could revert it from this mode (so it will not work as a data-destroying function), but we do not support this kind of behavior officially (which means we do not test it and this operation is not described anywhere in our guides).

No worries about asking more questions!

This is correct. Someone finding your admin PIN and your Nitrokey is in possession of your data! Therefore: only write down your admin PIN if you feel safe with it (e.g. because you did it in a way you don’t think anyone can find out…).

A minor note: one cannot use the user PIN 1234 because at least 6 characters have to be used.

This is correct. Only blocking the Admin PIN (by using up all attempts) would result in clearing the data. It would be better to remember this PIN and set the User PIN to some other hard combination, but nothing would break if you would forget the latter. You can always re-set the User PIN while having the Admin PIN, and no data will be removed.

Ah, good to know that launch could simulate the FW update - just in case you changed your mind and no FW shall be done.

I am wondering how often you choose to update firmware and change your mind afterwards :smile: But this surely happens… :wink:

LOL - I agree. But you know: the error is in front of the keyboard …

Yeah, and the “Black Book” is like a two factor authentication … So I would not worry too much that somebody gets your NK and the Book at the same time. But strong PINs are always useful - otherwise: why do you need a NK Storage?


I did a first draft here. Do you think this is useful @anon99020392?


I think it is an excellent step in the right direction. I would have two more suggestions:
a) I am missing the SO PIN description?!
b) while digits could be simple, I think an explanation for the “characters” may be needed: Think about UTF16? German strange letters like ÖÄÜß? Special shell characters like $!? So I would expect here also to be clear about the possibilities …
Just my thoughts

Thanks for your feedback!

Yes, I was thinking about this as well. I felt like people buying HSM are the kind of people who are not looking for this information :wink: but it doesn’t hurt to include it either… So I’ll do that. :smile:

As far as I know there is no problem with these characters. To be honest, right now I don’t know what specific character set is allowed, but you can use a lot of different characters and I didn’t want to limit these in the description if there is no need to. At least I added a little note to make clear that not only alphabetic characters are allowed.

Hmm, I mentioned UTF16 as I assume there is a limited length of characters or better bytes to store the password. I am sure you know that UTF could use more than 1 byte, which would immediately shrink the visible length of the password.
I would suggest to describe how many bytes are available for the storage of the SO key. Maybe a Chinese user only could use 4 “characters” as SO Key :smiley:

[Update] I just read

The SO-PIN must be composed of 16 hexadecimal characters. The value is internally converted into an 8 byte key value.

So it would be just a cut’n’paste for you in a single place …

As you can totally brick your Nitrokey HSM if not noticing everything described on the linked page, I do not like to paste this one sentence. So as for SO-PIN I intentionally did not give more information and mentioned the OpenSC wiki.

To be honest, I don’t want to complicate this here. I am still not sure, what the limitations are, but if I found them, I’d rather add them here.

While I understand, I think I would go away from the wording “character” as this is really misleading for the definition of a stored password (without a deeper description). ASCII/EBCDIC are using 7 bits only, Extended ASCII 8 bits, UTF between 1 and 4 bytes - and all are representing “characters”.
Especially as there is a lock after a number of retries, it is essential to describe this.
Look at this post where the user has used totally wrong “characters” and now is a bit lost … (I would say he is sitting on 59,- Euro crap as he can’t reset the keys any longer)

Anyhow, your turn how easy you like to make the usage of your products :smiley:


This is the exact reason why I’d rather keep the description for SO PIN as it is. The wiki is extensive in this point.

You cannot block the other models in this way. I totally see your point, but I have no other clear description at hand right now… Furthermore, I always prefer to have a warning in the program which takes the PIN if anything is not fulfilled :thinking:

But anyway, I’ll think about it…
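The characters-versus-bytes concern and the "warning in the program" idea from the posts above can be combined into a pre-entry check, so a retry is not spent on a PIN that will not be stored as typed. This is an added example, not part of the thread and not Nitrokey or OpenSC code; `check_pin`, `so_pin_to_key`, the limits passed in, plain hex decoding for the SO-PIN and all sample values are assumptions.

```python
import string
import unicodedata


def check_pin(pin: str, min_chars: int, max_bytes: int) -> list:
    """Return warning strings for a candidate PIN; an empty list means no findings.

    min_chars and max_bytes are caller-supplied assumptions: take the real
    limits from the documentation of the device in use.
    """
    warnings = []
    # The same visible text can be composed in more than one way ("Ö" as one
    # code point, or as "O" plus a combining mark), which yields different bytes.
    nfc = unicodedata.normalize("NFC", pin)
    if nfc != pin:
        warnings.append("not-nfc: input is not NFC-normalised")
    encoded = nfc.encode("utf-8")
    if len(nfc) < min_chars:
        warnings.append(f"too-short: {len(nfc)} characters, minimum {min_chars}")
    if len(encoded) > max_bytes:
        warnings.append(f"too-long: {len(encoded)} bytes in UTF-8, limit {max_bytes}")
    if any(ord(c) > 0x7F for c in nfc):
        warnings.append(
            f"non-ascii: {len(nfc)} characters occupy {len(encoded)} bytes; "
            "another tool or keyboard layout may encode them differently"
        )
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in nfc):
        warnings.append("control-char: PIN contains a non-printable character")
    return warnings


def so_pin_to_key(so_pin: str) -> bytes:
    """Decode a 16-hex-character SO-PIN into 8 bytes (plain hex decoding assumed)."""
    if len(so_pin) != 16 or any(c not in string.hexdigits for c in so_pin):
        raise ValueError("SO-PIN must be exactly 16 hexadecimal characters")
    return bytes.fromhex(so_pin)


if __name__ == "__main__":
    # Constructed sample values; the limits 6 and 8 are placeholders.
    for candidate in ("123456", "1234", "\u00d6\u00c4\u00dc\u00df12"):
        print(repr(candidate), check_pin(candidate, min_chars=6, max_bytes=8))
    print(so_pin_to_key("0123456789abcdef").hex())
```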

Ok thanks guys. Your answers have made this topic a lot more clear for me. But now one question of mine is still open: Do I lose anything when using the same User and Admin PIN?

When an attacker gets my User PIN but not the Admin PIN, he can get my secret data. When an attacker gets my Admin PIN but not my User PIN, he can also get my secret data. So security-wise, these two are equivalent, I don’t really care about an attacker modifying my data (aka having the Admin PIN instead of “only” the User PIN), because once an attacker is in control of my Nitrokey, I don’t expect him to give it back to me lol.

Same for forgetting/changing the password: I am using my User PIN much more often, so the risk of forgetting the Admin PIN is much higher than forgetting the User PIN. When using a weak Admin PIN (one that is easy to remember), I could as well just use an easy to remember User PIN.

I don’t really get why there are two different PINs for this anyway. When both can be used to read the encrypted data!? So I think I’ll just use the same PIN for both.


I would say the User PIN is for everyday use, for reading the state of the device. The Admin PIN should only be required for the configuration phase, when you set up/write secrets to the device, and then you do not need it again. If you would use the device in an unsafe environment, using the user PIN only, you have the confidence that its state is not altered and it produces reliable, not altered results. The only other thing an attacker could do is removal of all the data from the device.

In case you would like to make use of this read/write separation, perhaps you would like this solution: Nitrokey Pro / Storage devices’ smartcards are easily resettable to factory state, so in case you would like to use one PIN on the device, you could set a one-time Admin PIN, configure everything as you like, and once content after a couple of days you could set the Admin PIN to a random value. The downside is, there is no way to write to it anymore unless the whole device would be cleared.

In any case, I think that one should choose the method that best suits everyday usage and does not make life harder needlessly.

Hi, while I understand your point on the one side, I sometimes type things too fast and, oops, it is deleted. So a separate Admin PIN is helpful for me as a second “hurdle” before I do the dangerous things. To make it easy to remember, I “extend” the user PIN to an Admin PIN, e.g. when the user PIN is 2021 my admin PIN would be 202120 (of course my PINs are different :slight_smile:)