Using FIDO2 SSH with Nitrokey 3

Hello,

I am interested in using the Nitrokey 3c NFC as a part of my workflow. That said, I am a bit confused about the FIDO2 SSH part.

The guide on the web, if I understand correctly, results in the key being generated on the Nitrokey itself, correct? This would mean that there is no possible way of backing it up or at least copying it onto a second Nitrokey, which could just reside in a safe to protect one from losing access when the original one is lost.

Also, how would one go about using the key for signing Git commits or pushing them to GitHub?

What is the recommended workflow here?

Yes, correct. Be it either a “resident credential” or “non-resident credential”.

Side note: When generating e.g. an ed25519-sk key you have two choices: either as a “non-resident credential” or as a “resident credential”.
With a “non-resident credential” you have to move the (so-called) key handle file manually to each computer where you want to use your FIDO2 (non-resident) SSH credential.
With a “resident credential” on the other hand, you are able to export the key handle from the FIDO2 token (using ssh-keygen -K), so the FIDO2 SSH token can be used everywhere. Even though this key handle “looks” kind of like a private key, it is not private. A 3rd party can get access to this file, but cannot do anything with it as long as the 3rd party does not also have your SK and maybe even your FIDO2 PIN.
For ease of use, I would personally prefer a “resident credential”.

Yes.
But nobody prevents you from using a second Nitrokey (or any other SK), generating a second FIDO2 SSH token, and adding this to authorized_keys, too. (Or, going further, setting up an SSH CA and getting a certificate for your FIDO2 SSH token(s)…)

Just configure this (FIDO2) SSH (token) key the same way as a “usual one”? See e.g. https://docs.gitlab.com/ee/user/project/repository/signed_commits/ssh.html
Using an -sk key is no different than using other key types.

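The claim in the answer above that the exported key handle file “looks like” a private key but is not one can be checked by reading the file format itself. The following added example (not code from the thread or from Nitrokey) builds an unencrypted OpenSSH `-sk` private key file with constructed sample bytes, then parses it back following the OpenSSH PROTOCOL.key / PROTOCOL.u2f layout. The fields that come out are the public key, the FIDO2 application string (`ssh:`), the flag bits and an opaque key handle; there is no private scalar anywhere in the file. The flag constants are taken from OpenSSH's sk-api.h; the key bytes, key handle and comment are made up for the demonstration and the checkint is fixed rather than random.

```python
"""Parse an unencrypted OpenSSH FIDO2 ("-sk") private key file and show what it
actually contains.  Added example; all key material below is constructed."""
import base64
import struct

SK_ED25519 = b"sk-ssh-ed25519@openssh.com"
# Flag bits as defined in OpenSSH sk-api.h
SK_USER_PRESENCE_REQD = 0x01
SK_USER_VERIFICATION_REQD = 0x04
SK_RESIDENT_KEY = 0x20


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Sequential reader for SSH wire-format buffers."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u8(self) -> int:
        v = self.data[self.pos]
        self.pos += 1
        return v

    def string(self) -> bytes:
        n = self.u32()
        s = self.data[self.pos:self.pos + n]
        if len(s) != n:
            raise ValueError("truncated SSH string")
        self.pos += n
        return s


def build_sk_private_key(pubkey: bytes, application: bytes, flags: int,
                         key_handle: bytes, comment: bytes) -> bytes:
    """Build an unencrypted openssh-key-v1 file for an sk-ssh-ed25519 key
    (layout per OpenSSH PROTOCOL.key and PROTOCOL.u2f)."""
    pub_blob = ssh_string(SK_ED25519) + ssh_string(pubkey) + ssh_string(application)
    checkint = struct.pack(">I", 0x01020304)  # constructed; ssh-keygen uses random bytes
    priv = (checkint + checkint
            + ssh_string(SK_ED25519) + ssh_string(pubkey) + ssh_string(application)
            + bytes([flags]) + ssh_string(key_handle)
            + ssh_string(b"")            # reserved field
            + ssh_string(comment))
    pad = (-len(priv)) % 8               # pad 1,2,3,... to the 8-byte block of cipher "none"
    priv += bytes(range(1, pad + 1))
    body = (b"openssh-key-v1\x00"
            + ssh_string(b"none") + ssh_string(b"none") + ssh_string(b"")
            + struct.pack(">I", 1) + ssh_string(pub_blob) + ssh_string(priv))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("\n".join(["-----BEGIN OPENSSH PRIVATE KEY-----", *lines,
                       "-----END OPENSSH PRIVATE KEY-----"]) + "\n").encode()


def parse_sk_private_key(pem: bytes) -> dict:
    """Decode the file and return its fields.  Note what is absent: there is no
    private scalar, only the key handle the token needs to recreate it."""
    lines = pem.decode().strip().splitlines()
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----" or lines[-1] != "-----END OPENSSH PRIVATE KEY-----":
        raise ValueError("not an OpenSSH private key file")
    r = Reader(base64.b64decode("".join(lines[1:-1])))
    if r.data[:15] != b"openssh-key-v1\x00":
        raise ValueError("bad magic")
    r.pos = 15
    cipher, _kdf, _kdfopts = r.string(), r.string(), r.string()
    if cipher != b"none":
        raise ValueError("passphrase-protected file; this demo reads unencrypted files only")
    if r.u32() != 1:
        raise ValueError("expected exactly one key")
    r.string()                           # public blob (same data is repeated below)
    p = Reader(r.string())
    c1, c2 = p.u32(), p.u32()
    if c1 != c2:
        raise ValueError("checkint mismatch (corrupt file)")
    keytype = p.string()
    if keytype != SK_ED25519:
        raise ValueError("not an sk-ssh-ed25519 key: %r" % keytype)
    pubkey, application, flags = p.string(), p.string(), p.u8()
    key_handle, _reserved, comment = p.string(), p.string(), p.string()
    return {
        "type": keytype.decode(), "pubkey": pubkey, "application": application.decode(),
        "user_presence": bool(flags & SK_USER_PRESENCE_REQD),
        "user_verification": bool(flags & SK_USER_VERIFICATION_REQD),
        "resident": bool(flags & SK_RESIDENT_KEY),
        "key_handle": key_handle, "comment": comment.decode(),
    }


# Constructed sample: a resident, PIN-verified credential for application "ssh:"
SAMPLE = build_sk_private_key(
    pubkey=bytes(range(32)), application=b"ssh:",
    flags=SK_USER_PRESENCE_REQD | SK_USER_VERIFICATION_REQD | SK_RESIDENT_KEY,
    key_handle=bytes.fromhex("aa" * 64), comment=b"nitrokey3-demo")

if __name__ == "__main__":
    for k, v in parse_sk_private_key(SAMPLE).items():
        print(f"{k:>17}: {v.hex() if isinstance(v, bytes) else v}")
```

Run it to see the decoded fields; the same parser works on a real file written by `ssh-keygen -t ed25519-sk -O resident` or exported with `ssh-keygen -K` as long as no passphrase was set (a passphrase-protected file is rejected rather than misread). The key handle is what a thief of this file gets; without the same token (and its PIN, when user verification is required) it cannot be used.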

The Nitrokey 3 also contains an OpenPGP application now that can also be used for the same use cases.

Not quite. FIDO2 SSH tokens are not PGP auth keys, which are not PIV X.509 certs, which can also be used for SSH.
The OP asked about FIDO2 tokens.

Thank you for making things clear. I appreciate it!

Thanks.

Btw., if you reply directly to a post, the post author gets notified. On a thread it’s not by default.