Would it be good to have two nitrokeys? How would you back them up?

Hello… About nitrokeys… It would be good to have two of them if you drop one…
Does any of you have it like that? So do you just copy the same keys onto both devices and nothing more? Is it hard to do… Do you have some advice on how to work with two Nitrokeys? Maybe just fill the first one and then just clone it? That would be the least amount of work, right?
Should work to make an exact copy of one to the other, then to manually write the same keys in both for everything.

I need to learn about this key; it seems like a good solution for passwords and so on… Thanks!
edit: It’s on Linux also…

Hi,
here is a German article that describes exactly what you need: https://www.kuketz-blog.de/gnupg-schluesselerstellung-und-smartcard-transfer-nitrokey-teil2/
Maybe a translator can help you. Or you can write to us if you have specific questions about it.


Thanks!

I am very interested in this too, because I wish to have a backup in case of loss…


I don’t know about Nitrokeys, but we use NitroHSM 2 and we basically have 5 of them. We use one for various development purposes, one of them is used as the master HSM - we have the master key on it and it is stored in a safe and its backup (exported key) is stored in a different physical location. Another one is used as the intermediary production CA and yet another one is used as the (root) CA for the testing environment - it is easier to create keys with it (the procedure is easier, programmatically it is identical), but they can’t be used in production of course. And we have one spare unit in case anything bad happens to any of them. I suppose that we should have a few more in store in case everything goes down, but managing backups and so on is a major PITA and I’m still working on a good procedure to do it.

Anyway, I think that the same backup mechanism is used for Nitrokey, and the procedure is nicely described here:

https://raymii.org/s/articles/Get_Started_With_The_Nitrokey_HSM.html#toc_6.

Correct me if the procedure is absolutely different, but I suppose the basics are the same.


Thanks… But I want a simple guide on how to set up 2FA on one Nitrokey, and then make a clone and send it to the other Nitrokey. Would that work? Some easy Linux guide… This guide was good, but I’m not sure how this would work:

"4.3 Backup of the key material

Before we transfer the key material to the Nitrokey, we first make a backup on an external storage medium (e.g. a USB stick). This may additionally be encrypted with dm-crypt / LUKS and should then be stored securely."

I want to make a clone of the first Nitrokey, so if I drop the first one, I can just plug in the second one without any hassle and it just works the same… How would I clone the first Nitrokey and copy it to the second Nitrokey so that they are identical?

One thing that would be awesome!!! Can I use 2FA and also unlock the computer or check for hardware changes with a Nitrokey? HOW? That setup would be cool… But then it’s one Nitrokey per computer, right? It would be good to see if a system has been touched or not, if possible… I don’t need that level of security, but it could be fun to have, or to try out. :) To unlock the computer like you would with a car or something… thanks

Will this work on different computers? I have not yet looked into how this all works, but I am reading some now. It seems nice. I also read this just now:

Prerequisite: An initialized Nitrokey with keys being generated.

On another computer than the one you generated the keys on, you need to inform GnuPG about the Nitrokey. You have two options for doing so:

If you published your public key on your website you should program that URL into your smartcard in the “URL of public key” section (gpg --card-edit, admin, url). In addition or instead you may want to publish your public key on a key server. When you get to a new computer, you can insert the card, run “gpg --card-edit”, then run “fetch” and GPG will fetch the public key from the URL. If there’s no URL entered then it will attempt to retrieve the public key from the keyserver.

Alternatively, you can copy and import the public key manually from a flash drive for instance. In this case you have to insert the device and run “gpg --card-status”. (Now the general key info will be correctly populated, and new pseudo-secret stubs will be created.)

In any case the keyring file (e.g. ~/.gnupg/pubring.gpg) which contains the public keys of your contacts has to be copied manually.

See this more detailed description.
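One way to check that the second Nitrokey really is a clone of the first, as an added example (not from the original posts and not Nitrokey's own tooling): save the `gpg --card-status` output for each card and compare the fingerprints in the signature, encryption and authentication slots. The card dumps embedded below are constructed sample text, not captured from real devices.

```shell
#!/bin/sh
# Verify that a second Nitrokey is a faithful clone of the first by comparing
# the key fingerprints that `gpg --card-status` reports for each card.
# On real hardware: `gpg --card-status > card-a.txt` with the first key
# plugged in, the same into card-b.txt with the second, then cards_match.

# Print "<slot> <fingerprint>" for the sig/enc/aut slots found in a
# card-status dump read from stdin; grouping spaces are stripped so the
# 40-hex-digit fingerprints compare byte for byte.
card_fingerprints() {
  awk '/^(Signature|Encryption|Authentication) key/ {
    slot = tolower(substr($1, 1, 3))      # sig / enc / aut
    sub(/^[^:]*:[ \t]*/, "")              # drop the label up to the colon
    gsub(/[ \t]/, "")                     # drop the 4-digit grouping spaces
    print slot " " $0                     # an empty slot prints as "[none]"
  }'
}

# Succeed only if both dumps list the same fingerprint in every slot.
# Two cards whose slots are all "[none]" also compare equal, so read the list.
cards_match() {
  fp_a=$(card_fingerprints < "$1")
  fp_b=$(card_fingerprints < "$2")
  [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}

# Constructed card-status dump (not captured from a real device); $1 sets the
# last group of the encryption fingerprint so a mismatch can be simulated.
sample_card() {
  cat <<EOF
Reader ...........: Nitrokey Nitrokey Pro 0000000000000 0
Application ID ...: D2760001240103030005000000000000
Signature key ....: 1A2B 3C4D 5E6F 7081 92A3  B4C5 D6E7 F809 1A2B 3C4D
      created ....: 2021-01-01 10:00:00
Encryption key....: 0F1E 2D3C 4B5A 6978 8796  A5B4 C3D2 E1F0 0F1E $1
      created ....: 2021-01-01 10:00:00
Authentication key: [none]
EOF
}

demo() {
  dump_a=$(mktemp); dump_b=$(mktemp)
  sample_card 2D3C > "$dump_a"            # "first" Nitrokey
  sample_card FFFF > "$dump_b"            # "second" Nitrokey, enc key differs
  cards_match "$dump_a" "$dump_a" && echo "card A vs A: identical"
  cards_match "$dump_a" "$dump_b" || echo "card A vs B: NOT a clone, check enc slot"
  rm -f "$dump_a" "$dump_b"
}
demo
```

A card whose fingerprints differ from the backup is not a drop-in replacement: GnuPG keeps key stubs per fingerprint, so a differently keyed second card would not serve the same keyring.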

Thanks, good link you posted.