Nitrokey is an open source USB smart card with multiple uses, including one time passwords, email encryption, file encryption and computer authentication. The creators decided to build it when they needed a way to secure their encryption keys on insecure computer systems. In 2009 they released their first product, and now in 2016 they have four different products and are on their way to creating another one. I found Nitrokey when I was looking to get another Yubikey and found out that Yubikey went closed source. Since then I have been testing the Nitrokey out; I've found that I like it a lot and will definitely be using them in the future. So far it has been a bit of a challenge to configure, as the GUI is far from perfect, mainly in that it's hard to figure out if you are a newcomer. But I haven't given up and have been able to use the majority of the features that the Nitrokey Pro has (which is a pretty long list). Eventually I got the hang of it, and realized how very simple issues were proving to be more challenging than they should have been.
I found GPG to be the easiest of the Nitrokey's abilities to set up. The simplest way to begin is to use GPA (the GNU Privacy Assistant), which lets you edit the user data on the card and quickly generate encryption keys on the smart card. The other option is the terminal, which is not that much harder to learn. The one problem that really stumped me was getting everything to work on multiple computers: if I set up the Nitrokey on one PC, GPG would not be able to decrypt or sign anything on another PC. I am hoping to resolve this issue in the future, as it would greatly improve the functionality; right now it limits me to one computer (when I figure this out I will update the post). Besides this one little hitch the Nitrokey worked great; the hardest part was getting familiar with the GPG commands, as I have always preferred using the GUI. You can use GPA with it, but I found the command line preferable when setting up the Nitrokey.
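The multi-computer problem comes from how GnuPG handles card keys: the private key never leaves the Nitrokey, and a machine only gets stub entries pointing at the card's serial number once it has the matching public key and has seen the card. The script below, an added example that is not from the original post or from Nitrokey, binds a card on a second computer: import the public key exported from the first machine, let `gpg --card-status` write the stubs, then check that every secret subkey now points at this card's serial. The key IDs, serial number and file names in it are made up.

```shell
#!/bin/sh
# Added example (not from the post): make a Nitrokey/OpenPGP card usable on a
# second computer. GnuPG never copies the private key off the card; it keeps
# stubs that point at the card's serial number, and those only become visible
# on a machine that already holds the matching public key.
set -eu

# Print the card's serial number from `gpg --card-status --with-colons` (stdin).
card_serial() {
    awk -F: '$1 == "serial" { print $2; exit }'
}

# Print the key fingerprints stored on the card (signature, encryption,
# authentication; empty slots skipped), one per line, from the same output.
card_fprs() {
    awk -F: '$1 == "fpr" { for (i = 2; i <= 4; i++) if ($i != "") print $i; exit }'
}

# From `gpg --list-secret-keys --with-colons` (stdin), print "<keyid> <where>"
# per secret key or subkey: field 15 holds the card serial for a key that lives
# on a card, "#" for a stub whose card is unknown, and is empty for a private
# key stored on disk (printed here as "local").
secret_key_locations() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        loc = $15
        if (loc == "") loc = "local"
        print $5, loc
    }'
}

# Bind the inserted card on this machine. The public key was exported on the
# first computer with `gpg --armor --export KEYID > pubkey.asc` (alternatively,
# if the card's URL field points at it, `fetch` inside `gpg --card-edit`).
bind_card() {
    pubkey="$1"
    gpg --import "$pubkey"
    status=$(gpg --card-status --with-colons)
    serial=$(printf '%s\n' "$status" | card_serial)
    echo "card serial: $serial"
    echo "card key fingerprints:"
    printf '%s\n' "$status" | card_fprs
    # Now that the public key is known, --card-status creates the stubs.
    gpg --card-status >/dev/null
    gpg --list-secret-keys --with-colons | secret_key_locations |
    while read -r keyid loc; do
        case "$loc" in
            "$serial") echo "ok   $keyid is on this card" ;;
            "#")       echo "WARN $keyid is a stub for a key on some other card" ;;
            local)     echo "note $keyid private key is on disk, not on a card" ;;
            *)         echo "WARN $keyid points at card $loc, not $serial" ;;
        esac
    done
}

case "${1-}" in
    bind) bind_card "${2:?usage: $0 bind pubkey.asc}" ;;
esac
```

Run it as `sh bind-card.sh bind pubkey.asc` with the Nitrokey plugged in. A "WARN" line means the secret key listing still points somewhere else, usually because the public key that was imported is not the one whose subkeys are on this card.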
If you were able to get the Nitrokey working with GPG, then using it for email encryption only takes a few more steps. Assuming you are going to use Thunderbird, you just need to install the Enigmail extension. Enigmail drives the same GnuPG installation, so once the plugin is installed you can encrypt and decrypt mail the same way you encrypt and decrypt anything else with your Nitrokey, with the card doing the private key operations. Email encryption is one of the easier functions of the Nitrokey to set up.
Setting up VeraCrypt with the Nitrokey was a simple challenge for me. I ended up overlooking part of the setup process, only to realize where I was going wrong. All you really need to do is install the PKCS#11 library that lets VeraCrypt talk to the Nitrokey and point VeraCrypt at it. Once you do that, you can add a keyfile stored on the Nitrokey to your encrypted volumes as an extra layer of security, so that opening a volume needs both the password and the card.
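The same setup from the VeraCrypt command line, as an added example that is not from the post or from VeraCrypt: OpenSC's PKCS#11 module is the library VeraCrypt loads to reach the Nitrokey, and a keyfile on the token is referenced as token://slot/N/file/NAME, VeraCrypt's own keyfile syntax. The library paths, slot number and keyfile name are assumptions; run the inspect step first to see what your card actually exposes. One caveat worth keeping in mind: the keyfile is a data object that VeraCrypt reads off the card after the PIN prompt, so it protects the volume only as long as the card and its PIN do, and without an offline copy of that keyfile a lost card means a lost volume.

```shell
#!/bin/sh
# Added example (not from the post or from VeraCrypt): mount a VeraCrypt volume
# whose keyfile lives on the Nitrokey, using OpenSC's PKCS#11 module.
# Library paths, slot number and keyfile name are assumptions.
set -eu

# Print the first OpenSC PKCS#11 module found in the usual places (assumed
# locations; they differ by distribution). This is the library path the GUI
# asks for under Settings > Security Tokens.
find_pkcs11_lib() {
    for lib in \
        /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
        /usr/lib64/opensc-pkcs11.so \
        /usr/lib/opensc-pkcs11.so \
        /usr/local/lib/opensc-pkcs11.so; do
        if [ -e "$lib" ]; then printf '%s\n' "$lib"; return 0; fi
    done
    echo "no PKCS#11 library found; install opensc" >&2
    return 1
}

# Build the reference VeraCrypt uses for a keyfile stored on a token:
# token://slot/<slot number>/file/<data object label>.
token_keyfile_url() {
    printf 'token://slot/%s/file/%s\n' "$1" "$2"
}

# List the slots and (after the PIN) the data objects on the card, so the slot
# number and keyfile label passed to mount_with_token are read, not guessed.
inspect_token() {
    lib=$(find_pkcs11_lib)
    pkcs11-tool --module "$lib" --list-slots
    pkcs11-tool --module "$lib" --login --list-objects --type data
}

# Mount the container. VeraCrypt prompts for the volume password and the
# token PIN, then reads the keyfile bytes off the card; keep an offline copy
# of that keyfile, or a lost or bricked card means a lost volume.
mount_with_token() {
    container="$1" mountpoint="$2" slot="${3:-0}" name="${4:-veracrypt.key}"
    lib=$(find_pkcs11_lib)
    veracrypt --text \
        --token-lib="$lib" \
        --keyfiles="$(token_keyfile_url "$slot" "$name")" \
        --mount "$container" "$mountpoint"
}

case "${1-}" in
    inspect) inspect_token ;;
    mount)   mount_with_token "$2" "$3" "${4:-0}" "${5:-veracrypt.key}" ;;
esac
```

Usage: `sh vc-token.sh inspect` to find the slot and the keyfile's label, then `sh vc-token.sh mount ~/vault.hc /mnt/vault 0 veracrypt.key`.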
This is the one function of the Nitrokey that I struggled to set up. I've set up KeePass with OTP before, although I never ended up using it. If anyone knows how to set up KeePass with the Nitrokey, please comment or send me a message, as I would love to set this up; it is one of the most important features of the Nitrokey.
In the end
I definitely am a fan of the Nitrokey Pro, after getting through the challenging learning curve at least. Nitrokey has a pretty long list of features; there are more than what I mentioned in this post. The features listed in this post are the ones I have tried and successfully set up. I'm going to give the other features a go when I get access to my other machine, but I wanted to get this post out as I have had the Nitrokey for a while now (I'm stuck on a Windows ultrabook currently). If you are not afraid of a fairly advanced but feature-rich (and open source) USB key, then give Nitrokey a go. Even if you are not the most advanced user, with a bit of problem solving it's easy enough to set everything up; it's just a bit harder. Overall I'm a fan of the Nitrokey Pro: it's well designed (there are a few things I would like to see, though) and has lots of features. Be sure to check the website in the future, as I will be creating tutorials for the Nitrokey Pro (feel free to ask questions if you have any).
Whiteout.io is a German email service that provides software for communicating securely with anyone. Whiteout comes in the form of a Chrome plugin, a web client, and mobile apps (iOS & Android). There is also a private beta email service that they offer. Whiteout lets you use any email address with their service; all you have to do is log in like with any other client. It took me less than a minute to log in and shoot off a test email. Whiteout's goal is to provide a secure and easy to use service that runs on multiple devices. I found that Whiteout did a great job of doing so; I know that my messages are secure because of end to end encryption, but at the same time I do not have to deal with the hassle of installing plugins or anything of the like. It's just log in and go, no problems to deal with. Take note that this is still the beta test, so not everything is perfect. The private beta email service is quite nice; it is very similar to the regular client and seems to offer the same features. I know that PGP is one of the most secure methods of communication today, but it is also well known for being a pain to use. With Whiteout, all the pain of using PGP is gone, and it's just as easy to use as Gmail or other email services. Whiteout could easily be used by everyone, as it removes the hassle of PGP without the loss of security. The developers behind it were kind enough to give me some beta keys to the private beta email service. If you would like one, just enter your email in the subscribe box and comment on this post, and I'll send you a key.
ProtonMail is a free email service that offers end to end encryption and is currently in an invitation-only beta. ProtonMail is based in Switzerland, which means it is protected by Swiss data protection law. Because it uses end to end encryption, your messages are encrypted in your browser before they are sent to the servers, so if ProtonMail were forced to hand over any information to a third party, all it could hand over is ciphertext (message headers such as sender, recipient and subject are not end to end encrypted, though). When using ProtonMail your activity is not logged and they do not ask for any personal information. If you want to help fund them, you can pay in Bitcoin, which avoids linking the account to a card or bank account. The platform is quite easy to use; currently you can only log in with your web browser. This is not a bad thing, as their web client is not bad and is quite easy to use. And if you need to write to someone who isn't using ProtonMail, you can still communicate securely: send them an email like normal and they decrypt it with a password that you share with them over another channel.
I have not used ProtonMail a lot, as what I do doesn't require secure communications. Also, the people I communicate with the majority of the time don't use PGP encryption, and I bet most of them don't know what it is. The biggest downfall of PGP encryption is that almost no one uses it except people who go out of their way to do so. ProtonMail eliminates the problems many people have with PGP; all the complicated work is done behind the scenes. Using it is like using Gmail or another free email service. I hope that when the beta ends and it opens to the public, a lot of people will use it. In the past, services that offer great security have often been overlooked because they aren't worth the effort to use. With ProtonMail, this problem no longer exists. For a preview of the ProtonMail web client, see this screenshot.
gpg4usb is a small, easy to use, fully portable encryption tool. Most of the software surrounding PGP has a steep learning curve or requires knowledge of commands; gpg4usb doesn't. It is my favorite public key encryption tool, as it strikes a balance between functionality and ease of use. In the past I have had trouble with gpg4win, another PGP toolkit that offers a more integrated solution. Don't get me wrong, gpg4win is a great tool, but gpg4usb is easier to use, though it doesn't have the integration that gpg4win has, which is mainly plugins for email clients. My favorite part of gpg4usb is the ability to easily encrypt and decrypt text or files.
The process is very simple: type your text, then select the key(s) of the people you are sending the message to. You will be prompted for your passphrase and you'll be done. The result looks like step 4.
Simply paste the text into gpg4usb, select your key and click Decrypt.
A word of advice when using GPG/PGP: make backups of your keys and don't forget your passphrase. There is no recovery feature for keys; if you lose the key or forget the passphrase, you are out of luck, and the best you can do is to have generated a revocation certificate in advance so the lost key can at least be marked as unusable. If there is a way to recover your keys let me know; I have lost a few but never really used them for anything.
Yubikey is a hardware security token that offers two factor authentication. The different models are the Yubikey Standard, Nano, NEO and VIP. There are also Yubikeys bundled with third-party services, such as Yubikey + LastPass and Yubikey + Password Safe. The Yubikey Standard is the basic Yubikey, similar in size to a USB drive. The Yubikey Nano is the same on the software end as the Standard, but it has been designed to be left inside a USB port for long term use. The Yubikey NEO has the standard USB interface plus the ability to connect to NFC enabled mobile phones (Android). It allows you to securely and easily use two factor authentication on any device that has a USB port or NFC.
Yubikeys are a very useful tool if you want an easy to use but secure two factor authentication device. I own a Yubikey Nano and use it with LastPass to add an extra layer of security. It fits perfectly into my laptop's USB port; it's so small that sometimes when I take it out I worry about losing it. If you are using a laptop and don't have a lot of USB ports, it may be a good choice to trade the small form factor for the bigger size, so that when you remove it you won't lose it as easily. I haven't been able to try other hardware tokens, but the Yubikey is wallet friendly and fairly easy to use. Now if only my computer had more USB ports, so I didn't have to worry about losing it when I take it out.