Nitrokey Pro & Nitrokey HSM
The company I work for has donated a Nitrokey HSM and a Nitrokey Pro (v1) to play with. I intend to get as many things working with them as I can, and document them in the process.
Please note that:
- Both are tamper-resistant.
- The Nitrokey Pro has specific OTP and PGP support, the Nitrokey HSM does not.
- The Nitrokey HSM has PKI/CA management features, the Nitrokey Pro does not.
- The Nitrokey HSM has no support for RSA higher than 2048 bits, the Pro does (up to 4096).
- The Nitrokey HSM has no support for EC higher than 320 bits, the Pro does (up to 512).
- The Nitrokey HSM is significantly faster than the Pro in signing/verification operations.
- The Nitrokey HSM has almost 10 times more memory for storing key-pairs than the Pro.
I currently have the first iteration of the Nitrokey Pro line. There is currently a new version out. Apart from supporting larger keys and possibly more types, it's still built the same way. All examples should still be valid.
I work with Ubuntu 18.04 LTS. Most software is similar, though installation instructions might be different. That's left as an exercise to the reader.
Playing with the devices:
- Nitrokey HSM:
  - Setting up the device for the first time.
  - Creating and deleting key-pairs.
  - Using them with OpenSSH.
  - Using them for DNSSEC-signing in PowerDNS.
- Nitrokey Pro