Hero Image


Nitrokey Pro & Nitrokey HSM

The company I work for has donated a Nitrokey HSM and a Nitrokey Pro (v1) to play with. I intend to make as many things working with them as I can, and document them in the process.

Please note that:

  • Both are tamper-resistant.
  • The Nitrokey Pro has specific OTP and PGP support, the Nitrokey HSM does not.
  • The Nitrokey HSM has PKI/CA management features, the Nitrokey Pro does not.
  • The Nitrokey HSM has no support for RSA higher than 2048-bits, the Pro does (up to 4096).
  • The Nitrokey HSM has no support for EC higher than 320-bits, the Pro does (up to 512).
  • The Nitrokey HSM is significantly faster than the Pro in signing/verification operations.
  • The Nitrokey HSM has almost 10 times more memory for storing key-pairs than the Pro.

I currently have the first iteration of the Nitrokey Pro line. There is currently a new version out. Apart from supporting higher keys and possibly more types, it's still built the same way. All examples should still be valid.

I work with Ubuntu 18.04 LTS, most software is similar, though installation instructions might be different. That's left as an exercise to the reader.

Playing with the devices:

  • Nitrokey HSM:
    • Setting up the device for the first time.
    • Creating and deleting key-pairs.
    • Using them with OpenSSH.
    • Using them for DNSSEC-signing in PowerDNS.
  • Nitrokey Pro