As security risks on the Internet keep growing, a single layer of protection is no longer enough, so people turn to multi-layer security to defeat the increasingly sophisticated attacks against their digital assets and online privacy. The financial industry and other enterprise environments often adopt an advanced, hardware-based defense: a physical security key (also known as a "security token" or "hardware token") that acts as a tamper-resistant protective layer for secret software keys or login credentials. Hardware-based security is useful in many settings, such as two-factor authentication, VPN access and secure password storage.
If you are the DIY type, you may be tempted to turn an ordinary USB thumb drive into your own USB-based security key. However, commodity USB drives are inherently exposed to viruses and malware that target the reprogrammable firmware of the drive's controller. I personally would not entrust my private keys to a $5 thumb drive.
Recently I came across a USB-based security key device called Nitrokey (previously known as "Crypto Stick"). Nitrokey is not as cheap as a USB storage stick, but its price of between $20 and $50 is reasonable, and considering its wide range of integrated security features I do not think it is overpriced. In this article I discuss the Nitrokey Pro hardware specifically and walk through some practical use cases.
What is Nitrokey Pro?
In short, Nitrokey Pro is a PIN-protected, tamper-resistant key storage device with a USB interface. It uses an embedded smart card to implement a number of open security standards, including OpenPGP, S/MIME, HOTP (HMAC-based one-time password) and TOTP (time-based one-time password). Once you store a secret key on the Nitrokey Pro, signing, encryption, decryption and verification are performed on the hardware itself, so the secret key never leaves the smart card for the computer it is plugged into. This lets you carry out sensitive tasks even on an untrusted third-party computer that may be riddled with malware. One caveat: such a host can still capture the PIN you type and ask the plugged-in card to sign or decrypt on your behalf; what it cannot do is copy the key. The OATH one-time passwords generated by Nitrokey Pro are compatible with Gmail, Dropbox, AWS and many other websites. Nitrokey Pro also has a built-in secure password store: if you do not trust any software password manager, you can keep hard-to-remember login credentials on the tamper-resistant hardware instead.
Beyond all these features, what I like most about Nitrokey is its openness. As they put it, "proprietary security" is no security, which motivated the Nitrokey team to open both the hardware and the software of their products to the open-source community so that they can be audited and reviewed for security vulnerabilities. You can find the complete open PCB hardware design, firmware and software source code for the whole Nitrokey smart card product line in their official GitHub repository (https://github.com/Nitrokey).
The following describes how to set up Nitrokey Pro on a Linux computer and how to use it in several practical scenarios.
Install Nitrokey Pro on Linux
To set up Nitrokey Pro on Linux, first plug it into a USB port on your computer. If you are running a recent Linux distribution, it should recognize the device without any extra driver. Use the lsusb command to confirm that the Nitrokey Pro is visible on your system; the device shows up as "Clay Logic" in the output.
$ lsusb
Once you have confirmed that the USB device is recognized, create a udev rule for the Nitrokey Pro USB device and restart the udev service as shown below. Since udev rules are processed with root privileges, have a look at the downloaded rules file before copying it into /etc/udev/rules.d.
$ wget https://www.nitrokey.com/sites/default/files/40-nitrokey.rules
$ sudo cp 40-nitrokey.rules /etc/udev/rules.d/
$ sudo service udev restart
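udev rules can do more than grant permissions: keys such as RUN+= and PROGRAM= execute commands as root whenever a matching device appears, so a rules file fetched from the web is worth a quick check before installation. Below is an added example (not code from the original article or from Nitrokey) that rejects command-execution keys and rules matching a vendor other than the expected one, and warns about world-accessible device nodes. The expected vendor ID 20a0, the product ID 4108 and both sample rule sets are assumptions constructed for this example; they are not the contents of the real 40-nitrokey.rules.

```python
import re

# Added example, not code from the original article or from Nitrokey.
# Checks a udev rules file before it goes into /etc/udev/rules.d.
# Vendor ID 20a0 below is an assumption for this example.

# Keys that make udev execute a program or import from one.
EXEC_KEY = re.compile(r'(?i)(?:^|[,\s])(RUN|PROGRAM|IMPORT\{(?:program|file|cmdline)\})\s*[+:]?=')
# ATTR{idVendor}=="xxxx" / ATTRS{idVendor}=="xxxx" matches.
VENDOR = re.compile(r'(?i)ATTRS?\{idVendor\}\s*==\s*"([0-9A-Fa-f]+)"')
# A world-accessible device node.
WORLD_MODE = re.compile(r'MODE\s*[:=]?=\s*"0?666"')


def check_udev_rules(text: str, expected_vendor: str = "20a0"):
    """Return (errors, warnings) for a udev rules file given as text.
    An empty error list means the file only grants access to the expected
    device and never executes anything."""
    errors, warnings = [], []
    matched_vendor = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if EXEC_KEY.search(line):
            errors.append(f"line {lineno}: executes a command: {line}")
        for m in VENDOR.finditer(line):
            if m.group(1).lower() == expected_vendor.lower():
                matched_vendor = True
            else:
                errors.append(f"line {lineno}: matches vendor {m.group(1)}, not {expected_vendor}")
        if WORLD_MODE.search(line):
            warnings.append(f"line {lineno}: MODE 0666 lets every local user talk to the device")
    if not matched_vendor:
        errors.append(f"no rule matches idVendor {expected_vendor}")
    return errors, warnings


def check_udev_rules_file(path: str, expected_vendor: str = "20a0"):
    """Same check for a file on disk, e.g. the freshly downloaded rules."""
    with open(path, encoding="utf-8") as f:
        return check_udev_rules(f.read(), expected_vendor)


# Constructed sample in the style of a device rules file: grants console
# users and the plugdev group access, nothing else.
GOOD_RULES = """\
# Allow non-root users to access the token
SUBSYSTEM!="usb", GOTO="token_end"
ACTION!="add", GOTO="token_end"
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", MODE="0660", GROUP="plugdev", TAG+="uaccess"
LABEL="token_end"
"""

# Constructed hostile variant: runs a program when the token is plugged in
# and also opens up every device of an unrelated vendor.
BAD_RULES = """\
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", MODE="0666", RUN+="/tmp/not-a-driver"
ATTRS{idVendor}=="1234", MODE="0666"
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        errors, warnings = check_udev_rules(text)
        print(f"{name}: {len(errors)} error(s), {len(warnings)} warning(s)")
        for msg in errors + warnings:
            print("  ", msg)
```

Run `check_udev_rules_file("40-nitrokey.rules")` on the downloaded file; anything in the error list is a reason not to copy it into /etc/udev/rules.d. MODE 0666 is only a warning because some distributions deliberately use it for tokens, but a group-based MODE with TAG+="uaccess" is the tighter choice.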
Next, download and install the Nitrokey App (https://www.nitrokey.com/download). You need this dedicated GUI application if you want to use Nitrokey Pro to generate one-time passwords or as a password manager. For most other uses, however, the Nitrokey USB key works without the Nitrokey App. As with any package installed by hand, verify the downloaded package's checksum or signature against the download page before installing it.
To install the Nitrokey App on a Linux desktop:
On Debian-based systems:
$ sudo apt-get install gdebi-core
$ sudo gdebi nitrokey-XXXXXX.deb
On Red Hat-based systems:
$ sudo rpm -ivh nitrokey-XXXXXX.rpm
After the Nitrokey App is installed, start it as follows.
$ nitrokey-app
If the application detects the Nitrokey USB device, the desktop notification "Nitrokey connected" appears.
The Nitrokey Pro smart card is protected by two PINs: the user PIN (default: 123456) and the administrator PIN (default: 12345678). Be careful when entering them. If the user PIN is entered incorrectly three times in a row, the card blocks it and you cannot use the card until the user PIN is reset with the administrator PIN. If the administrator PIN is entered incorrectly three times in a row, the smart card is permanently locked and cannot be recovered. Should the smart card fall into the wrong hands, this strict PIN-based hardware protection is essential.
Once the Nitrokey Pro is accessible on your system, the first thing to do is change the default user PIN and administrator PIN. To do so, right-click the Nitrokey icon in the desktop panel and go to the "Configure" menu, where you can change both the user PIN and the administrator PIN.
Note: you can also manage the PINs with the gpg command, which I cover below.