Nitrokey

Revision as of 20:27, 27 March 2026 by Lilly (refactor article with current NixOS options and adding details about KeePass usage)

This article describes how you can use your Nitrokey with NixOS.

There are multiple variants of Nitrokeys, with the newest being the "Nitrokey 3". Different products support different security operations, such as FIDO2, one-time passwords, and S/MIME and OpenPGP key handling [1].

Installation

Nitrokey devices operate via USB (a standard port and protocol), but to use them in a meaningful way, udev rules need to be added to the system so that the USB device is available to regular users.

Shell


Depending on your Nitrokey device, there are different CLI applications to interact with it.

Nitrokey 3

For the Nitrokey 3, you can use the pynitrokey package with its included nitropy program.

Note that you still need superuser rights if the nitrokey-udev-rules are not set up on your system.

nix shell nixpkgs#pynitrokey
sudo nitropy

System Setup

To make Nitrokey devices usable by regular users, enable the appropriate hardware option. This will set up correct udev rules.

hardware.nitrokey.enable = true;
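
To confirm that the udev rules took effect, the following check (an added example, not part of the original article or of the Nitrokey tooling) reports whether each Nitrokey HID node is readable and writable by the current user. It assumes Nitrokey devices use USB vendor ID 20a0 and that the kernel exposes the `HID_ID` line in `/sys/class/hidraw/hidrawN/device/uevent`; the function name `check_nitrokey_access` is hypothetical.

```shell
#!/bin/sh
# Added example: report whether Nitrokey HID nodes are usable without root.
# Assumptions: Nitrokey devices use USB vendor ID 20a0, and each HID device
# has a line "HID_ID=BUS:VENDOR:PRODUCT" (zero-padded hex) in
# /sys/class/hidraw/hidrawN/device/uevent.

NITROKEY_VENDOR="000020A0"

# check_nitrokey_access [SYSFS_HIDRAW_DIR] [DEV_DIR]
# Prints one line per Nitrokey hidraw node.
# Returns 0 if every node is read/write for the current user,
#         1 if at least one node is not accessible,
#         2 if no Nitrokey hidraw device was found.
check_nitrokey_access() {
    sys_dir="${1:-/sys/class/hidraw}"
    dev_dir="${2:-/dev}"
    found=0
    denied=0
    for entry in "$sys_dir"/hidraw*; do
        uevent="$entry/device/uevent"
        [ -r "$uevent" ] || continue
        # The vendor ID is the second colon-separated field of HID_ID.
        vendor=$(sed -n 's/^HID_ID=[^:]*:\([^:]*\):.*/\1/p' "$uevent" | tr 'a-f' 'A-F')
        [ "$vendor" = "$NITROKEY_VENDOR" ] || continue
        found=$((found + 1))
        node="$dev_dir/${entry##*/}"
        # -r/-w honour the ACLs that udev grants to the logged-in user.
        if [ -r "$node" ] && [ -w "$node" ]; then
            echo "ok      $node"
        else
            echo "denied  $node (udev rules missing or not yet applied)"
            denied=$((denied + 1))
        fi
    done
    [ "$found" -gt 0 ] || { echo "no Nitrokey hidraw device found"; return 2; }
    [ "$denied" -eq 0 ]
}
```

Run `check_nitrokey_access` with no arguments as a regular user after rebuilding the system and re-plugging the device; a `denied` line means nitropy would still need sudo.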

Tips and Tricks

GPG Support

programs = {
  ssh.startAgent = false;
  gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };
};

KeePassXC

KeePassXC supports securing a password database with Nitrokey hardware tokens. The official Nitrokey documentation has details on how a Nitrokey device must be set up to work with KeePassXC.

However, some NixOS options should be set to make it work:

services.pcscd.enable = true;
environment.systemPackages = [ pkgs.nitrokey-app2 ];

References