Manage Nitrokey with privacyIDEA

Maximum Transparancy – Maximum Trust


Look at my Nitrokeys. The pre-release of the Nitrokey Pro, the Nitrokey Storage and Nitrokey HSM. The Nitrokey is a crypto device, which you can use to store your PGP Keys or just RSA keys and thus sign and decrypt data. It comes with a password safe and the ability to generate one time passwords. It is open hardware and all necessary software is open source. Thus it is a great device to be combined with the open source authentication system privacyIDEA.

Nitrokey managed by privacyIDEA

You can manage your keys locally on your desktop with the Nitrokey-App. You can reset the user PIN and the administrator PIN (SO PIN). And you can manage the passwords in your password safe.


But you can not use the OTP functionality as you need a backend or an application to authenticate against. The idea to manage the Nitrokey with privacyIDEA was around for a while. Issues have been filed to the privacyIDEA github project and the privacyIDEA command line client. Managing the OTPs of the Nitrokey seemed to be a logical first step.

Just yesterday I pushed the code to the github repository of the privacyIDEA command line client. The good news is, that there are no changes in the privacyIDEA backend necessary. The Nitrokey acts as an HOTP or TOTP token – both token types are already supported by privacyIDEA. The command line client takes care of initializing the Nitrokey and creates the token object in the privacyIDEA backend.

privacyIDEA and hardware tokens

privacyIDEA already supports several hardware tokens, which can be seeded: like the Yubikey, U2F devices, eToken NG or daplug token. Most of these tokens (except U2F) are initialized via the command line client. The great thing with the command line client is, that the tokens like the Yubikeys can be mass enrolled. This way the administrator can initialize hundrets of tokens in a few minutes and initialize these with new key material – being independent of the vendor.

With the Nitrokey you can do this, too. But you also get a bonus. You are indepent with your key material of any vendor and you get a hardware, that is open, where you can simply run your audits on it.

Enroll a Nitrokey HOTP token

To be able to enroll the Nitrokey you need to get and install the Nitrokey-App and libnitrokey. The privacyIDEA admin client uses libnitrokey to initialize the OTP slot. The Nitrokey support in the privacyIDEA admin client is totally new. It is not contained in the packages of the privacyIDEA admin client, yet. So you also need to get the github repository and install the privacyIDEA admin client via

  python install

Now you can enroll Nitrokeys:

  privacyidea -U https://localhost – admin super – nosslcheck token nitrokey_mass_enroll – slotname meiner0 – slot 0

The new command option nitrokey_mass_enroll will start the mass enrollment process for Nitrokeys. This will only work if all Nitrokeys have the same admin PIN. At the moment the admin PIN is requested during startup and not for each enrolled Nitrokey.

You can specify which slot should be written. There are 3 HOTP slots, so this value can be 0 – 2. You can also set a slotname for this slot.

The admin client will ask you for the next Nitrokey to be inserted. This way you can initialize OTP slots of many Nitrokeys and then give these keys to your users.

The great thing is, the admin client will read the serial number of each Nitrokey during the rollout process. It then create an HOTP token object in the privacyIDEA backend with the token serial NK<serial>_<slotnumber>. This way you can easily identify devices.

Maximum trust

privacyIDEA once more improves the level of trust by supporting the open hardware Nitrokey. Get transparent software and transparent hardware to boost trust to the max.


Leave a comment