From ArchWiki

Nitrokey is an open-source USB key series used to enable the secure encryption and signing of data. The secret keys are always stored inside the Nitrokey which protects against malware (such as computer viruses) and attackers. A user-chosen PIN and a tamper-proof smart card protect the Nitrokey in case of loss and theft. The hardware and software of Nitrokey are open-source. The free software and open hardware enables independent parties to verify the security of the device. Nitrokey is supported on Microsoft Windows, macOS, Linux, and BSD. Nitrokey is developed and produced in Germany.


Packages designed to help configure Nitrokey products are nitrocli, nitrokey-app and python-pynitrokey. As of 2023, only the last one supports the Nitrokey 3.

For hardware encryption devices in general, it is important to have gnupg installed. Secure login to a shell and various websites are also supported by the Nitrokey 3 and Nitrokey FIDO2. For this to work, libfido2 is required, see Universal 2nd Factor.


Device nodes for a Nitrokey will be created by the udev rules which are part of the libnitrokey package. For use by GnuPG, the newly created /dev/bus/usb/*/* device (as determined by lsusb) must be accessible by an unprivileged user. For WebAuthn, the /dev/hidraw* device must also be. If they are only accessible by root, you can change the default by adding MODE="0666" to the appropriate lines in 41-nitrokey.rules. Instead of 41, one might need to symlink to a higher number if 50-udev-default.rules interferes.

Nitrokeys are empty when they first arrive. The official instructions explain how to create a new secret key and transfer it to the device. Backing up the key must be done before the transfer but only do this if you have a secure place to store the backup. The official site also has instructions for how to interface with sudo and such using pam-u2f.

See also