Delete This Post

This action will delete this post on this instance and on all federated instances, and it cannot be undone. Are you certain you want to delete this post?

No
Yes
Block This Actor

This action will block this actor and hide all of their past and future posts. Are you certain you want to block this actor?

No
Yes
Block This Object

This action will block this object. Are you certain you want to block this object?

No
Yes

Contributors to this thread:

JayVii postedJun 4, 2025

Does anyone have experience with either #Yubikey, #Nitrokey or any other hardware security token for both #MFA/#2FA as well as #encryption via #PGP/#GPG or #SMIME?

In particular, I am looking at the Nitrokey 3A NFC. As far as I can tell, Yubico only sells #MFA tokens(?), unless the YubiKey 5 FIPS Series can hold encryption keys as well?

Both price and open hardware aspect definitely speak for Nitrokey, but I do not know anyone who owns such a token... Anyone who I can talk to?

Forst postedJun 4, 2025

@jayvii Yubikey 5 series can store, among others, PGP and PIV keys, which you can use for signing and encrypting e-mails.

JayVii postedJun 4, 2025

@forst good to know, thanks! Do you own one yourself? If so, do you use any of those features besides MFA?

Forst postedJun 4, 2025

@jayvii Yep, I have Yubikey 5C, I use both PGP and PIV.

pink postedJun 5, 2025

@jayvii
I have a Yubikey 5 and use it with GPG and SSH.
Maybe @nitrokey can tell You more about its functionality.
@forst

caleb postedJun 5, 2025

@jayvii asked the same question recently and got mixed responses. Personally im going with yubikey (my first order never made it and got returned i need to reorder)

social.treehouse.systems/@cas/

JayVii postedJun 5, 2025

@cas interesting answeres there. Thanks for the thread! What made you choose yubikey in the end?

Tim Stoop :kubernetes: postedJun 5, 2025

@jayvii
We've been using Nitrokey Pro for years now, for both pgp and gpg. It's a very old one, and it can only store a limited number of totp tokens. I tend to use it in combination with passwordstore and the otp plugin, using the Nitrokey just for encryption of that data, which makes it mfa imo. Don't know about the newer hardware, but this has been working fine for years. Let me know if you have more questions.

JayVii postedJun 5, 2025

@timstoop I have never owned a hardware token before. So far I have only used software solutions for both MFA and used pgp/gpg directly stored on my devices.

How would you rate the setup experience for the sticks? Can you go over to any trusted device and easily use your keys and MFA directly or is there some involved setup process for each device you want to use this with?

Tim Stoop :kubernetes: postedJun 5, 2025

@jayvii
Basically, the old Nitrokey Pro I use (pointing it out specifically as things may have changed in newer hw) only really does pgp/gnupg, but you can easily set up the gpg agent to act as a ssh agent. Once set up (via some commands you run inside a gnupg shell) it basically just works. If you don't have it plugged in, it'll give you a pop-up, otherwise it'll ask for your pin. Setup is basically running a few commands from the docs (docs.nitrokey.com/nitrokeys/pr). Had no issues with it.