{ "@context":"https://www.w3.org/ns/activitystreams", "type":"Collection", "id":"https://social.jayvii.de/objects/qoB3f15kCXA/thread", "items":[ { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2025-06-04T15:48:09.502Z", "attributedTo":"https://social.jayvii.de/actors/jayvii", "replies":"https://social.jayvii.de/objects/qoB3f15kCXA/replies", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://social.jayvii.de/actors/jayvii/followers"], "content":"
Does anyone have experience with either #Yubikey, #Nitrokey or any other hardware security token for both #MFA/#2FA as well as #encryption via #PGP/#GPG or #SMIME?
In particular, I am looking at the Nitrokey 3A NFC. As far as I can tell, Yubico only sells #MFA tokens(?), unless the YubiKey 5 FIPS Series can hold encryption keys as well?
Both price and the open hardware aspect definitely speak for Nitrokey, but I do not know anyone who owns such a token... Anyone I can talk to?
", "contentMap":{ "en":"Does anyone have experience with either #Yubikey, #Nitrokey or any other hardware security token for both #MFA/#2FA as well as #encryption via #PGP/#GPG or #SMIME?
In particular, I am looking at the Nitrokey 3A NFC. As far as I can tell, Yubico only sells #MFA tokens(?), unless the YubiKey 5 FIPS Series can hold encryption keys as well?
Both price and the open hardware aspect definitely speak for Nitrokey, but I do not know anyone who owns such a token... Anyone I can talk to?
" }, "mediaType":"text/html", "attachment":[], "tag":[ {"type":"Hashtag","name":"#Yubikey","href":"https://social.jayvii.de/tags/Yubikey"}, {"type":"Hashtag","name":"#Nitrokey","href":"https://social.jayvii.de/tags/Nitrokey"}, {"type":"Hashtag","name":"#MFA","href":"https://social.jayvii.de/tags/MFA"}, {"type":"Hashtag","name":"#2FA","href":"https://social.jayvii.de/tags/2FA"}, {"type":"Hashtag","name":"#encryption","href":"https://social.jayvii.de/tags/encryption"}, {"type":"Hashtag","name":"#PGP","href":"https://social.jayvii.de/tags/PGP"}, {"type":"Hashtag","name":"#GPG","href":"https://social.jayvii.de/tags/GPG"}, {"type":"Hashtag","name":"#SMIME","href":"https://social.jayvii.de/tags/SMIME"}, {"type":"Hashtag","name":"#MFA","href":"https://social.jayvii.de/tags/MFA"} ], "type":"Note", "id":"https://social.jayvii.de/objects/qoB3f15kCXA" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2025-06-04T16:27:40.000Z", "attributedTo":"https://mastodon.social/users/forst", "inReplyTo":"https://social.jayvii.de/objects/qoB3f15kCXA", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://mastodon.social/users/forst/followers","https://social.jayvii.de/actors/jayvii"], "content":"@jayvii Yubikey 5 series can store, among others, PGP and PIV keys, which you can use for signing and encrypting e-mails.
", "contentMap":{ "en":"@jayvii Yubikey 5 series can store, among others, PGP and PIV keys, which you can use for signing and encrypting e-mails.
" }, "attachment":[], "tag":[ {"type":"Mention","name":"@jayvii@social.jayvii.de","href":"https://social.jayvii.de/actors/jayvii"} ], "url":["https://mastodon.social/@forst/114626033096471435"], "type":"Note", "id":"https://mastodon.social/users/forst/statuses/114626033096471435" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2025-06-04T18:37:00.723Z", "attributedTo":"https://social.jayvii.de/actors/jayvii", "inReplyTo":"https://mastodon.social/users/forst/statuses/114626033096471435", "replies":"https://social.jayvii.de/objects/D90icT-6kDY/replies", "to":["https://www.w3.org/ns/activitystreams#Public","https://mastodon.social/users/forst"], "cc":["https://social.jayvii.de/actors/jayvii/followers"], "content":"@forst good to know, thanks! Do you own one yourself? If so, do you use any of those features besides MFA?
", "contentMap":{ "en":"@forst good to know, thanks! Do you own one yourself? If so, do you use any of those features besides MFA?
" }, "mediaType":"text/html", "attachment":[], "tag":[ {"type":"Mention","name":"@forst@mastodon.social","href":"https://mastodon.social/users/forst"} ], "type":"Note", "id":"https://social.jayvii.de/objects/D90icT-6kDY" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2025-06-04T18:37:57.000Z", "attributedTo":"https://mastodon.social/users/forst", "inReplyTo":"https://social.jayvii.de/objects/D90icT-6kDY", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://mastodon.social/users/forst/followers","https://social.jayvii.de/actors/jayvii"], "content":"@jayvii Yep, I have Yubikey 5C, I use both PGP and PIV.
", "contentMap":{ "en":"@jayvii Yep, I have Yubikey 5C, I use both PGP and PIV.
" }, "attachment":[], "tag":[ {"type":"Mention","name":"@jayvii@social.jayvii.de","href":"https://social.jayvii.de/actors/jayvii"} ], "url":["https://mastodon.social/@forst/114626545422186294"], "type":"Note", "id":"https://mastodon.social/users/forst/statuses/114626545422186294" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2025-06-05T09:53:46.000Z", "attributedTo":"https://norden.social/users/pink", "inReplyTo":"https://social.jayvii.de/objects/D90icT-6kDY", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://norden.social/users/pink/followers","https://social.jayvii.de/actors/jayvii","https://social.nitrokey.com/users/nitrokey","https://mastodon.social/users/forst"], "content":"@jayvii
I have a Yubikey 5 and use it with GPG and SSH.
Maybe @nitrokey can tell you more about its functionality.
@forst
@jayvii asked the same question recently and got mixed responses. Personally I'm going with yubikey (my first order never made it and got returned, I need to reorder)
https://social.treehouse.systems/@cas/114381054193693251
", "contentMap":{ "en":"@jayvii asked the same question recently and got mixed responses. Personally im going with yubikey (my first order never made it and got returned i need to reorder)
https://social.treehouse.systems/@cas/114381054193693251
" }, "attachment":[], "tag":[ {"type":"Mention","name":"@jayvii@social.jayvii.de","href":"https://social.jayvii.de/actors/jayvii"} ], "url":["https://social.treehouse.systems/@cas/114628277538438344"], "type":"Note", "id":"https://social.treehouse.systems/users/cas/statuses/114628277538438344" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2025-06-05T12:42:42.452Z", "attributedTo":"https://social.jayvii.de/actors/jayvii", "inReplyTo":"https://social.treehouse.systems/users/cas/statuses/114628277538438344", "replies":"https://social.jayvii.de/objects/ClIqFfEVhuY/replies", "to":["https://www.w3.org/ns/activitystreams#Public","https://social.treehouse.systems/users/cas"], "cc":["https://social.jayvii.de/actors/jayvii/followers"], "content":"@cas interesting answeres there. Thanks for the thread! What made you choose yubikey in the end?
", "contentMap":{ "en":"@cas interesting answeres there. Thanks for the thread! What made you choose yubikey in the end?
" }, "mediaType":"text/html", "attachment":[], "tag":[ {"type":"Mention","name":"@cas@social.treehouse.systems","href":"https://social.treehouse.systems/users/cas"} ], "type":"Note", "id":"https://social.jayvii.de/objects/ClIqFfEVhuY" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2025-06-05T05:58:33.000Z", "attributedTo":"https://fosstodon.org/users/timstoop", "inReplyTo":"https://social.jayvii.de/objects/qoB3f15kCXA", "to":["https://fosstodon.org/users/timstoop/followers"], "cc":["https://www.w3.org/ns/activitystreams#Public","https://social.jayvii.de/actors/jayvii"], "content":"@jayvii
We've been using Nitrokey Pro for years now, for both pgp and gpg. It's a very old one, and it can only store a limited number of totp tokens. I tend to use it in combination with passwordstore and the otp plugin, using the Nitrokey just for encryption of that data, which makes it mfa imo. Don't know about the newer hardware, but this has been working fine for years. Let me know if you have more questions.
@timstoop I have never owned a hardware token before. So far I have only used software solutions for both MFA and used pgp/gpg directly stored on my devices.
How would you rate the setup experience for the sticks? Can you go over to any trusted device and easily use your keys and MFA directly or is there some involved setup process for each device you want to use this with?
", "contentMap":{ "en":"@timstoop I have never owned a hardware token before. So far I have only used software solutions for both MFA and used pgp/gpg directly stored on my devices.
How would you rate the setup experience for the sticks? Can you go over to any trusted device and easily use your keys and MFA directly or is there some involved setup process for each device you want to use this with?
" }, "mediaType":"text/html", "attachment":[], "tag":[ {"type":"Mention","name":"@timstoop@fosstodon.org","href":"https://fosstodon.org/users/timstoop"} ], "type":"Note", "id":"https://social.jayvii.de/objects/W_K-l8e3y0E" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2025-06-05T16:54:38.000Z", "attributedTo":"https://fosstodon.org/users/timstoop", "inReplyTo":"https://social.jayvii.de/objects/W_K-l8e3y0E", "to":["https://fosstodon.org/users/timstoop/followers"], "cc":["https://www.w3.org/ns/activitystreams#Public","https://social.jayvii.de/actors/jayvii"], "content":"@jayvii
Basically, the old Nitrokey Pro I use (pointing it out specifically as things may have changed in newer hw) only really does pgp/gnupg, but you can easily set up the gpg agent to act as a ssh agent. Once set up (via some commands you run inside a gnupg shell) it basically just works. If you don't have it plugged in, it'll give you a pop-up, otherwise it'll ask for your pin. Setup is basically running a few commands from the docs (https://docs.nitrokey.com/nitrokeys/pro/getting-started). Had no issues with it.
@jayvii I can vouch for @nitrokey since they truly are 100% #OpenSource and have an excellent track record!
", "contentMap":{ "en":"@jayvii I can vouch for @nitrokey since they truy are 100% #OpenSource and have an excellent track record!
" }, "attachment":[], "tag":[ {"type":"Hashtag","name":"#opensource","href":"https://infosec.space/tags/opensource"}, {"type":"Mention","name":"@jayvii@social.jayvii.de","href":"https://social.jayvii.de/actors/jayvii"}, {"type":"Mention","name":"@nitrokey@nitrokey.com","href":"https://social.nitrokey.com/users/nitrokey"} ], "url":["https://infosec.space/@kkarhan/114693838829579165"], "type":"Note", "id":"https://infosec.space/users/kkarhan/statuses/114693838829579165" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2025-06-16T16:10:09.000Z", "attributedTo":"https://tacobelllabs.net/users/arrjay", "inReplyTo":"https://social.jayvii.de/objects/qoB3f15kCXA", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://tacobelllabs.net/users/arrjay/followers","https://social.jayvii.de/actors/jayvii"], "content":"@jayvii I've used a couple generations of Yubikey with GPG...
Security Key Series: Nope
FIPS Series: These Work, but if you don't know why you need one, don't bother
Bio Series: No
So that leaves us with the USD $50 something Keys
they all work with GPG. can load separate keys for encryption, authentication, signing.
anything older than yk4: can support 3072-bit RSA, but probably broken RNG
yk4: supports RSA4096
yk5: this brings in ECC support (details here: https://support.yubico.com/hc/en-us/articles/360016649139-YubiKey-5-2-enhancements-to-OpenPGP-3-4-support)
@jayvii they should support x.509 silliness in a _different_ slot/applet than the GPG pieces, but it's been a while since I've used them like that so I don't want to speak to it.
talking to it from GPG and not-GPG can also be a chore. many smartcard stacks like to claim exclusive reader access.
", "contentMap":{ "en":"@jayvii they should support x.509 silliness in a _different_ slot/applet than the GPG pieces, but it's been a while since I've used them like that so I don't want to speak to it.
talking to it from GPG and not-GPG can also be a chore. many smartcard stacks like to claim exclusive reader access.
" }, "attachment":[], "tag":[ {"type":"Mention","name":"@jayvii@social.jayvii.de","href":"https://social.jayvii.de/actors/jayvii"} ], "url":["https://tacobelllabs.net/@arrjay/114693920903063369"], "type":"Note", "id":"https://tacobelllabs.net/users/arrjay/statuses/114693920903063369" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2025-06-17T05:22:02.759Z", "attributedTo":"https://social.jayvii.de/actors/jayvii", "inReplyTo":"https://tacobelllabs.net/users/arrjay/statuses/114693920903063369", "replies":"https://social.jayvii.de/objects/F2e90-MBLvc/replies", "to":["https://www.w3.org/ns/activitystreams#Public","https://tacobelllabs.net/users/arrjay"], "cc":["https://social.jayvii.de/actors/jayvii/followers"], "content":"@arrjay thabks a lot for the detailed info! For now, I am tending toward nitrokey, tbh
", "contentMap":{ "en":"@arrjay thabks a lot for the detailed info! For now, I am tending toward nitrokey, tbh
" }, "mediaType":"text/html", "attachment":[], "tag":[ {"type":"Mention","name":"@arrjay@tacobelllabs.net","href":"https://tacobelllabs.net/users/arrjay"} ], "type":"Note", "id":"https://social.jayvii.de/objects/F2e90-MBLvc" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2025-06-16T18:24:24.000Z", "attributedTo":"https://kafeneio.social/users/bioinformatician_next_door", "inReplyTo":"https://social.jayvii.de/objects/qoB3f15kCXA", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://kafeneio.social/users/bioinformatician_next_door/followers","https://mastodon.social/users/lrvick","https://social.jayvii.de/actors/jayvii"], "content":"@jayvii
yubi can do most of the things you ask.
here is a good guide:
https://www.procustodibus.com/blog/2023/04/how-to-set-up-a-yubikey/
and here is another one:
https://github.com/drduh/YubiKey-Guide
As far as I know #nitrokey needs some extra steps in order to do some small things (wireguard key on the nitro, I don't remember if it works); other than that, as it is open hardware and software, it's the best choice in the market currently.
@lrvick may have an opinion about it.
@bioinformatician_next_door @jayvii Yubikeys and Nitrokeys can do all of the same things at this point, however Nitrokey is open hardware/software and much more auditable/transparent as a result.
", "contentMap":{ "en":"@bioinformatician_next_door @jayvii Yubikeys and Nitrokeys can do all of the same things at this point, however Nitrokey is open hardware/software and much more auditable/transparent as a result.
" }, "attachment":[], "tag":[ {"type":"Mention","name":"@bioinformatician_next_door@kafeneio.social","href":"https://kafeneio.social/users/bioinformatician_next_door"}, {"type":"Mention","name":"@jayvii@social.jayvii.de","href":"https://social.jayvii.de/actors/jayvii"} ], "url":["https://mastodon.social/@lrvick/114695578271987289"], "type":"Note", "id":"https://mastodon.social/users/lrvick/statuses/114695578271987289" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2025-06-16T23:15:02.000Z", "attributedTo":"https://mastodon.social/users/lrvick", "inReplyTo":"https://mastodon.social/users/lrvick/statuses/114695578271987289", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://mastodon.social/users/lrvick/followers","https://kafeneio.social/users/bioinformatician_next_door","https://social.jayvii.de/actors/jayvii"], "content":"@bioinformatician_next_door @jayvii
Also if you want a paranoid's guide to setting up a yubikey or nitrokey for cold secret management with sharded backups, check out our docs: https://trove.distrust.co
", "contentMap":{ "en":"@bioinformatician_next_door @jayvii
Also if you want a paranoid's guide to setting up a yubikey or nitrokey for cold secret management with sharded backups, check out our docs: https://trove.distrust.co
" }, "attachment":[], "tag":[ {"type":"Mention","name":"@bioinformatician_next_door@kafeneio.social","href":"https://kafeneio.social/users/bioinformatician_next_door"}, {"type":"Mention","name":"@jayvii@social.jayvii.de","href":"https://social.jayvii.de/actors/jayvii"} ], "url":["https://mastodon.social/@lrvick/114695582646900267"], "type":"Note", "id":"https://mastodon.social/users/lrvick/statuses/114695582646900267" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2025-06-17T05:23:34.258Z", "attributedTo":"https://social.jayvii.de/actors/jayvii", "inReplyTo":"https://mastodon.social/users/lrvick/statuses/114695582646900267", "replies":"https://social.jayvii.de/objects/wQ80zG3pKE4/replies", "to":["https://www.w3.org/ns/activitystreams#Public","https://mastodon.social/users/lrvick","https://kafeneio.social/users/bioinformatician_next_door"], "cc":["https://social.jayvii.de/actors/jayvii/followers"], "content":"@lrvick @bioinformatician_next_door thanks to both of you. Very helpful guides :) leaning towards nitrokey rn
", "contentMap":{ "en":"@lrvick @bioinformatician_next_door thanks to both of you. Very helpful guides :) leaning towards nitrokey rn
" }, "mediaType":"text/html", "attachment":[], "tag":[ {"type":"Mention","name":"@lrvick@mastodon.social","href":"https://mastodon.social/users/lrvick"}, {"type":"Mention","name":"@bioinformatician_next_door@kafeneio.social","href":"https://kafeneio.social/users/bioinformatician_next_door"} ], "type":"Note", "id":"https://social.jayvii.de/objects/wQ80zG3pKE4" } ] }