General
nitrocli status
Print the status of the connected Nitrokey device, including the stick serial number, the firmware
version, and the PIN retry count.
nitrocli lock
Lock the Nitrokey. This command locks the password safe (see the Password safe section). On the
Nitrokey Storage, it will also close any active encrypted or hidden volumes (see the Storage
section).
nitrocli reset
Perform a factory reset on the Nitrokey. This command performs a factory reset on the OpenPGP
smart card, clears the flash storage and builds a new AES key. The user PIN is reset to 123456,
the admin PIN to 12345678.
This command requires the admin PIN. To avoid accidental calls of this command, the user has to
enter the PIN even if it has been cached.
Storage
The Nitrokey Storage comes with a storage area. This area is comprised of an unencrypted region and an
encrypted one of fixed sizes, each made available to the user in the form of block devices. The encrypted
region can optionally further be overlaid with up to four hidden volumes. Because of this overlay (which
is required to achieve plausible deniability of the existence of hidden volumes), the burden of ensuring
that data on the encrypted volume does not overlap with data on one of the hidden volumes is on the user.
nitrocli storage open
Open the encrypted volume on the Nitrokey Storage. The user PIN that is required to open the
volume is queried using pinentry(1) and cached by gpg-agent(1).
nitrocli storage close
Close the encrypted volume on the Nitrokey Storage.
nitrocli storage status
Print the status of the connected Nitrokey Storage device's storage. The printed information
includes the SD card serial number, the encryption status, and the status of the volumes.
nitrocli storage hidden create slot start end
Create a new hidden volume inside the encrypted volume. slot must indicate one of the four
available slots. start and end represent, respectively, the start and end position of the hidden
volume inside the encrypted volume, as a percentage of the encrypted volume's size. This command
requires a password which is later used to look up the hidden volume to open. Unlike a PIN, this
password is not cached by gpg-agent(1).
nitrocli storage hidden open
Open a hidden volume. The volume to open is determined based on the password entered, which must
have a minimum of six characters. Only one hidden volume can be active at any point in time and
previously opened volumes will be automatically closed. Similarly, the encrypted volume will be
closed if it was open.
nitrocli storage hidden close
Close a hidden volume.
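Because the firmware does not prevent a hidden volume from overlapping another hidden volume, or from overlapping data already written to the encrypted volume, it helps to check a planned layout before running storage hidden create. The Python script below is an added example, not part of nitrocli; it converts the start/end percentages of up to four planned hidden volumes into byte ranges for a given encrypted volume size and rejects any overlap, including overlap with byte ranges the user knows the encrypted volume's own data occupies (the slot numbers, sizes and reserved ranges in the demo are constructed).

```python
from typing import Dict, Iterable, List, Tuple

MAX_HIDDEN_VOLUMES = 4  # the Nitrokey Storage offers four hidden volume slots

ByteRange = Tuple[int, int]  # half-open [start, end) in bytes


def _overlaps(a: ByteRange, b: ByteRange) -> bool:
    """True if two half-open byte ranges share at least one byte."""
    return a[0] < b[1] and b[0] < a[1]


def plan_hidden_volumes(
    encrypted_size: int,
    layout: Dict[int, Tuple[int, int]],
    reserved: Iterable[ByteRange] = (),
) -> Dict[int, ByteRange]:
    """Map {slot: (start_pct, end_pct)} to {slot: (start_byte, end_byte)}.

    start_pct/end_pct are the percentages passed to 'storage hidden create'.
    'reserved' lists byte ranges of the encrypted volume that already hold data
    (assumption: the caller knows these, e.g. from the outer filesystem's usage).
    Raises ValueError on invalid percentages or any overlap.
    """
    if encrypted_size <= 0:
        raise ValueError("encrypted volume size must be positive")
    if len(layout) > MAX_HIDDEN_VOLUMES:
        raise ValueError(f"at most {MAX_HIDDEN_VOLUMES} hidden volumes are supported")

    ranges: Dict[int, ByteRange] = {}
    for slot, (start_pct, end_pct) in layout.items():
        if not (0 <= start_pct < end_pct <= 100):
            raise ValueError(f"slot {slot}: need 0 <= start < end <= 100, got {start_pct}-{end_pct}")
        # Byte offsets derived from the percentages, rounded down to whole bytes.
        ranges[slot] = (encrypted_size * start_pct // 100, encrypted_size * end_pct // 100)

    # Pairwise check between hidden volumes.
    slots: List[int] = sorted(ranges)
    for i, a in enumerate(slots):
        for b in slots[i + 1:]:
            if _overlaps(ranges[a], ranges[b]):
                raise ValueError(f"hidden volumes in slots {a} and {b} overlap")

    # Check against data already on the encrypted volume.
    for slot in slots:
        for used in reserved:
            if _overlaps(ranges[slot], used):
                raise ValueError(f"slot {slot} overlaps encrypted-volume data at {used}")
    return ranges


if __name__ == "__main__":
    # Constructed demo: a 1,000,000-byte encrypted volume with two hidden volumes.
    print(plan_hidden_volumes(1_000_000, {0: (10, 30), 1: (30, 60)}))
```

The byte ranges are half-open, so a volume ending at 30% and one starting at 30% are adjacent rather than overlapping; the firmware's own rounding of percentages to sectors is not modelled here, so leave a small margin between volumes in practice.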
One-time passwords
The Nitrokey Pro and the Nitrokey Storage support the generation of one-time passwords using the HOTP
algorithm according to RFC 4226 or the TOTP algorithm according to RFC 6238. The required data – a name
and the secret – is stored in slots. Currently, the Nitrokey devices provide three HOTP slots and 15
TOTP slots. The slots are numbered per algorithm starting at zero.
The TOTP algorithm is a modified version of the HOTP algorithm that also uses the current time.
Therefore, the Nitrokey clock must be synchronized with the clock of the application that requests the
one-time password.
nitrocli otp get slot [-a|--algorithm algorithm] [-t|--time time]
Generate a one-time password. slot is the number of the slot to generate the password from.
algorithm is the OTP algorithm to use. Possible values are hotp for the HOTP algorithm according
to RFC 4226 and totp for the TOTP algorithm according to RFC 6238 (default). By default, this
command sets the Nitrokey's time to the system time if the TOTP algorithm is selected. If --time
is set, the Nitrokey's time is set to time instead, which must be a Unix timestamp (i.e., the
number of seconds since 1970-01-01 00:00:00 UTC). This command might require the user PIN (see the
Configuration section).
nitrocli otp set slot name secret [-a|--algorithm algorithm] [-d|--digits digits] [-c|--counter counter]
[-t|--time-window time-window] [-f|--format ascii|base32|hex]
Configure a one-time password slot. slot is the number of the slot to configure. name is the
name of the slot (may not be empty). secret is the secret value to store in that slot.
The --format option specifies the format of the secret. If it is set to ascii, each character of
the given secret is interpreted as the ASCII code of one byte. If it is set to base32, the secret
is interpreted as a base32 string according to RFC 4648. If it is set to hex, every two
characters are interpreted as the hexadecimal value of one byte. The default value is hex.
algorithm is the OTP algorithm to use. Possible values are hotp for the HOTP algorithm according
to RFC 4226 and totp for the TOTP algorithm according to RFC 6238 (default). digits is the number
of digits the one-time password should have. Allowed values are 6 and 8 (default: 6). counter is
the initial counter if the HOTP algorithm is used (default: 0). time-window is the time window
used with TOTP in seconds (default: 30).
nitrocli otp clear slot [-a|--algorithm algorithm]
Delete the name and the secret stored in a one-time password slot. slot is the number of the slot
to clear. algorithm is the OTP algorithm to use. Possible values are hotp for the HOTP algorithm
according to RFC 4226 and totp for the TOTP algorithm according to RFC 6238 (default).
nitrocli otp status [-a|--all]
List all OTP slots. If --all is not set, empty slots are ignored.
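The Python script below is an added example and not part of nitrocli or the Nitrokey firmware. It implements the computation the device performs for otp get: the secret is decoded according to the three --format values (ascii, base32, hex), HOTP follows RFC 4226 with the slot's counter, and TOTP follows RFC 6238 with the slot's time window, for 6 or 8 digits. Running it against the RFC test vectors (secret 12345678901234567890 in ASCII form, which is 3132...3930 in hex) is a way to confirm what a correctly configured slot should print; the helper names are the example's own.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(secret: str, fmt: str = "hex") -> bytes:
    """Decode a slot secret as the --format option describes (default: hex)."""
    if fmt == "ascii":
        # Each character is the ASCII code of one secret byte.
        return secret.encode("ascii")
    if fmt == "base32":
        # RFC 4648 base32; pad to a multiple of 8 and accept lowercase input.
        padded = secret.upper() + "=" * (-len(secret) % 8)
        return base64.b32decode(padded)
    if fmt == "hex":
        # Every two characters are the hexadecimal value of one byte.
        return bytes.fromhex(secret)
    raise ValueError(f"unknown secret format: {fmt}")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, time_window: int = 30) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(time / time_window)."""
    return hotp(secret, unix_time // time_window, digits)


def totp_matches(secret: bytes, candidate: str, unix_time: int,
                 digits: int = 6, time_window: int = 30, skew: int = 1) -> bool:
    """Accept a TOTP value from the current window or 'skew' windows either side.

    Illustrates why the device clock must be synchronised: a value generated with a
    clock more than skew*time_window seconds off is rejected.
    """
    base = unix_time // time_window
    return any(hmac.compare_digest(hotp(secret, base + d, digits), candidate)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret, given in each of the three formats.
    key = decode_secret("3132333435363738393031323334353637383930", "hex")
    assert key == decode_secret("12345678901234567890", "ascii")
    assert key == decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "base32")
    print("HOTP counter 0:", hotp(key, 0))            # RFC 4226: 755224
    print("TOTP at t=59, 8 digits:", totp(key, 59, 8))  # RFC 6238: 94287082
    print("TOTP now:", totp(key, int(time.time())))
```

The device stores the same secret regardless of the format chosen, so the three decode_secret calls above yield identical bytes; a mismatch between the device's output and this script at the same Unix time usually points to a clock offset or a wrong --format rather than a wrong secret.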
Configuration
Nitrokey devices have four configuration settings: the numlock, capslock and scrollock keys can be
mapped to an HOTP slot, and OTP generation can be set to require the user PIN.
nitrocli config get
Print the current configuration.
nitrocli config set [[-n|--numlock slot] | [-N|--no-numlock]] [[-c|--capslock slot] | [-C|--no-capslock]]
[[-s|--scrollock slot] | [-S|--no-scrollock]] [[-o|--otp-pin] | [-O|--no-otp-pin]]
Update the Nitrokey configuration. This command requires the admin PIN.
With the --numlock, --capslock and --scrollock options, the respective bindings can be set. slot
is the number of the HOTP slot to bind the key to. If --no-numlock, --no-capslock or
--no-scrollock is set, the respective binding is disabled. The two corresponding options are
mutually exclusive.
If --otp-pin is set, the user PIN will be required to generate one-time passwords using the otp get
command. If --no-otp-pin is set, OTP generation can be performed without a PIN. These two
options are mutually exclusive.
Password safe
The Nitrokey Pro and the Nitrokey Storage provide a password safe (PWS) with 20 slots. In each of these
slots you can store a name, a login, and a password. The PWS is not encrypted, but it is protected with
the user PIN by the firmware. Once the PWS is unlocked by one of the commands listed below, it can be
accessed without authentication. You can use the lock command to lock the password safe.
nitrocli pws get slot [-n|--name] [-l|--login] [-p|--password] [-q|--quiet]
Print the content of one PWS slot. slot is the number of the slot. Per default, this command
prints the name, the login and the password (in that order). If one or more of the options
--name, --login, and --password are set, only the selected fields are printed. The order of the
fields never changes.
The fields are printed together with a label. Use the --quiet option to suppress the labels and
to only output the values stored in the PWS slot.
nitrocli pws set slot name login password
Set the content of a PWS slot. slot is the number of the slot to write. name, login, and
password represent the data to write to the slot.
nitrocli pws clear slot
Delete the data stored in a PWS slot. slot is the number of the slot to clear.
nitrocli pws status [-a|--all]
List all PWS slots. If --all is not set, empty slots are ignored.
PINs
Nitrokey devices have two PINs: the user PIN and the admin PIN. The user PIN must have at least six, the
admin PIN at least eight characters. The user PIN is required for commands such as otp get (depending
on the configuration) and for all pws commands. The admin PIN is usually required to change the device
configuration.
Each PIN has a retry counter that is decreased with every wrong PIN entry and reset if the PIN was
entered correctly. The initial retry counter is three. If the retry counter for the user PIN is zero,
you can use the pin unblock command to unblock and reset the user PIN. If the retry counter for the
admin PIN is zero, you have to perform a factory reset using the reset command or gpg(1). Use the status
command to check the retry counters.
nitrocli pin clear
Clear the PINs cached by the other commands. Note that cached PINs are associated with the device
they belong to and the clear command will only clear the PIN for the currently used device, not
all others.
nitrocli pin set type
Change a PIN. type is the type of the PIN that will be changed: admin to change the admin PIN or
user to change the user PIN. This command only works if the retry counter for the PIN type is at
least one. (Use the status command to check the retry counters.)
nitrocli pin unblock
Unblock and reset the user PIN. This command requires the admin PIN. The admin PIN cannot be
unblocked. This operation is equivalent to the unblock PIN option provided by gpg(1) (using the
--change-pin option).