NitroKey Pro2 Review

Hi guys,

I wanted to do this review as a video originally, but due to personal circumstances it was getting delayed way, way too long (it was scheduled for the end of August!), so I decided to do it in text format anyway.
Additionally, YouTube has announced their new TOS, which made me really hesitant to upload it to their platform as well.

We added this new section to let you know that, starting today we'll begin slowly rolling out ads on a limited number of videos from channels not in YPP. This means as a creator that's not in YPP, you may see ads on some of your videos. Since you're not currently in YPP, you won't receive a share of the revenue from these ads, though you'll still have the opportunity to apply for YPP as you normally would once you meet the eligibility requirements. You can always check your progress toward eligibility on the monetization tab in YouTube Studio.

YouTube TOS as of the 20th of November 2020

So yeah, it's going to be text only.
I may release it as a video later as well on a platform like PeerTube, but don't count on it.

Anyway, this blog post is sponsored by Nitrokey GmbH through their "Nitrokey Community Program".
Thanks a lot!
However, as per my Review Policy, my views and opinions are 100% unaffected by this.
So let's dive in.

Who is Nitrokey GmbH?

Nitrokey is a company based in Berlin, Germany that makes small USB dongles called "hardware security tokens", which hold your cryptographic keys, generate one-time passwords and more.
In late 2009, the CEO Jan Suhr and two of his friends released an open-source device called the "Crypto Stick", just for fun; as the project grew, it became, in 2015... well... Nitrokey.
They have kept their promise of keeping their products open-source, have expanded beyond these dongles, and are well known in the community for promoting a safe and open internet.

Fast forward to late July 2020: Nitrokey announced their Nitrokey Community Program, in which people can request a free Nitrokey for their project.
And well, I'm a simple Dutch person... I see free, I want.

What is the NitroKey Pro2?

For those new to GPG: you most likely keep your private key on the device itself, also referred to as a "software key".
This, however, has a few issues:
- The key isn't easily portable.
- The key is prone to theft by malware.

The first one is mostly a "convenience" issue.
Let's say I use my key for my main email but I use both my laptop and main desktop to mail.
This means I'm left with two choices:
- Sync the keys with both devices (by exporting it on one and importing it on the other)
- Only use my key on a specific device.
Neither of which is a nice choice in my opinion.
The NitroKey Pro2 solves this by having your private key on a stick you can carry with you.
Be it from desktop to laptop or from home to work.
If you have the stick with you, you have the key with you :)
You could solve this by having a copy of the private key on a USB stick, but we'll get to that in a bit.

The second one is the bigger problem.
Remember: as far as GPG is concerned, whoever holds the private key is you.
This means that a thief can now pretend to be you, and since the thief can sign messages and decrypt mail as you... well... you can fill in the blanks.
The Nitrokey Pro2 solves this by not having your key on the device you're using.
Instead, it's on the stick, the "hardware security token".
Unlike a regular USB stick, however, the key isn't readable by the machine either.
Any attempt to simply read the private key out of the stick will fail (unless you crack the stick open and use specialised means to extract it from the chips themselves).
This means that, unlike with a regular USB stick where you import the entire private key, you don't import the private key itself.
Instead, what you import is a reference to the private key on the stick, called a "stub".
This stub tells GPG: "If you need the private key with fingerprint ABCDEF, you can find it on the token with serial number 123456."
The private key then never passes through the host: GPG sends the data to be signed or decrypted to the stick, you unlock it with your PIN, and only the signature or the decrypted session key comes back.
This makes it really difficult for someone who steals your laptop or phone to get their hands on your private key (given you didn't leave the stick lying around), and for malware to steal it (because well, there is no key on the machine!).
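To check that GPG really holds only stubs and no private key material, you can parse its machine-readable key listing. The following is an added example written for this review, not Nitrokey's or GnuPG's own code: it parses the output of `gpg --with-colons -K` (the format documented in GnuPG's doc/DETAILS), where field 15 of a `sec`/`ssb` record carries the card serial number for a card-backed stub, `#` for a stub whose card is not referenced, and is empty when the key material sits in the keyring on disk. The sample listing, key IDs and card serial number are constructed.

```python
"""Classify the secret keys GnuPG knows about: real key material in the
keyring, a stub pointing at an OpenPGP card, or a stub with no card at all.

Added example for this review; not Nitrokey's or GnuPG's code.  The colon
format is the one documented in GnuPG's doc/DETAILS.  The sample listing,
key IDs and card serial number below are constructed.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Public-key algorithm IDs as printed in field 4 of the colon format.
ALGO_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


@dataclass
class SecretKey:
    record: str            # "sec" (primary key) or "ssb" (subkey)
    keyid: str
    algo: str
    bits: int
    caps: str              # e.g. "scESC": s=sign, e=encrypt, a=auth, c=certify
    location: str          # "disk", "card" or "stub-no-card"
    serial: Optional[str]  # card serial number when location == "card"


def parse_secret_listing(text: str) -> List[SecretKey]:
    """Parse `gpg --with-colons -K` output into SecretKey records."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue  # fpr/uid/grp records carry no key-location information
        # Field 15 (index 14) is the token serial number for a card-backed
        # stub, "#" for a stub that references no card, and empty when the
        # private key material itself lives in the keyring on disk.
        token = f[14] if len(f) > 14 else ""
        if token == "":
            location, serial = "disk", None
        elif token == "#":
            location, serial = "stub-no-card", None
        else:
            location, serial = "card", token
        keys.append(SecretKey(record=f[0], keyid=f[4],
                              algo=ALGO_NAMES.get(int(f[3]), f[3]),
                              bits=int(f[2]), caps=f[11],
                              location=location, serial=serial))
    return keys


def keys_exposed_on_disk(keys: List[SecretKey]) -> List[str]:
    """Key IDs whose private material a laptop thief or malware could copy."""
    return [k.keyid for k in keys if k.location == "disk"]


def list_secret_keys_from_gpg() -> List[SecretKey]:
    """Run the real gpg binary (needs gpg installed; not used by the sample run)."""
    out = subprocess.run(["gpg", "--batch", "--with-colons", "-K"],
                         check=True, capture_output=True, text=True).stdout
    return parse_secret_listing(out)


# Constructed sample: Alice's key fully moved to a card, Bob's key still on
# disk, and a third key whose card has been lost (stub, no card).
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1600000000::::::scESC:::D2760001240102000005000012340000::::
fpr:::::::::00000000000000000000000000000000ABCDEF12:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice <alice@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1600000000::::::e:::D2760001240102000005000012340000::::
ssb:u:4096:1:1111222233334444:1600000000::::::a:::D2760001240102000005000012340000::::
sec:u:255:22:AAAABBBBCCCCDDDD:1600000000::::::scESC:::::ed25519::
fpr:::::::::000000000000000000000000AAAABBBBCCCCDDDD:
uid:u::::1600000000::1111111111111111111111111111111111111111::Bob <bob@example.org>::::::::::0:
ssb:u:255:18:DDDDCCCCBBBBAAAA:1600000000::::::e:::::cv25519::
sec:u:2048:1:9999888877776666:1600000000::::::scESC:::#::::
"""

if __name__ == "__main__":
    keys = parse_secret_listing(SAMPLE_LISTING)
    for k in keys:
        where = f"card {k.serial}" if k.serial else k.location
        print(f"{k.record} {k.algo}-{k.bits} {k.keyid} [{k.caps}] -> {where}")
    print("private material exposed on disk:", keys_exposed_on_disk(keys))
```

Run against your own keyring via `list_secret_keys_from_gpg()`; after a successful `keytocard` every `sec`/`ssb` line should come back as `card` with the stick's serial number, and `keys_exposed_on_disk()` should be empty. A `stub-no-card` entry is what you are left with when the stick is lost, which is why you keep an offline backup of the key before moving it.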

Additionally, the NitroKey Pro2 has some other nifty features I'll come back to in a moment.
If you are curious about how a Nitrokey Pro2 is made, in broad terms, head over to this YouTube video.

Types of NitroKey

The Pro2 isn't the only device in the offerings of NitroKey.
They have a fairly wide variety of devices so people can pick what they need.
Some types include:
- Storage2
- Pro2
- Start
- HSM2

You can find the differences on their website.
For this review I chose the Pro2, because I felt it was the one most people would be interested in over the Start: it has tamper resistance, OTP support, a built-in password manager and a faster cryptographic processor, which lets you use bigger RSA keys (4096-bit vs 2048-bit) without having to wait 8 seconds for an operation.
Eight seconds is a lot if you ask me...
The faster, the better.

Okay, most people do not need a 4096-bit key, but having that future-proofing, or simply knowing you're safe for a while, can be nice.
Do note that if you go for the Pro2 over the Start, you lose support for "Curve25519" and "SECG/Koblitz"; I don't know much about those elliptic curves, so I don't know if they have any real value.
The Pro2, on the other hand, supports ECC keys up to 521 bits, whereas the Start only goes up to 256 bits.
For those wondering: ECC is, in most cases, stronger than RSA per bit, so ECC keys can be much smaller than RSA keys without losing security (a 256-bit ECC key is roughly comparable to a 3072-bit RSA key).
Do note that while ECC keys are becoming the norm, RSA keys still help with backwards compatibility, since older GPG versions and some other software don't support the newer curves.

One thing you do lose as well over the Start is firmware updates.
This is what NitroKey had to say about it:

We haven't had the time to implement firmware update features into all our Nitrokey models yet. In the future, we will offer firmware updates for all our Nitrokey models.

Nitrokey GmbH in private email

Devices similar to the NitroKey Pro2

The NitroKey Pro2 isn't the only device that can do this.
There exist a whole range of devices similar to the NitroKey Pro2.
Some other well-known devices are:
- "Yubikey" by Yubico.
- "Solo" by SoloKeys.
- "OpenPGP Smartcard"(?) by ZeitControl.

Another vendor of hardware security tokens is Google with their "Titan"; however, this device does not support GPG.
I personally own a "Yubikey 5 NFC", so I'll be comparing the NitroKey Pro2 to that later on in this review.

"Unboxing" the Nitrokey NitroKey Pro2

Once the package came in, it was a pretty nondescript little bubble envelope.
Simple, I like it.

Inside, you'll find the following contents:

Getting out your NitroKey is as simple as opening the bag from the top and taking it out that way.

I love how simple and clean their packaging is.
Very little is wasted and those plastic baggies they come in are re-usable.

Physical overview of the NitroKey Pro2

The physical side of the Nitrokey doesn't have many bells and whistles either.
A hard plastic case with the Nitrokey logo (and the model name) on it, a USB-A plug and a cap to protect said plug.

Comparing the NitroKey Pro2 with the YubiKey 5 NFC

As said earlier, I'll be comparing the NitroKey Pro2 with my YubiKey 5 NFC on a few different criteria I think are important to most people looking into these keys:
- Ease of setup
- Support of features and protocols
- Portability
- Durability
- Ease of use in daily life
- Affordability

Ease of Setup

Let's get started with ease of setup alright?
I found the setup of the YubiKey quite easy thanks to the software made by Yubico.
However, one thing I did not like about Yubico's approach is that I need a lot of different programs for setting up different things.
This isn't too bad, because it keeps bloat down for the average user, but it does mean that I sometimes have to figure out which program I need to install to do something.

Nitrokey on the other hand has made a nearly all-in-one app, only lacking GPG, for which most people use Kleopatra if they want a GUI.
And the Nitrokey app is very light weight as well, so that's a bonus point for Nitrokey.

This app also shows how the Nitrokey Storage2 has the ability to "plausibly deny the existence of encrypted data", since you appear to need the Nitrokey app in order to mount the drive.
As for the setups themselves, the YubiKey was quite easy to get set up.
Sadly, I don't want to accidentally ruin my YubiKey, so I can't really show it; you'll have to take my word for it.

As for the setup of the Nitrokey: remove the cap and plug it into your PC.
Download and install the Nitrokey App if you haven't already, and open it.
Go to Menu, Configure, and click "Change Admin PIN".
Change it to something secure and make sure to write it down somewhere safe; you'll need it later for administrative operations such as unblocking the user PIN after too many wrong attempts, and if you lose it, the only way out is a factory reset, which wipes the keys on the stick.
The default admin PIN is "12345678".
Next, go to Menu, Configure again, and this time click "Change User PIN".
Again, change it to something secure, but this time only remember it; do not write it down.
Do not use the same PIN as the admin PIN, as that's insecure: the user PIN is the one you type every day to sign and decrypt, the admin PIN is the one that manages the keys on the stick.
The default user PIN is "123456".

Support of features and protocols

These sticks would be kinda pointless if they don't support certain features and protocols that are common today.
The ones I'm going to look at include, but are not limited to:
- U2F
- Windows Desktop Logins

I wanted to test Linux desktop logins as well, but this honestly was a massive pain in the arse and would probably be outside the scope of this post (since it was rather complex).
If you are interested in it, I'd recommend reading this tutorial for both Nitrokey and Yubikeys, or this tutorial for the Yubikey.

Anyway, let's get TOTP set up.
Go to the security panel of the application you want to protect (in my case Mastodon).
Copy your secret and open the Nitrokey App.
In the app, go to "OTP Slot Configuration".
Select an empty slot and give it a name.
Then paste in the secret key, leaving the "Input format" at "Base32" unless your application specifies otherwise.
Then click Save.
Next, go to Menu, Passwords, and click the TOTP entry you just added.
The current TOTP code is now in your clipboard.
Paste it into your service to activate TOTP.
You'll be presented with some recovery codes; note these down in a secure place, as they are what gets you back into the account if you lose the stick.
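What the token computes in that slot is plain RFC 4226/6238 one-time-password arithmetic over the secret you pasted in. The following is an added example for this review, not Nitrokey's or the Nitrokey App's code: it decodes a Base32 secret the way it comes off an enrolment page (which is why the "Input format" setting matters), computes HOTP and TOTP from it, and shows the check a service performs on the other side. The secret used is the RFC 4226/6238 test-vector key "12345678901234567890" encoded as Base32, so the outputs can be checked against the RFCs; no real account secret is involved.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from a Base32 secret: the arithmetic
an OTP slot performs when you click the entry in the Nitrokey App.

Added example for this review; not Nitrokey's or the Nitrokey App's code.
ENROLMENT_SECRET is the RFC 4226/6238 test-vector key "12345678901234567890"
encoded as Base32, not a real account secret.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_base32_secret(secret: str) -> bytes:
    """Decode the secret as it is pasted from a site's enrolment page.
    Spaces, lower case and missing '=' padding are common, so normalise first."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then the last `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    t = time.time() if at is None else at
    return hotp(key, int(t // step), digits, algo)


def verify_totp(key: bytes, code: str, at: float, window: int = 1,
                step: int = 30) -> bool:
    """Server side: accept the code for the current step and up to `window`
    steps either side (clock drift, typing delay), comparing in constant time.
    Negative counters (window reaching before the epoch) are skipped."""
    counter = int(at // step)
    candidates = [counter + d for d in range(-window, window + 1) if counter + d >= 0]
    return any(hmac.compare_digest(hotp(key, c), code) for c in candidates)


# Constructed enrolment secret (RFC test-vector key, Base32, grouped the way
# sites usually display it).
ENROLMENT_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    key = decode_base32_secret(ENROLMENT_SECRET)
    for c in range(3):
        print(f"HOTP, counter {c}: {hotp(key, c)}")   # RFC 4226 vectors
    print("TOTP at T=59s:", totp(key, at=59))          # RFC 6238 vector
    print("TOTP now:     ", totp(key))
```

The difference between the two slot types on the stick is only the counter: a TOTP slot derives it from the clock, so the stick has to be told the current time by the app, while an HOTP slot keeps a counter that increments on every use and the service tolerates a small window of skipped counters.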

As for GPG, this is quite simple and is the same as for the YubiKey.
I won't go into the details, as I've already made a video about it on... YouTube... so go on there and turn on your adblocker if you will :)

We've already discovered that the Pro2 supports TOTP and HOTP, albeit limited to 15 TOTP slots and 3 HOTP slots.
As far as I know, the YubiKey 5 NFC has no such limitation.
As for FIDO2 and U2F, the YubiKey 5 NFC supports these pretty much flawlessly.
The Pro2, on the other hand, doesn't support either of them.
That's where the second stick I received comes in: the Nitrokey FIDO2.
It has the same form factor and design as the Pro2, but is dedicated to the FIDO2 and U2F protocols.
The Nitrokey FIDO2 works flawlessly with both FIDO2 and U2F, but it's a bummer that the Pro2 doesn't support them.
When I reached out to Nitrokey, this is what they had to say:

NitroKey Pro 2 doesn't have FIDO features yet. We're working on integrating FIDO into more Nitrokeys. As for now, only the dedicated devices, Nitrokey FIDO U2F and FIDO2 offer FIDO features (Nitrokey FIDO2 is capable of FIDO U2F too, of course.) NFC and USB-C will be added to Nitrokey FIDO2 in the foreseeable future, by the way.

Nitrokey GmbH in private email

We've also already established that both the YubiKey 5 NFC and the Nitrokey Pro2 support GPG, but let's see if there are any differences.
Both the YubiKey 5 NFC and the Nitrokey Pro2 support RSA keys up to 4096 bits.
However, the Nitrokey has a very slight edge here, as it supports ECC keys up to 521 bits versus the 384 bits of the YubiKey.
They both have the three basic slots for Signing, Encryption and Authentication; however, as of firmware 5.2.3, the YubiKey also has a fourth slot for a so-called "Attestation Key".
This key signs a statement that a given key was generated on the device itself, which proves that no copy of that private key ever existed outside the stick.
It can be useful in some cases (for instance when an organisation wants proof that a key can't have leaked), but for an "average" GPG user, it doesn't really matter, I think...
Sadly, I can't upgrade the firmware on my YubiKey either, for "security reasons", so r.i.p. my fourth slot.
On Android, both the Yubikey and the Nitrokey work with apps like OpenKeychain.
However, depending on the specific model of Yubikey, you may need an OTG adapter.
For every stick in the Nitrokey line, you'll need the OTG adapter since none support NFC at this moment.

Next, I tested Windows desktop logins.
The YubiKey required a little program you can download here, which only required me to install it and reboot my PC.
After that, all I had to do was follow a fairly simple wizard.
However, after following this wizard, I realised it only acts as a second factor on top of your password, rather than letting you log in by just tapping the button.
Nitrokey, however, does have a tutorial on how to get it to work with third-party software; this software, however, only supports the Windows Home edition unless you're willing to purchase a licence for 70 euros.
They also sell some other software called "Aloaha Smart Login" (never heard of it before, honestly) for 46 euros, which probably uses GPG (not sure)?
So, sad panda: no Windows logins out of the box for either, really, though I think this is more of a "Windows" issue than an issue with either stick.

Portability

Let's move on to portability, shall we?
The Nitrokey Pro2 is a bit thicker than the YubiKey, but it's still not much bigger than the average flash drive.
It's small enough to fit in most pockets, though if you have tight pockets, you might not be able to fit it (wink wink, nudge nudge).
The YubiKey, on the other hand, is really flat while being the same length and width as the Nitrokey.

And you know the saying, flat is justice.
As we've also established earlier, if you want to also have FIDO2 and U2F available to you, you need to carry two Nitrokeys as opposed to one, increasing the bulk you need to carry.
Additionally, I can use my Yubikey 5 NFC for either FIDO2 or GPG on my phone using... well... NFC.
The NitroKey Pro2 lacks this feature, so if I want to use FIDO2 or GPG, I'm gonna need an OTG adapter as well...

Durability

Durability shouldn't be overlooked either; I mean, you don't want your stick to just die on you, do you?
That'd be kinda awkward...
The YubiKey is mainly one big slab of plastic; it is very sturdy and I can't easily break it with normal pressure.
The Nitrokey, on the other hand, is a regular PCB in a hollow enclosure, so that you can open it and verify it against their schematics.
However, I can't seem to open it up without fear of making the enclosure un-closeable again.
YubiKeys are proprietary doohickeys and as such don't need to be openable.
So this round goes to the YubiKey as well; however, I'm sure someone with the right know-how can modify their Nitrokey into something about as solid as the YubiKey after they have verified it.
But obviously, those cases aren't exactly supported by Nitrokey.

Ease of use in daily life

To test the ease of use on a daily basis, I replaced my YubiKey with the Nitrokeys for about two weeks of "normal" use to see how they fare.
Additionally, I swapped between my YubiKey and the Nitrokeys in the month when I didn't have my PC.
Please note that this part was written with the "average person" in mind.
One thing I noticed quite soon was the lack of NFC on the Nitrokey.
This means that if I wanted to use it with my phone, I had to carry a USB-A to USB-C adapter with me.
This also added to the bulk a bit; however, I carried this doohickey with me a lot anyway, so it didn't bother me too much, but well, if you're a lady with limited pocket space, even this might be a hassle.
My main uses for the YubiKey on the road were OTP, for which I could use Yubico Authenticator, and FIDO2 or U2F, which worked nearly flawlessly with the YubiKey.
For the Nitrokey, on the other hand, there was no way for me to access my OTP codes on my phone, making it difficult to log in to certain websites while at a friend's place, and I had to swap to the FIDO2 stick if I wanted to use FIDO2 or U2F instead.
It also means that, since I have no access to the OTP codes from my phone, if I'm out and about without my laptop I can't access my OTP generator, and as such, if I need to log in somewhere, I can't.
This felt annoying, and I was quite quickly inclined to leave my Nitrokeys at home, as the YubiKey is less bulky and does everything I need it to.
The Nitrokeys feel like they were designed desktop-first, with mobile use not even on their mind, which is a shame considering most people will also want to use it on their phones and tablets.
Ease of use on a day-to-day basis just feels... like a big hassle rather than a "minor addition", likely making people not bother with the security they gain from it and going back to "the old ways".

Affordability

As for affordability, it doesn't bode too well for the Nitrokey Pro2 either.
I will not be taking shipping and import duties into consideration (since these can differ wildly), just the listed price.
The YubiKey 5 NFC costs about 51 merkeldollars on the German Amazon, whereas a Nitrokey Pro2 costs 49 merkeldollars from their official store.
However, as we've already discussed, if you want U2F and FIDO2 support, you also need a Nitrokey FIDO2, which costs an additional 29 merkeldollars.
So in total, you'd be out 27 merkeldollars more, as well as having to carry an additional Nitrokey with you.
It's a premium you'll have to pay if you want open source, I suppose.

The Verdict

So, it's time for the verdict.
Who is the Nitrokey for, and should you get one?
The Nitrokey is a lovely idea made by a company whose vision is headed in the right direction.
If you value open source and don't mind losing some features from the package, or you want full transparency, then I'd say: go ahead, get a Nitrokey.
However, if you're like me, some bloke who just wants it to work and be a breeze to use in day-to-day life? Then I'd suggest going with the YubiKey.
I'm sorry Nitrokey, but I simply cannot recommend this to the average user who is just peeking around the corner into the world of security tokens, especially if that person doesn't have much of an IT background.
I'm sure the more die-hard open-source community will be interested in it; however, it's not for the average consumer wanting to make their digital life just that bit more secure.
I hope that in the next iteration you'll be able to work around the limitations, deliver a nice all-in-one package and support mobile users a bit more as well.
I love what you are doing and I love your goals; however, the product is not nearly at the level of the YubiKey when it comes to actually using the tokens.

Well, that was it for this review.
If you enjoyed it, feel free to share it around :)
If you want to purchase your own Nitrokey and help secure the future of ethical and open-source projects, head over to their website to pick one up.
Or, if you have any questions, feel free to ask them on my subreddit.

That's it for now.

Update 24 Nov 2020

I managed to open my key without breaking it.
Apparently, the shell is just friction-fitted into place rather than held by any clips.
So for those interested, here are some pictures of the inside:
