Nitrokey 3: Misc

Previous posts:

Here are a few remaining things I’d like to do with the Nitrokey 3, but I haven’t had time to look at them yet.

Measured boot

My laptop is a Librem 14, which uses PureBoot (Purism’s fork of coreboot and Heads) to start the computer. It measures the state of various elements of the boot process to ensure they have not been tampered with. The measurements are PGP signed with a Librem Key… which is made by Nitrokey and is in fact a Nitrokey Pro 2. If the measurements are valid, the key blinks green; otherwise it blinks red.

The Nitrokey 3 is supposed to support this tamper detection, but I don’t know whether it is implemented yet.

Full disk encryption

Having a mobile device that doesn’t have its hard drive encrypted is a “very bad idea”™. Thankfully most modern devices do encrypt the main storage by default. On Linux it’s usually done with LUKS.

At boot time, you are asked for the LUKS passphrase to decrypt the disk.

I thought it would be easy and common practice to use a PGP key as one of the keys that unlock a LUKS partition. While possible, it doesn’t look straightforward or widely used, and it’s not something integrated by default. To achieve it, either follow Nitrokey’s documentation for full disk encryption or use Purism’s script to add a key to LUKS.

Auto session lock

Another thing that could be interesting to do is to lock the current user session when the key is removed. I’m not sure whether that kind of feature would become annoying after some time. I need to try it.

Purism provides information on how to lock the desktop session when the Librem Key is removed.
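As an added example (not code from the post or from Purism’s instructions), here is a small POSIX shell watcher that locks all logind sessions when the key disappears from sysfs. The USB vendor/product IDs, the sysfs path and the `keylock` logger tag are assumptions; check the IDs of your own key with `lsusb` before using it.

```shell
#!/bin/sh
# Lock all login sessions when a configured USB security key is unplugged.
# Assumed values (not from the post): VID/PID placeholders below; replace them
# with what `lsusb` shows for your key. Needs systemd-logind (loginctl).
KEY_VID="${KEY_VID:-20a0}"                 # assumed vendor id
KEY_PID="${KEY_PID:-42b2}"                 # assumed product id
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Return 0 if a USB device with the configured VID/PID exists under $1.
key_present() {
    root="$1"
    for dev in "$root"/*; do
        [ -r "$dev/idVendor" ] && [ -r "$dev/idProduct" ] || continue
        vid=$(cat "$dev/idVendor")
        pid=$(cat "$dev/idProduct")
        if [ "$vid" = "$KEY_VID" ] && [ "$pid" = "$KEY_PID" ]; then
            return 0
        fi
    done
    return 1
}

# Print "lock" only on a present -> absent transition, "none" otherwise.
# $1 = previous state (1 present / 0 absent), $2 = current state.
transition() {
    if [ "$1" = 1 ] && [ "$2" = 0 ]; then echo lock; else echo none; fi
}

# Poll sysfs every two seconds and lock sessions when the key goes away.
watch_key() {
    prev=0
    key_present "$SYSFS_USB" && prev=1
    while sleep 2; do
        cur=0
        key_present "$SYSFS_USB" && cur=1
        if [ "$(transition "$prev" "$cur")" = lock ]; then
            logger -t keylock "security key removed, locking sessions"
            loginctl lock-sessions
        fi
        prev=$cur
    done
}

# Start the watcher only when explicitly requested (e.g. from a user service).
if [ -n "$KEYLOCK_RUN" ]; then watch_key; fi
```

Polling keeps the script dependency-free; a udev rule reacting to the device’s remove event is the event-driven alternative.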

Remote sudo 2FA

In the previous post, I configured sudo to require a touch on the key before it runs. What I’d like to do now is the same thing, but when running sudo on a remote server. I think it could be quite useful.

A quick search seems to show that it should be possible: https://unix.stackexchange.com/questions/589392/u2f-fido-forwarding-over-ssh/

Future

Since I have used various types of keys over the years, what I’d like to see in the future is:

  • improved support (I mean, supported by more software and websites, how is it possible that I can’t use FIDO2 on any banking website I use?);
  • improved user experience (as seen in this series of posts, the concepts to understand and how to use them are not the easiest);
  • faster PGP operations (so far the Nitrokey 3 is noticeably slow);
  • biometric support (like the YubiKey Bio Series, but keeping all the other functionalities those YubiKeys lack; the idea would be to use the fingerprint instead of having to type the PGP PIN);
  • support of post-quantum algorithms.
