diff --git a/fido2/linux/desktop-login.rst b/fido2/linux/desktop-login.rst index 87c858fa3f..377087e5a0 100644 --- a/fido2/linux/desktop-login.rst +++ b/fido2/linux/desktop-login.rst 
@@ -28,207 +28,207 @@ GUI Method 1. **In the lower left corner click on** ``Show Applications`` **and type settings in the search bar as following:** -.. figure:: /fido2/linux/images/fidou2f-1.png - :alt: img1 + .. figure:: /fido2/linux/images/fidou2f-1.png + :alt: img1 2. **Scroll down in the right bar to** ``Users`` -.. figure:: /fido2/linux/images/fidou2f-2.png - :alt: img2 + .. figure:: /fido2/linux/images/fidou2f-2.png + :alt: img2 3. **In the left corner click on** ``Unlock`` **and that would prompt for your password** -.. figure:: /fido2/linux/images/fidou2f-3.png - :alt: img3 + .. figure:: /fido2/linux/images/fidou2f-3.png + :alt: img3 4. **Select** ``Administrator`` **and enter the user name and password of your choice** -.. figure:: /fido2/linux/images/fidou2f-4.png - :alt: img4 + .. figure:: /fido2/linux/images/fidou2f-4.png + :alt: img4 5. **Once you finish Step 4 you should be done** -.. figure:: /fido2/linux/images/fidou2f-5.png - :alt: img5 + .. figure:: /fido2/linux/images/fidou2f-5.png + :alt: img5 CLI Method '''''''''' 1. **Create a backup user and give it root privileges** -You can do so by using these commands: + You can do so by using these commands: -.. code-block:: bash + .. code-block:: bash - $ sudo adduser - $ sudo usermod -aG sudo + $ sudo adduser + $ sudo usermod -aG sudo -In case you prefer to setup U2F for a single user, and are locked out of your -user session, you would still be able to login with the ````, and -proceed with the maintenance. + In case you prefer to setup U2F for a single user, and are locked out of your + user session, you would still be able to login with the ````, and + proceed with the maintenance. -.. warning:: + .. warning:: - The following guide can potentially lock you out of your computer. - You should be aware of these risks, as it is recommended to first use - the instructions below on a secondary computer, or after a full - backup. + The following guide can potentially lock you out of your computer. 
+ You should be aware of these risks, as it is recommended to first use + the instructions below on a secondary computer, or after a full + backup. - You might lose access to your data after configuring `PAM - modules `__. + You might lose access to your data after configuring `PAM + modules `__. 2. **Set up the** ``rules`` **to recognize the Nitrokey FIDO2** -Under ``/etc/udev/rules.d`` download ``41-nitrokey.rules`` + Under ``/etc/udev/rules.d`` download ``41-nitrokey.rules`` -.. code-block:: bash + .. code-block:: bash - $ cd /etc/udev/rules.d/ - $ sudo wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules + $ cd /etc/udev/rules.d/ + $ sudo wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules -And restart ``udev`` service + And restart ``udev`` service -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl restart udev + $ sudo systemctl restart udev 3. **Install** ``libpam-u2f`` -On Ubuntu 20.04 it is possible to download directly ``libpam-u2f`` from the official repos + On Ubuntu 20.04 it is possible to download directly ``libpam-u2f`` from the official repos -.. code-block:: bash + .. code-block:: bash - $ sudo apt install libpam-u2f + $ sudo apt install libpam-u2f -.. note:: + .. note:: - Click for more options + Click for more options - - Alternatively you can build ``libpam-u2f`` from - `Git `__. + - Alternatively you can build ``libpam-u2f`` from + `Git `__. - - To verify that the library is properly installed enter the - following command: + - To verify that the library is properly installed enter the + following command: - .. code-block:: bash + .. code-block:: bash - $ file /lib/x86_64-linux-gnu/security/pam_u2f.so + $ file /lib/x86_64-linux-gnu/security/pam_u2f.so - The Output should be something like the following: + The Output should be something like the following: - .. code-block:: bash + .. 
code-block:: bash - /lib/x86_64-linux-gnu/security/pam_u2f.so: \ ELF 64-bit LSB shared object, x86-64, version 1 (SYSV),\ dynamically linked, BuildID[sha1]=1d55e1b11a97be2038c6a139579f6c0d91caedb1, stripped + /lib/x86_64-linux-gnu/security/pam_u2f.so: \ ELF 64-bit LSB shared object, x86-64, version 1 (SYSV),\ dynamically linked, BuildID[sha1]=1d55e1b11a97be2038c6a139579f6c0d91caedb1, stripped 4. **Prepare the Directory** -Create ``.config/Nitrokey/`` under your home directory + Create ``.config/Nitrokey/`` under your home directory -.. code-block:: bash + .. code-block:: bash - $ mkdir ~/.config/Nitrokey + $ mkdir ~/.config/Nitrokey -And plug your Nitrokey FIDO2. + And plug your Nitrokey FIDO2. -Once done with the preparation, we can start to configure the computer to use the Nitrokey FIDO2 for 2nd factor authentication at login and ``sudo``. + Once done with the preparation, we can start to configure the computer to use the Nitrokey FIDO2 for 2nd factor authentication at login and ``sudo``. 5. **Generate the U2F config file** -To generate the configuration file we will use the ``pamu2fcfg`` utility that comes with the ``libpam-u2f``. For convenience, we will directly write the output of the utility to the ``u2f_keys`` file under ``.config/Nitrokey``. First plug your Nitrokey FIDO2 (if you did not already), and enter the following command: + To generate the configuration file we will use the ``pamu2fcfg`` utility that comes with the ``libpam-u2f``. For convenience, we will directly write the output of the utility to the ``u2f_keys`` file under ``.config/Nitrokey``. First plug your Nitrokey FIDO2 (if you did not already), and enter the following command: -.. code-block:: bash + .. code-block:: bash - $ pamu2fcfg > ~/.config/Nitrokey/u2f_keys + $ pamu2fcfg > ~/.config/Nitrokey/u2f_keys -Once you run the command above, you will need to touch the key while it flashes. 
Once done, ``pamu2fcfg`` will append its output the ``u2f_keys`` in the following format: + Once you run the command above, you will need to touch the key while it flashes. Once done, ``pamu2fcfg`` will append its output the ``u2f_keys`` in the following format: -.. code-block:: bash + .. code-block:: bash - :Zx...mw,04...0a + :Zx...mw,04...0a -Note, the output will be much longer, but sensitive parts have been removed here. For better security, and once the config file generated, we will move the ``.config/Nitrokey`` directory under the ``etc/`` -directory with this command: + Note, the output will be much longer, but sensitive parts have been removed here. For better security, and once the config file generated, we will move the ``.config/Nitrokey`` directory under the ``etc/`` + directory with this command: -.. code-block:: bash + .. code-block:: bash - $ sudo mv ~/.config/Nitrokey /etc + $ sudo mv ~/.config/Nitrokey /etc -.. tip:: + .. tip:: - - The file under ``.config/Nitrokey`` must be named ``u2f_keys`` + - The file under ``.config/Nitrokey`` must be named ``u2f_keys`` - - It is recommended to first test the instructions with a single - user. For this purpose the previous command takes the ``-u`` - option, to specify a user, like in the example below: + - It is recommended to first test the instructions with a single + user. For this purpose the previous command takes the ``-u`` + option, to specify a user, like in the example below: - .. code-block:: bash + .. code-block:: bash - $ pamu2fcfg -u > ~/.config/Nitrokey/u2f_keys + $ pamu2fcfg -u > ~/.config/Nitrokey/u2f_keys - - For individual user configuration you should point to the home - directory in the next step, or not include the ``authfile`` option - in the PAM configuration. + - For individual user configuration you should point to the home + directory in the next step, or not include the ``authfile`` option + in the PAM configuration. 6. 
**Backup** -This step is optional, however it is advised to have a backup Nitrokey in the case of loss, theft or destruction of your Nitrokey FIDO. + This step is optional, however it is advised to have a backup Nitrokey in the case of loss, theft or destruction of your Nitrokey FIDO. -To set up a backup key, repeat the procedure above, and use ``pamu2fcfg -n``. This will omit the ```` field, and the output can be appended to the line with your ```` like this: + To set up a backup key, repeat the procedure above, and use ``pamu2fcfg -n``. This will omit the ```` field, and the output can be appended to the line with your ```` like this: -.. code-block:: bash + .. code-block:: bash - :Zx...mw,04...0a:xB...fw,04...3f + :Zx...mw,04...0a:xB...fw,04...3f 7. **Modify the Pluggable Authentication Module** ``PAM`` -The final step is configure the PAM module files under ``/etc/pam.d/``. In this guide we will modify the ``common-auth`` file as it handles the authentication settings which are common to all services, but other options are possible. You can modify the file with the following command: + The final step is configure the PAM module files under ``/etc/pam.d/``. In this guide we will modify the ``common-auth`` file as it handles the authentication settings which are common to all services, but other options are possible. You can modify the file with the following command: -.. code-block:: bash + .. code-block:: bash - $ cd /etc/pam.d - $ sudo $editor common-auth + $ cd /etc/pam.d + $ sudo $editor common-auth -And add the following lines: + And add the following lines: -.. code-block:: bash + .. code-block:: bash - #Nitrokey FIDO2 config - auth sufficient pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok + #Nitrokey FIDO2 config + auth sufficient pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok -.. tip:: + .. 
tip:: - - Since we are using Central Authentication Mapping, we need to tell - ``pam_u2f`` the location of the file to use with the ``authfile`` - option. + - Since we are using Central Authentication Mapping, we need to tell + ``pam_u2f`` the location of the file to use with the ``authfile`` + option. - - If you often forget to insert the key, ``prompt`` option make - ``pam_u2f`` print ``Insert your U2F device, then press ENTER.`` - and give you a chance to insert the Nitrokey. + - If you often forget to insert the key, ``prompt`` option make + ``pam_u2f`` print ``Insert your U2F device, then press ENTER.`` + and give you a chance to insert the Nitrokey. - - If you would like to be prompted to touch the Nitrokey, ``cue`` - option will make ``pam_u2f`` print ``Please touch the device.`` - message. + - If you would like to be prompted to touch the Nitrokey, ``cue`` + option will make ``pam_u2f`` print ``Please touch the device.`` + message. - - `nouserok` will ensure that you can still login using the username and - password, you might want to remove this at some point once the setup - is working and you don't want regular username & password based logins. + - `nouserok` will ensure that you can still login using the username and + password, you might want to remove this at some point once the setup + is working and you don't want regular username & password based logins. -Once we modified the ``common-auth``, we can save and exit the file. + Once we modified the ``common-auth``, we can save and exit the file. -You can test the configuration by typing ``sudo ls`` in the terminal. You should be prompted the message ``Please touch the device.`` and have a similar output on the terminal: + You can test the configuration by typing ``sudo ls`` in the terminal. You should be prompted the message ``Please touch the device.`` and have a similar output on the terminal: -.. code-block:: bash + .. 
code-block:: bash - nitrouser@nitrouser:~$ sudo ls - [sudo] password for nitrouser: Please touch the device. + nitrouser@nitrouser:~$ sudo ls + [sudo] password for nitrouser: Please touch the device. -You can also test your configuration by logging out of the user session and logging back. A similar screen should be displayed once you you unplug/replug yout Nitrokey FIDO2 and type your password: + You can also test your configuration by logging out of the user session and logging back. A similar screen should be displayed once you you unplug/replug yout Nitrokey FIDO2 and type your password: -.. figure:: /fido2/linux/images/u2f-fido-pam-2.png - :alt: img6 + .. figure:: /fido2/linux/images/u2f-fido-pam-2.png + :alt: img6 Usage ----- diff --git a/fido2/windows/passwordless-microsoft.rst b/fido2/windows/passwordless-microsoft.rst index 4341996958..61919f8be2 100644 --- a/fido2/windows/passwordless-microsoft.rst +++ b/fido2/windows/passwordless-microsoft.rst @@ -10,22 +10,22 @@ Sample Login to Microsoft With The Nitrokey FIDO2 1. Click on “Sign in with security key”. -.. figure:: ./images/passwordless-microsoft/1.png - :alt: img0 + .. figure:: ./images/passwordless-microsoft/1.png + :alt: img0 2. Enter your PIN for the Nitrokey FIDO2. -.. figure:: ./images/passwordless-microsoft/2.png - :alt: img1 + .. figure:: ./images/passwordless-microsoft/2.png + :alt: img1 3. Touch your Nitrokey FIDO2 at the indicated spot. -.. figure:: ./images/passwordless-microsoft/3.png - :alt: img2 + .. figure:: ./images/passwordless-microsoft/3.png + :alt: img2 
@@ -43,65 +43,65 @@ Here we offer you a guide on how to set up passwordless authentication for your 3. Select “Security”. -.. figure:: ./images/passwordless-microsoft/4.png - :alt: img3 + .. figure:: ./images/passwordless-microsoft/4.png + :alt: img3 4. Select “More security options” -.. figure:: ./images/passwordless-microsoft/5.png - :alt: img4 + .. figure:: ./images/passwordless-microsoft/5.png + :alt: img4 5. Select “Set up a security key”. -.. figure:: ./images/passwordless-microsoft/6.png - :alt: img5 + .. figure:: ./images/passwordless-microsoft/6.png + :alt: img5 6. Confirm with “Next” under “USB device”. -.. figure:: ./images/passwordless-microsoft/7.png - :alt: img6 + .. figure:: ./images/passwordless-microsoft/7.png + :alt: img6 7. Enter a PIN that you want to use for your Nitrokey FIDO2 and then select “Next”. -.. figure:: ./images/passwordless-microsoft/8.png - :alt: img7 + .. figure:: ./images/passwordless-microsoft/8.png + :alt: img7 8. Now tap on the marked position of the Nitrokey FIDO2. -.. figure:: ./images/passwordless-microsoft/9.png - :alt: img8 + .. figure:: ./images/passwordless-microsoft/9.png + :alt: img8 9. Confirm with “Allow”. -.. figure:: ./images/passwordless-microsoft/10.png - :alt: img9 + .. figure:: ./images/passwordless-microsoft/10.png + :alt: img9 10. Name your Nitrokey FIDO2 and then select “Next”. -.. figure:: ./images/passwordless-microsoft/11.png - :alt: img10 + .. figure:: ./images/passwordless-microsoft/11.png + :alt: img10 11. Now you have successfully set up password-free authentication for your Microsoft account! Confirm with “Got it”. -.. figure:: ./images/passwordless-microsoft/12.png - :alt: img11 + .. figure:: ./images/passwordless-microsoft/12.png + :alt: img11 diff --git a/nextbox/clients/android.rst b/nextbox/clients/android.rst index 099ac4a2bb..9ee034e0f1 100644 --- a/nextbox/clients/android.rst +++ b/nextbox/clients/android.rst 
@@ -7,31 +7,31 @@ Connect the NextBox with your smartphone 1. Download the Nextcloud app from the app store or play store. -.. figure:: /nextbox/images/gettingstarted/sp_1.jpg - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/gettingstarted/sp_1.jpg + :alt: imgsp1 + :scale: 30 % 2. Cick on "Sign in". -.. figure:: /nextbox/images/gettingstarted/sp_2.jpg - :alt: imgsp2 - :scale: 30 % + .. figure:: /nextbox/images/gettingstarted/sp_2.jpg + :alt: imgsp2 + :scale: 30 % 3. Enter your domain. -.. figure:: /nextbox/images/gettingstarted/sp_3.jpg - :alt: imgsp3 - :scale: 30 % + .. figure:: /nextbox/images/gettingstarted/sp_3.jpg + :alt: imgsp3 + :scale: 30 % 4. Enter your username and password and click "Log in". -.. figure:: /nextbox/images/gettingstarted/sp_4.jpg - :alt: imgsp4 - :scale: 30 % + .. figure:: /nextbox/images/gettingstarted/sp_4.jpg + :alt: imgsp4 + :scale: 30 % 5. Now you have access to your NextBox with your smartphone! -.. figure:: /nextbox/images/gettingstarted/sp_5.jpg - :alt: imgsp5 - :scale: 30 % + .. figure:: /nextbox/images/gettingstarted/sp_5.jpg + :alt: imgsp5 + :scale: 30 % diff --git a/nextbox/clients/linux.rst b/nextbox/clients/linux.rst index 6878fdb0ae..de28f443ad 100644 --- a/nextbox/clients/linux.rst +++ b/nextbox/clients/linux.rst @@ -8,8 +8,8 @@ Connect using the Nextcloud App 1. Download the client application from: https://nextcloud.com/install/ -.. hint:: Most distributions do provide the Nextcloud client via their - package managers. (e.g., Ubuntu, Arch Linux, Mint, ...) + .. hint:: Most distributions do provide the Nextcloud client via their + package managers. (e.g., Ubuntu, Arch Linux, Mint, ...) 2. After starting the ``nextcloud`` application, you will find it as a tray icon. @@ -30,8 +30,8 @@ Connect using WebDAV * To mount use: -.. code-block:: bash + .. code-block:: bash - mount -t davfs https://my.domain.tld/remote.php/webdav/ /mnt/target/path + mount -t davfs https://my.domain.tld/remote.php/webdav/ /mnt/target/path 
diff --git a/nextbox/clients/macosx.rst b/nextbox/clients/macosx.rst index a1cf5bfa47..1c978db335 100644 --- a/nextbox/clients/macosx.rst +++ b/nextbox/clients/macosx.rst @@ -9,39 +9,39 @@ Connect using the Nextcloud App 1. Download the Nextcloud client application: https://nextcloud.com/install/ -.. figure:: /nextbox/images/mac_app/nextc-download.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_app/nextc-download.png + :alt: imgsp1 + :scale: 30 % 2. After installation, click "Log in to your Nextcloud". Afterwards please provide your Nextcloud's domain. -.. figure:: /nextbox/images/mac_app/nextc-connect.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_app/nextc-connect.png + :alt: imgsp1 + :scale: 30 % 3. Provide your username and password and click "Log in". -.. figure:: /nextbox/images/mac_app/nextc-login.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_app/nextc-login.png + :alt: imgsp1 + :scale: 30 % -* Inside the menu bar there will be a Nextcloud icon to open the Nextcloud application settings. + Inside the menu bar there will be a Nextcloud icon to open the Nextcloud application settings. -.. figure:: /nextbox/images/mac_app/nextc-menu-bar-icon.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_app/nextc-menu-bar-icon.png + :alt: imgsp1 + :scale: 30 % -* Inside *Finder* below "favorites" you will find a "Nextcloud" directory with the user's files. + Inside *Finder* below "favorites" you will find a "Nextcloud" directory with the user's files. -.. figure:: /nextbox/images/mac_app/nextc-finder.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_app/nextc-finder.png + :alt: imgsp1 + :scale: 30 % Connect using WebDAV 
@@ -49,26 +49,26 @@ Connect using WebDAV 1. Inside *Finder*, open *Go* and choose *Connect to Server* -.. figure:: /nextbox/images/mac_webdav/1.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_webdav/1.png + :alt: imgsp1 + :scale: 30 % 2. Provide the WebDAV URL `https://yourdomain.xyz/remote.php/webdav` -.. figure:: /nextbox/images/mac_webdav/2.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_webdav/2.png + :alt: imgsp1 + :scale: 30 % 3. In the next step, provide the username and password to login to your Nextcloud instance. -.. figure:: /nextbox/images/mac_webdav/3.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_webdav/3.png + :alt: imgsp1 + :scale: 30 % 4. Once finished you can find your Nextcloud files in *Locations*. -.. figure:: /nextbox/images/mac_webdav/4.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_webdav/4.png + :alt: imgsp1 + :scale: 30 % diff --git a/nextbox/clients/windows.rst b/nextbox/clients/windows.rst index eea24c0efd..8422d054e5 100644 --- a/nextbox/clients/windows.rst +++ b/nextbox/clients/windows.rst 
@@ -9,39 +9,39 @@ Connect using the Nextcloud App 1. Download the Nextcloud client application: https://nextcloud.com/install/ -.. figure:: /nextbox/images/win_app/1.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/win_app/1.png + :alt: imgsp1 + :scale: 30 % 2. After installation, click "Log in to your Nextcloud". Afterwards please provide your Nextcloud's domain. -.. figure:: /nextbox/images/win_app/2.png - :alt: imgsp1 - :scale: 50 % + .. figure:: /nextbox/images/win_app/2.png + :alt: imgsp1 + :scale: 50 % 3. Provide your username and password and click "Log in". -.. figure:: /nextbox/images/win_app/nextc-login.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/win_app/nextc-login.png + :alt: imgsp1 + :scale: 30 % -* Inside the tray there will be a Nextcloud icon to open the Nextcloud application settings. + Inside the tray there will be a Nextcloud icon to open the Nextcloud application settings. -.. figure:: /nextbox/images/win_app/4.png - :alt: imgsp1 - :scale: 50 % + .. figure:: /nextbox/images/win_app/4.png + :alt: imgsp1 + :scale: 50 % -* Inside the file-explorer you can now find your Nextcloud instance files. + Inside the file-explorer you can now find your Nextcloud instance files. -.. figure:: /nextbox/images/win_app/5.png - :alt: imgsp1 - :scale: 50 % + .. figure:: /nextbox/images/win_app/5.png + :alt: imgsp1 + :scale: 50 % Connect using WebDAV @@ -56,9 +56,9 @@ Connect using WebDAV 1. Add a WebDAV drive using the file explorer's "Add a network location" icon. (You can also use "Map network drive" to bind your Nextcloud to a drive, like *Z:*). -.. figure:: /nextbox/images/win_webdav/6.png - :alt: imgsp1 - :scale: 50 % + .. figure:: /nextbox/images/win_webdav/6.png + :alt: imgsp1 + :scale: 50 % 2. In the following dialog please enter the full WebDAV address of your NextBox: ``https://my.domain.tld/remote.php/dav/files/USERNAME``. Replace *my.domain.tld* with 
@@ -67,9 +67,9 @@ Connect using WebDAV 3. In the following window insert your full Nextcloud credentials, means your username and password you use to login into your Nextcloud. -.. figure:: /nextbox/images/win_webdav/8.png - :alt: imgsp1 - :scale: 50 % + .. figure:: /nextbox/images/win_webdav/8.png + :alt: imgsp1 + :scale: 50 % Now your files from your Nextcloud instance are accessible via the file-explorer. diff --git a/nextbox/gettingstarted.rst b/nextbox/gettingstarted.rst index f4a2d7f999..03deb781d4 100644 --- a/nextbox/gettingstarted.rst +++ b/nextbox/gettingstarted.rst @@ -15,12 +15,12 @@ Quickstart green (see :doc:`LEDs `). -.. Warning:: + .. Warning:: - External storage drives without an external power supply must NOT be - connected to the USB sockets. Otherwise, this can lead to data loss on the - internal hard disk. **Always use external storage drives with a separate - power supply together with the NextBox.** + External storage drives without an external power supply must NOT be + connected to the USB sockets. Otherwise, this can lead to data loss on the + internal hard disk. **Always use external storage drives with a separate + power supply together with the NextBox.** Create Admin Account -------------------- @@ -28,17 +28,17 @@ Create Admin Account 1. Enter your desired username and password. Remember to choose a strong password for your admin account. -.. figure:: /nextbox/images/gettingstarted/1.png - :alt: img1 + .. figure:: /nextbox/images/gettingstarted/1.png + :alt: img1 -.. .. Note:: + .. note:: - An occurring warning can be ignored since you are on your local network. + An occurring warning can be ignored since you are on your local network. 2. Press "Finish Setup". This process may take a few minutes. -.. figure:: /nextbox/images/gettingstarted/2.png - :alt: img2 + .. figure:: /nextbox/images/gettingstarted/2.png + :alt: img2 Configure NextBox Related Features ---------------------------------- 
@@ -63,10 +63,8 @@ continue on: private cloud from the internet. Our :doc:`guide ` covers various approaches. -.. hint:: We prepared a *one-click* remote access method, allowing you - to set up basic remote access in seconds. - - + .. hint:: We prepared a *one-click* remote access method, allowing you + to set up basic remote access in seconds. * **Connect your devices to your NextBox.** For smartphones the official `Android App`_ and `iOS App`_ are both great additions for your personal diff --git a/nextbox/hardware-overview.rst b/nextbox/hardware-overview.rst index 4431aa75f5..dc613c51e9 100644 --- a/nextbox/hardware-overview.rst +++ b/nextbox/hardware-overview.rst @@ -31,21 +31,21 @@ the different connectors and interfaces is given. 1. Hardware button for :doc:`Factory-Reset` 2. :doc:`Status LED` -.. figure:: /nextbox/images/hardware-overview/back-side.jpg - :alt: back view - :align: center + .. figure:: /nextbox/images/hardware-overview/back-side.jpg + :alt: back view + :align: center 3. **USB Type-C / Power Supply** connector is designated as a replacement for the stock connector on the front side and is exclusively for supplying power to the NextBox and cannot transfer data. -.. hint:: The right side of the NextBox is designed so that all mandatory - interfaces can be accessed from this side. + .. hint:: The right side of the NextBox is designed so that all mandatory + interfaces can be accessed from this side. -.. figure:: /nextbox/images/hardware-overview/right-side.jpg - :alt: right view - :align: center + .. figure:: /nextbox/images/hardware-overview/right-side.jpg + :alt: right view + :align: center 4. The **RJ45 - 1GbE Ethernet** connector connects your NextBox with your home network and shall stay connected at all times. 
@@ -53,18 +53,18 @@ the different connectors and interfaces is given. 6. **Reserved USB 3 - Type A Slot**, used for the internal hard-disk. *Never remove this connector!* 7. **2x Free USB 2 - Type A Slots**, please see :ref:`Hardware FAQ` -.. hint:: Using a hard-drive with an external power supply you can use any of - the available USB slots. Keep in mind that the data transfer bandwidth for - the USB 2 slots is less compared to the USB 3 slot. + .. hint:: Using a hard-drive with an external power supply you can use any of + the available USB slots. Keep in mind that the data transfer bandwidth for + the USB 2 slots is less compared to the USB 3 slot. 8. **USB Type-C / Power Supply** (stock) connector, can be used as **[3]** 9. **Micro HDMI 1 slot**, usable but not needed. 10. **Micro HDMI 2 slot**, usable but not needed. 11. **Headphone Jack**, usable but not needed. -.. figure:: /nextbox/images/hardware-overview/front-side.jpg - :alt: front view - :align: center + .. figure:: /nextbox/images/hardware-overview/front-side.jpg + :alt: front view + :align: center .. hint:: The front interfaces are all optional and not necessary for NextBox usage in general. While the **USB Type-C/Power Supply** may be used, the diff --git a/nextbox/technical/replace-drive.rst b/nextbox/technical/replace-drive.rst index eba00e650c..06b9db1db9 100644 --- a/nextbox/technical/replace-drive.rst +++ b/nextbox/technical/replace-drive.rst 
@@ -43,20 +43,20 @@ Prepare New Hard-Disk 6. Determine your hard-disk's device name (e.g., ``/dev/sdb``) and make sure none of its partitions are mounted -.. warning:: - **Again: think at least twice about the following step. Make sure you are referring to the - correct hard-drive device (and NOT a partition, means** ``/dev/sdb1`` **is wrong).** The script will - decline to do the operation on ``/dev/sda`` as there are good chances this might be your - system hard-disk, if you really need this you can comment out lines 23-26 inside the script. + .. warning:: + **Again: think at least twice about the following step. Make sure you are referring to the + correct hard-drive device (and NOT a partition, means** ``/dev/sdb1`` **is wrong).** The script will + decline to do the operation on ``/dev/sda`` as there are good chances this might be your + system hard-disk, if you really need this you can comment out lines 23-26 inside the script. 7. Run the script using the device name you have determined. Once prompted for your sudo-password please provide it to allow r/w access to the hard-drive: -.. code:: + .. code:: - $ ./simple_prepare_harddrive.sh - - # example: ./simple_prepare_harddrive.sh /dev/sdb + $ ./simple_prepare_harddrive.sh + + # example: ./simple_prepare_harddrive.sh /dev/sdb 8. Watch the script's output for any errors, there should be none 
@@ -79,25 +79,25 @@ Replacement Guide 6. Unfold the USB-to-SATA cable and put the NextBox bridge upside down onto a electronics friendly surface like a desk as shown in the following image -.. figure:: /nextbox/images/technical/nextbox_bridge_backside.jpeg - :alt: nextbox-backside - :align: center + .. figure:: /nextbox/images/technical/nextbox_bridge_backside.jpeg + :alt: nextbox-backside + :align: center 7. Unscrew the Phillips screws holding the hard-disk in position (the amount of screws may differ, depending on your hard-disk type) shown in the following image: -.. figure:: /nextbox/images/technical/nextbox_bridge_backside_screws.jpeg - :alt: nextbox-backside-screws - :align: center + .. figure:: /nextbox/images/technical/nextbox_bridge_backside_screws.jpeg + :alt: nextbox-backside-screws + :align: center 8. Once the screws are removed, push the hard-disk carefully towards the direction shown in the image above. Do not push it towards the other direction, you might damage the USB cable. 9. Remove the USB-to-SATA cable from the hard-drive -.. warning:: - Avoid disconnecting the male-female USB connector to not change the position and bending - of the cable. If you have to: be careful to keep the force as small as possible onto the - 90° part of the USB extension cable. + .. warning:: + Avoid disconnecting the male-female USB connector to not change the position and bending + of the cable. If you have to: be careful to keep the force as small as possible onto the + 90° part of the USB extension cable. 10. Connect your previously prepared new hard-drive 11. Carefully slide your new hard-drive into the bridge and fix it into the right position diff --git a/nitropad/qubes/network-settings.rst b/nitropad/qubes/network-settings.rst index ab220ed7d6..2090d06cc8 100644 --- a/nitropad/qubes/network-settings.rst +++ b/nitropad/qubes/network-settings.rst 
@@ -6,16 +6,16 @@ To be able to use Wifi, Bluetooth and other functionalities, "Settings" must be 1. Click on the top left Qubes Icon and select Qubes:Settings under sys-net. -.. figure:: ../images/network-settings/settings_0.png - :alt: img1 + .. figure:: ../images/network-settings/settings_0.png + :alt: img1 2. Go to Applications, select "Settings" and click ">" to move it to the right side. 3. Click "Apply" and after wards "Ok". 4. Now you should have "Settings" visible under sys-net. -.. Note:: + .. Note:: - If it won't open Settings after clicking on it, please follow the instructions below. + If it won't open Settings after clicking on it, please follow the instructions below. Fix sys-net Settings ~~~~~~~~~~~~~~~~~~~~ @@ -23,13 +23,13 @@ Fix sys-net Settings 1. Go to the sys-net Terminal. 2. Open the bashrc-file with ``sudo vim ~/.bashrc``. -.. figure:: ../images/network-settings/settings_1.png - :alt: img2 + .. figure:: ../images/network-settings/settings_1.png + :alt: img2 3. Press "i" to enable the editing and add ``export XDG_CURRENT_DESKTOP=GNOME`` to the file. -.. figure:: ../images/network-settings/settings_2.png - :alt: img3 + .. figure:: ../images/network-settings/settings_2.png + :alt: img3 4. Save the changes with ``:wq``. 5. Restart your NitroPad. diff --git a/nitropad/qubes/nitrokey-app.rst b/nitropad/qubes/nitrokey-app.rst index d68d6ec7b8..d5f72e90c1 100644 --- a/nitropad/qubes/nitrokey-app.rst +++ b/nitropad/qubes/nitrokey-app.rst 
@@ -8,18 +8,18 @@ Nitrokey App Installation 1. Set in the "Qubes Settings" of sys-usb "Networking" to default and "Apply" the changes. -.. figure:: /images/qubes/install-nitrokey-app-images/Settings-sys-usb.png - :alt: img1 + .. figure:: /images/qubes/install-nitrokey-app-images/Settings-sys-usb.png + :alt: img1 2. Set in the "Qubes Settings" of fedora template "Networking" to default and "Apply" the changes. -.. figure:: /images/qubes/install-nitrokey-app-images/Settings-fedora.png - :alt: img2 + .. figure:: /images/qubes/install-nitrokey-app-images/Settings-fedora.png + :alt: img2 3. Open the terminal of the fedora template and run ``sudo dnf install nitrokey-app``. -.. figure:: /images/qubes/install-nitrokey-app-images/fedora-terminal.png - :alt: img3 + .. figure:: /images/qubes/install-nitrokey-app-images/fedora-terminal.png + :alt: img3 4. Shut down the template. @@ -27,15 +27,15 @@ Nitrokey App Installation 6. Go to "Application" of sys-usb and select the Nitrokey App. -.. figure:: /images/qubes/install-nitrokey-app-images/Settings-sys-usb_2.png - :alt: img5 + .. figure:: /images/qubes/install-nitrokey-app-images/Settings-sys-usb_2.png + :alt: img5 7. Click the arrow pointing to the right side to move it to the shortcuts and "Apply" the changes. -.. figure:: /images/qubes/install-nitrokey-app-images/Settings-sys-usb_3.png - :alt: img6 + .. figure:: /images/qubes/install-nitrokey-app-images/Settings-sys-usb_3.png + :alt: img6 8. Now you can access the Nitrokey App by clicking on sys-usb. -.. figure:: /images/qubes/install-nitrokey-app-images/sys-usb-nitrokey-app.png - :alt: img7 + .. figure:: /images/qubes/install-nitrokey-app-images/sys-usb-nitrokey-app.png + :alt: img7 diff --git a/nitropad/qubes/user-password-reset.rst b/nitropad/qubes/user-password-reset.rst index cab8eb6c1a..2345b51e26 100644 --- a/nitropad/qubes/user-password-reset.rst +++ b/nitropad/qubes/user-password-reset.rst 
@@ -3,20 +3,20 @@ User Password Reset 1. Follow the next five steps to boot from the installation media -.. figure:: ./images/user-password-reset/step-one.jpg - :alt: Step 1 + .. figure:: ./images/user-password-reset/step-one.jpg + :alt: Step 1 -.. figure:: ./images/user-password-reset/step-two.jpg - :alt: Step 2 + .. figure:: ./images/user-password-reset/step-two.jpg + :alt: Step 2 -.. figure:: ./images/user-password-reset/step-three.jpg - :alt: Step 3 + .. figure:: ./images/user-password-reset/step-three.jpg + :alt: Step 3 -.. figure:: ./images/user-password-reset/step-four.jpg - :alt: Step 4 + .. figure:: ./images/user-password-reset/step-four.jpg + :alt: Step 4 -.. figure:: ./images/user-password-reset/step-five.jpg - :alt: Step 5 + .. figure:: ./images/user-password-reset/step-five.jpg + :alt: Step 5 2. In the rescue shell, type: `cryptsetup open /dev/sda3 qubes` to unlock the encrypted root drive @@ -24,7 +24,7 @@ User Password Reset 4. Change root to it `chroot /mnt` -5) Change the password `passwd user` (where "user" is your Qubes login) -6) Type in a new password and confirm -7) Type `exit` to exit the chroot -8) Type `reboot` and then boot as usal without the installation medium +5. Change the password `passwd user` (where "user" is your Qubes login) +6. Type in a new password and confirm +7. Type `exit` to exit the chroot +8. Type `reboot` and then boot as usal without the installation medium diff --git a/nitropad/ubuntu/change-disk-encryption-passphrase.rst b/nitropad/ubuntu/change-disk-encryption-passphrase.rst index 16729c2eb0..72aad162d0 100644 --- a/nitropad/ubuntu/change-disk-encryption-passphrase.rst +++ b/nitropad/ubuntu/change-disk-encryption-passphrase.rst 
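Review bot: in the nitropad/qubes/user-password-reset.rst hunk, step 2 hard-codes `cryptsetup open /dev/sda3 qubes`; on NVMe NitroPads the LUKS partition is `/dev/nvme0n1p3` or similar, so tell the reader to locate the `crypto_LUKS` partition with `lsblk -f` first. The renumbering of steps 5 to 8 from `5)` to `5.` is correct, but step 8 still reads "as usal" (should be "as usual"). It would also help to state what this procedure implies: anyone holding the disk passphrase and boot media can reset the login password, so the login password is not a security boundary on its own.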
@@ -6,32 +6,32 @@ Change Disk Encryption Passphrase bar. Then select the “Disks” program that appears in the middle of the screen. -.. figure:: ../images/change-disk-encryption-passphrase/1.png - :alt: img1 + .. figure:: ../images/change-disk-encryption-passphrase/1.png + :alt: img1 2. Select the field that says “Luks”. Afterwards it should have an orange background. -.. figure:: ../images/change-disk-encryption-passphrase/2.png - :alt: img2 + .. figure:: ../images/change-disk-encryption-passphrase/2.png + :alt: img2 3. Left click on the gears and select “Change Passphrase” from the context menu. -.. figure:: ../images/change-disk-encryption-passphrase/3.png - :alt: img3 + .. figure:: ../images/change-disk-encryption-passphrase/3.png + :alt: img3 4. Enter “PleaseChangeMe” as the current passphrase and select a secure new one. -.. figure:: ../images/change-disk-encryption-passphrase/4.png - :alt: img4 + .. figure:: ../images/change-disk-encryption-passphrase/4.png + :alt: img4 diff --git a/nitrowall/index.rst b/nitrowall/index.rst index 233d5ebeec..80124d9f4d 100644 --- a/nitrowall/index.rst +++ b/nitrowall/index.rst @@ -8,8 +8,8 @@ Getting Started 1. Connect the NitroWalls LAN1 port by a patch cable with the Ethernet port of your laptop or PC -.. important:: - Note that the standard configuration of OPNsense uses LAN2 as the WAN port and LAN1,3,4 as LAN ports. By default LAN3 and LAN4 are disabled. So you have to enable them (i.e. via bridging). + .. important:: + Note that the standard configuration of OPNsense uses LAN2 as the WAN port and LAN1,3,4 as LAN ports. By default LAN3 and LAN4 are disabled. So you have to enable them (i.e. via bridging). 2. Connect the NitroWall with power supply 3. Turn on the NitroWall by I/O switch on the front side 
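Review bot: in the nitropad/ubuntu/change-disk-encryption-passphrase.rst hunk, step 4 gives the factory passphrase "PleaseChangeMe" but says nothing about when to do this or how to check it worked; add that the default is public and must be changed before any data is stored, and a verification step such as `sudo cryptsetup open --test-passphrase /dev/<luks-partition>` entering "PleaseChangeMe", which must now fail, plus `sudo cryptsetup luksDump /dev/<luks-partition>` to confirm that only one key slot remains enabled. The figure re-indentation under the numbered steps is fine.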
@@ -20,33 +20,31 @@ Getting Started 5. Confirm browser security warning 6. After logging in you are at the admin dashboard of the NitroWall -- Login: root -- Password: opnsense + - Login: root + - Password: opnsense 7. Start the system wizard via the menu of the left-hand side: system → system wizard → setup. The wizard is going through the configuration with you step-by-step. + .. figure:: ./images/nitrowall_back.jpg + :alt: NitroWall backside + NitroWall back side -.. figure:: ./images/nitrowall_back.jpg - :alt: NitroWall backside + .. figure:: ./images/nitrowall_front.jpg + :alt: NitroWall frontside - NitroWall back side + NitroWall front side -.. figure:: ./images/nitrowall_front.jpg - :alt: NitroWall frontside - NitroWall front side + .. figure:: ./images/dashboard.png + :alt: dashboard + NitroWall dashboard -.. figure:: ./images/dashboard.png - :alt: dashboard + .. figure:: ./images/reload.png + :alt: reload - NitroWall dashboard - -.. figure:: ./images/reload.png - :alt: reload - - Reload the NitroWall + Reload the NitroWall 8. After configuring your NitroWall reload it to make the changes persistent. As soon as the process terminates, you are back again at the dashboard. 9. After the installation is complete, install the necessary updates. To do this, go to System → Firmware → Updates. diff --git a/start/factory-reset.rst b/start/factory-reset.rst index a40d0708c9..f4b7722715 100644 --- a/start/factory-reset.rst +++ b/start/factory-reset.rst 
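Review bot: in the nitrowall/index.rst hunk, the re-indented back-side and dashboard figures appear to have lost the blank line between the `:alt:` option and the caption text (`+ :alt: NitroWall backside + NitroWall back side`), which docutils needs to separate the option block from the caption; check the built page, since the flattened view may hide the blank line. Step 6 now lists the default `root` / `opnsense` credentials, so step 7 should say explicitly that the wizard's root-password step must not be skipped. In the earlier `.. important::` hunk, "i.e. via bridging" should be "e.g. via bridging".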
@@ -14,27 +14,25 @@ Usage To change the identity it suffices to send a custom CCID command. This could be achieved with ``pynitrokey`` tool: -1. `Install - pynitrokey `__. +1. `Install pynitrokey `__. 2. Connect your Nitrokey Start and verify that it got recognized. -.. code-block:: bash + .. code-block:: bash - $ nitropy start list - *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start - :: 'Nitrokey Start' keys: - FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.10) + $ nitropy start list + *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start + :: 'Nitrokey Start' keys: + FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.10) -3. Change the identity, by replacing ```` with ``0``, ``1``, or - ``2``. +3. Change the identity, by replacing ```` with ``0``, ``1``, or ``2``. -.. code-block:: bash + .. code-block:: bash - $ nitropy start set-identity - *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start - Trying to set identity to 4 - device has reset, and should now have the new identity + $ nitropy start set-identity + *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start + Trying to set identity to 4 + device has reset, and should now have the new identity Reset ----- diff --git a/start/linux/firmware-update.rst b/start/linux/firmware-update.rst index 8d95b8fde9..441e59789d 100644 --- a/start/linux/firmware-update.rst +++ b/start/linux/firmware-update.rst 
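Review bot: in the start/factory-reset.rst hunk, the sample output under step 3 reads "Trying to set identity to 4" while step 3 itself allows only `0`, `1` or `2`; replace the example run with one of the valid values so the transcript matches the instruction. The joined link line in step 1 and the re-indented code blocks are fine.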
@@ -16,82 +16,82 @@ To update the firmware of your Nitrokey Start, proceed as follows. 1. Install pip3. -.. code-block:: bash + .. code-block:: bash - $ sudo apt install python3-pip + $ sudo apt install python3-pip 2. Install pynitrokey. For this you need an Internet connection. -.. code-block:: bash + .. code-block:: bash - $ pip3 install --user pynitrokey + $ pip3 install --user pynitrokey 3. Connect your Nitrokey Start and verify its recognition. -.. code-block:: bash + .. code-block:: bash - $ nitropy start list - *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start - :: 'Nitrokey Start' keys: - FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.8) + $ nitropy start list + *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start + :: 'Nitrokey Start' keys: + FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.8) 4. Start the update process. For this you need an Internet connection. -.. code-block:: bash + .. code-block:: bash - $ nitropy start update + $ nitropy start update 5. You will then be asked to enter the Admin PIN of your Nitrokey Start. (Default PIN: 12345678) -.. code-block:: bash + .. code-block:: bash - *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start - Nitrokey Start firmware update tool - Platform: Linux-5.3.0-59-generic-x86_64-with-Ubuntu-18 04-bionic - System: Linux, is_linux: True - Python: 3.6.9 - Saving run log to: /tmp/nitropy.log.d4erqux4 - Admin password: "your admin PIN" + *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start + Nitrokey Start firmware update tool + Platform: Linux-5.3.0-59-generic-x86_64-with-Ubuntu-18 04-bionic + System: Linux, is_linux: True + Python: 3.6.9 + Saving run log to: /tmp/nitropy.log.d4erqux4 + Admin password: "your admin PIN" 6. Under “Device” you will find information about the current version of your Nitrokey Start. In the first item under “Please note” you can see the latest firmware version available. Now you have to confirm the update with “yes”. -.. code-block:: bash + .. 
code-block:: bash - Firmware data to be used: + Firmware data to be used: - - FirmwareType.REGNUAL: 4504, hash: ...b'65ac82a1' valid (from ...built/RTM.10/regnual.bin) + - FirmwareType.REGNUAL: 4504, hash: ...b'65ac82a1' valid (from ...built/RTM.10/regnual.bin) - - FirmwareType.GNUK: 131072, hash: ...b'f85da8f7' valid (from ...prebuilt/RTM.10/gnuk.bin) - Currently connected device strings: - Device: - Vendor: Nitrokey - Product: Nitrokey Start - Serial: FSIJ-1.2.15-43100927 - Revision: RTM.9 - Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes - Sys: 3.0 - Please note: + - FirmwareType.GNUK: 131072, hash: ...b'f85da8f7' valid (from ...prebuilt/RTM.10/gnuk.bin) + Currently connected device strings: + Device: + Vendor: Nitrokey + Product: Nitrokey Start + Serial: FSIJ-1.2.15-43100927 + Revision: RTM.9 + Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes + Sys: 3.0 + Please note: - - Latest firmware available is: RTM.10 (published: 2020-06-04T12:34:14Z), - provided firmware: None + - Latest firmware available is: RTM.10 (published: 2020-06-04T12:34:14Z), + provided firmware: None - - All data will be removed from the device + - All data will be removed from the device - - Do not interrupt the update process, or the device will not run properly + - Do not interrupt the update process, or the device will not run properly - - Whole process should not take more than 1 minute - Do you want to continue? [yes/no]: yes + - Whole process should not take more than 1 minute + Do you want to continue? [yes/no]: yes 7. You can check the firmware version after the upgrade process has completed. -.. code-block:: bash + .. 
code-block:: bash - $ nitropy start list - *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start - :: 'Nitrokey Start' keys: - FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.10) + $ nitropy start list + *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start + :: 'Nitrokey Start' keys: + FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.10) diff --git a/start/linux/index.rst b/start/linux/index.rst index 61430848a1..f508f68026 100644 --- a/start/linux/index.rst +++ b/start/linux/index.rst @@ -16,11 +16,11 @@ Nitrokey Start, Linux 3. Use GnuPG to `generate new keys or import existing ones `_. -.. note:: - It is indeed necessary to first import or create new keys and - change the PINs afterwards. Otherwise changing User PIN will fail! - Furthermore overriding keys results in PIN reset (default values), - please keep this in mind! + .. note:: + It is indeed necessary to first import or create new keys and + change the PINs afterwards. Otherwise changing User PIN will fail! + Furthermore overriding keys results in PIN reset (default values), + please keep this in mind! 4. Change the Admin PIN (default: ``12345678``) and then the User PIN (default: ``123456``) to your own choices. diff --git a/start/mac/index.rst b/start/mac/index.rst index 7216177e2d..383a352e55 100644 --- a/start/mac/index.rst +++ b/start/mac/index.rst 
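Review bot: in the start/linux/firmware-update.rst hunk, step 2's `pip3 install --user pynitrokey` places `nitropy` in `~/.local/bin`, which step 3 silently assumes is on `PATH`; add a sentence saying so or the `nitropy start list` call fails with "command not found". The step 6 transcript warns "All data will be removed from the device", yet the procedure has no backup step before step 4 starts the update; add one telling the reader to confirm the OpenPGP keys on the Start are backed up or can be regenerated.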
@@ -17,11 +17,11 @@ Nitrokey Start, Mac 3. Use GnuPG to `generate new keys or import existing ones `_. -.. note:: - It is indeed necessary to first import or create new keys and - change the PINs afterwards. Otherwise changing User PIN will fail! - Furthermore overriding keys results in PIN reset (default values), - please keep this in mind! + .. note:: + It is indeed necessary to first import or create new keys and + change the PINs afterwards. Otherwise changing User PIN will fail! + Furthermore overriding keys results in PIN reset (default values), + please keep this in mind! 4. Change the Admin PIN (default: ``12345678``) and then the User PIN (default: ``123456``) to your own choices. diff --git a/start/windows/index.rst b/start/windows/index.rst index f58c33e2ff..9333e86a0d 100644 --- a/start/windows/index.rst +++ b/start/windows/index.rst @@ -15,13 +15,13 @@ Nitrokey Start, Windows that the USB smart card device driver gets installed almost automatically. -.. note:: - Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning. + .. note:: + Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning. 3. Use GnuPG to `generate new keys or import existing ones `_. -.. note:: - It is indeed necessary to first import or create new keys and change the PINs afterwards. Otherwise changing User PIN will fail! Furthermore overriding keys results in PIN reset (default values), please keep this in mind! + .. note:: + It is indeed necessary to first import or create new keys and change the PINs afterwards. Otherwise changing User PIN will fail! Furthermore overriding keys results in PIN reset (default values), please keep this in mind! 4. Change the Admin PIN (default: ``12345678``) and then the User PIN (default: ``123456``) to your own choices. diff --git a/storage/hidden.rst b/storage/hidden.rst index b9a9d79372..69a28c0604 100644 --- a/storage/hidden.rst 
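Review bot: in the start/windows/index.rst hunk, "Its safe to ignore this warning" should be "It's safe to ignore this warning". The PIN-ordering note (create or import keys first, change PINs afterwards, key overwrite resets the PINs) is now carried verbatim in start/linux, start/mac and start/windows index.rst, and the Windows copy already differs in wrapping; move it to one snippet pulled in with `.. include::` so the three do not drift.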
+++ b/storage/hidden.rst @@ -32,12 +32,12 @@ Configuring hidden volumes 1. Unlock the encrypted volume using the Nitrokey App. 2. In the menu, select "setup hidden volume". -.. figure:: /storage/images/setup_hidden_volume.png - :alt: menu containing the hidden volume setup utility. + .. figure:: /storage/images/setup_hidden_volume.png + :alt: menu containing the hidden volume setup utility. 3. Enter a strong passphrase twice. Unlike the encrypted volume PIN, there are no limit to the number of attempts at opening hidden volumes, so the strength of the passphrase is extremely important. 4. Define the storage area to be used. Hidden volumes are stored in the free areas of the encrypted volume. When creating multiple hidden volume, you need to allocate a part of the free area for each volume, making sure they do not overlap. -.. figure:: /storage/images/hidden-storage-passphrase.png - :alt: Hidden volume dialog box + .. figure:: /storage/images/hidden-storage-passphrase.png + :alt: Hidden volume dialog box diff --git a/storage/linux/firmware-update.rst b/storage/linux/firmware-update.rst index e420c629eb..138d94ede7 100644 --- a/storage/linux/firmware-update.rst +++ b/storage/linux/firmware-update.rst 
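Review bot: in the storage/hidden.rst hunk, step 3 should read "there is no limit" rather than "there are no limit", and step 4 "multiple hidden volumes" rather than "multiple hidden volume". Step 4 also states that hidden volumes live in the free areas of the encrypted volume but does not draw the consequence: the outer filesystem treats that space as free, so writing to the encrypted volume after setup can overwrite hidden data; a warning to that effect belongs here.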
@@ -20,23 +20,23 @@ Firmware Update 3. Right click on the icon of the Nitrokey App and go to “Configure” -> “Enable Firmware Update”. The default firmware password is ‘12345678’. -.. figure:: /storage/images/enable-firmware-update.png - :alt: Enable firmware update + .. figure:: /storage/images/enable-firmware-update.png + :alt: Enable firmware update -.. note:: + .. note:: - The Nitrokey Storage is not detected by Nitrokey App anymore once update mode got - activated. You have to proceed with the instructions described below - to make it work again. + The Nitrokey Storage is not detected by Nitrokey App anymore once update mode got + activated. You have to proceed with the instructions described below + to make it work again. 4. Open a terminal and execute: -.. code-block:: bash + .. code-block:: bash - sudo dfu-programmer at32uc3a3256s erase - sudo dfu-programmer at32uc3a3256s flash --suppress-bootloader-mem firmware.hex - sudo dfu-programmer at32uc3a3256s launch - # versions <0.7 of dfu-programmer use "start" instead of "launch" + sudo dfu-programmer at32uc3a3256s erase + sudo dfu-programmer at32uc3a3256s flash --suppress-bootloader-mem firmware.hex + sudo dfu-programmer at32uc3a3256s launch + # versions <0.7 of dfu-programmer use "start" instead of "launch" -whereas “firmware.hex” needs to be the path and file name of the firmware which you downloaded in step 2. + whereas “firmware.hex” needs to be the path and file name of the firmware which you downloaded in step 2. diff --git a/storage/linux/openvpn-easyrsa.rst b/storage/linux/openvpn-easyrsa.rst index 1d31ae6dd6..7ecf9f5da8 100644 --- a/storage/linux/openvpn-easyrsa.rst +++ b/storage/linux/openvpn-easyrsa.rst 
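Review bot: in the storage/linux/firmware-update.rst hunk, step 4 runs `dfu-programmer ... erase` before `flash ... firmware.hex` with no integrity check of the image downloaded in step 2; add a step that verifies the checksum or signature shipped with the release before the erase, because once the erase has run a bad image leaves the device without working firmware. Two wording fixes in the re-indented lines: "once update mode got activated" should be "once update mode has been activated", and "whereas firmware.hex needs to be" should be "where firmware.hex is".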
@@ -53,91 +53,89 @@ As a reminder, to build a Certificate Authority on Nitrokey HSM 2, you may follo Alternatively you may set up your own CA on a `on a separate machine `__, or use the OpenVPN tutorial which also relies on `Easy-RSA `__. The last 2 options rely on software solutions for key management. --------------- - Server side ----------- -1. Install OpenVPN -^^^^^^^^^^^^^^^^^^ +Install OpenVPN +^^^^^^^^^^^^^^^ 1. First we need to enable IP Forwarding by editing ``/etc/sysctl.conf`` file -.. code-block:: bash + .. code-block:: bash - $ editor /etc/sysctl.conf + $ editor /etc/sysctl.conf 2. Uncomment or edit accordingly the following line -.. code-block:: bash + .. code-block:: bash - net.ipv4.ip_forward=1 + net.ipv4.ip_forward=1 3. Close after saving it, and enter this command -.. code-block:: bash + .. code-block:: bash - $ sysctl -p + $ sysctl -p -Once IP forwarding is done, we will need to download the latest release of OpenvPN for our Debian 10 server, according to `these instructions `__: + Once IP forwarding is done, we will need to download the latest release of OpenvPN for our Debian 10 server, according to `these instructions `__: 4. Change to root and download the GPG key that signed the package -.. code-block:: bash + .. code-block:: bash - $ sudo -s - # wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add - + $ sudo -s + # wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add - 5. Add the URL of the adequate OpenVPN packages to the ``sources.list`` file -.. code-block:: bash + .. code-block:: bash - # echo "deb http://build.openvpn.net/debian/openvpn/release/2.5 buster main" > /etc/apt/sources.list.d/openvpn-aptrepo.list - # exit + # echo "deb http://build.openvpn.net/debian/openvpn/release/2.5 buster main" > /etc/apt/sources.list.d/openvpn-aptrepo.list + # exit -We downloaded OpenVPN 2.5 as “password prompt” requires at least OpenVPN `version -2.4.8 `__ to login. 
+ We downloaded OpenVPN 2.5 as “password prompt” requires at least OpenVPN `version + 2.4.8 `__ to login. 6. Next we download OpenVPN -.. code-block:: bash + .. code-block:: bash - $ sudo apt install openvpn + $ sudo apt install openvpn -If you want to check the version, it possible by calling ``--version`` -and print the following: + If you want to check the version, it possible by calling ``--version`` + and print the following: -.. code-block:: bash + .. code-block:: bash - $ sudo openvpn --version - OpenVPN 2.5_beta3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 1 2020 - library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10 - Originally developed by James Yonan - Copyright (C) 2002-2018 OpenVPN Inc - Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no \ enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes \ enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no \ enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no \ enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no \ enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes \ with_mem_check=no with_sysroot=no + $ sudo openvpn --version + OpenVPN 2.5_beta3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 1 2020 + library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10 + Originally developed by James Yonan + Copyright (C) 
2002-2018 OpenVPN Inc + Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no \ enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes \ enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no \ enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no \ enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no \ enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes \ with_mem_check=no with_sysroot=no -2. Install Easy-RSA -^^^^^^^^^^^^^^^^^^^ +Install Easy-RSA +^^^^^^^^^^^^^^^^ To build the PKI, we will download the latest version of Easy-RSA on the server and client machines. To get the latest release, go to the `Releases page on the official EasyRSA GitHub project `__, copy the download link for the file ending in ``.tgz``, and then paste it into the following command: 1. Download the latest release -.. code-block:: bash + .. code-block:: bash - $ cd ~ - wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz + $ cd ~ + wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz 2. Extract the tarball -.. code-block:: bash + .. code-block:: bash - $ cd ~ - $ tar xvf EasyRSA-3.0.7.tgz - $ mv EasyRSA-3.0.7/ easyrsa/ # rename folder + $ cd ~ + $ tar xvf EasyRSA-3.0.7.tgz + $ mv EasyRSA-3.0.7/ easyrsa/ # rename folder -3. 
Create a PKI for OpenVPN server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Create a PKI for OpenVPN server +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Before you can create your OpenVPN server’s private key and certificate, you need to create a local Public Key Infrastructure directory on your OpenVPN server. You will use this directory to manage the server and clients’ certificate requests, instead of making them directly on your CA server. 
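Review bot: in the storage/linux/openvpn-easyrsa.rst install hunk, step 4 pipes the repository key into `apt-key add -`, which is deprecated and trusts that key for every configured repository; save it under `/etc/apt/keyrings/` and reference it with `signed-by=` in the list entry written in step 5. The Easy-RSA step downloads `EasyRSA-3.0.7.tgz` and extracts it with no verification; add a check against the checksum or signature published with that release. Smaller points in the same hunk: `$ editor /etc/sysctl.conf` and `$ sysctl -p` are shown with a non-root prompt but need root, while `sudo openvpn --version` needs no sudo; "OpenvPN" should be "OpenVPN"; and the `wget -P ~/ ...` line is missing its `$` prompt.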
@@ -145,35 +143,37 @@ To build a PKI directory on your OpenVPN server, you’ll need to populate a fil 1. Create a ``vars`` file -.. code-block:: bash + .. code-block:: bash - $ touch ~/easyrsa/vars - $ cd easyrsa/ - $ editor vars + $ touch ~/easyrsa/vars + $ cd easyrsa/ + $ editor vars 2. Once the file is opened, paste in the following two lines -.. code-block:: bash + .. code-block:: bash - set_var EASYRSA_ALGO "ec" - set_var EASYRSA_DIGEST "sha512" + set_var EASYRSA_ALGO "ec" + set_var EASYRSA_DIGEST "sha512" -These are the only two lines that you need in this ``vars`` file on your OpenVPN server since it will not be used as a Certificate Authority. They will ensure that your private keys and certificate requests are configured to use Elliptic Curve Cryptography (ECC) to generate keys, and secure signatures for your clients and OpenVPN server. + These are the only two lines that you need in this ``vars`` file on your OpenVPN server since it will not be used as a Certificate Authority. + They will ensure that your private keys and certificate requests are configured to use Elliptic Curve Cryptography (ECC) to generate keys, and secure signatures for your clients and OpenVPN server. -In regards to the choice of the cryptographic algorithms, I follow the model in `this tutorial `__, and you can customize these according to your specific needs. + In regards to the choice of the cryptographic algorithms, I follow the model in `this tutorial `__, and you can customize these according to your specific needs. 3. Initialize the PKI -Once you have populated the ``vars`` file you can proceed with creating the PKI directory. To do so, run the easyrsa script with the init-pki option: + Once you have populated the ``vars`` file you can proceed with creating the PKI directory. + To do so, run the easyrsa script with the init-pki option: -.. code-block:: bash + .. 
code-block:: bash - $ ./easyrsa init-pki + $ ./easyrsa init-pki After you’ve initialized your PKI on the OpenVPN server, you are ready to move on to the next step, which is creating an OpenVPN server certificate request and private key. -4. Create ``server.req`` and ``server.key`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Create ``server.req`` and ``server.key`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Now that your OpenVPN server has all the prerequisites installed, the next step is to generate a key pair composed of a private key (to keep secret), and a Certificate Signing Request (``.csr``) on your OpenVPN server. 
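Review bot: in the `vars` hunk, `set_var EASYRSA_ALGO "ec"` on its own leaves the curve at Easy-RSA's default (`secp384r1`), so the statement that these are the only two lines needed is true but hides what key the CSR will carry; add `set_var EASYRSA_CURVE "secp384r1"` (or the curve the CA policy expects) so the reader can see and change it.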
@@ -193,41 +193,41 @@ In general terms, on systems where we generate a key and request, these files ar 1. Create the signing request for the server -Navigate to the ``~/easyrsa`` directory on your OpenVPN Server as your non-root user, and enter the following commands: + Navigate to the ``~/easyrsa`` directory on your OpenVPN Server as your non-root user, and enter the following commands: -.. code-block:: bash + .. code-block:: bash - $ cd easyrsa/ - $ ./easyrsa gen-req server nopass + $ cd easyrsa/ + $ ./easyrsa gen-req server nopass -This will create a private key for the server and a certificate request file called ``server.req``. + This will create a private key for the server and a certificate request file called ``server.req``. -Once you have a signed certificate, you’ll transfer it back to the OpenVPN server. + Once you have a signed certificate, you’ll transfer it back to the OpenVPN server. 2. Copy the key to the OpenVPN server directory -.. code-block:: bash + .. code-block:: bash - $ sudo cp /home/admin/EasyRSA/pki/private/server.key /etc/openvpn/server/ + $ sudo cp /home/admin/EasyRSA/pki/private/server.key /etc/openvpn/server/ -After completing these steps, you have successfully created a private key for your OpenVPN server. You have also generated a Certificate Signing Request for the OpenVPN server. + After completing these steps, you have successfully created a private key for your OpenVPN server. You have also generated a Certificate Signing Request for the OpenVPN server. -.. tip:: + .. tip:: - File extensions for certificate signing requests + File extensions for certificate signing requests - The file extension that is adopted by the CA and HSM tutorial - indicates the creation of a ``.csr`` file, however Easy-RSA creates - certificate signing requests with a ``.req`` extension. 
+ The file extension that is adopted by the CA and HSM tutorial + indicates the creation of a ``.csr`` file, however Easy-RSA creates + certificate signing requests with a ``.req`` extension. - We will use interchangeably both extensions, while making sure that - we transfer the right files to the Certificate Authority, and - generate a final certificate with a ``.crt`` extension. + We will use interchangeably both extensions, while making sure that + we transfer the right files to the Certificate Authority, and + generate a final certificate with a ``.crt`` extension. In the next section of this guide, we will sign a ``.req`` file with our CA on deployed on the HSM 2 device. For this purpose, I will use a dedicated machine to sign the requests. -5. Sign and retrieve ``server.crt`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Sign and retrieve ``server.crt`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The following instructions require the transfer of the ``server.req`` (or ``server.csr``) file to the CA system. @@ -236,8 +236,8 @@ The transfer itself is not security sensitive, though it is wise to verify if th In order to go through these steps, I will extensively rely on `these instructions `_, to sign the certificate signing requests, once we generated them with Easy-RSA. -5.1. Sign the ``server.req`` file -''''''''''''''''''''''''''''''''' +Sign the ``server.req`` file +'''''''''''''''''''''''''''' On the local machine dedicated to access the HSM, we will use the tools provided by Opensc 0.20 in order to sign the ``.req`` file, and send it back to the OpenVPN server. We assume we have transferred the file from the server machine to the CA machine. 
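Review bot: in the `gen-req` hunk, step 2 copies `/home/admin/EasyRSA/pki/private/server.key`, but the directory was renamed to `~/easyrsa` earlier in this file and the home directory is hard-coded; use `~/easyrsa/pki/private/server.key`. Because `gen-req server nopass` leaves the key unencrypted, the copy should also be installed root-owned and mode 0600 (`sudo install -m 0600 -o root -g root ...`) rather than with plain `cp`. The sentence "Once you have a signed certificate, you'll transfer it back" sits before any step that moves `server.req` to the CA machine; either add that transfer here or move the sentence to the signing section.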
@@ -245,64 +245,64 @@ First we start by plugging the HSM Nitrokey, and enter this instruction for list 1. Query the list of available devices -.. code-block:: bash + .. code-block:: bash - $ p11tool --list-all + $ p11tool --list-all - **(Required step)** If this is the first time you sign a certificate with the CA, you might want to retrieve the URI of the CA’s private key from the HSM, and include it in the config file. + **(Required step)** If this is the first time you sign a certificate with the CA, you might want to retrieve the URI of the CA’s private key from the HSM, and include it in the config file. -- The key’s URI should be in this format: + - The key’s URI should be in this format: -.. code-block:: bash + .. code-block:: bash - pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private + pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private 2. Create ``openvpn/`` directory under ``certificate-authority/`` -.. code-block:: bash + .. code-block:: bash - $ mkdir/opt/certificate-authority/ - $ cd /opt/certificate-authority/ + $ mkdir/opt/certificate-authority/ + $ cd /opt/certificate-authority/ 3. Sign the ``server.req`` -.. code-block:: bash + .. code-block:: bash - $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in server.req -out /home/user/pki/issued/server.crt + $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in server.req -out /home/user/pki/issued/server.crt -5.2. 
Retrieve the ``server.crt`` file to the server machine -''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +Retrieve the ``server.crt`` file to the server machine +'''''''''''''''''''''''''''''''''''''''''''''''''''''' 1. Transfer the signed certificates to the server -From the CA machine, copy the files ``server.crt`` and ``chain.crt`` to the OpenVPN server. In this example we will use the ``scp`` command as following: + From the CA machine, copy the files ``server.crt`` and ``chain.crt`` to the OpenVPN server. In this example we will use the ``scp`` command as following: -.. code-block:: bash + .. code-block:: bash - $ scp openvpn/{server.crt,chain.crt} admin@your_openvpnserver_ip:/tmp + $ scp openvpn/{server.crt,chain.crt} admin@your_openvpnserver_ip:/tmp 2. Place the certificates on the server’s directory -.. code-block:: bash + .. code-block:: bash - $ mv /tmp/{server.crt,chain.crt} /etc/openvpn/server + $ mv /tmp/{server.crt,chain.crt} /etc/openvpn/server -.. warning:: + .. warning:: - CA Certificate and ``chain.crt`` + CA Certificate and ``chain.crt`` - In the above, the CA returns the signed sever certificate, and - includes the CA certificate ``CA.crt`` which is the ``chain.crt`` - file. This can be done over an insecure channel, though the client is - encouraged to confirm if the received ``chain.crt`` is valid, if the - transport is untrusted. + In the above, the CA returns the signed sever certificate, and + includes the CA certificate ``CA.crt`` which is the ``chain.crt`` + file. This can be done over an insecure channel, though the client is + encouraged to confirm if the received ``chain.crt`` is valid, if the + transport is untrusted. - It is possible to rename the file ``chain.crt`` file to ``CA.crt`` on - the target machine, however we will use ``chain.crt`` in the next - instructions. + It is possible to rename the file ``chain.crt`` file to ``CA.crt`` on + the target machine, however we will use ``chain.crt`` in the next + instructions. 
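Review bot: in the signing hunk, step 2's heading says to create `openvpn/` under `certificate-authority/`, but the commands only `mkdir` the parent (and `$ mkdir/opt/certificate-authority/` is missing the space after `mkdir`), while the later `scp openvpn/{server.crt,chain.crt}` relies on that directory existing. In the retrieve section, `$ mv /tmp/{server.crt,chain.crt} /etc/openvpn/server` needs `sudo`, and the warning that the client is "encouraged to confirm" `chain.crt` should give the concrete check: compare `openssl x509 -noout -fingerprint -sha256 -in chain.crt` on the CA machine and on the server over a channel you trust. "sever certificate" should be "server certificate".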
-6. Configure the OpenVPN server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configure the OpenVPN server +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ A connection that uses TLS requires multiple `certificates and keys for authentication `__. Now that we issued and signed those, we can place them in the right directories. The breakdown of the certificates and keys that must be located at the root directory are the following: @@ -360,8 +360,8 @@ To test if the configuration functions properly, we can use this command: $ sudo openvpn --server --config server.conf -7. Start the OpenVPN service on the server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Start the OpenVPN service on the server +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enable the OpenVPN service by adding it to systemctl, and start it using these commands: 
@@ -378,47 +378,45 @@ To Double check if the OpenVPN service is active use this command: The OpenVPN should be running at this point. --------------- - Client side configuration ------------------------- -1. Install OpenVPN and Easy-RSA +Install OpenVPN and Easy-RSA ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1. Install the software -We can use directly ``dnf install`` to install OpenVPN 2.4.9 and Easy-RSA 3.0.7 + We can use directly ``dnf install`` to install OpenVPN 2.4.9 and Easy-RSA 3.0.7 -.. code-block:: bash + .. code-block:: bash $ sudo dnf install openvpn easy-rsa 2. Then we create as non-root a directory for Easy RSA called ``Easy-RSA`` -.. code-block:: bash + .. code-block:: bash - $ mkdir ~/easyrsa + $ mkdir ~/easyrsa 3. And link it to the Easy RSA package we just installed -.. code-block:: bash + .. code-block:: bash - $ ln -s /usr/share/easy-rsa/3/* ~/easyrsa/ + $ ln -s /usr/share/easy-rsa/3/* ~/easyrsa/ -2. Create a PKI for the OpenVPN client -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Create a PKI for the OpenVPN client +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ In the same manner we created a PKI on the OpenVPN server, we will create a PKI using Easy-RSA on the client side. -3. Create a ``client.req`` and ``client.key`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Create a ``client.req`` and ``client.key`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ In the same manner we issued the key pair on the sever, we generate a key pair for the client which will be composed of the ``client.req`` file and the ``client.key`` file. The latter must be kept secret on the client machine. -4. Sign ``client.req`` and issue the ``client.crt`` file -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Sign ``client.req`` and issue the ``client.crt`` file +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ To transfer the ``client.req`` file to the CA machine, we will use the same method as we did for the ``server.req`` file. 
@@ -428,8 +426,8 @@ Once transferred, on the CA machine we sign the certificate signing request file $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in client.req -out /home/user/pki/issued/client.crt -5. Import ``client.crt`` on the Nitrokey from the CA machine -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Import ``client.crt`` on the Nitrokey from the CA machine +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ After creating the ``client.crt`` file, we plug the Nitrokey Pro 2 device in the CA machine, and import the ``.crt`` to the Pro 2 device using this command: @@ -451,13 +449,13 @@ Or alternatively Fore more commands you can refer to the `OpenSC wiki `__. -6. Retrieve the ``chain.crt`` file from the CA machine -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Retrieve the ``chain.crt`` file from the CA machine +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ While we keep the ``client.crt``\ stored on the nitrokey Pro 2 device, we must retrieve the ``chain.crt`` file on the client machine, and store it in the adequate directory. We may use ``scp`` as in the method explained in the server section of this guide. -7. Configure the client to interact with the Nitrokey -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configure the client to interact with the Nitrokey +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Now back on the client machine, we will plug the Nitrokey Pro and use it to establish the VPN connection with the server. In general terms, a connection that uses TLS requires multiple certificates and keys for authentication: 
@@ -492,47 +490,101 @@ For this guide we can the following ``client.conf`` file, and add the required o 1. Determine the correct object -Each PKCS#11 provider can support multiple devices. In order to view the available object list you can use the following command: + Each PKCS#11 provider can support multiple devices. In order to view the available object list you can use the following command: -.. code-block:: bash + .. code-block:: bash - $ openvpn --show-pkcs11-ids /usr/lib64/pkcs11/opensc-pkcs11.so + $ openvpn --show-pkcs11-ids /usr/lib64/pkcs11/opensc-pkcs11.so - The following objects are available for use. - Each object shown below may be used as parameter to + The following objects are available for use. + Each object shown below may be used as parameter to - --pkcs11-id option please remember to use single quote mark. + --pkcs11-id option please remember to use single quote mark. - Certificate - DN: CN=client - Serial: E53DA75C5B8F1518F520BCEF0128C09F - Serialized id: pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03 + Certificate + DN: CN=client + Serial: E53DA75C5B8F1518F520BCEF0128C09F + Serialized id: pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03 -Each certificate/private key pair have unique ``Serialized id`` string. The serialized id string of the requested certificate should be specified, in the configuration file. We can do this by adding the ``pkcs11-id`` option using single quote marks. + Each certificate/private key pair have unique ``Serialized id`` string. The serialized id string of the requested certificate should be specified, in the configuration file. We can do this by adding the ``pkcs11-id`` option using single quote marks. -.. code-block:: bash + .. 
code-block:: bash - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' 2. Add retrieved Serialized ID to the configuration file -Using your favorite text editor, open the server.conf file, and add the following lines, while taking care to insert your own ``Serialized id``: + Using your favorite text editor, open the server.conf file, and add the following lines, while taking care to insert your own ``Serialized id``: -.. code-block:: bash + .. code-block:: bash + + pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + For additional `settings related to OpenVPN `__ authentication, you may also add few lines to handle key maganagement, although it is optional. -For additional `settings related to OpenVPN `__ authentication, you may also add few lines to handle key maganagement, although it is optional. + .. note:: -.. note:: + Click to view the code + + .. 
code-block:: bash - Click to view the code + # nitrokey config + + pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + # pkcs11-pin-cache 300 + # daemon + # auth-retry nointeract + # management-hold + # management-signal + # management 127.0.0.1 8888 + # management-query-passwords + pkcs11-cert-private 1 # Prompt for PIN + + Optional step + + + If you need to test the configuration, with and without the token on the Nitrokey, you may add lines to the same ``client.conf`` and comment/uncomment the relevant lines according to your needs: + + .. note:: + + Click to view the code + + .. code-block:: bash + + # non_nitrokey login + + # cert client.crt + # key client.key + # tls-auth ta.key 1 + +3. Configure the OpenVPN client + + The final configuration file ``client.conf`` should look like this one: .. code-block:: bash - # nitrokey config - + client + dev tun + proto udp + remote 1194 + resolv-retry infinite + nobind + user nobody + group nobody + persist-key + persist-tun + ca ca.crt + remote-cert-tls server + cipher AES-256-CBC + verb 3 + redirect-gateway def1 + tls-version-min 1.2 # Lower boundary for TLS version + tls-version-max 1.2 # Higher boundary for TLS version + + # nitrokey login + pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' # pkcs11-pin-cache 300 
@@ -543,141 +595,87 @@ For additional `settings related to OpenVPN 1194 - resolv-retry infinite - nobind - user nobody - group nobody - persist-key - persist-tun - ca ca.crt - remote-cert-tls server - cipher AES-256-CBC - verb 3 - redirect-gateway def1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - - # nitrokey login - - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - # pkcs11-pin-cache 300 - # daemon - # auth-retry nointeract - # management-hold - # management-signal - # management 127.0.0.1 8888 - # management-query-passwords - pkcs11-cert-private 1 # Prompt for PIN - - # OR - - # non_nitrokey login - - # cert client.crt - # key client.key - # tls-auth ta.key 1 - 4. Known issues -There are some known issues related to OpenVPN login with OpenSC. Please consult these issues `here `__. + There are some known issues related to OpenVPN login with OpenSC. Please consult these issues `here `__. -8. Start the OpenVPN client -^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Start the OpenVPN client +^^^^^^^^^^^^^^^^^^^^^^^^ 1. Start the OpenVPN service on the client -Enable the OpenVPN service, and start it using these commands: + Enable the OpenVPN service, and start it using these commands: -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl -f enable openvpn-server@server.service - $ sudo systemctl start openvpn-server@server.service + $ sudo systemctl -f enable openvpn-server@server.service + $ sudo systemctl start openvpn-server@server.service -To double check if the OpenVPN service is active use this command: + To double check if the OpenVPN service is active use this command: -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl status openvpn-server@server.service + $ sudo systemctl status openvpn-server@server.service 2. 
Enter your User PIN -When executing OpenVPN client, Nitrokey’s PIN needs to be entered: + When executing OpenVPN client, Nitrokey’s PIN needs to be entered: -.. code-block:: bash - - $ sudo openvpn --client --config client.conf - Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 - Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 - Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' - Enter User PIN (OpenPGP card) token Password: ****** + .. code-block:: bash -.. warning:: - - Unfortunately OpenVPN doesn’t seem to be able to establish a handshake and stops at an error as reported `here `__, `here `__ and `here `__ + $ sudo openvpn --client --config client.conf + Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 + Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 + Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' + Enter User PIN (OpenPGP card) token Password: ****** -.. code-block:: bash + .. 
warning:: - This is what the error output looks like: - - $ sudo openvpn --client --config client.conf - Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 - Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 - Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' - Enter User PIN (OpenPGP card) token Password: ******`` - Fri Sep 11 17:42:12 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]18.157.180.240:1194`` - Fri Sep 11 17:42:12 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]`` - Fri Sep 11 17:42:12 2020 UDP link local: (not bound) - Fri Sep 11 17:42:12 2020 UDP link remote: [AF_INET]18.157.180.240:1194 - Fri Sep 11 17:42:12 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay - Fri Sep 11 17:42:12 2020 TLS: Initial packet from [AF_INET]18.157.180.240:1194, sid=d79690cf 9e38ce89 - Fri Sep 11 17:42:12 2020 VERIFY OK: depth=1, CN=server_CA - Fri Sep 11 17:42:12 2020 VERIFY KU OK - Fri Sep 11 17:42:12 2020 Validating certificate extended key usage - Fri Sep 11 17:42:12 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication - Fri Sep 11 17:42:12 2020 VERIFY EKU OK - Fri Sep 11 17:42:12 2020 VERIFY OK: depth=0, CN=server - Fri Sep 11 17:42:12 2020 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib - Fri Sep 11 17:42:12 2020 TLS_ERROR: BIO read tls_read_plaintext error - Fri Sep 11 17:42:12 2020 TLS Error: TLS object -> incoming plaintext read error - Fri Sep 11 17:42:12 2020 TLS Error: TLS handshake failed - Fri Sep 11 17:42:12 2020 SIGUSR1[soft,tls-error] received, process restarting - Fri Sep 11 17:42:12 2020 Restart pause, 5 second(s) - -In some reported cases it does not prompt for a PIN on the terminal. 
One workaround would be to use to use this command to login with the PIN: + Unfortunately OpenVPN doesn’t seem to be able to establish a handshake and stops at an error as reported `here `__, `here `__ and `here `__ -.. code-block:: bash + .. code-block:: bash + + This is what the error output looks like: + + $ sudo openvpn --client --config client.conf + Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 + Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 + Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' + Enter User PIN (OpenPGP card) token Password: ******`` + Fri Sep 11 17:42:12 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]18.157.180.240:1194`` + Fri Sep 11 17:42:12 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]`` + Fri Sep 11 17:42:12 2020 UDP link local: (not bound) + Fri Sep 11 17:42:12 2020 UDP link remote: [AF_INET]18.157.180.240:1194 + Fri Sep 11 17:42:12 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay + Fri Sep 11 17:42:12 2020 TLS: Initial packet from [AF_INET]18.157.180.240:1194, sid=d79690cf 9e38ce89 + Fri Sep 11 17:42:12 2020 VERIFY OK: depth=1, CN=server_CA + Fri Sep 11 17:42:12 2020 VERIFY KU OK + Fri Sep 11 17:42:12 2020 Validating certificate extended key usage + Fri Sep 11 17:42:12 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication + Fri Sep 11 17:42:12 2020 VERIFY EKU OK + Fri Sep 11 17:42:12 2020 VERIFY OK: depth=0, CN=server + Fri Sep 11 17:42:12 2020 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib + Fri Sep 11 17:42:12 2020 TLS_ERROR: BIO read tls_read_plaintext error + Fri Sep 11 17:42:12 2020 TLS Error: TLS object -> incoming plaintext read error + Fri Sep 11 17:42:12 2020 TLS Error: TLS handshake failed + Fri Sep 11 
17:42:12 2020 SIGUSR1[soft,tls-error] received, process restarting + Fri Sep 11 17:42:12 2020 Restart pause, 5 second(s) + + In some reported cases it does not prompt for a PIN on the terminal. One workaround would be to use to use this command to login with the PIN: + + .. code-block:: bash - $ telnet 8888 password 'User PIN (OpenPGP card) token' + $ telnet 8888 password 'User PIN (OpenPGP card) token' -Alternatively, you could `recompile OpenVPN `__ client with systemd support disabled, and it will prompt you for the PIN as expected. + Alternatively, you could `recompile OpenVPN `__ client with systemd support disabled, and it will prompt you for the PIN as expected. -Another option, would be to login to your OpenVPN instance with the Viscosity client which provides a better user experience especially for entering the PIN. + Another option, would be to login to your OpenVPN instance with the Viscosity client which provides a better user experience especially for entering the PIN. diff --git a/storage/windows/firmware-update.rst b/storage/windows/firmware-update.rst index 258a4ad5c0..825826699d 100644 --- a/storage/windows/firmware-update.rst +++ b/storage/windows/firmware-update.rst 
@@ -20,25 +20,25 @@ Firmware Update 3. Right click on the icon of the Nitrokey App and go to “Configure” -> “Enable Firmware Update”. The default firmware password is ‘12345678’. -.. figure:: /storage/images/enable-firmware-update.png - :alt: Enable firmware update + .. figure:: /storage/images/enable-firmware-update.png + :alt: Enable firmware update -.. note:: + .. note:: - The Nitrokey Storage is not detected by Nitrokey App anymore once update mode got - activated. You have to proceed with the instructions described below - to make it work again. + The Nitrokey Storage is not detected by Nitrokey App anymore once update mode got + activated. You have to proceed with the instructions described below + to make it work again. -.. note:: + .. note:: - If you are using Microsoft Windows Build 1809 and Nitrokey Storage - Firmware 0.52 or lower, you need to use another system or if this is not - feasible use `these - instructions `_ to - enable the Firmware Update mode. + If you are using Microsoft Windows Build 1809 and Nitrokey Storage + Firmware 0.52 or lower, you need to use another system or if this is not + feasible use `these + instructions `_ to + enable the Firmware Update mode. 4. Start the Nitrokey Update Tool and click “Select firmware file”. Select the previously downloaded firmware ".hex" file. Click on “Update firmware” to start the update process. Your device should get detected by the Nitrokey App again as soon as the update is finished. -.. figure:: /storage/windows/images/nitrokey-update-tool.png - :alt: Nitrokey Update Tool + .. figure:: /storage/windows/images/nitrokey-update-tool.png + :alt: Nitrokey Update Tool diff --git a/storage/windows/index.rst b/storage/windows/index.rst index 359ad9c43b..4e973c3959 100644 --- a/storage/windows/index.rst +++ b/storage/windows/index.rst 
@@ -12,14 +12,14 @@ Nitrokey Storage, Windows 1. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically. -.. note:: + .. note:: - Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning. + Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning. 2. Download and start the `Nitrokey App `__. Perhaps you want to store it on the unencrypted partition of your Nitrokey Storage. There won’t open a window, but an icon appears in the system tray (see screenshot below). Please right-click on this icon to use all the options of the App. -.. figure:: ./images/Windows10-Systemtray.png - :alt: img1 + .. figure:: ./images/Windows10-Systemtray.png + :alt: img1 3. Open the About window from Nitrokey App’s menu and check if you have the `latest firmware `__ installed. If it’s not the latest, please
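Review bot: in the "Retrieve the ``server.crt`` file to the server machine" hunk, step 2 runs `$ mv /tmp/{server.crt,chain.crt} /etc/openvpn/server` at a non-root prompt, but `/etc/openvpn/server` is root-owned, so the command needs `sudo` like the other privileged commands in this guide. In the re-indented `+` lines of the warning, "signed sever certificate" should read "server", and "rename the file ``chain.crt`` file to" repeats "file". The warning says the client "is encouraged to confirm if the received ``chain.crt`` is valid" without saying how; one sentence suggesting that the SHA-256 fingerprint of `chain.crt` (`openssl x509 -noout -fingerprint -sha256 -in chain.crt`) be compared between the CA machine and the server would make the check actionable. Finally, the shortened apostrophe underline under that title must still be at least as long as the title text (54 characters including the double backticks) or Sphinx reports "Title underline too short"; the old 59-character line was safe, please verify the new one.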
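Review bot: in the "Install OpenVPN and Easy-RSA" hunk, the step-1 `.. code-block:: bash` was indented under the list item but its body line `$ sudo dnf install openvpn easy-rsa` was left as unchanged context, unlike `$ mkdir ~/easyrsa` and `$ ln -s /usr/share/easy-rsa/3/* ~/easyrsa/`, which were re-indented in the same hunk. If that body line keeps its original three-space indent it now sits at the same column as the directive, so docutils reports "Content block expected for the 'code-block' directive; none found" and the command renders as plain text; indent it to match the other code-block bodies. Minor: the `^` underline under the renamed "Install OpenVPN and Easy-RSA" title was not trimmed like the underlines of "Create a PKI for the OpenVPN client" and the following headings; it still renders but is inconsistent with the rest of the change.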
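Review bot: in the "Determine the correct object" / "Configure the OpenVPN client" hunk, step 2 tells the reader to "open the server.conf file" to add the `pkcs11-providers` and `pkcs11-id` lines, but this is the client section and the final file shown in step 3 is `client.conf`; change it to `client.conf`. In the same `+` lines, "Each certificate/private key pair have unique ``Serialized id`` string" should read "has a unique", "maganagement" should read "management", and "Optional step" is a bare paragraph that reads like a heading; either give it an underline or fold it into the sentence that follows. In the final `client.conf`, `remote 1194` carries only a port, so the server-address placeholder appears to have been lost. `tls-version-max 1.2 # Higher boundary for TLS version` caps the control channel at TLS 1.2 and forbids TLS 1.3 where the OpenSSL build offers it; unless the cap is deliberate, keep only `tls-version-min 1.2`. Also check that each nested `.. code-block:: bash` is indented one level deeper than the "Click to view the code" text of its enclosing `.. note::`, otherwise the listing ends up outside the note.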
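Review bot: in the "Start the OpenVPN client" hunk, the client is enabled with `$ sudo systemctl -f enable openvpn-server@server.service` and checked with `status openvpn-server@server.service`, which is the server template and `server.conf` copied from the server section; the file written in the previous step is `client.conf`, so this should use the client template, `openvpn-client@client.service`, which reads `/etc/openvpn/client/client.conf`. Inside the warning, the sentence "This is what the error output looks like:" sits inside the `.. code-block:: bash` body and will render as a line of the listing; move it above the directive. Three log lines (`Password: ******`, the `Preserving recently used remote address` line and the `Socket Buffers` line) end in two stray backticks that render literally inside the code block and should be removed. The workaround `$ telnet 8888 password 'User PIN (OpenPGP card) token'` mixes the shell command with a management-console command and lacks a host; present it as two steps: connect to the address configured by the `management 127.0.0.1 8888` line of `client.conf`, then enter the `password` command at the management prompt. Because that step requires uncommenting `management 127.0.0.1 8888`, the text should add that the management interface accepts commands from any local process unless a password file is given as the third argument to `management` (or a unix socket with restricted permissions is used), so it should be left commented out once the PIN problem is solved.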
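Review bot: in the `storage/windows/index.rst` hunk, the re-indented note line "Its safe to ignore this warning." should read "It's safe"; since the line is already being touched, fix the typo in the same change. The `.. figure::` and `.. note::` directives are now nested under their list items as intended; make sure the `:alt: img1` option line stays indented three spaces relative to the `..` of its directive so it remains an option rather than being parsed as figure caption text.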