diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 781c02bb14..3750ba3341 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,7 +22,7 @@ jobs: - name: Syntax check run: | . venv/bin/activate - rstcheck --recursive --ignore-directives "tabs" fido2/ hsm/ nethsm/ nextbox/ nitrokey3/ nitropad/ nitropc/ nitrophone/ nitrowall/ pro/ software/ start/ storage/ u2f/ + rstcheck --recursive --ignore-directives "tabs" nitrokeys/ nethsm/ nextbox/ nitropad/ nitropc/ nitrophone/ nitrowall/ software/ build-error-check: name: Check build error runs-on: ubuntu-latest diff --git a/_redirects/.htaccess b/_redirects/.htaccess index 07027bb405..9b30326452 100644 --- a/_redirects/.htaccess +++ b/_redirects/.htaccess @@ -15,4 +15,184 @@ #========= RedirectMatch 302 "(/[a-z][a-z])?/path/to/old_article.html$" "$1/path/to/new_article.html" +#Nitrokey FIDO2 +RedirectMatch 301 "(/[a-z][a-z])?/fido2/(mac/|windows/|linux/)?2fa-nextcloud.html$" "$1/nitrokeys/features/fido2/nextcloud.html" +RedirectMatch 301 "(/[a-z][a-z])?/fido2/(mac/|windows/|linux/)?2fa-odoo.html$" "$1/nitrokeys/features/u2f/odoo.html" +RedirectMatch 301 "(/[a-z][a-z])?/fido2/index.html$" "$1/nitrokeys/fido2/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/fido2/faq.html$" "$1/nitrokeys/fido2/faq.html" +RedirectMatch 301 "(/[a-z][a-z])?/fido2/(mac/|windows/|linux/)?firmware-update.html$" "$1/nitrokeys/fido2/firmware-update.html" +RedirectMatch 301 "(/[a-z][a-z])?/fido2/(mac/|windows/|linux/)index.html$" "$1/nitrokeys/fido2/getting-started.html" +RedirectMatch 301 "(/[a-z][a-z])?/fido2/(mac/|windows/|linux/)reset.html$" "$1/nitrokeys/fido2/reset.html" +RedirectMatch 301 "(/[a-z][a-z])?/fido2/linux/desktop-login.html$" "$1/nitrokeys/features/u2f/desktop-login.html" +RedirectMatch 301 "(/[a-z][a-z])?/fido2/windows/passwordless-microsoft.html$" "$1/nitrokeys/features/fido2/passwordless-microsoft.html" +#Nitrokey Passkey +RedirectMatch 301 "(/[a-z][a-z])?/nkpk/index.html$" "$1/nitrokeys/passkey/index.html" +#Nitrokey HSM2 not done +RedirectMatch 301 "(/[a-z][a-z])?/hsm/index.html$" "$1/nitrokeys/hsm/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/faq.html$" "$1/nitrokeys/hsm/faq.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/n-of-m-schemes.html$" "$1/nitrokeys/features/hsm/n-of-m-schemes.html" +#Nitrokey U2F +RedirectMatch 301 "(/[a-z][a-z])?/u2f/index.html$" "$1/nitrokeys/u2f/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/u2f/(mac/|windows/|linux/)index.html$" "$1/nitrokeys/u2f/getting-started.html" +RedirectMatch 301 "(/[a-z][a-z])?/u2f/(mac/|windows/|linux/)?2fa-nextcloud.html$" "$1/nitrokeys/features/fido2/nextcloud.html" +RedirectMatch 301 "(/[a-z][a-z])?/u2f/(mac/|windows/|linux/)?2fa-odoo.html$" "$1/nitrokeys/features/u2f/odoo.html" +RedirectMatch 301 "(/[a-z][a-z])?/fido2/linux/desktop-login.html$" "$1/nitrokeys/features/u2f/desktop-login.html" +#Nitrokey Storage +RedirectMatch 301 "(/[a-z][a-z])?/storage/index.html$" "$1/nitrokeys/storage/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)?factory-reset.html$" "$1/nitrokeys/storage/factory-reset.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/encrypted-mobile-storage.html$" "$1/nitrokeys/features/encrypted-storage/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/faq.html$" "$1/nitrokeys/storage/faq.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/hidden.html$" "$1/nitrokeys/features/hidden-storage/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)?firmware-update-manually.html$" "$1/nitrokeys/storage/firmware-update-manually.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)?firmware-update.html$" "$1/nitrokeys/storage/firmware-update.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)?2fa-nextcloud.html$" "$1/nitrokeys/features/totp/nextcloud.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)?2fa-odoo.html$" "$1/nitrokeys/features/u2f/odoo.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/linux/desktop-login.html$" "$1/nitrokeys/features/u2f/desktop-login.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)index.html$" "$1/nitrokeys/storage/getting-started.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)smime-thunderbird.html$" "$1/nitrokeys/features/openpgp-card/smime/smime-thunderbird.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)smime-outlook.html$" "$1/nitrokeys/features/openpgp-card/smime/smime-outlook.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)smime.html$" "$1/nitrokeys/features/openpgp-card/smime/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)openpgp.html$" "$1/nitrokeys/features/openpgp-card/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)openpgp-thunderbird.html$" "$1/nitrokeys/features/openpgp-card/openpgp-thunderbird.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)openpgp-outlook.html$" "$1/nitrokeys/features/openpgp-card/openpgp-outlook.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)openpgp-keygen-on-device.html$" "$1/nitrokeys/features/openpgp-card/openpgp-keygen-on-device.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)openpgp-keygen-gpa.html$" "$1/nitrokeys/features/openpgp-card/openpgp-keygen-gpa.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)openpgp-keygen-backup.html$" "$1/nitrokeys/features/openpgp-card/openpgp-keygen-backup.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)openpgp-csp.html$" "$1/nitrokeys/features/openpgp-card/openpgp-csp.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/windows/smart-policy.html$" "$1/nitrokeys/features/openpgp-card/desktop-login/smart-policy.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/windows/putty.html$" "$1/nitrokeys/features/openpgp-card/ssh/putty.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)ssh.html$" "$1/nitrokeys/features/openpgp-card/ssh/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)otp.html$" "$1/nitrokeys/features/totp/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)hidden.html$" "$1/nitrokeys/features/hidden-storage/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)hard-disk-encryption.html$" "$1/nitrokeys/features/openpgp-card/hard-disk-encryption/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)disk-encryption-luks.html$" "$1/nitrokeys/features/openpgp-card/hard-disk-encryption/luks.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)gpa.html$" "$1/nitrokeys/features/openpgp-card/gpa.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)encrypted-mobile-storage.html$" "$1/nitrokeys/features/encrypted-storage/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)eid-authenticate.html$" "$1/nitrokeys/features/openpgp-card/eid.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)ecc.html$" "$1/nitrokeys/features/misc/ecc.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)change-pins.html$" "$1/nitrokeys/features/openpgp-card/change-pins.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)2fa-microsoft.html$" "$1/nitrokeys/features/totp/microsoft.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)2fa-google.html$" "$1/nitrokeys/features/totp/google.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)automatic-screen-lock.html$" "$1/nitrokeys/features/misc/automatic-screen-lock.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)certificate-authority.html$" "$1/nitrokeys/features/openpgp-card/certificate-authority.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)openvpn-easyrsa.html$" "$1/nitrokeys/features/openpgp-card/openvpn/easyrsa.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)stunnel.html$" "$1/nitrokeys/features/openpgp-card/stunnel.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)ipsec.html$" "$1/nitrokeys/features/openpgp-card/ipsec.html" +RedirectMatch 301 "(/[a-z][a-z])?/storage/(mac/|windows/|linux/)login-with-pam.html$" "$1/nitrokeys/features/openpgp-card/desktop-login/pam.html" +#Nitrokey Start +RedirectMatch 301 "(/[a-z][a-z])?/start/index.html$" "$1/nitrokeys/start/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)index.html$" "$1/nitrokeys/start/getting-started.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/faq.html$" "$1/nitrokeys/start/faq.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)?factory-reset.html$" "$1/nitrokeys/start/factory-reset.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)smime-thunderbird.html$" "$1/nitrokeys/features/openpgp-card/smime/smime-thunderbird.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)smime-outlook.html$" "$1/nitrokeys/features/openpgp-card/smime/smime-outlook.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)smime.html$" "$1/nitrokeys/features/openpgp-card/smime/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)openpgp.html$" "$1/nitrokeys/features/openpgp-card/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)openpgp-thunderbird.html$" "$1/nitrokeys/features/openpgp-card/openpgp-thunderbird.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)openpgp-outlook.html$" "$1/nitrokeys/features/openpgp-card/openpgp-outlook.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)openpgp-keygen-on-device.html$" "$1/nitrokeys/features/openpgp-card/openpgp-keygen-on-device.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)openpgp-keygen-gpa.html$" "$1/nitrokeys/features/openpgp-card/openpgp-keygen-gpa.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)openpgp-keygen-backup.html$" "$1/nitrokeys/features/openpgp-card/openpgp-keygen-backup.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)openpgp-csp.html$" "$1/nitrokeys/features/openpgp-card/openpgp-csp.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/windows/putty.html$" "$1/nitrokeys/features/openpgp-card/ssh/putty.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)ssh.html$" "$1/nitrokeys/features/openpgp-card/ssh/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)gpa.html$" "$1/nitrokeys/features/openpgp-card/gpa.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)stunnel.html$" "$1/nitrokeys/features/openpgp-card/stunnel.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)ipsec.html$" "$1/nitrokeys/features/openpgp-card/ipsec.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)login-with-pam.html$" "$1/nitrokeys/features/openpgp-card/desktop-login/pam.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/linux/firmware-update.html$" "$1/nitrokeys/start/firmware-update.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)?setting-kdf-do.html$" "$1/nitrokeys/start/setting-kdf-do.html" +RedirectMatch 301 "(/[a-z][a-z])?/start/(mac/|windows/|linux/)?multiple-identities.html$" "$1/nitrokeys/start/multiple-identities.html" +#Nitrokey Pro +RedirectMatch 301 "(/[a-z][a-z])?/pro/index.html$" "$1/nitrokeys/pro/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)index.html$" "$1/nitrokeys/pro/getting-started.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/faq.html$" "$1/nitrokeys/pro/faq.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)?factory-reset.html$" "$1/nitrokeys/pro/factory-reset.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)?firmware-update.html$" "$1/nitrokeys/pro/firmware-update.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)smime-thunderbird.html$" "$1/nitrokeys/features/openpgp-card/smime/smime-thunderbird.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)smime-outlook.html$" "$1/nitrokeys/features/openpgp-card/smime/smime-outlook.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)smime.html$" "$1/nitrokeys/features/openpgp-card/smime/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)openpgp.html$" "$1/nitrokeys/features/openpgp-card/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)openpgp-thunderbird.html$" "$1/nitrokeys/features/openpgp-card/openpgp-thunderbird.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)openpgp-outlook.html$" "$1/nitrokeys/features/openpgp-card/openpgp-outlook.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)openpgp-keygen-on-device.html$" "$1/nitrokeys/features/openpgp-card/openpgp-keygen-on-device.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)openpgp-keygen-gpa.html$" "$1/nitrokeys/features/openpgp-card/openpgp-keygen-gpa.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)openpgp-keygen-backup.html$" "$1/nitrokeys/features/openpgp-card/openpgp-keygen-backup.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)openpgp-csp.html$" "$1/nitrokeys/features/openpgp-card/openpgp-csp.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/windows/putty.html$" "$1/nitrokeys/features/openpgp-card/ssh/putty.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)?ssh.html$" "$1/nitrokeys/features/openpgp-card/ssh/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)?gpa.html$" "$1/nitrokeys/features/openpgp-card/gpa.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)stunnel.html$" "$1/nitrokeys/features/openpgp-card/stunnel.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)ipsec.html$" "$1/nitrokeys/features/openpgp-card/ipsec.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)login-with-pam.html$" "$1/nitrokeys/features/openpgp-card/desktop-login/pam.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)openvpn-easyrsa.html$" "$1/nitrokeys/features/openpgp-card/openvpn/easyrsa.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)openvpn-viscosity.html$" "$1/nitrokeys/features/openpgp-card/openvpn/viscosity.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)change-pins.html$" "$1/nitrokeys/features/openpgp-card/change-pins.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)certificate-authority.html$" "$1/nitrokeys/features/openpgp-card/certificate-authority.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)ecc.html$" "$1/nitrokeys/features/misc/ecc.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)eid-authenticate.html$" "$1/nitrokeys/features/openpgp-card/eid.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/windows/smart-policy.html$" "$1/nitrokeys/features/openpgp-card/desktop-login/smart-policy.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)hard-disk-encryption.html$" "$1/nitrokeys/features/openpgp-card/hard-disk-encryption/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)disk-encryption-luks.html$" "$1/nitrokeys/features/openpgp-card/hard-disk-encryption/luks.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)otp.html$" "$1/nitrokeys/features/totp/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)2fa-microsoft.html$" "$1/nitrokeys/features/totp/microsoft.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)2fa-google.html$" "$1/nitrokeys/features/totp/google.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)?2fa-nextcloud.html$" "$1/nitrokeys/features/fido2/nextcloud.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)?2fa-odoo.html$" "$1/nitrokeys/features/u2f/odoo.html" +RedirectMatch 301 "(/[a-z][a-z])?/pro/(mac/|windows/|linux/)automatic-screen-lock.html$" "$1/nitrokeys/features/misc/automatic-screen-lock.html" +#Nitrokey 3 +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/index.html$" "$1/nitrokeys/nitrokey3/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)index.html$" "$1/nitrokeys/nitrokey3/getting-started.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/faq.html$" "$1/nitrokeys/nitrokey3/faq.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/features.html$" "$1/nitrokeys/nitrokey3/overview.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)?firmware-update.html$" "$1/nitrokeys/nitrokey3/firmware-update.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)?adsk.html$" "$1/nitrokeys/nitrokey3/adsk.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)?reset.html$" "$1/nitrokeys/nitrokey3/reset.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)?set-pins.html$" "$1/nitrokeys/nitrokey3/set-pins.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)?troubleshooting.html$" "$1/nitrokeys/nitrokey3/troubleshooting.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)?nitropy.html$" "$1/nitrokeys/nitrokey3/nitropy.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/shared/main.html$" "$1/nitrokeys/nitrokey3/getting-started.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/linux/firmware-update-qubes.html$" "$1/nitrokeys/nitrokey3/firmware-update-qubes.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)?2fa-odoo.html$" "$1/nitrokeys/features/u2f/odoo.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/linux/desktop-login.html$" "$1/nitrokeys/features/u2f/desktop-login.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/linux/fedora-gnupg-configuration.html$" "$1/nitrokeys/features/openpgp-card/fedora-gnupg-configuration.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/windows/passwordless-microsoft.html$" "$1/nitrokeys/features/fido2/passwordless-microsoft.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)keepassxc.html$" "$1/nitrokeys/features/password-safe/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)smime-thunderbird.html$" "$1/nitrokeys/features/openpgp-card/smime/smime-thunderbird.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)smime-outlook.html$" "$1/nitrokeys/features/openpgp-card/smime/smime-outlook.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)smime.html$" "$1/nitrokeys/features/openpgp-card/smime/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)openpgp.html$" "$1/nitrokeys/features/openpgp-card/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)openpgp-thunderbird.html$" "$1/nitrokeys/features/openpgp-card/openpgp-thunderbird.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)openpgp-outlook.html$" "$1/nitrokeys/features/openpgp-card/openpgp-outlook.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)openpgp-keygen-on-device.html$" "$1/nitrokeys/features/openpgp-card/openpgp-keygen-on-device.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)openpgp-keygen-gpa.html$" "$1/nitrokeys/features/openpgp-card/openpgp-keygen-gpa.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)openpgp-keygen-backup.html$" "$1/nitrokeys/features/openpgp-card/openpgp-keygen-backup.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)openpgp-csp.html$" "$1/nitrokeys/features/openpgp-card/openpgp-csp.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/(mac/|windows/|linux/)openpgp-uif.html$" "$1/nitrokeys/features/openpgp-card/uif.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/windows/piv/index.html$" "$1/nitrokeys/features/piv/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/windows/piv/access_control.html$" "$1/nitrokeys/features/piv/access_control.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/windows/piv/certificate-management.html$" "$1/nitrokeys/features/piv/certificate-management.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/windows/piv/factory_reset.html$" "$1/nitrokeys/features/piv/factory_reset.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/windows/piv/key_management.html$" "$1/nitrokeys/features/piv/key_management.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/windows/piv/guides/index.html$" "$1/nitrokeys/features/piv/guides/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/nitrokey3/windows/piv/guides/client_logon_with_active_directory.html$" "$1/nitrokeys/features/piv/guides/client_logon_with_active_directory.html" +#Nitrokey HSM +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)index.html$" "$1/nitrokeys/hsm/getting-started.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/index.html$" "$1/nitrokeys/hsm/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/faq.html$" "$1/nitrokeys/hsm/faq.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)smime.html$" "$1/nitrokeys/features/openpgp-card/smime/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)smime-thunderbird.html$" "$1/nitrokeys/features/openpgp-card/smime/smime-thunderbird.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)smime-outlook.html$" "$1/nitrokeys/features/openpgp-card/smime/smime-outlook.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)pkcs11-url.html$" "$1/nitrokeys/features/hsm/pkcs11-url.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)import-keys-certs.html$" "$1/nitrokeys/features/hsm/import-keys-certs.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)certificate-authority.html$" "$1/nitrokeys/features/openpgp-card/certificate-authority.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)apache2-tls.html$" "$1/nitrokeys/features/hsm/apache2-tls.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/windows/smart-policy.html$" "$1/nitrokeys/features/openpgp-card/desktop-login/smart-policy.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)?n-of-m-schemes.html$" "$1/nitrokeys/features/hsm/n-of-m-schemes.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)hard-disk-encryption.html$" "$1/nitrokeys/features/openpgp-card/hard-disk-encryption/index.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)ipsec.html$" "$1/nitrokeys/features/openpgp-card/ipsec.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)gpa.html$" "$1/nitrokeys/features/openpgp-card/gpa.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)stunnel.html$" "$1/nitrokeys/features/openpgp-card/stunnel.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)automatic-screen-lock.html$" "$1/nitrokeys/features/misc/automatic-screen-lock.html" +RedirectMatch 301 "(/[a-z][a-z])?/hsm/(mac/|windows/|linux/)dnssec.html$" "$1/nitrokeys/features/hsm/dnssec.html" diff --git a/_static/css/custom.css b/_static/css/custom.css index a7d799f203..767623efe5 100644 --- a/_static/css/custom.css +++ b/_static/css/custom.css @@ -718,3 +718,14 @@ article ul li { #breadcrumbs a:last-child:after { display: none; } + +.products-table td p { + text-align: center; + font-size: 1.25em !important; + margin: 0 !important; +} +.products-table td { + padding: 0 !important; +} + + diff --git a/fido2/2fa-nextcloud.rst b/fido2/2fa-nextcloud.rst deleted file mode 100644 index 2f5bdee469..0000000000 --- a/fido2/2fa-nextcloud.rst +++ /dev/null @@ -1,7 +0,0 @@ - -These are the basic steps for registering the Nitrokey FIDO2 as a second factor or setting up passwordless login of a Nextcloud account. - -.. raw:: html - - - diff --git a/fido2/index.rst b/fido2/index.rst deleted file mode 100644 index 37bfb22c4d..0000000000 --- a/fido2/index.rst +++ /dev/null @@ -1,23 +0,0 @@ -Nitrokey FIDO2 -============== - -.. contents:: :local: - -First check the: - -.. toctree:: - :maxdepth: 1 - :glob: - - Frequently Asked Questions - -or choose your operating system: - -.. toctree:: - :maxdepth: 1 - :glob: - - Windows - macOS - Linux - diff --git a/fido2/linux/2fa-nextcloud.rst b/fido2/linux/2fa-nextcloud.rst deleted file mode 100644 index d71d6f6144..0000000000 --- a/fido2/linux/2fa-nextcloud.rst +++ /dev/null @@ -1,4 +0,0 @@ -Two-Factor Authentication And Passwordless Login For Nextcloud Accounts -======================================================================= - -.. include:: ../2fa-nextcloud.rst diff --git a/fido2/linux/2fa-odoo.rst b/fido2/linux/2fa-odoo.rst deleted file mode 100644 index 374fbfa5dc..0000000000 --- a/fido2/linux/2fa-odoo.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../2fa-odoo.rst.inc diff --git a/fido2/linux/firmware-update.rst b/fido2/linux/firmware-update.rst deleted file mode 100644 index a24e2be178..0000000000 --- a/fido2/linux/firmware-update.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/firmware-update.rst.inc diff --git a/fido2/linux/index.rst b/fido2/linux/index.rst deleted file mode 100644 index 7a78f34194..0000000000 --- a/fido2/linux/index.rst +++ /dev/null @@ -1,26 +0,0 @@ -FIDO2 With Linux -================ - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -.. include:: ../shared/index-content1.rst.inc - -Troubleshooting ---------------- - -If the Nitrokey is not detected, proceed the following: - -1. Copy this file - `41-nitrokey.rules `__ - to ``/etc/udev/rules.d/``. In very rare cases, the system will need - the `older - version `__ - of this file. -2. Restart udev via ``sudo service udev restart`` or ``udevadm control --reload-rules && udevadm trigger`` if you are using Fedora. diff --git a/fido2/linux/reset.rst b/fido2/linux/reset.rst deleted file mode 100644 index fdfea9ff6b..0000000000 --- a/fido2/linux/reset.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/index-content2.rst.inc diff --git a/fido2/mac/2fa-nextcloud.rst b/fido2/mac/2fa-nextcloud.rst deleted file mode 100644 index d71d6f6144..0000000000 --- a/fido2/mac/2fa-nextcloud.rst +++ /dev/null @@ -1,4 +0,0 @@ -Two-Factor Authentication And Passwordless Login For Nextcloud Accounts -======================================================================= - -.. include:: ../2fa-nextcloud.rst diff --git a/fido2/mac/2fa-odoo.rst b/fido2/mac/2fa-odoo.rst deleted file mode 100644 index 374fbfa5dc..0000000000 --- a/fido2/mac/2fa-odoo.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../2fa-odoo.rst.inc diff --git a/fido2/mac/firmware-update.rst b/fido2/mac/firmware-update.rst deleted file mode 100644 index a24e2be178..0000000000 --- a/fido2/mac/firmware-update.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/firmware-update.rst.inc diff --git a/fido2/mac/index.rst b/fido2/mac/index.rst deleted file mode 100644 index 553cd2c90f..0000000000 --- a/fido2/mac/index.rst +++ /dev/null @@ -1,13 +0,0 @@ -FIDO2 With macOS -================ - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -.. include:: ../shared/index-content1.rst.inc diff --git a/fido2/mac/reset.rst b/fido2/mac/reset.rst deleted file mode 100644 index fdfea9ff6b..0000000000 --- a/fido2/mac/reset.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/index-content2.rst.inc diff --git a/fido2/shared/index-content2.rst.inc b/fido2/shared/index-content2.rst.inc deleted file mode 100644 index 53e137388d..0000000000 --- a/fido2/shared/index-content2.rst.inc +++ /dev/null @@ -1,17 +0,0 @@ -Nitrokey Reset --------------- - -.. contents:: :local: - -Factory Reset operation regenerates the secret material stored on the Nitrokey FIDO U2F / Nitrokey FIDO2, which makes it a completely new key logic-side. New owner cannot use it to login to account of the previous one. In case of the FIDO2 Resident Keys the material is erased. - -To avoid accidental and malicious reset of the Nitrokey, the required -touch confirmation time for the FIDO2 reset operation is longer and with -a distinct LED behavior (red LED light) than normal operations. To reset -the Nitrokey FIDO2, confirm by touching the touch button for at least 5 -seconds until the green or blue LED lights up. - -Nitrokey FIDO2 could be reset by: - -* pynitrokey tool: ``nitropy fido2 reset`` (requires Administrator rights to execute) -* Google Chrome: `Manage security keys` via the direct link: `chrome://settings/securityKeys` diff --git a/fido2/windows/2fa-nextcloud.rst b/fido2/windows/2fa-nextcloud.rst deleted file mode 100644 index d71d6f6144..0000000000 --- a/fido2/windows/2fa-nextcloud.rst +++ /dev/null @@ -1,4 +0,0 @@ -Two-Factor Authentication And Passwordless Login For Nextcloud Accounts -======================================================================= - -.. include:: ../2fa-nextcloud.rst diff --git a/fido2/windows/2fa-odoo.rst b/fido2/windows/2fa-odoo.rst deleted file mode 100644 index 374fbfa5dc..0000000000 --- a/fido2/windows/2fa-odoo.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../2fa-odoo.rst.inc diff --git a/fido2/windows/firmware-update.rst b/fido2/windows/firmware-update.rst deleted file mode 100644 index a24e2be178..0000000000 --- a/fido2/windows/firmware-update.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/firmware-update.rst.inc diff --git a/fido2/windows/images/enabling-u2f-on-firefox/1.png b/fido2/windows/images/enabling-u2f-on-firefox/1.png deleted file mode 100644 index 150e64d2d6..0000000000 Binary files a/fido2/windows/images/enabling-u2f-on-firefox/1.png and /dev/null differ diff --git a/fido2/windows/index.rst b/fido2/windows/index.rst deleted file mode 100644 index cb732798f3..0000000000 --- a/fido2/windows/index.rst +++ /dev/null @@ -1,13 +0,0 @@ -Nitrokey FIDO2 With Windows -=========================== - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -.. include:: ../shared/index-content1.rst.inc diff --git a/hsm/ipsec.rst.inc b/hsm/ipsec.rst.inc deleted file mode 100644 index 4fe4c78568..0000000000 --- a/hsm/ipsec.rst.inc +++ /dev/null @@ -1,46 +0,0 @@ -.. contents:: :local: - -`Strong Swan `__ works using the `PKCS#11 driver `__. Basically follow these steps: - -1. Generate a key on Nitrokey via pkcs11-tool. In this example it's a 4096 bit RSA key. - -.. code-block:: bash - - $ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so -l -k --key-type rsa:4096 --id 10 --label 'Staging Access' - -2. Generate a certificate signing request via openssl + pkcs11 module - -.. code-block:: bash - - $ openssl - OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so - OpenSSL> req -engine pkcs11 -sha256 -new -key id_10 -keyform engine -out user@email.com-staging-cert.csr -subj '/C=GB/L=Cambridge/O=Organization/OU=Staging Access/CN=user@email.com/emailAddress=user@email.com' - -3. Sign the certificate with your certificate authority - -4. Convert the certificate to DER - -.. code-block:: bash - - $ openssl x509 -in user@email.com-staging-cert.csr -out user@email.com-staging-cert.der -outform DER - -5. Import the certificate into the Nitrokey via pkcs11-tool - -.. code-block:: bash - - $ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so -l -y cert -w user@email.com-staging-cert.der --id 10 --label 'Staging Access' - -6. Configure Strongswan to load opensc-pkcs11 module then to load the certificate on Nitrokey. Edit /etc/strongswan.d/charon/pkcs11.conf and add the following module: - -.. code-block:: bash - - modules { - Nitrokey { - path = /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so - } - } - - -7. Initiate the VPN connection via IPSec/Strongswan, then prompt for Nitrokey PIN - -8. VPN is now connected diff --git a/hsm/linux/apache2-tls.rst b/hsm/linux/apache2-tls.rst deleted file mode 100644 index 9d6b689cb1..0000000000 --- a/hsm/linux/apache2-tls.rst +++ /dev/null @@ -1,4 +0,0 @@ - - -.. include:: ../apache2-tls.rst.inc - diff --git a/hsm/linux/automatic-screen-lock.rst b/hsm/linux/automatic-screen-lock.rst deleted file mode 100644 index d8f8332ad1..0000000000 --- a/hsm/linux/automatic-screen-lock.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/linux/automatic-screen-lock.rst diff --git a/hsm/linux/certificate-authority.rst b/hsm/linux/certificate-authority.rst deleted file mode 100644 index d414fc892f..0000000000 --- a/hsm/linux/certificate-authority.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../certificate-authority.rst.inc diff --git a/hsm/linux/gpa.rst b/hsm/linux/gpa.rst deleted file mode 100644 index 398ae468bc..0000000000 --- a/hsm/linux/gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/gpa.rst diff --git a/hsm/linux/hard-disk-encryption.rst b/hsm/linux/hard-disk-encryption.rst deleted file mode 100644 index 95e1694368..0000000000 --- a/hsm/linux/hard-disk-encryption.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/linux/hard-disk-encryption.rst diff --git a/hsm/linux/import-keys-certs.rst b/hsm/linux/import-keys-certs.rst deleted file mode 100644 index 95ee7978a4..0000000000 --- a/hsm/linux/import-keys-certs.rst +++ /dev/null @@ -1,4 +0,0 @@ - - -.. include:: ../import-keys-certs.rst.inc - diff --git a/hsm/linux/index.rst b/hsm/linux/index.rst deleted file mode 100644 index edb30900b2..0000000000 --- a/hsm/linux/index.rst +++ /dev/null @@ -1,30 +0,0 @@ -Nitrokey HSM with GNU/Linux -=========================== - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -1. Install `OpenSC `__. You need - at least version 0.19. You can find recent builds for debian-based - systems like Ubuntu - `here `__ if your system - does not have the newest version of OpenSC. Alternatively, install - `this `__ - driver (`source `__). -2. Define SO-PIN and PIN of your own choices. See `these - instructions `__. - Afterwards you can begin to `generate new - keys `__. - -Your Nitrokey is now ready to use. - -* There is `nitrotool `__ as a more comfortable frontend to OpenSC. (hsmwiz) -* Embedded Systems: For systems with minimal memory footprint a read/only PKCS#11 module is provided by the `sc-hsm-embedded `__ project. -* `This PKCS#11 module `__ is useful for deployments where key generation at the user's workplace is not required. The PKCS#11 module also supports major electronic signature cards available in the German market. -* OpenSCDP: The SmartCard-HSM is fully integrated with `OpenSCDP `__, the open smart card development platform. See the `public support scripts `__ for details. diff --git a/hsm/linux/ipsec.rst b/hsm/linux/ipsec.rst deleted file mode 100644 index 4e0695fd04..0000000000 --- a/hsm/linux/ipsec.rst +++ /dev/null @@ -1,4 +0,0 @@ -IPsec -===== - -.. include:: ../ipsec.rst.inc diff --git a/hsm/linux/n-of-m-schemes.rst b/hsm/linux/n-of-m-schemes.rst deleted file mode 100644 index 37e1d8d430..0000000000 --- a/hsm/linux/n-of-m-schemes.rst +++ /dev/null @@ -1,5 +0,0 @@ -N-of-m Schemes -============== - -.. include:: ../n-of-m-schemes.rst - diff --git a/hsm/linux/pkcs11-url.rst b/hsm/linux/pkcs11-url.rst deleted file mode 100644 index 5ad8f40b7a..0000000000 --- a/hsm/linux/pkcs11-url.rst +++ /dev/null @@ -1,4 +0,0 @@ - - -.. include:: ../pkcs11-url.rst.inc - diff --git a/hsm/linux/smime-outlook.rst b/hsm/linux/smime-outlook.rst deleted file mode 100644 index acd45a24a9..0000000000 --- a/hsm/linux/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-outlook.rst.inc diff --git a/hsm/linux/smime-thunderbird.rst b/hsm/linux/smime-thunderbird.rst deleted file mode 100644 index 4ae43d43ba..0000000000 --- a/hsm/linux/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-thunderbird.rst.inc diff --git a/hsm/linux/smime.rst b/hsm/linux/smime.rst deleted file mode 100644 index 9a7ca24e7c..0000000000 --- a/hsm/linux/smime.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../smime.rst.inc diff --git a/hsm/linux/stunnel.rst b/hsm/linux/stunnel.rst deleted file mode 100644 index 263c7fdc22..0000000000 --- a/hsm/linux/stunnel.rst +++ /dev/null @@ -1,4 +0,0 @@ -Stunnel -======= - -.. include:: ../stunnel.rst.inc diff --git a/hsm/mac/apache2-tls.rst b/hsm/mac/apache2-tls.rst deleted file mode 100644 index 9d6b689cb1..0000000000 --- a/hsm/mac/apache2-tls.rst +++ /dev/null @@ -1,4 +0,0 @@ - - -.. include:: ../apache2-tls.rst.inc - diff --git a/hsm/mac/certificate-authority.rst b/hsm/mac/certificate-authority.rst deleted file mode 100644 index d414fc892f..0000000000 --- a/hsm/mac/certificate-authority.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../certificate-authority.rst.inc diff --git a/hsm/mac/gpa.rst b/hsm/mac/gpa.rst deleted file mode 100644 index 398ae468bc..0000000000 --- a/hsm/mac/gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/gpa.rst diff --git a/hsm/mac/hard-disk-encryption.rst b/hsm/mac/hard-disk-encryption.rst deleted file mode 100644 index 97111bfd66..0000000000 --- a/hsm/mac/hard-disk-encryption.rst +++ /dev/null @@ -1,4 +0,0 @@ -Hard Disk Encryption -=========================== - -.. include:: ../../pro/hard-disk-encryption.rst.inc diff --git a/hsm/mac/import-keys-certs.rst b/hsm/mac/import-keys-certs.rst deleted file mode 100644 index 95ee7978a4..0000000000 --- a/hsm/mac/import-keys-certs.rst +++ /dev/null @@ -1,4 +0,0 @@ - - -.. include:: ../import-keys-certs.rst.inc - diff --git a/hsm/mac/index.rst b/hsm/mac/index.rst deleted file mode 100644 index 66fe944024..0000000000 --- a/hsm/mac/index.rst +++ /dev/null @@ -1,27 +0,0 @@ -Nitrokey HSM with macOS -======================= - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -1. Install `OpenSC `__. - Alternatively, install - `this `__ - driver (`source `__). -2. Define SO-PIN and PIN of your own choices. See `these - instructions `__. - Afterwards you can begin to `generate new - keys `__. - -Your Nitrokey is now ready to use. - -* There is `nitrotool `__ as a more comfortable frontend to OpenSC. (hsmwiz) -* Embedded Systems: For systems with minimal memory footprint a read/only PKCS#11 module is provided by the `sc-hsm-embedded `__ project. -* `This PKCS#11 module `__ is useful for deployments where key generation at the user's workplace is not required. The PKCS#11 module also supports major electronic signature cards available in the German market. -* OpenSCDP: The SmartCard-HSM is fully integrated with `OpenSCDP `__, the open smart card development platform. See the `public support scripts `__ for details. diff --git a/hsm/mac/pkcs11-url.rst b/hsm/mac/pkcs11-url.rst deleted file mode 100644 index 5ad8f40b7a..0000000000 --- a/hsm/mac/pkcs11-url.rst +++ /dev/null @@ -1,4 +0,0 @@ - - -.. include:: ../pkcs11-url.rst.inc - diff --git a/hsm/mac/smime-outlook.rst b/hsm/mac/smime-outlook.rst deleted file mode 100644 index acd45a24a9..0000000000 --- a/hsm/mac/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-outlook.rst.inc diff --git a/hsm/mac/smime-thunderbird.rst b/hsm/mac/smime-thunderbird.rst deleted file mode 100644 index 4ae43d43ba..0000000000 --- a/hsm/mac/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-thunderbird.rst.inc diff --git a/hsm/mac/smime.rst b/hsm/mac/smime.rst deleted file mode 100644 index 9a7ca24e7c..0000000000 --- a/hsm/mac/smime.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../smime.rst.inc diff --git a/hsm/smime.rst.inc b/hsm/smime.rst.inc deleted file mode 100644 index 906c5be8b1..0000000000 --- a/hsm/smime.rst.inc +++ /dev/null @@ -1,64 +0,0 @@ -S/MIME Email Encryption -======================= - -.. contents:: :local: - -Prerequisites -------------- - -There are two widely used standards for email encryption. - -- OpenPGP/GnuPG is popular among individuals, - -- S/MIME/X.509 is mostly used by enterprises. - -The Nitrokey HSM 2 currently supports the S/MIME/X.509 standard. This page describes the usage of S/MIME email encryption. - -You need to purchase a S/MIME certificate (e.g. at `CERTUM `__) or may already got one by your company. Furthermore, you need to install `OpenSC `__ on your System. While GNU/Linux users usually can install OpenSC over the package manager (e.g. ``sudo apt install opensc`` on Ubuntu), macOS and Windows users can download the installation files from the `OpenSC `__ page. - -Import Existing Key and Certificate ------------------------------------ - -The following instructions are based on the `wiki of OpenSC `__. We will assume, that you already got a key-certificate pair as a .p12 file. Please have a look at the wiki page, if you got a separate key and certificate file. - -To open the Windows command line please push the Windows-key and R-key. Now type ‘cmd.exe’ in the text field and hit enter. To open a Terminal on macOS or GNU/Linux please use the application search (e.g. spotlight on macOS). - -To make these commands as simple as possible, the .p12 file needs to be in your home folder. On Windows this is usually ``C:\Users\yourusername`` and on macOS and GNU/Linux system it will be ``/home/yourusername``. If you do not store the .p12 file there, you have to adapt the path in the commands below. Please plug in the Nitrokey before submitting the commands. - -Assuming that your key-certificate file reads ‘myprivate.p12’ the commands for Windows looks like this: - -.. code-block:: bash - - "C:\Program Files\OpenSC Project\OpenSC\tools\pkcs15-init" --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin - "C:\Program Files\OpenSC Project\OpenSC\tools\pkcs15-init" --delete-objects privkey,pubkey --id 2 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin - -and on macOS and GNU/Linux it will be - -.. code-block:: bash - - $ pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin - $ pkcs15-init --delete-objects privkey,pubkey --id 2 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin - -The two commands copy the key-certificate pair to the slot 2 (needed for decrypting emails) and slot 3 (needed for signing). The output looks on both systems something like this: - -.. figure:: /pro/images/smime/1.png - :alt: img1 - - - -Please note that there will be error messages that can be safely ignored (see output example above). You now have the key-certificate pair loaded on the Nitrokey. - -Usage ------ - -You can find further information about the usage on these pages: - -- for using `S/MIME encryption on - Thunderbird `_ - -- for using `S/MIME encryption on - Outlook `_ - -- for using - `Evolution `__, - an email client for the Gnome Desktop on Linux systems diff --git a/hsm/stunnel.rst.inc b/hsm/stunnel.rst.inc deleted file mode 100644 index 4869e58c9f..0000000000 --- a/hsm/stunnel.rst.inc +++ /dev/null @@ -1,19 +0,0 @@ -.. contents:: :local: - -`Stunnel `__ works as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. - -Stunnel is able to load OpenSC PKCS#11 engine using this configuration: - -.. code-block:: bash - - engine=dynamic - engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so - engineCtrl=ID:pkcs11 - engineCtrl=LIST_ADD:1 - engineCtrl=LOAD - engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so - engineCtrl=INIT - - [service] - engineNum=1 - key=id_45 diff --git a/hsm/windows/apache2-tls.rst b/hsm/windows/apache2-tls.rst deleted file mode 100644 index 9d6b689cb1..0000000000 --- a/hsm/windows/apache2-tls.rst +++ /dev/null @@ -1,4 +0,0 @@ - - -.. include:: ../apache2-tls.rst.inc - diff --git a/hsm/windows/certificate-authority.rst b/hsm/windows/certificate-authority.rst deleted file mode 100644 index d414fc892f..0000000000 --- a/hsm/windows/certificate-authority.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../certificate-authority.rst.inc diff --git a/hsm/windows/gpa.rst b/hsm/windows/gpa.rst deleted file mode 100644 index 398ae468bc..0000000000 --- a/hsm/windows/gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/gpa.rst diff --git a/hsm/windows/hard-disk-encryption.rst b/hsm/windows/hard-disk-encryption.rst deleted file mode 100644 index 7a15e069ec..0000000000 --- a/hsm/windows/hard-disk-encryption.rst +++ /dev/null @@ -1,4 +0,0 @@ -Hard Disk Encryption -=========================== - -.. include:: ../../pro/hard-disk-encryption.rst.inc diff --git a/hsm/windows/import-keys-certs.rst b/hsm/windows/import-keys-certs.rst deleted file mode 100644 index 95ee7978a4..0000000000 --- a/hsm/windows/import-keys-certs.rst +++ /dev/null @@ -1,4 +0,0 @@ - - -.. include:: ../import-keys-certs.rst.inc - diff --git a/hsm/windows/index.rst b/hsm/windows/index.rst deleted file mode 100644 index b508ac7ff0..0000000000 --- a/hsm/windows/index.rst +++ /dev/null @@ -1,27 +0,0 @@ -Nitrokey HSM With Windows -========================= - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -1. Install `OpenSC `__. - Alternatively, install - `this `__ - driver (`source `__). -2. Define SO-PIN and PIN of your own choices. See `these - instructions `__. - Afterwards you can begin to `generate new - keys `__. - -Your Nitrokey is now ready to use. - -* There is `nitrotool `__ as a more comfortable frontend to OpenSC. (hsmwiz) -* Embedded Systems: For systems with minimal memory footprint a read/only PKCS#11 module is provided by the `sc-hsm-embedded `__ project. -* `This PKCS#11 module `__ is useful for deployments where key generation at the user's workplace is not required. The PKCS#11 module also supports major electronic signature cards available in the German market. -* OpenSCDP: The SmartCard-HSM is fully integrated with `OpenSCDP `__, the open smart card development platform. See the `public support scripts `__ for details. diff --git a/hsm/windows/pkcs11-url.rst b/hsm/windows/pkcs11-url.rst deleted file mode 100644 index 5ad8f40b7a..0000000000 --- a/hsm/windows/pkcs11-url.rst +++ /dev/null @@ -1,4 +0,0 @@ - - -.. include:: ../pkcs11-url.rst.inc - diff --git a/hsm/windows/smart-policy.rst b/hsm/windows/smart-policy.rst deleted file mode 100644 index 7f85805135..0000000000 --- a/hsm/windows/smart-policy.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smart-policy.rst.inc diff --git a/hsm/windows/smime-outlook.rst b/hsm/windows/smime-outlook.rst deleted file mode 100644 index acd45a24a9..0000000000 --- a/hsm/windows/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-outlook.rst.inc diff --git a/hsm/windows/smime-thunderbird.rst b/hsm/windows/smime-thunderbird.rst deleted file mode 100644 index 2167f1b220..0000000000 --- a/hsm/windows/smime-thunderbird.rst +++ /dev/null @@ -1,2 +0,0 @@ -.. include:: ../../pro/smime-thunderbird.rst.inc - diff --git a/hsm/windows/smime.rst b/hsm/windows/smime.rst deleted file mode 100644 index 7080df4aeb..0000000000 --- a/hsm/windows/smime.rst +++ /dev/null @@ -1,8 +0,0 @@ -.. include:: ../smime.rst.inc - :end-line: 20 - -.. note:: - Windows users with 64-bit system (standard) need to install both, the 32-bit and the 64-bit version of OpenSC! - -.. include:: ../smime.rst.inc - :start-line: 20 diff --git a/index.rst b/index.rst index cdb5538a43..59e67c2e75 100644 --- a/index.rst +++ b/index.rst @@ -5,14 +5,7 @@ Nitrokey Documentation :maxdepth: 1 :titlesonly: - nitrokey3/index - nkpk/index - fido2/index - u2f/index - hsm/index - pro/index - start/index - storage/index + nitrokeys/index nitropad/index nitropc/index nitrophone/index diff --git a/nitrokey3/index.rst b/nitrokey3/index.rst deleted file mode 100644 index c672eaf399..0000000000 --- a/nitrokey3/index.rst +++ /dev/null @@ -1,36 +0,0 @@ -Nitrokey 3 -========== - -.. contents:: :local: - - -The Nitrokey 3 currently supports: - -* FIDO2 -* Password-Safe & One-Time Passwords (OTP) -* OpenPGP Card (`Secure Element Backend or Software Backend`_) - -Additional features like PIV are available in test firmware releases. See the `release notes`_ on GitHub for more information. - -.. _Secure Element Backend or Software Backend: faq#how-can-I-use-the-se050-secure-element -.. _release notes: https://github.com/Nitrokey/nitrokey-3-firmware/releases - -First check the: - -.. toctree:: - :maxdepth: 1 - :glob: - - Frequently Asked Questions - features - -Or choose your operating system: - -.. toctree:: - :maxdepth: 1 - :glob: - - Windows - macOS - Linux - diff --git a/nitrokey3/linux/2fa-odoo.rst b/nitrokey3/linux/2fa-odoo.rst deleted file mode 100644 index b4591596e0..0000000000 --- a/nitrokey3/linux/2fa-odoo.rst +++ /dev/null @@ -1,2 +0,0 @@ - -.. include:: ../../fido2/2fa-odoo.rst.inc diff --git a/nitrokey3/linux/adsk.rst b/nitrokey3/linux/adsk.rst deleted file mode 100644 index 00ce644292..0000000000 --- a/nitrokey3/linux/adsk.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../nitrokey3/adsk.rst.inc diff --git a/nitrokey3/linux/desktop-login.rst b/nitrokey3/linux/desktop-login.rst deleted file mode 100644 index 11e6d5e5c6..0000000000 --- a/nitrokey3/linux/desktop-login.rst +++ /dev/null @@ -1,3 +0,0 @@ - -.. include:: ../../fido2/linux/desktop-login.rst - diff --git a/nitrokey3/linux/firmware-update.rst b/nitrokey3/linux/firmware-update.rst deleted file mode 100644 index ba622ba13a..0000000000 --- a/nitrokey3/linux/firmware-update.rst +++ /dev/null @@ -1,16 +0,0 @@ -.. include:: ../firmware-update.rst.inc - -Troubleshooting: ----------------- - -**Issue:** I get ``permission denied for /dev/hidrawX`` during update. - This likely means your user has not the needed permissions to - read/write the device. Please make sure you have set up the correct - `udev-rules`_. Download this `udev-rules`_ set and place it in your - udev rules directory (e.g., ``/etc/udev/rules.d``). Then remove - your Nitrokey 3 from the USB slot and run: - ``udevadm control --reload-rules && udevadm trigger`` or reboot - your machine. Afterwards the update should work without the - permission issue. - -.. _udev-rules: https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules diff --git a/nitrokey3/linux/images b/nitrokey3/linux/images deleted file mode 120000 index c7bda842dd..0000000000 --- a/nitrokey3/linux/images +++ /dev/null @@ -1 +0,0 @@ -../../fido2/linux/images/ \ No newline at end of file diff --git a/nitrokey3/linux/index.rst b/nitrokey3/linux/index.rst deleted file mode 100644 index 18d9b204cf..0000000000 --- a/nitrokey3/linux/index.rst +++ /dev/null @@ -1,13 +0,0 @@ -Nitrokey 3 With Linux -=========================== - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -.. include:: ../shared/main.rst diff --git a/nitrokey3/linux/keepassxc.rst b/nitrokey3/linux/keepassxc.rst deleted file mode 100644 index 148bcb82bd..0000000000 --- a/nitrokey3/linux/keepassxc.rst +++ /dev/null @@ -1,2 +0,0 @@ - -.. include:: ../../software/nk-app2/keepassxc.rst diff --git a/nitrokey3/linux/nitropy.rst b/nitrokey3/linux/nitropy.rst deleted file mode 100644 index 4cb4985709..0000000000 --- a/nitrokey3/linux/nitropy.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/nitropy.rst diff --git a/nitrokey3/linux/openpgp-keygen-backup.rst b/nitrokey3/linux/openpgp-keygen-backup.rst deleted file mode 100644 index b4528e0139..0000000000 --- a/nitrokey3/linux/openpgp-keygen-backup.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-backup.rst.inc diff --git a/nitrokey3/linux/openpgp-keygen-gpa.rst b/nitrokey3/linux/openpgp-keygen-gpa.rst deleted file mode 100644 index 472d298006..0000000000 --- a/nitrokey3/linux/openpgp-keygen-gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-gpa.rst.inc diff --git a/nitrokey3/linux/openpgp-keygen-on-device.rst b/nitrokey3/linux/openpgp-keygen-on-device.rst deleted file mode 100644 index fc90850b8e..0000000000 --- a/nitrokey3/linux/openpgp-keygen-on-device.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-on-device.rst.inc diff --git a/nitrokey3/linux/openpgp-outlook.rst b/nitrokey3/linux/openpgp-outlook.rst deleted file mode 100644 index fa4e7dd855..0000000000 --- a/nitrokey3/linux/openpgp-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-outlook.rst.inc diff --git a/nitrokey3/linux/openpgp-thunderbird.rst b/nitrokey3/linux/openpgp-thunderbird.rst deleted file mode 100644 index 59e0956c63..0000000000 --- a/nitrokey3/linux/openpgp-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-thunderbird.rst.inc diff --git a/nitrokey3/linux/openpgp-uif.rst b/nitrokey3/linux/openpgp-uif.rst deleted file mode 100644 index 05f0ae6925..0000000000 --- a/nitrokey3/linux/openpgp-uif.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/openpgp-uif.rst.inc diff --git a/nitrokey3/linux/openpgp.rst b/nitrokey3/linux/openpgp.rst deleted file mode 100644 index ce0f581887..0000000000 --- a/nitrokey3/linux/openpgp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/openpgp.rst.inc diff --git a/nitrokey3/linux/reset.rst b/nitrokey3/linux/reset.rst deleted file mode 100644 index 3454a004c3..0000000000 --- a/nitrokey3/linux/reset.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/reset.rst.inc diff --git a/nitrokey3/linux/set-pins.rst b/nitrokey3/linux/set-pins.rst deleted file mode 100644 index 9c6dfe6d81..0000000000 --- a/nitrokey3/linux/set-pins.rst +++ /dev/null @@ -1,21 +0,0 @@ -.. include:: ../shared/set-pins.rst.inc - :start-after: start-header - :end-before: end-header -.. include:: ../shared/set-pins.rst.inc - :start-after: start-fido2-header - :end-before: end-fido2-header -.. include:: ../shared/set-pins.rst.inc - :start-after: start-fido2-nitropy - :end-before: end-fido2-nitropy -.. include:: ../shared/set-pins.rst.inc - :start-after: start-fido2-chromeium - :end-before: end-fido2-chromeium -.. include:: ../shared/set-pins.rst.inc - :start-after: start-passwords-otp-secrets - :end-before: end-passwords-otp-secrets -.. include:: ../shared/set-pins.rst.inc - :start-after: start-openpgp-card - :end-before: end-openpgp-card -.. include:: ../shared/set-pins.rst.inc - :start-after: start-piv-card - :end-before: end-piv-card diff --git a/nitrokey3/linux/smime-outlook.rst b/nitrokey3/linux/smime-outlook.rst deleted file mode 100644 index acd45a24a9..0000000000 --- a/nitrokey3/linux/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-outlook.rst.inc diff --git a/nitrokey3/linux/smime-thunderbird.rst b/nitrokey3/linux/smime-thunderbird.rst deleted file mode 100644 index 4ae43d43ba..0000000000 --- a/nitrokey3/linux/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-thunderbird.rst.inc diff --git a/nitrokey3/linux/smime.rst b/nitrokey3/linux/smime.rst deleted file mode 100644 index 5029a3135c..0000000000 --- a/nitrokey3/linux/smime.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime.rst.inc diff --git a/nitrokey3/linux/troubleshooting.rst b/nitrokey3/linux/troubleshooting.rst deleted file mode 100644 index 71e54fdba1..0000000000 --- a/nitrokey3/linux/troubleshooting.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../nitrokey3/troubleshooting.rst.inc diff --git a/nitrokey3/mac/2fa-odoo.rst b/nitrokey3/mac/2fa-odoo.rst deleted file mode 100644 index b4591596e0..0000000000 --- a/nitrokey3/mac/2fa-odoo.rst +++ /dev/null @@ -1,2 +0,0 @@ - -.. include:: ../../fido2/2fa-odoo.rst.inc diff --git a/nitrokey3/mac/adsk.rst b/nitrokey3/mac/adsk.rst deleted file mode 100644 index 00ce644292..0000000000 --- a/nitrokey3/mac/adsk.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../nitrokey3/adsk.rst.inc diff --git a/nitrokey3/mac/firmware-update.rst b/nitrokey3/mac/firmware-update.rst deleted file mode 100644 index 97c722b20c..0000000000 --- a/nitrokey3/mac/firmware-update.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../firmware-update.rst.inc diff --git a/nitrokey3/mac/index.rst b/nitrokey3/mac/index.rst deleted file mode 100644 index be61a80b8a..0000000000 --- a/nitrokey3/mac/index.rst +++ /dev/null @@ -1,13 +0,0 @@ -Nitrokey 3 With macOS -===================== - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -.. include:: ../shared/main.rst diff --git a/nitrokey3/mac/keepassxc.rst b/nitrokey3/mac/keepassxc.rst deleted file mode 100644 index 148bcb82bd..0000000000 --- a/nitrokey3/mac/keepassxc.rst +++ /dev/null @@ -1,2 +0,0 @@ - -.. include:: ../../software/nk-app2/keepassxc.rst diff --git a/nitrokey3/mac/nitropy.rst b/nitrokey3/mac/nitropy.rst deleted file mode 100644 index 4cb4985709..0000000000 --- a/nitrokey3/mac/nitropy.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/nitropy.rst diff --git a/nitrokey3/mac/openpgp-keygen-backup.rst b/nitrokey3/mac/openpgp-keygen-backup.rst deleted file mode 100644 index b4528e0139..0000000000 --- a/nitrokey3/mac/openpgp-keygen-backup.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-backup.rst.inc diff --git a/nitrokey3/mac/openpgp-keygen-gpa.rst b/nitrokey3/mac/openpgp-keygen-gpa.rst deleted file mode 100644 index 472d298006..0000000000 --- a/nitrokey3/mac/openpgp-keygen-gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-gpa.rst.inc diff --git a/nitrokey3/mac/openpgp-keygen-on-device.rst b/nitrokey3/mac/openpgp-keygen-on-device.rst deleted file mode 100644 index fc90850b8e..0000000000 --- a/nitrokey3/mac/openpgp-keygen-on-device.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-on-device.rst.inc diff --git a/nitrokey3/mac/openpgp-outlook.rst b/nitrokey3/mac/openpgp-outlook.rst deleted file mode 100644 index fa4e7dd855..0000000000 --- a/nitrokey3/mac/openpgp-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-outlook.rst.inc diff --git a/nitrokey3/mac/openpgp-thunderbird.rst b/nitrokey3/mac/openpgp-thunderbird.rst deleted file mode 100644 index 59e0956c63..0000000000 --- a/nitrokey3/mac/openpgp-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-thunderbird.rst.inc diff --git a/nitrokey3/mac/openpgp-uif.rst b/nitrokey3/mac/openpgp-uif.rst deleted file mode 100644 index 3a7dcc6aa7..0000000000 --- a/nitrokey3/mac/openpgp-uif.rst +++ /dev/null @@ -1,2 +0,0 @@ -.. include:: ../shared/openpgp-uif.rst.inc - diff --git a/nitrokey3/mac/openpgp.rst b/nitrokey3/mac/openpgp.rst deleted file mode 100644 index ce0f581887..0000000000 --- a/nitrokey3/mac/openpgp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/openpgp.rst.inc diff --git a/nitrokey3/mac/reset.rst b/nitrokey3/mac/reset.rst deleted file mode 100644 index 3454a004c3..0000000000 --- a/nitrokey3/mac/reset.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/reset.rst.inc diff --git a/nitrokey3/mac/set-pins.rst b/nitrokey3/mac/set-pins.rst deleted file mode 100644 index 9c6dfe6d81..0000000000 --- a/nitrokey3/mac/set-pins.rst +++ /dev/null @@ -1,21 +0,0 @@ -.. include:: ../shared/set-pins.rst.inc - :start-after: start-header - :end-before: end-header -.. include:: ../shared/set-pins.rst.inc - :start-after: start-fido2-header - :end-before: end-fido2-header -.. include:: ../shared/set-pins.rst.inc - :start-after: start-fido2-nitropy - :end-before: end-fido2-nitropy -.. include:: ../shared/set-pins.rst.inc - :start-after: start-fido2-chromeium - :end-before: end-fido2-chromeium -.. include:: ../shared/set-pins.rst.inc - :start-after: start-passwords-otp-secrets - :end-before: end-passwords-otp-secrets -.. include:: ../shared/set-pins.rst.inc - :start-after: start-openpgp-card - :end-before: end-openpgp-card -.. include:: ../shared/set-pins.rst.inc - :start-after: start-piv-card - :end-before: end-piv-card diff --git a/nitrokey3/mac/smime-outlook.rst b/nitrokey3/mac/smime-outlook.rst deleted file mode 100644 index acd45a24a9..0000000000 --- a/nitrokey3/mac/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-outlook.rst.inc diff --git a/nitrokey3/mac/smime-thunderbird.rst b/nitrokey3/mac/smime-thunderbird.rst deleted file mode 100644 index 4ae43d43ba..0000000000 --- a/nitrokey3/mac/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-thunderbird.rst.inc diff --git a/nitrokey3/mac/smime.rst b/nitrokey3/mac/smime.rst deleted file mode 100644 index 5029a3135c..0000000000 --- a/nitrokey3/mac/smime.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime.rst.inc diff --git a/nitrokey3/mac/troubleshooting.rst b/nitrokey3/mac/troubleshooting.rst deleted file mode 100644 index 71e54fdba1..0000000000 --- a/nitrokey3/mac/troubleshooting.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../nitrokey3/troubleshooting.rst.inc diff --git a/nitrokey3/shared/openpgp.rst.inc b/nitrokey3/shared/openpgp.rst.inc deleted file mode 100644 index c7efd1430d..0000000000 --- a/nitrokey3/shared/openpgp.rst.inc +++ /dev/null @@ -1,10 +0,0 @@ -OpenPGP Email Encryption -======================== - -.. contents:: :local: - -.. note:: - OpenPGP support was introduced with the `1.4.0 release of the Nitrokey 3 `_ firmware. - If you have an older version, `update your firmware `_ - -.. include:: ../../shared/openpgp.rst.inc diff --git a/nitrokey3/windows/2fa-odoo.rst b/nitrokey3/windows/2fa-odoo.rst deleted file mode 100644 index b4591596e0..0000000000 --- a/nitrokey3/windows/2fa-odoo.rst +++ /dev/null @@ -1,2 +0,0 @@ - -.. include:: ../../fido2/2fa-odoo.rst.inc diff --git a/nitrokey3/windows/adsk.rst b/nitrokey3/windows/adsk.rst deleted file mode 100644 index 00ce644292..0000000000 --- a/nitrokey3/windows/adsk.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../nitrokey3/adsk.rst.inc diff --git a/nitrokey3/windows/firmware-update.rst b/nitrokey3/windows/firmware-update.rst deleted file mode 100644 index 97c722b20c..0000000000 --- a/nitrokey3/windows/firmware-update.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../firmware-update.rst.inc diff --git a/nitrokey3/windows/images/enabling-u2f-on-firefox b/nitrokey3/windows/images/enabling-u2f-on-firefox deleted file mode 120000 index 93ed840643..0000000000 --- a/nitrokey3/windows/images/enabling-u2f-on-firefox +++ /dev/null @@ -1 +0,0 @@ -../../../fido2/windows/images/enabling-u2f-on-firefox \ No newline at end of file diff --git a/nitrokey3/windows/images/passwordless-microsoft b/nitrokey3/windows/images/passwordless-microsoft deleted file mode 120000 index 0164bec391..0000000000 --- a/nitrokey3/windows/images/passwordless-microsoft +++ /dev/null @@ -1 +0,0 @@ -../../../fido2/windows/images/passwordless-microsoft \ No newline at end of file diff --git a/nitrokey3/windows/index.rst b/nitrokey3/windows/index.rst deleted file mode 100644 index 12fbaee4f2..0000000000 --- a/nitrokey3/windows/index.rst +++ /dev/null @@ -1,14 +0,0 @@ -Nitrokey 3 With Windows -=========================== - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - piv/index.rst - -.. include:: ../shared/main.rst diff --git a/nitrokey3/windows/keepassxc.rst b/nitrokey3/windows/keepassxc.rst deleted file mode 100644 index 148bcb82bd..0000000000 --- a/nitrokey3/windows/keepassxc.rst +++ /dev/null @@ -1,2 +0,0 @@ - -.. include:: ../../software/nk-app2/keepassxc.rst diff --git a/nitrokey3/windows/openpgp-csp.rst b/nitrokey3/windows/openpgp-csp.rst deleted file mode 100644 index 947e69d379..0000000000 --- a/nitrokey3/windows/openpgp-csp.rst +++ /dev/null @@ -1,2 +0,0 @@ -.. include:: ../../pro/windows/openpgp-csp.rst - diff --git a/nitrokey3/windows/openpgp-keygen-backup.rst b/nitrokey3/windows/openpgp-keygen-backup.rst deleted file mode 100644 index b4528e0139..0000000000 --- a/nitrokey3/windows/openpgp-keygen-backup.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-backup.rst.inc diff --git a/nitrokey3/windows/openpgp-keygen-gpa.rst b/nitrokey3/windows/openpgp-keygen-gpa.rst deleted file mode 100644 index 472d298006..0000000000 --- a/nitrokey3/windows/openpgp-keygen-gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-gpa.rst.inc diff --git a/nitrokey3/windows/openpgp-keygen-on-device.rst b/nitrokey3/windows/openpgp-keygen-on-device.rst deleted file mode 100644 index fc90850b8e..0000000000 --- a/nitrokey3/windows/openpgp-keygen-on-device.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-on-device.rst.inc diff --git a/nitrokey3/windows/openpgp-outlook.rst b/nitrokey3/windows/openpgp-outlook.rst deleted file mode 100644 index fa4e7dd855..0000000000 --- a/nitrokey3/windows/openpgp-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-outlook.rst.inc diff --git a/nitrokey3/windows/openpgp-thunderbird.rst b/nitrokey3/windows/openpgp-thunderbird.rst deleted file mode 100644 index 59e0956c63..0000000000 --- a/nitrokey3/windows/openpgp-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-thunderbird.rst.inc diff --git a/nitrokey3/windows/openpgp-uif.rst b/nitrokey3/windows/openpgp-uif.rst deleted file mode 100644 index 05f0ae6925..0000000000 --- a/nitrokey3/windows/openpgp-uif.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/openpgp-uif.rst.inc diff --git a/nitrokey3/windows/openpgp.rst b/nitrokey3/windows/openpgp.rst deleted file mode 100644 index ce0f581887..0000000000 --- a/nitrokey3/windows/openpgp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/openpgp.rst.inc diff --git a/nitrokey3/windows/passwordless-microsoft.rst b/nitrokey3/windows/passwordless-microsoft.rst deleted file mode 100644 index d934d793b4..0000000000 --- a/nitrokey3/windows/passwordless-microsoft.rst +++ /dev/null @@ -1,4 +0,0 @@ - - - -.. include:: ../../fido2/windows/passwordless-microsoft.rst diff --git a/nitrokey3/windows/piv/index.rst b/nitrokey3/windows/piv/index.rst deleted file mode 100644 index cbcc6557cc..0000000000 --- a/nitrokey3/windows/piv/index.rst +++ /dev/null @@ -1,22 +0,0 @@ -PIV (Personal Identity Verification) -==================================== - -.. warning:: - The PIV application of the Nitrokey 3 is currently considered unstable and is not available on the stable firmware releases. - To obtain that functionality it is required to install a test firmware. - Subsequent firmware updates may lead to loss of data and cryptographic keys. - Please refer to `the firmware update documentation <../firmware-update.html#firmware-release-types>`__ for more information. - -The *Personal Identity Verfication* (PIV) is based on the NIST special publication `SP 800-73 `__. - -.. toctree:: - :hidden: - :maxdepth: 1 - :glob: - - access_control.rst - certificate_management.rst - factory_reset.rst - key_management.rst - - guides/index.rst diff --git a/nitrokey3/windows/reset.rst b/nitrokey3/windows/reset.rst deleted file mode 100644 index 3454a004c3..0000000000 --- a/nitrokey3/windows/reset.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../shared/reset.rst.inc diff --git a/nitrokey3/windows/set-pins.rst b/nitrokey3/windows/set-pins.rst deleted file mode 100644 index 5d41ae818e..0000000000 --- a/nitrokey3/windows/set-pins.rst +++ /dev/null @@ -1,24 +0,0 @@ -.. include:: ../shared/set-pins.rst.inc - :start-after: start-header - :end-before: end-header -.. include:: ../shared/set-pins.rst.inc - :start-after: start-fido2-header - :end-before: end-fido2-header -.. include:: ../shared/set-pins.rst.inc - :start-after: start-fido2-nitropy - :end-before: end-fido2-nitropy -.. include:: ../shared/set-pins.rst.inc - :start-after: start-fido2-windows-settings-application - :end-before: start-fido2-windows-settings-application -.. include:: ../shared/set-pins.rst.inc - :start-after: start-fido2-chromeium - :end-before: end-fido2-chromeium -.. include:: ../shared/set-pins.rst.inc - :start-after: start-passwords-otp-secrets - :end-before: end-passwords-otp-secrets -.. include:: ../shared/set-pins.rst.inc - :start-after: start-openpgp-card - :end-before: end-openpgp-card -.. include:: ../shared/set-pins.rst.inc - :start-after: start-piv-card - :end-before: end-piv-card diff --git a/nitrokey3/windows/smime-outlook.rst b/nitrokey3/windows/smime-outlook.rst deleted file mode 100644 index acd45a24a9..0000000000 --- a/nitrokey3/windows/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-outlook.rst.inc diff --git a/nitrokey3/windows/smime-thunderbird.rst b/nitrokey3/windows/smime-thunderbird.rst deleted file mode 100644 index 4ae43d43ba..0000000000 --- a/nitrokey3/windows/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-thunderbird.rst.inc diff --git a/nitrokey3/windows/smime.rst b/nitrokey3/windows/smime.rst deleted file mode 100644 index cd746658c8..0000000000 --- a/nitrokey3/windows/smime.rst +++ /dev/null @@ -1,9 +0,0 @@ -.. include:: ../../pro/smime.rst.inc - :end-line: 20 - -.. note:: - Windows users with 64-bit system (standard) need to install both, the 32-bit and the 64-bit version of OpenSC! - -.. include:: ../../pro/smime.rst.inc - :start-line: 20 - diff --git a/nitrokey3/windows/troubleshooting.rst b/nitrokey3/windows/troubleshooting.rst deleted file mode 100644 index 71e54fdba1..0000000000 --- a/nitrokey3/windows/troubleshooting.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../nitrokey3/troubleshooting.rst.inc diff --git a/storage/encrypted-mobile-storage.rst b/nitrokeys/features/encrypted-storage/index.rst similarity index 57% rename from storage/encrypted-mobile-storage.rst rename to nitrokeys/features/encrypted-storage/index.rst index 02d3b64a73..469934c1d0 100644 --- a/storage/encrypted-mobile-storage.rst +++ b/nitrokeys/features/encrypted-storage/index.rst @@ -1,3 +1,29 @@ +Encrypted Mobile Storage +======================== + +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ✓ + Prior of using the encrypted mobile storage you need to install and initialize the Nitrokey Storage and download the latest `Nitrokey App `__. 1. Start the Nitrokey App. @@ -8,5 +34,5 @@ Prior of using the encrypted mobile storage you need to install and initialize t 6. To remove or lock the encrypted volume you should unmount/eject it first. 7. Afterwards you can disconnect the Nitrokey or select "lock encrypted volume" from the Nitrokey App menu. -The Nitrokey Storage is able to create hidden volumes as well. Please have a look at the corresponding instructions for `hidden volumes `_. +The Nitrokey Storage is able to create hidden volumes as well. Please have a look at the corresponding instructions for `hidden volumes <../hidden-storage/index.html>`_. diff --git a/fido2/windows/images/passwordless-microsoft/1.png b/nitrokeys/features/fido2/images/passwordless-microsoft/1.png similarity index 100% rename from fido2/windows/images/passwordless-microsoft/1.png rename to nitrokeys/features/fido2/images/passwordless-microsoft/1.png diff --git a/fido2/windows/images/passwordless-microsoft/10.png b/nitrokeys/features/fido2/images/passwordless-microsoft/10.png similarity index 100% rename from fido2/windows/images/passwordless-microsoft/10.png rename to nitrokeys/features/fido2/images/passwordless-microsoft/10.png diff --git a/fido2/windows/images/passwordless-microsoft/11.png b/nitrokeys/features/fido2/images/passwordless-microsoft/11.png similarity index 100% rename from fido2/windows/images/passwordless-microsoft/11.png rename to nitrokeys/features/fido2/images/passwordless-microsoft/11.png diff --git a/fido2/windows/images/passwordless-microsoft/12.png b/nitrokeys/features/fido2/images/passwordless-microsoft/12.png similarity index 100% rename from fido2/windows/images/passwordless-microsoft/12.png rename to nitrokeys/features/fido2/images/passwordless-microsoft/12.png diff --git a/fido2/windows/images/passwordless-microsoft/2.png b/nitrokeys/features/fido2/images/passwordless-microsoft/2.png similarity index 100% rename from fido2/windows/images/passwordless-microsoft/2.png rename to nitrokeys/features/fido2/images/passwordless-microsoft/2.png diff --git a/fido2/windows/images/passwordless-microsoft/3.png b/nitrokeys/features/fido2/images/passwordless-microsoft/3.png similarity index 100% rename from fido2/windows/images/passwordless-microsoft/3.png rename to nitrokeys/features/fido2/images/passwordless-microsoft/3.png diff --git a/fido2/windows/images/passwordless-microsoft/4.png b/nitrokeys/features/fido2/images/passwordless-microsoft/4.png similarity index 100% rename from fido2/windows/images/passwordless-microsoft/4.png rename to nitrokeys/features/fido2/images/passwordless-microsoft/4.png diff --git a/fido2/windows/images/passwordless-microsoft/5.png b/nitrokeys/features/fido2/images/passwordless-microsoft/5.png similarity index 100% rename from fido2/windows/images/passwordless-microsoft/5.png rename to nitrokeys/features/fido2/images/passwordless-microsoft/5.png diff --git a/fido2/windows/images/passwordless-microsoft/6.png b/nitrokeys/features/fido2/images/passwordless-microsoft/6.png similarity index 100% rename from fido2/windows/images/passwordless-microsoft/6.png rename to nitrokeys/features/fido2/images/passwordless-microsoft/6.png diff --git a/fido2/windows/images/passwordless-microsoft/7.png b/nitrokeys/features/fido2/images/passwordless-microsoft/7.png similarity index 100% rename from fido2/windows/images/passwordless-microsoft/7.png rename to nitrokeys/features/fido2/images/passwordless-microsoft/7.png diff --git a/fido2/windows/images/passwordless-microsoft/8.png b/nitrokeys/features/fido2/images/passwordless-microsoft/8.png similarity index 100% rename from fido2/windows/images/passwordless-microsoft/8.png rename to nitrokeys/features/fido2/images/passwordless-microsoft/8.png diff --git a/fido2/windows/images/passwordless-microsoft/9.png b/nitrokeys/features/fido2/images/passwordless-microsoft/9.png similarity index 100% rename from fido2/windows/images/passwordless-microsoft/9.png rename to nitrokeys/features/fido2/images/passwordless-microsoft/9.png diff --git a/nitrokeys/features/fido2/index.rst b/nitrokeys/features/fido2/index.rst new file mode 100644 index 0000000000..e97bb27a1c --- /dev/null +++ b/nitrokeys/features/fido2/index.rst @@ -0,0 +1,35 @@ +FIDO2 +===== + +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ✓ + - ✓ + - ✓ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ +.. section products-end + +.. toctree:: + :maxdepth: 1 + :glob: + + Website Login + Nextcloud Login + Passwordless Microsoft Login (Windows only) \ No newline at end of file diff --git a/nitrokeys/features/fido2/nextcloud.rst b/nitrokeys/features/fido2/nextcloud.rst new file mode 100644 index 0000000000..0d3eda183d --- /dev/null +++ b/nitrokeys/features/fido2/nextcloud.rst @@ -0,0 +1,13 @@ +Two-Factor Authentication And Passwordless Login For Nextcloud Accounts +======================================================================= + +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + +These are the basic steps for registering the Nitrokey as a second factor or setting up passwordless login of a Nextcloud account. + +.. raw:: html + + + diff --git a/fido2/windows/passwordless-microsoft.rst b/nitrokeys/features/fido2/passwordless-microsoft.rst similarity index 96% rename from fido2/windows/passwordless-microsoft.rst rename to nitrokeys/features/fido2/passwordless-microsoft.rst index 61919f8be2..982945373a 100644 --- a/fido2/windows/passwordless-microsoft.rst +++ b/nitrokeys/features/fido2/passwordless-microsoft.rst @@ -1,6 +1,10 @@ Passwordless Authentication With Microsoft ========================================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: The Nitrokey FIDO2 supports password-less authentication, where entering a password is replaced by logging in with the Nitrokey FIDO2 and a PIN. diff --git a/nitrokeys/features/fido2/website.rst b/nitrokeys/features/fido2/website.rst new file mode 100644 index 0000000000..a35f009d74 --- /dev/null +++ b/nitrokeys/features/fido2/website.rst @@ -0,0 +1,185 @@ +2FA Website Login +================= + +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + +.. contents:: :local: + + +The Nitrokey FIDO2 supports two-factor authentication (2FA) and +passwordless authentication: + +- With **passwordless authentication**, entering a password is replaced + by logging in with the Nitrokey FIDO2 and a PIN. + +- With **two-factor authentication** (2FA), the Nitrokey FIDO2 is + checked in addition to the password. + +The Nitrokey FIDO2 can be used with any current browser. + +.. important:: + + The Nitrokey App can not be used for the Nitrokey FIDO2. + +.. tip:: + + `Check online `__ if your Nitrokey + FIDO2 has the latest firmware installed. + +Passwordless Authentication +--------------------------- + +1. Open a web page that supports FIDO2 (for example + `Google `__). +2. Log in to the website and go to “Passkeys and security keys” in the security + settings of your account. +3. Click on Create passkey. +4. Click on Use a different device. +5. Follow the prompts to set a PIN for your Nitrokey FIDO2. +6. Touch the button of your Nitrokey FIDO2 when prompted. +7. Once you have successfully configured the device, you will need to + activate your Nitrokey FIDO2 this way each time you log in, after + entering your PIN. + + +Touch Button And LED Behavior +----------------------------- + +The first FIDO operation is automatically accepted within two seconds +after connecting Nitrokey FIDO2. In this case touching the touch button +is not required. + +Multiple operations can be accepted by a single touch. For this, keep +the touch button touched for up to 10 seconds. + +To avoid accidental and malicious reset of the Nitrokey, the required +touch confirmation time for the FIDO2 reset operation is longer and with +a distinct LED behavior (red LED light) than normal operations. To reset +the Nitrokey FIDO2, confirm by touching the touch button for at least 5 +seconds until the green or blue LED lights up. + ++-----------------+-----------------+-----------------+-----------------+ +| LED Color | Event | Time Period | Comments | ++=================+=================+=================+=================+ +| Any (blinking) | Awaiting for | Until touch is | | +| | touch | confirmed or | | +| | | timed out | | ++-----------------+-----------------+-----------------+-----------------+ +| Any (blinking | Touch detected, | Until touch is | | +| faster) | counting | confirmed or | | +| | seconds | timed out | | ++-----------------+-----------------+-----------------+-----------------+ +| White (blinks) | Touch request | | Requires 1 | +| | for FIDO | | second touch to | +| | registration or | | complete; | +| | authentication | | timeout is | +| | operation | | usually about | +| | | | 30 seconds | ++-----------------+-----------------+-----------------+-----------------+ +| Yellow (blinks) | Touch request | | Requires 5 | +| | for | | seconds touch | +| | configuration | | to complete; | +| | operation | | e.g. used for | +| | | | activating | +| | | | firmware update | +| | | | mode | ++-----------------+-----------------+-----------------+-----------------+ +| Red (blinks) | Touch request | Available only | Requires 5 | +| | for reset | during the very | seconds touch | +| | operation | first 10 | to complete; | +| | | seconds after | e.g. used for | +| | | Nitrokey is | FIDO2 reset | +| | | powered | operation | ++-----------------+-----------------+-----------------+-----------------+ +| Green | Touch accepted, | After touch was | For the FIDO | +| (constant) | Nitrokey is | registered, 10 | registration or | +| | active and | seconds timeout | authentication | +| | accepting | | operations | +| | further FIDO2 | | after a | +| | operations | | confirmation | +| | | | Nitrokey enters | +| | | | into | +| | | | “activation” | +| | | | mode, | +| | | | auto-accepting | +| | | | any following | +| | | | mentioned | +| | | | operations | +| | | | until touch | +| | | | button is | +| | | | released, but | +| | | | not longer than | +| | | | 10 seconds | ++-----------------+-----------------+-----------------+-----------------+ +| Blue (constant) | Touch consumed | Until touch is | Touch | +| | - accepted and | released | consumption | +| | used up by the | | here means, | +| | operation | | that without | +| | | | releasing the | +| | | | touch button, | +| | | | and touching | +| | | | again the | +| | | | Nitrokey will | +| | | | not confirm any | +| | | | new operations | ++-----------------+-----------------+-----------------+-----------------+ +| White (single | Nitrokey ready | 0.5 seconds | | +| blink) | to work | after powering | | +| | | up | | ++-----------------+-----------------+-----------------+-----------------+ +| (no LED signal) | Nitrokey is | | | +| | idle | | | +| | | | | ++-----------------+-----------------+-----------------+-----------------+ +| (no LED signal) | Auto-accept | Within first 2 | Nitrokey is | +| | single FIDO | seconds after | automatically | +| | registration or | powering up | accepting any | +| | authentication | | single FIDO | +| | operation | | registration or | +| | | | authentication | +| | | | operation upon | +| | | | insertion event | +| | | | - the latter is | +| | | | treated as an | +| | | | equivalent of | +| | | | the touch | +| | | | button | +| | | | registration | +| | | | signal (user | +| | | | presence); the | +| | | | conf | +| | | | iguration/reset | +| | | | operations are | +| | | | not accepted | ++-----------------+-----------------+-----------------+-----------------+ +| All colors | Nitrokey is in | Active until | If the firmware | +| | Firmware Update | firmware update | update fails, | +| | mode | operation is | the Nitrokey | +| | | successful, or | will stay in | +| | | until | the this mode | +| | | reinsertion | until the | +| | | | firmware is | +| | | | written | +| | | | correctly | ++-----------------+-----------------+-----------------+-----------------+ + + +Note: white LED blinking is used as well to signalize the selected device (the so called WINK command). +If you are using Windows, the first time you plug in the Nitrokey it may need some +time to configure the device. + +Troubleshooting (Linux) +----------------------- + +- If the Nitrokey is not accepted immediately, you may need to copy + this file + `41-nitrokey.rules `__ + to ``etc/udev/rules.d/``. In very rare cases, the system will need + the `older + version `__ + of this file. + +- After copying the file, restart udev via + ``sudo service udev restart``. diff --git a/storage/windows/images/format-dialog.png b/nitrokeys/features/hidden-storage/images/hidden/format-dialog.png similarity index 100% rename from storage/windows/images/format-dialog.png rename to nitrokeys/features/hidden-storage/images/hidden/format-dialog.png diff --git a/storage/windows/images/format-tool.png b/nitrokeys/features/hidden-storage/images/hidden/format-tool.png similarity index 100% rename from storage/windows/images/format-tool.png rename to nitrokeys/features/hidden-storage/images/hidden/format-tool.png diff --git a/storage/images/hidden-schema.svg b/nitrokeys/features/hidden-storage/images/hidden/hidden-schema.svg similarity index 100% rename from storage/images/hidden-schema.svg rename to nitrokeys/features/hidden-storage/images/hidden/hidden-schema.svg diff --git a/storage/linux/images/hidden-storage-partition.png b/nitrokeys/features/hidden-storage/images/hidden/hidden-storage-partition.png similarity index 100% rename from storage/linux/images/hidden-storage-partition.png rename to nitrokeys/features/hidden-storage/images/hidden/hidden-storage-partition.png diff --git a/storage/images/hidden-storage-passphrase.png b/nitrokeys/features/hidden-storage/images/hidden/hidden-storage-passphrase.png similarity index 100% rename from storage/images/hidden-storage-passphrase.png rename to nitrokeys/features/hidden-storage/images/hidden/hidden-storage-passphrase.png diff --git a/storage/images/setup_hidden_volume.png b/nitrokeys/features/hidden-storage/images/hidden/setup_hidden_volume.png similarity index 100% rename from storage/images/setup_hidden_volume.png rename to nitrokeys/features/hidden-storage/images/hidden/setup_hidden_volume.png diff --git a/nitrokeys/features/hidden-storage/index.rst b/nitrokeys/features/hidden-storage/index.rst new file mode 100644 index 0000000000..19c557a539 --- /dev/null +++ b/nitrokeys/features/hidden-storage/index.rst @@ -0,0 +1,99 @@ +Hidden Volumes +============== + +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ✓ + +Hidden volumes allow hiding data inside of the encrypted volume. This data is protected by an additional passphrase. Without the passphrase, it is impossible to know whether hidden volumes are present. +They are not configured with a default password so that their existence can be `denied plausibly `__. +The concept is similar to `VeraCrypt's/TrueCrypt's hidden volume `__ but with Nitrokey Storage the entire functionality of hidden volumes is implemented in hardware. + +You can configure up to four hidden volumes. Once unlocked, hidden volumes behave like ordinary storage where you can create various partitions, filesystems and store files as you like. + +.. warning:: + If you chose to use hidden volumes, you must not write any data to the encrypted volume, or you risk loosing data in the hidden volume. + +.. note:: + Hidden volumes are hidden within the free space of the encrypted volume, which will be overwritten when writing data to the encrypted volume. + There are no mechanisms to prevent accidental overwritting of hidden data, as they would reveal the existence of hidden volumes. + Data written to the encrypted volume before the creation of the hidden volume can still be read. + +.. figure:: images/hidden/hidden-schema.svg + :alt: Hidden volume description. The hidden volumes are within the free space of the encrypted volume. + + +Configuring hidden volumes +-------------------------- + +.. tip:: + Copy some files to the encrypted volume prior to creating the hidden volume. + +.. note:: + Using a journaling filesystem may risk overwriting the hidden data. The encrypted filesystem is formated to FAT32 by default, and it is recommended to leave it that way when using hidden volumes. + + +1. Unlock the encrypted volume using the Nitrokey App. +2. In the menu, select "setup hidden volume". + + .. figure:: images/hidden/setup_hidden_volume.png + :alt: menu containing the hidden volume setup utility. + +3. Enter a strong passphrase twice. Unlike the encrypted volume PIN, there are no limit to the number of attempts at opening hidden volumes, so the strength of the passphrase is extremely important. +4. Define the storage area to be used. Hidden volumes are stored in the free areas of the encrypted volume. When creating multiple hidden volume, you need to allocate a part of the free area for each volume, making sure they do not overlap. + + .. figure:: images/hidden/hidden-storage-passphrase.png + :alt: Hidden volume dialog box + +Using hidden volumes +-------------------- + +1. Unlock the encrypted volume. + +2. Select "unlock hidden volume" and enter any of the hidden volume's passwords. + +3. + + .. tabs:: + .. tab:: Linux + + If this is the first time you unlock the hidden volume, you may need to create a partition on the hidden volume. You will need to open a partition manager such as `GParted `__ and create one or more partitions manually. Make sure to create the partitions on the device that appeared when unlocking the hidden volume. + + .. figure:: images/hidden/hidden-storage-partition.png + :alt: Hidden volume partitioning + + .. tab:: MacOS + + If this is the first time you unlock the hidden volume, you may need to create a partition on the hidden volume. You will need to use `Disk Utility `__. Make sure to create the partitions on the device that appeared when unlocking the hidden volume. + + .. tab:: Windows + + If this is the first time you unlock the hidden volume, you may need to create a partition on the hidden volume. In this case, Windows will prompt you to do so. You can then format the hidden volume using FAT32, for compatibility with most operating systems. + + + .. figure:: images/hidden/format-dialog.png + :alt: Windows formating prompt + + .. figure:: images/hidden/format-tool.png + :alt: Windows formating tool + +4. Make sure to unmount/eject all partitions on the hidden volumes before locking or disconnecting the Nitrokey. \ No newline at end of file diff --git a/hsm/apache2-tls.rst.inc b/nitrokeys/features/hsm/apache2-tls.rst similarity index 97% rename from hsm/apache2-tls.rst.inc rename to nitrokeys/features/hsm/apache2-tls.rst index 78a27eafa6..eb7269a511 100644 --- a/hsm/apache2-tls.rst.inc +++ b/nitrokeys/features/hsm/apache2-tls.rst @@ -1,6 +1,10 @@ TLS Setup With Apache2 ====================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: .. hint:: @@ -70,7 +74,7 @@ Complete Apache2 Config Example ------------------------------- A complete Apache2 (``VirtualHost``) config snippet might look like this: -.. code-block:: bash +:: SSLPassPhraseDialog "|/bin/echo 123456" diff --git a/hsm/linux/dnssec.rst b/nitrokeys/features/hsm/dnssec.rst similarity index 89% rename from hsm/linux/dnssec.rst rename to nitrokeys/features/hsm/dnssec.rst index 60a10d0b2b..dcb64e2ad3 100644 --- a/hsm/linux/dnssec.rst +++ b/nitrokeys/features/hsm/dnssec.rst @@ -1,6 +1,10 @@ DNSSEC ====================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: diff --git a/hsm/import-keys-certs.rst.inc b/nitrokeys/features/hsm/import-keys-certs.rst similarity index 97% rename from hsm/import-keys-certs.rst.inc rename to nitrokeys/features/hsm/import-keys-certs.rst index 633a197d5c..758d5d0161 100644 --- a/hsm/import-keys-certs.rst.inc +++ b/nitrokeys/features/hsm/import-keys-certs.rst @@ -1,6 +1,10 @@ Importing Keys And Certificates =============================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: Generally the concept to import key-pairs and/or certificates diff --git a/nitrokeys/features/hsm/index.rst b/nitrokeys/features/hsm/index.rst new file mode 100644 index 0000000000..42c7c7eee8 --- /dev/null +++ b/nitrokeys/features/hsm/index.rst @@ -0,0 +1,44 @@ +HSM Features +============ + +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ✓ + - ⨯ + - ⨯ + - ⨯ +.. section products-end + +.. toctree:: + :maxdepth: 1 + + SMIME <../openpgp-card/smime/index> + Smart <../openpgp-card/desktop-login/smart-policy> + GPA <../openpgp-card/gpa> + DNSSEC (Linux only) + Hard Disk Encryption <../openpgp-card/hard-disk-encryption/index> + Automatic Screen Lock (Linux only) <../misc/automatic-screen-lock> + Import Keys Certs + Stunnel (Linux only) <../openpgp-card/stunnel> + Certificate Authority <../openpgp-card/certificate-authority> + Ipsec (Linux only) <../openpgp-card/ipsec> + N-of-m Schemes + Pkcs11-URL + Apache 2 TLS \ No newline at end of file diff --git a/hsm/n-of-m-schemes.rst b/nitrokeys/features/hsm/n-of-m-schemes.rst similarity index 94% rename from hsm/n-of-m-schemes.rst rename to nitrokeys/features/hsm/n-of-m-schemes.rst index 622ac1ba44..f309c6ef01 100644 --- a/hsm/n-of-m-schemes.rst +++ b/nitrokeys/features/hsm/n-of-m-schemes.rst @@ -1,3 +1,10 @@ +N-of-m Schemes +============== + +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + The Nitrokey HSM 2 supports two different n-of-m schemes - one for secure sharing of key material/passwords and one for public key authentication to control the access to the device. Please see `this blog post `__ for more detailed information. N-of-m for DKEK Shares diff --git a/hsm/pkcs11-url.rst.inc b/nitrokeys/features/hsm/pkcs11-url.rst similarity index 95% rename from hsm/pkcs11-url.rst.inc rename to nitrokeys/features/hsm/pkcs11-url.rst index 67302aaa1f..348a3d94bb 100644 --- a/hsm/pkcs11-url.rst.inc +++ b/nitrokeys/features/hsm/pkcs11-url.rst @@ -1,6 +1,10 @@ PKCS#11 URL Generation ====================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: @@ -41,7 +45,7 @@ Use the following command to get a list of available tokens (Nitrokeys): Choose the token (Nitrokey) URL you want to generate URL tokens for and use it like this: -.. code-block:: bash +:: p11tool --list-all diff --git a/nitrokeys/features/index.rst b/nitrokeys/features/index.rst new file mode 100644 index 0000000000..46cc3be5c0 --- /dev/null +++ b/nitrokeys/features/index.rst @@ -0,0 +1,17 @@ +Features +======== + +.. toctree:: + :maxdepth: 1 + :glob: + + FIDO2 + U2F + TOTP + OpenPGP card + Password Safe + Encrypted Mobile Storage + Hidden Storage + HSM + PIV (Windows only) + Miscellaneous diff --git a/pro/linux/automatic-screen-lock.rst b/nitrokeys/features/misc/automatic-screen-lock.rst similarity index 76% rename from pro/linux/automatic-screen-lock.rst rename to nitrokeys/features/misc/automatic-screen-lock.rst index a79abdc700..720a371e87 100644 --- a/pro/linux/automatic-screen-lock.rst +++ b/nitrokeys/features/misc/automatic-screen-lock.rst @@ -1,6 +1,31 @@ Automatic Screen Lock at Removal ================================ +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ✓ + - ✓ + - ⨯ + - ✓ +.. section products-end + .. contents:: :local: This guide will walk you through the configuration of your computer, to automatically lock your session when you remove the Nitrokey. diff --git a/pro/ecc.rst.inc b/nitrokeys/features/misc/ecc.rst similarity index 91% rename from pro/ecc.rst.inc rename to nitrokeys/features/misc/ecc.rst index 7eb28ac0e4..c6563c4d6b 100644 --- a/pro/ecc.rst.inc +++ b/nitrokeys/features/misc/ecc.rst @@ -1,6 +1,31 @@ Elliptic Curves (ECC) Support ============================= +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ✓ + - ⨯ + - ✓ +.. section products-end + .. contents:: :local: RSA-2048 Becomes Increasingly Insecure @@ -86,7 +111,7 @@ Now we enter ``gpg2 --card-edit`` and see that brainpoolP256r1 is under Then we create the key. -.. code-block:: bash +:: gpg/card> admin Admin commands are allowed diff --git a/nitrokeys/features/misc/index.rst b/nitrokeys/features/misc/index.rst new file mode 100644 index 0000000000..245e11bfcd --- /dev/null +++ b/nitrokeys/features/misc/index.rst @@ -0,0 +1,8 @@ +Miscellaneous +============= + +.. toctree:: + :maxdepth: 1 + + Automatic Screen Lock + Elliptic Curves (ECC) Support \ No newline at end of file diff --git a/hsm/certificate-authority.rst.inc b/nitrokeys/features/openpgp-card/certificate-authority.rst similarity index 97% rename from hsm/certificate-authority.rst.inc rename to nitrokeys/features/openpgp-card/certificate-authority.rst index 6e64e24933..b20fe58ee0 100644 --- a/hsm/certificate-authority.rst.inc +++ b/nitrokeys/features/openpgp-card/certificate-authority.rst @@ -1,6 +1,31 @@ Creating a Certificate Authority ================================ +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ✓ + - ⨯ + - ⨯ + - ⨯ + - ✓ + - ✓ + - ✓ + - ✓ +.. section products-end + .. contents:: :local: This article shows you how to setup your own private certificate authority backed by a Nitrokey HSM. This certificate authority has no automation and does not really scale. Other open source projects can be referenced for automation and scalability. @@ -57,7 +82,7 @@ Creating The Root Certificate Authority We start by generating the private key for the certificate authority directly on the Nitrokey HSM. This allows us to use the private key in the future, but not access it. -.. code-block:: bash +:: # Generate private key on HSM $ pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label root @@ -154,7 +179,7 @@ Fill out the request information in with information for your C Generate the self-signed public certificate from the private key. Use the private key id value from earlier. -.. code-block:: bash +:: $ openssl req -config create_root_cert.ini -engine pkcs11 -keyform engine -key e0161cc8b6f5d66ac6835ecdecb623fc0506a675 -new -x509 -days 3650 -sha512 -extensions v3_ca -out ../certs/root.crt engine "pkcs11" set. @@ -162,7 +187,7 @@ Generate the self-signed public certificate from the private key. Use the privat Verify that the root certificate was generated correctly. Verify that Signature-Algorithm matches above and below. Verify that Issuer and Subject match, all root certificates are self signed. Verify that Key Usage matches what was in the v3_ca information in our config file. -.. code-block:: bash +:: $ openssl x509 -noout -text -in ../certs/root.crt Certificate: @@ -212,7 +237,7 @@ Creating The Intermediate Certificate Authority We continue by generating the private key for the intermediate certificate authority directly on the Nitrokey HSM. This allows us to use the private key in the future, but not access it. -.. code-block:: bash +:: # Generate private key on HSM $ pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label intermediate @@ -276,7 +301,7 @@ Fill out the request information in with information for your C Generate the certificate signing request for the intermediate CA from the intermediate CA’s private key. Use the private key ID value from earlier. -.. code-block:: bash +:: $ openssl req -config create_intermediate_csr.ini -engine pkcs11 -keyform engine -key bcb48fe9b566ae61891aabbfde6a23d4ff3ab639 -new -sha512 -out ../intermediate/csr/intermediate.csr engine "pkcs11" set. @@ -284,7 +309,7 @@ Generate the certificate signing request for the intermediate CA from the interm Verify that the CSR was created correctly. Verify that your Subject is correct. Verify that your Public Key and Signature Algorithm are correct. -.. code-block:: bash +:: $ openssl req -text -noout -verify -in ../intermediate/csr/intermediate.csr verify OK @@ -317,7 +342,7 @@ Verify that the CSR was created correctly. Verify that your Subject is correct. We need to find out the fully qualified PKCS#11 URI for your private key: -.. code-block:: bash +:: $ p11tool --list-all warning: no token URL was provided for this operation; the available tokens are: @@ -413,7 +438,7 @@ Now, we need to create a config file to use the private key of the root certific Then sign the intermediate certificate with the root certificate. -.. code-block:: bash +:: $ openssl ca -config sign_intermediate_csr.ini -engine pkcs11 -keyform engine -extensions v3_intermediate_ca -days 1825 -notext -md sha512 -create_serial -in ../intermediate/csr/intermediate.csr -out ../intermediate/certs/intermediate.crt engine "pkcs11" set. @@ -453,7 +478,7 @@ Then sign the intermediate certificate with the root certificate. Verify that the root certificate was generated correctly. Verify that the Issuer and Subject are different, and correct. Verify that the Key Usage matches the config file. Verify that the signature algorithm are correct above and below. -.. code-block:: bash +:: $ openssl x509 -noout -text -in ../intermediate/certs/intermediate.crt Certificate: @@ -522,7 +547,7 @@ Create a CSR in the normal method for your application. Proper creation of your We need to find out the fully qualified PKCS#11 URI for your private key: -.. code-block:: bash +:: $ p11tool --list-all warning: no token URL was provided for this operation; the available tokens are: @@ -621,7 +646,7 @@ Create a config file to use the private key of the intermediate certificate to s Then run openssl to sign the server’s CSR. -.. code-block:: bash +:: $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server_cert.csr -out server_cert.crt engine "pkcs11" set. diff --git a/pro/change-pins.rst.inc b/nitrokeys/features/openpgp-card/change-pins.rst similarity index 61% rename from pro/change-pins.rst.inc rename to nitrokeys/features/openpgp-card/change-pins.rst index ce87b7b515..bf3126d3b0 100644 --- a/pro/change-pins.rst.inc +++ b/nitrokeys/features/openpgp-card/change-pins.rst @@ -1,6 +1,31 @@ Change User and Admin PIN ========================= +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ✓ + - ⨯ + - ✓ +.. section products-end + .. contents:: :local: User PIN @@ -11,7 +36,7 @@ The user PIN is at least 6-digits long and is used to get access to the content You can change the user PIN with the Nitrokey App if using a Nitrokey Pro or Nitrokey Storage. In the `Nitrokey `__ App open ‘Menu -> Configure -> Change User PIN’ to open the dialog to change the PIN. -.. figure:: /pro/images/change-pins/1.png +.. figure:: /nitrokeys/features/openpgp-card/images/change-pins/1.png :alt: img1 @@ -20,7 +45,7 @@ You can change the User PIN in the dialog window now. The user PIN can have up to 20 digits and other characters (e.g. alphabetic and special characters). But as the user PIN is blocked as soon three wrong PIN attempts were done, it is sufficiently secure to only have a 6 digits PIN. The default PIN is 123456. -.. figure:: /pro/images/change-pins/2.png +.. figure:: /nitrokeys/features/openpgp-card/images/change-pins/2.png :alt: img2 @@ -33,7 +58,7 @@ The admin PIN is at least 8-digits long and is used to change contents/settings You can change the admin PIN with the Nitrokey App if using a Nitrokey Pro or Nitrokey Storage. In the `Nitrokey App `__ open ‘Menu -> Configure -> Change Admin PIN’ to open the dialog to change the PIN. -.. figure:: /pro/images/change-pins/3.png +.. figure:: /nitrokeys/features/openpgp-card/images/change-pins/3.png :alt: img3 @@ -42,7 +67,7 @@ You can change the admin PIN in the dialog window now. The admin PIN can have up to 20 digits and other characters (e.g. alphabetic and special characters). But as the admin PIN is blocked as soon three wrong PIN attempts were done, it is sufficiently secure to only have 8 digits PIN. The default PIN is 12345678. -.. figure:: /pro/images/change-pins/4.png +.. figure:: /nitrokeys/features/openpgp-card/images/change-pins/4.png :alt: img4 diff --git a/pro/images/smart-policy/1.png b/nitrokeys/features/openpgp-card/desktop-login/images/smart-policy/1.png similarity index 100% rename from pro/images/smart-policy/1.png rename to nitrokeys/features/openpgp-card/desktop-login/images/smart-policy/1.png diff --git a/pro/images/smart-policy/2.png b/nitrokeys/features/openpgp-card/desktop-login/images/smart-policy/2.png similarity index 100% rename from pro/images/smart-policy/2.png rename to nitrokeys/features/openpgp-card/desktop-login/images/smart-policy/2.png diff --git a/pro/images/smart-policy/3.png b/nitrokeys/features/openpgp-card/desktop-login/images/smart-policy/3.png similarity index 100% rename from pro/images/smart-policy/3.png rename to nitrokeys/features/openpgp-card/desktop-login/images/smart-policy/3.png diff --git a/pro/images/smart-policy/4.png b/nitrokeys/features/openpgp-card/desktop-login/images/smart-policy/4.png similarity index 100% rename from pro/images/smart-policy/4.png rename to nitrokeys/features/openpgp-card/desktop-login/images/smart-policy/4.png diff --git a/pro/images/smart-policy/5.png b/nitrokeys/features/openpgp-card/desktop-login/images/smart-policy/5.png similarity index 100% rename from pro/images/smart-policy/5.png rename to nitrokeys/features/openpgp-card/desktop-login/images/smart-policy/5.png diff --git a/pro/images/smart-policy/6.png b/nitrokeys/features/openpgp-card/desktop-login/images/smart-policy/6.png similarity index 100% rename from pro/images/smart-policy/6.png rename to nitrokeys/features/openpgp-card/desktop-login/images/smart-policy/6.png diff --git a/nitrokeys/features/openpgp-card/desktop-login/index.rst b/nitrokeys/features/openpgp-card/desktop-login/index.rst new file mode 100644 index 0000000000..dce913093a --- /dev/null +++ b/nitrokeys/features/openpgp-card/desktop-login/index.rst @@ -0,0 +1,13 @@ +Desktop Login +============= + +.. include:: ../index.rst + :start-after: products-begin + :end-before: products-end + +.. toctree:: + :maxdepth: 1 + :glob: + + Pam (Linux) + Smart Policy (Windows) \ No newline at end of file diff --git a/pro/login-with-pam.rst.inc b/nitrokeys/features/openpgp-card/desktop-login/pam.rst similarity index 61% rename from pro/login-with-pam.rst.inc rename to nitrokeys/features/openpgp-card/desktop-login/pam.rst index 42f922fb9a..765b9444e6 100644 --- a/pro/login-with-pam.rst.inc +++ b/nitrokeys/features/openpgp-card/desktop-login/pam.rst @@ -1,3 +1,10 @@ +PAM +=== + +.. include:: ../index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: How to Setup The Login @@ -13,30 +20,30 @@ It is necessary to already have keys generated on the Nitrokey, as the authentic 1. At first you need to find out the Application ID of your Nitrokey. It looks like or similar to ``D00600012401020000000000xxxxxxxx``. -.. code-block:: bash - - gpg --card-status | grep Application + .. code-block:: bash + + gpg --card-status | grep Application 2. Now you have to add a line to ``/etc/poldi/localdb/users`` which contains the following information `` ``. - This could look like ``D00600012401020000000000xxxxxxxx nitrokeyuser``. Now dump the public key from the Nitrokey into Poldis local db: + This could look like ``D00600012401020000000000xxxxxxxx nitrokeyuser``. Now dump the public key from the Nitrokey into Poldis local db: -.. code-block:: bash + .. code-block:: bash - sudo sh -c 'gpg-connect-agent "/datafile /etc/poldi/localdb/keys/" "SCD READKEY --advanced OPENPGP.3" /bye' + sudo sh -c 'gpg-connect-agent "/datafile /etc/poldi/localdb/keys/" "SCD READKEY --advanced OPENPGP.3" /bye' -Please be aware that you have to insert your Application ID in the line above with the one of your Nitrokey! + Please be aware that you have to insert your Application ID in the line above with the one of your Nitrokey! -Then you have to configure PAM. Just add ``auth sufficient pam_poldi.so`` to PAM configuration files according to your needs: + Then you have to configure PAM. Just add ``auth sufficient pam_poldi.so`` to PAM configuration files according to your needs: - * ``/etc/pam.d/common-auth`` for graphical user login - * ``/etc/pam.d/login`` for console login - * ``/etc/pam.d/sudo`` for sudo authentication - * ``/etc/pam.d/gnome-screensaver`` for login back from a locked screen - * and other files in ``/etc/pam.d`` + * ``/etc/pam.d/common-auth`` for graphical user login + * ``/etc/pam.d/login`` for console login + * ``/etc/pam.d/sudo`` for sudo authentication + * ``/etc/pam.d/gnome-screensaver`` for login back from a locked screen + * and other files in ``/etc/pam.d`` -.. note:: PAM is dangerous to play around with, so make sure you have a way of accessing the machine if you break authentication completely. Remember that booting into rescue mode from GRUB requires a root password, so keep that or a live CD which can read your filesystems to hand. + .. note:: PAM is dangerous to play around with, so make sure you have a way of accessing the machine if you break authentication completely. Remember that booting into rescue mode from GRUB requires a root password, so keep that or a live CD which can read your filesystems to hand. Here you find `further instructions `__ (in German, partially outdated). @@ -45,7 +52,7 @@ Troubleshooting If you get an error similar to ``ERR 100663414 Invalid ID `` you should try instead -.. code-block:: bash +:: poldi-ctrl -k > ; sudo mv /etc/poldi/localdb/keys diff --git a/nitrokeys/features/openpgp-card/desktop-login/smart-policy.rst b/nitrokeys/features/openpgp-card/desktop-login/smart-policy.rst new file mode 100644 index 0000000000..4d2d489f97 --- /dev/null +++ b/nitrokeys/features/openpgp-card/desktop-login/smart-policy.rst @@ -0,0 +1,122 @@ +Login to Windows Domain Computers With MS Active Directory +========================================================== + +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ✓ + - ⨯ + - ⨯ + - ⨯ + - ✓ + - ✓ + - ✓ + - ✓ +.. section products-end + +.. contents:: :local: + +1. Download and install the latest + `OpenSC `__. +2. Use a text editor to add the following settings to + ``C:\Program Files:\OpenSC Project\OpenSC\opensc.conf``. + + :: + + # Nitrokey Pro 2, OpenPGP Card, Nitrokey Storage 2 + card_atr 3b:da:18:ff:81:b1:fe:75:1f:03:00:31:f5:73:c0:01:60:00:90:00:1c { + type = 9002; + driver = "openpgp"; + # name = "Nitrokey Pro 2"; + md_read_only = false; + md_supports_X509_enrollment = true; + } + # Nitrokey Pro, OpenPGP Card + card_atr 3B:DA:18:FF:81:B1:FE:75:1F:03:00:31:C5:73:C0:01:40:00:90:00:0C { + type = 9002; + driver = "openpgp"; + # name = "Nitrokey Pro"; + md_read_only = false; + md_supports_X509_enrollment = true; + } + # Nitrokey HSM 2, SmartCard-HSM + card_atr 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c { + type = 26000; + driver = "sc-hsm"; + # name = "Nitrokey HSM 2"; + md_read_only = false; + md_supports_X509_enrollment = true; + } + # Nitrokey HSM, SmartCard-HSM + card_atr 3B:FE:18:00:00:81:31:FE:45:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:FA { + type = 26000; + driver = "sc-hsm"; + # name = "Nitrokey HSM"; + md_read_only = false; + md_supports_X509_enrollment = true; + } + + +3. Open a command terminal and enter “regedit”. Use regedit to import + `this + file `__. +4. Now you can enroll Nitrokeys for your users managed in Microsoft + Active Directory. You may either use Microsoft PKI, + `gpgsm `__, + or `Smart + Policy `__. + The following steps describe the usage of Smart Policy. +5. `Download `__ + and install Smart Policy. +6. Select “Read a smart card” + + .. figure:: images/smart-policy/1.png + :alt: img1 + + + +7. Select the certificate, mapping, and user. + + .. figure:: images/smart-policy/2.png + :alt: img2 + + + +8. Verify the device status via CRL. + + .. figure:: images/smart-policy/3.png + :alt: img3 + + + +9. Choose a Group Policy Object (GPO). + + .. figure:: images/smart-policy/4.png + :alt: img4 + + + +10. Confirm applying the mapping. + +.. figure:: images/smart-policy/5.png + :alt: img5 + + + +From now on, when logging on to your Windows computer you need to connect the Nitrokey and enter your PIN. + +.. figure:: images/smart-policy/6.png + :alt: img6 + diff --git a/pro/eidauthenticate.rst.inc b/nitrokeys/features/openpgp-card/eid.rst similarity index 69% rename from pro/eidauthenticate.rst.inc rename to nitrokeys/features/openpgp-card/eid.rst index 0d763342d9..a735aaf824 100644 --- a/pro/eidauthenticate.rst.inc +++ b/nitrokeys/features/openpgp-card/eid.rst @@ -1,27 +1,32 @@ Login With EIDAuthenticate on Stand Alone Windows Computers =========================================================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: 1. Download and install the latest version of `OpenSC `__. Please install the `OpenPGP-CSP `__ driver **instead** if using Nitrokey Storage 2 or Nitrokey Pro 2. 2. Download and install `EIDAuthenticate `__. - .. note:: - The free community edition is disabled. You may test the enterprise edition instead. + .. note:: + + The free community edition is disabled. You may test the enterprise edition instead. 3. Start EIDConfigurationWizard.exe 4. Select “Associate a new certificate” -.. figure:: /pro/images/eidauthenticate/1.png - :alt: img1 + .. figure:: images/eidauthenticate/1.png + :alt: img1 5. Select or generate a Certificate Authority which should issue the user’s certificate on the Nitrokey. -.. figure:: /pro/images/eidauthenticate/2.png - :alt: img2 + .. figure:: images/eidauthenticate/2.png + :alt: img2 @@ -30,43 +35,43 @@ Login With EIDAuthenticate on Stand Alone Windows Computers your Nitrokey is not detected you may want to execute “certutil -scinfo” for troubleshooting. -.. figure:: /pro/images/eidauthenticate/3.png - :alt: img3 + .. figure:: images/eidauthenticate/3.png + :alt: img3 7. Select the newly generated certificate and press continue. -.. figure:: /pro/images/eidauthenticate/4.png - :alt: img4 + .. figure:: images/eidauthenticate/4.png + :alt: img4 8. All checks should succeed. Press continue. -.. figure:: /pro/images/eidauthenticate/5.png - :alt: img5 + .. figure:: images/eidauthenticate/5.png + :alt: img5 9. Enter the password of your user account. -.. figure:: /pro/images/eidauthenticate/6.png - :alt: img6 + .. figure:: images/eidauthenticate/6.png + :alt: img6 10. Enter the user PIN which you defined previously in step 4. -.. figure:: /pro/images/eidauthenticate/7.png - :alt: img7 + .. figure:: images/eidauthenticate/7.png + :alt: img7 11. The final screen may look like this. -.. figure:: /pro/images/eidauthenticate/8.png - :alt: img8 + .. figure:: images/eidauthenticate/8.png + :alt: img8 @@ -74,6 +79,6 @@ You may perform further configurations such as activate the force smart card pol From now on, when logging on to your Windows computer you need to connect the Nitrokey and enter your PIN. -.. figure:: /pro/images/eidauthenticate/9.png +.. figure:: images/eidauthenticate/9.png :alt: img9 diff --git a/nitrokey3/linux/fedora-gnupg-configuration.rst b/nitrokeys/features/openpgp-card/fedora-gnupg-configuration.rst similarity index 97% rename from nitrokey3/linux/fedora-gnupg-configuration.rst rename to nitrokeys/features/openpgp-card/fedora-gnupg-configuration.rst index 3748b2e8ca..82bc3c8ef4 100644 --- a/nitrokey3/linux/fedora-gnupg-configuration.rst +++ b/nitrokeys/features/openpgp-card/fedora-gnupg-configuration.rst @@ -1,6 +1,10 @@ OpenPGP smartcard with GnuPG on Fedora ====================================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. note:: The following instructions require the Nitrokey 3 to have at least firmware version ``1.4.0`` installed. Please refer to `firmware update <./firmware-update.html>`__ to learn how to update it. diff --git a/pro/gpa.rst b/nitrokeys/features/openpgp-card/gpa.rst similarity index 68% rename from pro/gpa.rst rename to nitrokeys/features/openpgp-card/gpa.rst index dfea076432..867ee0ac31 100644 --- a/pro/gpa.rst +++ b/nitrokeys/features/openpgp-card/gpa.rst @@ -1,55 +1,80 @@ Setup With Gnu Privacy Assistant (GPA) ======================================================= +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ✓ + - ⨯ + - ⨯ + - ⨯ + - ✓ + - ✓ + - ✓ + - ✓ +.. section products-end + This document describes how to use Gnu Privacy Assistant (GPA) to set up the Nitrokey for its first usage. 1. First you need to install Gnu Privacy Assistant (GPA). For Windows you should download and install the `GPG4Win `__ package which contains GPA. For Linux you should install the GPA package of your distribution (e.g. on Ubuntu: sudo apt-get install gpa ). 2. Start GPA and select the Card Manager; either by pressing the icon at the top or by choosing Card Manager in the Windows menu. - .. figure:: /pro/images/gpa/1.png + .. figure:: images/gpa/1.png :alt: img1 3. The window of the Card Manager will appear. Enter your salutation, name and optional other information. While doing so you might be asked to enter the admin PIN. - .. figure:: /pro/images/gpa/2.png + .. figure:: images/gpa/2.png :alt: img2 4. Confirm this window and enter the admin PIN in the next window. - .. figure:: /pro/images/gpa/3.png + .. figure:: images/gpa/3.png :alt: img3 5. In the Card Manager window you might need to scroll down until you see the buttons to change the PINs. The term PIN is used interchangeable with "password". Press the first button "Change PIN" in order to change the user password. Read and confirm the following information window. - .. figure:: /pro/images/gpa/4.png + .. figure:: images/gpa/4.png :alt: img4 6. Choose and enter your own PIN with a minimum length of six characters. This PIN is required for the daily usage of the Nitrokey. - .. figure:: /pro/images/gpa/5.png + .. figure:: images/gpa/5.png :alt: img5 7. Go back to the Card Manager window in step three. This time you choose the third button Change PIN in order to change the admin PIN. The admin PIN is required to change the information on the Nitrokey and to change the cryptographic keys. Proceed as described in steps four and five. 8. After changing both the user and the admin PIN, you are back in the Card Manager window. Select "Generate key" in the "Card" menu. - .. figure:: /pro/images/gpa/6.png + .. figure:: images/gpa/6.png :alt: img6 9. Enter your name and e-mail address. You should keep "backup" enabled in order to create a backup file of your cryptographic keys. Optionally you might select an expiration date for your cryptographic keys. - .. figure:: /pro/images/gpa/7.png + .. figure:: images/gpa/7.png :alt: img7 10. Wait until the keys are generated successfully. - .. figure:: /pro/images/gpa/8.png + .. figure:: images/gpa/8.png :alt: img8 11. Enter a strong passphrase for your backup keys. We strongly recommend to store the backup file on a separate storage(e.g. CD-ROM) and on a safe location. - .. figure:: /pro/images/gpa/9.png + .. figure:: images/gpa/9.png :alt: img9 Congratulations, your Nitrokey is now ready to use. Please see the `applications `__ section for further information of its usage. diff --git a/pro/linux/images/luks_1.png b/nitrokeys/features/openpgp-card/hard-disk-encryption/images/luks/luks_1.png similarity index 100% rename from pro/linux/images/luks_1.png rename to nitrokeys/features/openpgp-card/hard-disk-encryption/images/luks/luks_1.png diff --git a/pro/linux/images/luks_2.png b/nitrokeys/features/openpgp-card/hard-disk-encryption/images/luks/luks_2.png similarity index 100% rename from pro/linux/images/luks_2.png rename to nitrokeys/features/openpgp-card/hard-disk-encryption/images/luks/luks_2.png diff --git a/pro/linux/images/luks_3.png b/nitrokeys/features/openpgp-card/hard-disk-encryption/images/luks/luks_3.png similarity index 100% rename from pro/linux/images/luks_3.png rename to nitrokeys/features/openpgp-card/hard-disk-encryption/images/luks/luks_3.png diff --git a/pro/linux/images/luks_5.png b/nitrokeys/features/openpgp-card/hard-disk-encryption/images/luks/luks_5.png similarity index 100% rename from pro/linux/images/luks_5.png rename to nitrokeys/features/openpgp-card/hard-disk-encryption/images/luks/luks_5.png diff --git a/pro/linux/images/luks_6.png b/nitrokeys/features/openpgp-card/hard-disk-encryption/images/luks/luks_6.png similarity index 100% rename from pro/linux/images/luks_6.png rename to nitrokeys/features/openpgp-card/hard-disk-encryption/images/luks/luks_6.png diff --git a/pro/linux/images/luks_7.png b/nitrokeys/features/openpgp-card/hard-disk-encryption/images/luks/luks_7.png similarity index 100% rename from pro/linux/images/luks_7.png rename to nitrokeys/features/openpgp-card/hard-disk-encryption/images/luks/luks_7.png diff --git a/pro/linux/hard-disk-encryption.rst b/nitrokeys/features/openpgp-card/hard-disk-encryption/index.rst similarity index 86% rename from pro/linux/hard-disk-encryption.rst rename to nitrokeys/features/openpgp-card/hard-disk-encryption/index.rst index cab92c4900..75a37952ae 100644 --- a/pro/linux/hard-disk-encryption.rst +++ b/nitrokeys/features/openpgp-card/hard-disk-encryption/index.rst @@ -1,6 +1,31 @@ Hard Disk Encryption ==================== +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ✓ + - ⨯ + - ⨯ + - ⨯ + - ✓ + - ✓ + - ✓ + - ✓ +.. section products-end + .. contents:: :local: VeraCrypt (formerly TrueCrypt) @@ -41,7 +66,13 @@ Note: `Aloaha Crypt `__ is based on T Hard Disk Encryption on GNU+Linux with LUKS/dm-crypt ---------------------------------------------------- -Here are `excellent instructions `__ how to use Nitrokey to encrypt your hard disk under GNU+Linux with LUKS/dm-crypt. `Other instructions `__. +For setting up LUKS Disk Encryption follow our guide: + +.. toctree:: + :maxdepth: 1 + + Full-Disk Encryption With cryptsetup/LUKS + Purism has created a `simple script `__ to add the Nitrokey/LibremKey as a way to unlock LUKS partitions (not tested by Nitrokey yet). diff --git a/pro/linux/disk-encryption-luks.rst b/nitrokeys/features/openpgp-card/hard-disk-encryption/luks.rst similarity index 96% rename from pro/linux/disk-encryption-luks.rst rename to nitrokeys/features/openpgp-card/hard-disk-encryption/luks.rst index 30ef297953..83ee3e4c57 100644 --- a/pro/linux/disk-encryption-luks.rst +++ b/nitrokeys/features/openpgp-card/hard-disk-encryption/luks.rst @@ -1,6 +1,10 @@ Full-Disk Encryption With cryptsetup/LUKS ========================================= +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: This guide shows how to configure LUKS-encrypted volumes, to authenticate at boot with `Nitrokey Pro `__ or `Nitrokey Storage `__. @@ -107,13 +111,13 @@ and sets up crypttab, LUKS, initramfs, and GRUB. First you will be prompted for the ``User PIN`` -.. figure:: /pro/linux/images/luks_1.png +.. figure:: images/luks/luks_1.png :alt: img1 Once you unlock the Nitrokey, you will be prompted for your ``OLD passphrase``. It is the passphrase you entered to encrypt your volume at installation. -.. figure:: /pro/linux/images/luks_2.png +.. figure:: images/luks/luks_2.png :alt: img2 .. note:: This is a fall-back alternative in case you lose your Nitrokey, or if @@ -125,7 +129,7 @@ Once you enter the passphrase, the script finishes the setup in about one minute. Do not interrupt the script, or you might get locked out of your computer after reboot. -.. figure:: /pro/linux/images/luks_3.png +.. figure:: images/luks/luks_3.png :alt: img3 Done! @@ -138,12 +142,12 @@ Usage After reboot you should be prompted for your User PIN -.. figure:: /pro/linux/images/luks_5.png +.. figure:: images/luks/luks_5.png :alt: img5 Enter your User PIN to unlock the drive -.. figure:: /pro/linux/images/luks_6.png +.. figure:: images/luks/luks_6.png :alt: img6 diff --git a/pro/images/change-pins/1.png b/nitrokeys/features/openpgp-card/images/change-pins/1.png similarity index 100% rename from pro/images/change-pins/1.png rename to nitrokeys/features/openpgp-card/images/change-pins/1.png diff --git a/pro/images/change-pins/2.png b/nitrokeys/features/openpgp-card/images/change-pins/2.png similarity index 100% rename from pro/images/change-pins/2.png rename to nitrokeys/features/openpgp-card/images/change-pins/2.png diff --git a/pro/images/change-pins/3.png b/nitrokeys/features/openpgp-card/images/change-pins/3.png similarity index 100% rename from pro/images/change-pins/3.png rename to nitrokeys/features/openpgp-card/images/change-pins/3.png diff --git a/pro/images/change-pins/4.png b/nitrokeys/features/openpgp-card/images/change-pins/4.png similarity index 100% rename from pro/images/change-pins/4.png rename to nitrokeys/features/openpgp-card/images/change-pins/4.png diff --git a/pro/linux/images/App-change-pin.png b/nitrokeys/features/openpgp-card/images/change-pins/App-change-pin.png similarity index 100% rename from pro/linux/images/App-change-pin.png rename to nitrokeys/features/openpgp-card/images/change-pins/App-change-pin.png diff --git a/pro/images/eidauthenticate/1.png b/nitrokeys/features/openpgp-card/images/eidauthenticate/1.png similarity index 100% rename from pro/images/eidauthenticate/1.png rename to nitrokeys/features/openpgp-card/images/eidauthenticate/1.png diff --git a/pro/images/eidauthenticate/2.png b/nitrokeys/features/openpgp-card/images/eidauthenticate/2.png similarity index 100% rename from pro/images/eidauthenticate/2.png rename to nitrokeys/features/openpgp-card/images/eidauthenticate/2.png diff --git a/pro/images/eidauthenticate/3.png b/nitrokeys/features/openpgp-card/images/eidauthenticate/3.png similarity index 100% rename from pro/images/eidauthenticate/3.png rename to nitrokeys/features/openpgp-card/images/eidauthenticate/3.png diff --git a/pro/images/eidauthenticate/4.png b/nitrokeys/features/openpgp-card/images/eidauthenticate/4.png similarity index 100% rename from pro/images/eidauthenticate/4.png rename to nitrokeys/features/openpgp-card/images/eidauthenticate/4.png diff --git a/pro/images/eidauthenticate/5.png b/nitrokeys/features/openpgp-card/images/eidauthenticate/5.png similarity index 100% rename from pro/images/eidauthenticate/5.png rename to nitrokeys/features/openpgp-card/images/eidauthenticate/5.png diff --git a/pro/images/eidauthenticate/6.png b/nitrokeys/features/openpgp-card/images/eidauthenticate/6.png similarity index 100% rename from pro/images/eidauthenticate/6.png rename to nitrokeys/features/openpgp-card/images/eidauthenticate/6.png diff --git a/pro/images/eidauthenticate/7.png b/nitrokeys/features/openpgp-card/images/eidauthenticate/7.png similarity index 100% rename from pro/images/eidauthenticate/7.png rename to nitrokeys/features/openpgp-card/images/eidauthenticate/7.png diff --git a/pro/images/eidauthenticate/8.png b/nitrokeys/features/openpgp-card/images/eidauthenticate/8.png similarity index 100% rename from pro/images/eidauthenticate/8.png rename to nitrokeys/features/openpgp-card/images/eidauthenticate/8.png diff --git a/pro/images/eidauthenticate/9.png b/nitrokeys/features/openpgp-card/images/eidauthenticate/9.png similarity index 100% rename from pro/images/eidauthenticate/9.png rename to nitrokeys/features/openpgp-card/images/eidauthenticate/9.png diff --git a/pro/images/openpgp-keygen-gpa/1.png b/nitrokeys/features/openpgp-card/images/gpa-keygen/1.png similarity index 100% rename from pro/images/openpgp-keygen-gpa/1.png rename to nitrokeys/features/openpgp-card/images/gpa-keygen/1.png diff --git a/pro/images/openpgp-keygen-gpa/2.png b/nitrokeys/features/openpgp-card/images/gpa-keygen/2.png similarity index 100% rename from pro/images/openpgp-keygen-gpa/2.png rename to nitrokeys/features/openpgp-card/images/gpa-keygen/2.png diff --git a/pro/images/openpgp-keygen-gpa/3.png b/nitrokeys/features/openpgp-card/images/gpa-keygen/3.png similarity index 100% rename from pro/images/openpgp-keygen-gpa/3.png rename to nitrokeys/features/openpgp-card/images/gpa-keygen/3.png diff --git a/pro/images/openpgp-keygen-gpa/4.png b/nitrokeys/features/openpgp-card/images/gpa-keygen/4.png similarity index 100% rename from pro/images/openpgp-keygen-gpa/4.png rename to nitrokeys/features/openpgp-card/images/gpa-keygen/4.png diff --git a/pro/images/openpgp-keygen-gpa/5.png b/nitrokeys/features/openpgp-card/images/gpa-keygen/5.png similarity index 100% rename from pro/images/openpgp-keygen-gpa/5.png rename to nitrokeys/features/openpgp-card/images/gpa-keygen/5.png diff --git a/pro/images/openpgp-keygen-gpa/6.png b/nitrokeys/features/openpgp-card/images/gpa-keygen/6.png similarity index 100% rename from pro/images/openpgp-keygen-gpa/6.png rename to nitrokeys/features/openpgp-card/images/gpa-keygen/6.png diff --git a/pro/images/openpgp-keygen-gpa/7.png b/nitrokeys/features/openpgp-card/images/gpa-keygen/7.png similarity index 100% rename from pro/images/openpgp-keygen-gpa/7.png rename to nitrokeys/features/openpgp-card/images/gpa-keygen/7.png diff --git a/pro/images/gpa/1.png b/nitrokeys/features/openpgp-card/images/gpa/1.png similarity index 100% rename from pro/images/gpa/1.png rename to nitrokeys/features/openpgp-card/images/gpa/1.png diff --git a/pro/images/gpa/2.png b/nitrokeys/features/openpgp-card/images/gpa/2.png similarity index 100% rename from pro/images/gpa/2.png rename to nitrokeys/features/openpgp-card/images/gpa/2.png diff --git a/pro/images/gpa/3.png b/nitrokeys/features/openpgp-card/images/gpa/3.png similarity index 100% rename from pro/images/gpa/3.png rename to nitrokeys/features/openpgp-card/images/gpa/3.png diff --git a/pro/images/gpa/4.png b/nitrokeys/features/openpgp-card/images/gpa/4.png similarity index 100% rename from pro/images/gpa/4.png rename to nitrokeys/features/openpgp-card/images/gpa/4.png diff --git a/pro/images/gpa/5.png b/nitrokeys/features/openpgp-card/images/gpa/5.png similarity index 100% rename from pro/images/gpa/5.png rename to nitrokeys/features/openpgp-card/images/gpa/5.png diff --git a/pro/images/gpa/6.png b/nitrokeys/features/openpgp-card/images/gpa/6.png similarity index 100% rename from pro/images/gpa/6.png rename to nitrokeys/features/openpgp-card/images/gpa/6.png diff --git a/pro/images/gpa/7.png b/nitrokeys/features/openpgp-card/images/gpa/7.png similarity index 100% rename from pro/images/gpa/7.png rename to nitrokeys/features/openpgp-card/images/gpa/7.png diff --git a/pro/images/gpa/8.png b/nitrokeys/features/openpgp-card/images/gpa/8.png similarity index 100% rename from pro/images/gpa/8.png rename to nitrokeys/features/openpgp-card/images/gpa/8.png diff --git a/pro/images/gpa/9.png b/nitrokeys/features/openpgp-card/images/gpa/9.png similarity index 100% rename from pro/images/gpa/9.png rename to nitrokeys/features/openpgp-card/images/gpa/9.png diff --git a/pro/windows/images/openpgp-csp/1.png b/nitrokeys/features/openpgp-card/images/openpgp-csp/1.png similarity index 100% rename from pro/windows/images/openpgp-csp/1.png rename to nitrokeys/features/openpgp-card/images/openpgp-csp/1.png diff --git a/pro/windows/images/openpgp-csp/10.png b/nitrokeys/features/openpgp-card/images/openpgp-csp/10.png similarity index 100% rename from pro/windows/images/openpgp-csp/10.png rename to nitrokeys/features/openpgp-card/images/openpgp-csp/10.png diff --git a/pro/windows/images/openpgp-csp/11.png b/nitrokeys/features/openpgp-card/images/openpgp-csp/11.png similarity index 100% rename from pro/windows/images/openpgp-csp/11.png rename to nitrokeys/features/openpgp-card/images/openpgp-csp/11.png diff --git a/pro/windows/images/openpgp-csp/2.png b/nitrokeys/features/openpgp-card/images/openpgp-csp/2.png similarity index 100% rename from pro/windows/images/openpgp-csp/2.png rename to nitrokeys/features/openpgp-card/images/openpgp-csp/2.png diff --git a/pro/windows/images/openpgp-csp/3.png b/nitrokeys/features/openpgp-card/images/openpgp-csp/3.png similarity index 100% rename from pro/windows/images/openpgp-csp/3.png rename to nitrokeys/features/openpgp-card/images/openpgp-csp/3.png diff --git a/pro/windows/images/openpgp-csp/4.png b/nitrokeys/features/openpgp-card/images/openpgp-csp/4.png similarity index 100% rename from pro/windows/images/openpgp-csp/4.png rename to nitrokeys/features/openpgp-card/images/openpgp-csp/4.png diff --git a/pro/windows/images/openpgp-csp/5.png b/nitrokeys/features/openpgp-card/images/openpgp-csp/5.png similarity index 100% rename from pro/windows/images/openpgp-csp/5.png rename to nitrokeys/features/openpgp-card/images/openpgp-csp/5.png diff --git a/pro/windows/images/openpgp-csp/6.png b/nitrokeys/features/openpgp-card/images/openpgp-csp/6.png similarity index 100% rename from pro/windows/images/openpgp-csp/6.png rename to nitrokeys/features/openpgp-card/images/openpgp-csp/6.png diff --git a/pro/windows/images/openpgp-csp/7.png b/nitrokeys/features/openpgp-card/images/openpgp-csp/7.png similarity index 100% rename from pro/windows/images/openpgp-csp/7.png rename to nitrokeys/features/openpgp-card/images/openpgp-csp/7.png diff --git a/pro/windows/images/openpgp-csp/8.png b/nitrokeys/features/openpgp-card/images/openpgp-csp/8.png similarity index 100% rename from pro/windows/images/openpgp-csp/8.png rename to nitrokeys/features/openpgp-card/images/openpgp-csp/8.png diff --git a/pro/windows/images/openpgp-csp/9.png b/nitrokeys/features/openpgp-card/images/openpgp-csp/9.png similarity index 100% rename from pro/windows/images/openpgp-csp/9.png rename to nitrokeys/features/openpgp-card/images/openpgp-csp/9.png diff --git a/pro/windows/images/openpgp-outlook/1.png b/nitrokeys/features/openpgp-card/images/outlook/1.png similarity index 100% rename from pro/windows/images/openpgp-outlook/1.png rename to nitrokeys/features/openpgp-card/images/outlook/1.png diff --git a/pro/windows/images/openpgp-outlook/2.png b/nitrokeys/features/openpgp-card/images/outlook/2.png similarity index 100% rename from pro/windows/images/openpgp-outlook/2.png rename to nitrokeys/features/openpgp-card/images/outlook/2.png diff --git a/pro/windows/images/openpgp-outlook/3.png b/nitrokeys/features/openpgp-card/images/outlook/3.png similarity index 100% rename from pro/windows/images/openpgp-outlook/3.png rename to nitrokeys/features/openpgp-card/images/outlook/3.png diff --git a/pro/windows/images/openpgp-outlook/4.png b/nitrokeys/features/openpgp-card/images/outlook/4.png similarity index 100% rename from pro/windows/images/openpgp-outlook/4.png rename to nitrokeys/features/openpgp-card/images/outlook/4.png diff --git a/pro/images/openpgp-thunderbird/1.png b/nitrokeys/features/openpgp-card/images/thunderbird/1.png similarity index 100% rename from pro/images/openpgp-thunderbird/1.png rename to nitrokeys/features/openpgp-card/images/thunderbird/1.png diff --git a/pro/images/openpgp-thunderbird/10.png b/nitrokeys/features/openpgp-card/images/thunderbird/10.png similarity index 100% rename from pro/images/openpgp-thunderbird/10.png rename to nitrokeys/features/openpgp-card/images/thunderbird/10.png diff --git a/pro/images/openpgp-thunderbird/11.png b/nitrokeys/features/openpgp-card/images/thunderbird/11.png similarity index 100% rename from pro/images/openpgp-thunderbird/11.png rename to nitrokeys/features/openpgp-card/images/thunderbird/11.png diff --git a/pro/images/openpgp-thunderbird/12.png b/nitrokeys/features/openpgp-card/images/thunderbird/12.png similarity index 100% rename from pro/images/openpgp-thunderbird/12.png rename to nitrokeys/features/openpgp-card/images/thunderbird/12.png diff --git a/pro/images/openpgp-thunderbird/13.png b/nitrokeys/features/openpgp-card/images/thunderbird/13.png similarity index 100% rename from pro/images/openpgp-thunderbird/13.png rename to nitrokeys/features/openpgp-card/images/thunderbird/13.png diff --git a/pro/images/openpgp-thunderbird/14.png b/nitrokeys/features/openpgp-card/images/thunderbird/14.png similarity index 100% rename from pro/images/openpgp-thunderbird/14.png rename to nitrokeys/features/openpgp-card/images/thunderbird/14.png diff --git a/pro/images/openpgp-thunderbird/2.png b/nitrokeys/features/openpgp-card/images/thunderbird/2.png similarity index 100% rename from pro/images/openpgp-thunderbird/2.png rename to nitrokeys/features/openpgp-card/images/thunderbird/2.png diff --git a/pro/images/openpgp-thunderbird/3.png b/nitrokeys/features/openpgp-card/images/thunderbird/3.png similarity index 100% rename from pro/images/openpgp-thunderbird/3.png rename to nitrokeys/features/openpgp-card/images/thunderbird/3.png diff --git a/pro/images/openpgp-thunderbird/4.png b/nitrokeys/features/openpgp-card/images/thunderbird/4.png similarity index 100% rename from pro/images/openpgp-thunderbird/4.png rename to nitrokeys/features/openpgp-card/images/thunderbird/4.png diff --git a/pro/images/openpgp-thunderbird/5.png b/nitrokeys/features/openpgp-card/images/thunderbird/5.png similarity index 100% rename from pro/images/openpgp-thunderbird/5.png rename to nitrokeys/features/openpgp-card/images/thunderbird/5.png diff --git a/pro/images/openpgp-thunderbird/6.png b/nitrokeys/features/openpgp-card/images/thunderbird/6.png similarity index 100% rename from pro/images/openpgp-thunderbird/6.png rename to nitrokeys/features/openpgp-card/images/thunderbird/6.png diff --git a/pro/images/openpgp-thunderbird/7.png b/nitrokeys/features/openpgp-card/images/thunderbird/7.png similarity index 100% rename from pro/images/openpgp-thunderbird/7.png rename to nitrokeys/features/openpgp-card/images/thunderbird/7.png diff --git a/pro/images/openpgp-thunderbird/8.png b/nitrokeys/features/openpgp-card/images/thunderbird/8.png similarity index 100% rename from pro/images/openpgp-thunderbird/8.png rename to nitrokeys/features/openpgp-card/images/thunderbird/8.png diff --git a/pro/images/openpgp-thunderbird/9.png b/nitrokeys/features/openpgp-card/images/thunderbird/9.png similarity index 100% rename from pro/images/openpgp-thunderbird/9.png rename to nitrokeys/features/openpgp-card/images/thunderbird/9.png diff --git a/nitrokeys/features/openpgp-card/index.rst b/nitrokeys/features/openpgp-card/index.rst new file mode 100644 index 0000000000..11b1e142c0 --- /dev/null +++ b/nitrokeys/features/openpgp-card/index.rst @@ -0,0 +1,53 @@ +OpenPGP Card +============ + +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ✓ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ✓ + - ✓ + - ✓ +.. section products-end + +.. toctree:: + :maxdepth: 1 + + Overview + Keygen with GPA + Keygen with Backup + Keygen on device + Windows Login and S/MIME Email Encryption with Active Directory + OpenPGP encryption with Thunderbird + OpenPGP encryption with Outlook + OpenPGP Touch Confirmation (Nitrokey 3 only) + OpenVPN + Claws Mail, an email client (and news reader) for Linux and Windows + Evolution, an email client for the Gnome Desktop on Linux systems + GPGTools on macOS + Desktop Login + SSH + IPSec + Hard Disk Encryption + Stunnel + Gnu Privacy Assistant (GPA) + EID + Certificate-authority + GnuPG with Fedora + Change Pins \ No newline at end of file diff --git a/nitrokeys/features/openpgp-card/ipsec.rst b/nitrokeys/features/openpgp-card/ipsec.rst new file mode 100644 index 0000000000..add74577d7 --- /dev/null +++ b/nitrokeys/features/openpgp-card/ipsec.rst @@ -0,0 +1,74 @@ +IPSec +===== + +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ✓ + - ⨯ + - ⨯ + - ⨯ + - ✓ + - ✓ + - ✓ + - ✓ +.. section products-end + +.. contents:: :local: + +`Strong Swan `__ works using the `PKCS#11 driver `__. Basically follow these steps: + +1. Generate a key on Nitrokey via pkcs11-tool. In this example it's a 4096 bit RSA key. + + .. code-block:: bash + + $ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so -l -k --key-type rsa:4096 --id 10 --label 'Staging Access' + +2. Generate a certificate signing request via openssl + pkcs11 module + + .. code-block:: bash + + $ openssl + OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so + OpenSSL> req -engine pkcs11 -sha256 -new -key id_10 -keyform engine -out user@email.com-staging-cert.csr -subj '/C=GB/L=Cambridge/O=Organization/OU=Staging Access/CN=user@email.com/emailAddress=user@email.com' + +3. Sign the certificate with your certificate authority + +4. Convert the certificate to DER + + .. code-block:: bash + + $ openssl x509 -in user@email.com-staging-cert.csr -out user@email.com-staging-cert.der -outform DER + +5. Import the certificate into the Nitrokey via pkcs11-tool + + .. code-block:: bash + + $ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so -l -y cert -w user@email.com-staging-cert.der --id 10 --label 'Staging Access' + +6. Configure Strongswan to load opensc-pkcs11 module then to load the certificate on Nitrokey. Edit /etc/strongswan.d/charon/pkcs11.conf and add the following module: + + :: + + modules { + Nitrokey { + path = /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so + } + } + + +7. Initiate the VPN connection via IPSec/Strongswan, then prompt for Nitrokey PIN + +8. VPN is now connected diff --git a/pro/windows/openpgp-csp.rst b/nitrokeys/features/openpgp-card/openpgp-csp.rst similarity index 84% rename from pro/windows/openpgp-csp.rst rename to nitrokeys/features/openpgp-card/openpgp-csp.rst index 5565c27e8f..c1c8272e31 100644 --- a/pro/windows/openpgp-csp.rst +++ b/nitrokeys/features/openpgp-card/openpgp-csp.rst @@ -1,6 +1,10 @@ Windows Login and S/MIME Email Encryption with Active Directory =============================================================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: Please note that this driver is still in development/testing. Please tell us your experiences! See our `contact page `__. @@ -22,45 +26,45 @@ Creating Certificate Template on Server Side On Active Directory Server open certsrv.msc to manage your certificate templates. Right click on ‘Certificate Templates’ and choose ‘Manage’ -.. figure:: /pro/windows/images/openpgp-csp/1.png +.. figure:: images/openpgp-csp/1.png :alt: img1 Now right click on ‘Smartcard Logon’ template and click ‘Duplicate’, to create a new template on basis of this standard template. Rename template to ‘OpenPGP Card Logon and Email’ or alike. -.. figure:: /pro/windows/images/openpgp-csp/2.png +.. figure:: images/openpgp-csp/2.png :alt: img2 Under ‘Request Handling’, you can choose the OpenPGP-CSP as the one and only Cryptography Service Provider (click the Button labeled ‘CSPs…’). For this to work, you need to install the driver on the server as well and you have to insert a Nitrokey beforehand. This is optional. You can let the user choose, which CSP to use. -.. figure:: /pro/windows/images/openpgp-csp/3.png +.. figure:: images/openpgp-csp/3.png :alt: img3 -.. figure:: /pro/windows/images/openpgp-csp/4.png +.. figure:: images/openpgp-csp/4.png :alt: img4 For enabling S/MIME email encryption go to ‘Subject name’. Tick the checkbox ‘E-Mail name’ (note: You must save the mail addresses of your users in the corresponding Active Directory field!). -.. figure:: /pro/windows/images/openpgp-csp/5.png +.. figure:: images/openpgp-csp/5.png :alt: img5 Then go to ‘Extensions’, there you edit the applications guideline and add ‘Secure Email’. -.. figure:: /pro/windows/images/openpgp-csp/6.png +.. figure:: images/openpgp-csp/6.png :alt: img6 -.. figure:: /pro/windows/images/openpgp-csp/7.png +.. figure:: images/openpgp-csp/7.png :alt: img7 @@ -71,19 +75,19 @@ Request Certificate on Client (Domain Member) To request a certificate for a domain member, you have to open certmgr.msc. Right click on folder ‘Personal->Certificates’ and click ’All Tasks->Request New Certificate and choose the template you created on the AD. -.. figure:: /pro/windows/images/openpgp-csp/8.png +.. figure:: images/openpgp-csp/8.png :alt: img8 If you did not enforce the usage of OpenPGP-CSP you have to choose it here now. -.. figure:: /pro/windows/images/openpgp-csp/9.png +.. figure:: images/openpgp-csp/9.png :alt: img9 -.. figure:: /pro/windows/images/openpgp-csp/10.png +.. figure:: images/openpgp-csp/10.png :alt: img10 @@ -92,6 +96,6 @@ Next you choose the Authentication slot for the certificate. You are now ready to logon on the computer with the Nitrokey instead of your password and you can use `S/MIME email encryption/signing `_ with the Nitrokey. The driver has to be installed on every computer you want to use the certificate on. -.. figure:: /pro/windows/images/openpgp-csp/11.png +.. figure:: images/openpgp-csp/11.png :alt: img11 diff --git a/pro/openpgp-keygen-backup.rst.inc b/nitrokeys/features/openpgp-card/openpgp-keygen-backup.rst similarity index 98% rename from pro/openpgp-keygen-backup.rst.inc rename to nitrokeys/features/openpgp-card/openpgp-keygen-backup.rst index 9249a0f871..09bdb1f739 100644 --- a/pro/openpgp-keygen-backup.rst.inc +++ b/nitrokeys/features/openpgp-card/openpgp-keygen-backup.rst @@ -1,6 +1,10 @@ OpenPGP Key Generation With Backup ================================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: The following instructions explain the generation of OpenPGP keys and how to copy them to the Nitrokey. This method has the advantage of providing a backup of the keys in case of losing or breaking the Nitrokey. The instructions are based on the command line interface of GnuPG. Thus, you need to have GnuPG installed on your system. The newest GnuPG version for Windows can be found `here `__ and the newest version for MacOS can be found `here `__. Users of Linux systems please install GnuPG with help of the package manager. @@ -15,7 +19,7 @@ Main Key and Encryption Subkey We can use the command ``gpg --full-generate-key --expert`` to start a guided key generation with all possible options. You can choose the key type (usually RSA (1) or ECC (9)), the length of the key and other attributes. The following output is just a simple example, you may choose other values. -.. code-block:: bash +:: > gpg --full-generate-key --expert gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc. @@ -86,7 +90,7 @@ Subkey for Authentication You now have a main key with the capability to sign and certify (marked as [SC]) and a subkey for encryption (marked as [E]). It is necessary to have another subkey for use cases in which authentication is needed. This subkey is generated in the next step. Type in ``gpg --edit-key --expert keyID`` to start the process, whereas “keyID” is either the id of the key or the email address used during key generation. -.. code-block:: bash +:: > gpg --edit-key --expert jane@example.com gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc. @@ -106,7 +110,7 @@ is either the id of the key or the email address used during key generation. Now you are in the interactive mode of GnuPG and you can add a key by simply typing ``addkey``. You need to choose the key you want to use. It is crucial to choose “set your own capabilities”, because we want to have the “authenticate” capability which is not available otherwise. We toggle sign and encrypt by typing ``s`` and ``e`` and we activate authenticate by typing ``a``. -.. code-block:: bash +:: gpg> addkey Please select what kind of key you want: @@ -164,7 +168,7 @@ Now you are in the interactive mode of GnuPG and you can add a key by simply typ We quit with ``q``. Afterwards we need to answer the same questions as before. Finally, we have a ready-to-go key set which we can import to our device. -.. code-block:: bash +:: RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) @@ -209,7 +213,7 @@ You have a main key and two subkeys which can be imported to your Nitrokey. Befo We start the process by accessing the interactive interface of GnuPG again with ``gpg --edit-key --expert keyID``, whereas ``keyID`` is either the id of the key or the email address used during key generation. -.. code-block:: bash +:: > gpg --edit-key --expert jane@example.com gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc. @@ -245,7 +249,7 @@ We start the process by accessing the interactive interface of GnuPG again with We just imported the main key to the card. Now we proceed with the two subkeys. We type ``key 1`` to select the encryption subkey and type in ``keytocard`` again and select the slot to use. -.. code-block:: bash +:: gpg> key 1 @@ -274,7 +278,7 @@ We just imported the main key to the card. Now we proceed with the two subkeys. Now we deselect the first key with ``key 1`` and select the second subkey with ``key 2`` and move it as well with ``keytocard``. Afterwards we quit and save the changes. -.. code-block:: bash +:: gpg> key 1 diff --git a/pro/openpgp-keygen-gpa.rst.inc b/nitrokeys/features/openpgp-card/openpgp-keygen-gpa.rst similarity index 92% rename from pro/openpgp-keygen-gpa.rst.inc rename to nitrokeys/features/openpgp-card/openpgp-keygen-gpa.rst index 04a2b828c3..4c7a3b382a 100644 --- a/pro/openpgp-keygen-gpa.rst.inc +++ b/nitrokeys/features/openpgp-card/openpgp-keygen-gpa.rst @@ -1,6 +1,10 @@ OpenPGP Key Generation Using GPA ================================ +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: The following instructions explain the generation of OpenPGP keys directly on the Nitrokey with help of the GNU Privacy Assistant (GPA). You won’t be able to create a backup of these keys. Thus, if you lose the Nitrokey or it breaks you can not decrypt mails or use these keys anymore. Please see `here `_ for a comparison of the different methods to generate OpenPGP keys. @@ -12,14 +16,14 @@ Key Generation At first, open the GNU Privacy Assistant (GPA). You may are asked to generate a key, you can skip this step for now by clicking “Do it later”. In the main window, please click on “Card” or “Card Manager”. -.. figure:: /pro/images/openpgp-keygen-gpa/1.png +.. figure:: images/gpa-keygen/1.png :alt: img1 Another windows opens. Please go to “Card” -> “Generate key” to start the key generation process. -.. figure:: /pro/images/openpgp-keygen-gpa/2.png +.. figure:: images/gpa-keygen/2.png :alt: img2 @@ -28,21 +32,21 @@ Now you can put in your name and the email address you want to use for the key t **Please do not use the backup checkbox**. This “backup” does only save the encryption key. In case of a loss of the device, you will not be able to restore the whole key set. So on the one hand it is no full backup (use `these instructions `_ instead, if you need one) and on the other hand you risk that someone else can get in possession of your encryption key. The advantage of generating keys on-device is to make sure that keys are stored securely. Therefore, we recommend to skip this half-backup. -.. figure:: /pro/images/openpgp-keygen-gpa/3.png +.. figure:: images/gpa-keygen/3.png :alt: img3 You will be asked for the admin PIN (default: 12345678) and the user PIN (default: 123456). When the key generation is finished, you can see the fingerprints of the keys on the bottom of the window. You may fill up the fields shown above, which are saved on your Nitrokey as well. -.. figure:: /pro/images/openpgp-keygen-gpa/4.png +.. figure:: images/gpa-keygen/4.png :alt: img4 Now you can close the window and go back to the main window. Your key will be visible in the key manager after refreshing. Every application which makes use of GnuPG will work with your Nitrokey as well, because GnuPG is fully aware of the fact, that the keys are stored on your Nitrokey. -.. figure:: /pro/images/openpgp-keygen-gpa/5.png +.. figure:: images/gpa-keygen/5.png :alt: img5 @@ -52,7 +56,7 @@ Exporting Public Key and Keyserver Usage Although you can start to use your Nitrokey right away after generating the keys on your system, you need to import your public key on every system, you want to use the Nitrokey on. So to be prepared you have two options: You either save the public key anywhere you like and use it on another system or you save the public key on a webpage/keyserver. -.. figure:: /pro/images/openpgp-keygen-gpa/6.png +.. figure:: images/gpa-keygen/6.png :alt: img6 @@ -66,6 +70,6 @@ If you do not want to carry a public keyfile with you, you can upload it to keys Another possibility is to change the URL setting on your card. Open the card manager again and fill in the URL where the key is situated (e.g. on the keyserver or on your webpage etc.). From now on you can import the key on another system by right-clicking on the URL and click on “Fetch Key”. -.. figure:: /pro/images/openpgp-keygen-gpa/7.png +.. figure:: images/gpa-keygen/7.png :alt: img7 diff --git a/pro/openpgp-keygen-on-device.rst.inc b/nitrokeys/features/openpgp-card/openpgp-keygen-on-device.rst similarity index 98% rename from pro/openpgp-keygen-on-device.rst.inc rename to nitrokeys/features/openpgp-card/openpgp-keygen-on-device.rst index 3012967dae..b44bf2940c 100644 --- a/pro/openpgp-keygen-on-device.rst.inc +++ b/nitrokeys/features/openpgp-card/openpgp-keygen-on-device.rst @@ -1,6 +1,10 @@ OpenPGP Key Generation On-Device ================================ +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: The following instructions explain the generation of OpenPGP keys directly on the Nitrokey. This is done by using the command line interface of GnuPG. Thus, you need to have GnuPG installed on your system. The newest GnuPG version for Windows can be found `here `__ and the newest version for MacOS can be found `here `__. Users of Linux systems please install GnuPG with help of the package manager. @@ -10,7 +14,7 @@ The following instructions explain the generation of OpenPGP keys directly on th These instructions are based on GnuPG version 2.2.6 or higher. Some Linux Distributions have an older version installed. In this case please choose a different method as listed - `here `_ + `here `_ or install a newer version if possible. Key Generation @@ -22,7 +26,7 @@ Open a command line and type ``gpg2 --card-edit``. To open the Windows command line please push the Windows-key and R-key. Now type ‘cmd.exe’ in the text field and hit enter. To open a Terminal on macOS or GNU/Linux please use the application search (e.g. spotlight on macOS). -.. code-block:: bash +:: > gpg2 --card-edit @@ -50,7 +54,7 @@ To open the Windows command line please push the Windows-key and R-key. Now type Now you are in the interactive interface of GnuPG. Activate the admin commands with ``admin`` and use ``generate`` afterwards to start the generation of keys. -.. code-block:: bash +:: gpg/card> admin Admin commands are allowed @@ -102,7 +106,7 @@ This section is about changing the key attributes. If you want to use the defaul Open a command line and type ``gpg2 --card-edit --expert``. -.. code-block:: bash +:: > gpg2 --card-edit --expert @@ -129,7 +133,7 @@ Open a command line and type ``gpg2 --card-edit --expert``. Now you are in the interactive interface of GnuPG. As you can see in the “Key attributes” field above, the default value rsa2048 is set. To change them, activate the admin commands with ``admin`` and use ``key-attr`` afterwards to change the attributes of the keys. -.. code-block:: bash +:: gpg/card> admin Admin commands are allowed @@ -159,7 +163,7 @@ Now you are in the interactive interface of GnuPG. As you can see in the You can choose the attribute for each key (that is, signature, encryption and authentication key). Most people will use the same attributes for every key. Type ``list`` to see the results (have look at the “Key attributes” field, which now reads rsa4096). -.. code-block:: bash +.. code-block:: gpg/card> list diff --git a/pro/openpgp-outlook.rst.inc b/nitrokeys/features/openpgp-card/openpgp-outlook.rst similarity index 84% rename from pro/openpgp-outlook.rst.inc rename to nitrokeys/features/openpgp-card/openpgp-outlook.rst index 2b53d3239f..9fb5e72b20 100644 --- a/pro/openpgp-outlook.rst.inc +++ b/nitrokeys/features/openpgp-card/openpgp-outlook.rst @@ -1,6 +1,10 @@ OpenPGP Email Encryption with Outlook ===================================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: .. note:: @@ -15,7 +19,7 @@ If you do not have PGP-Keys on your Nitrokey yet, please look at `this page `__. You need to make sure to have “GpgOL” checked during installation process (see below). -.. figure:: /pro/windows/images/openpgp-outlook/1.png +.. figure:: images/outlook/1.png :alt: img1 @@ -25,21 +29,21 @@ Usage After installing GPG4Win along with GpgOL, you will see a new icon labeled “Secure” in the composing window. To encrypt and sign a mail you just click on the sign like seen below. -.. figure:: /pro/windows/images/openpgp-outlook/2.png +.. figure:: images/outlook/2.png :alt: img2 GnuPG will start signing and encrypting the mail as soon as you click on ‘send’. You are requested to choose the identity you want to sign with and encrypt for. -.. figure:: /pro/windows/images/openpgp-outlook/3.png +.. figure:: images/outlook/3.png :alt: img3 Furthermore, you are asked for typing in the User PIN of the Nitrokey for signing the mail. -.. figure:: /pro/windows/images/openpgp-outlook/4.png +.. figure:: images/outlook/4.png :alt: img4 diff --git a/pro/openpgp-thunderbird.rst.inc b/nitrokeys/features/openpgp-card/openpgp-thunderbird.rst similarity index 72% rename from pro/openpgp-thunderbird.rst.inc rename to nitrokeys/features/openpgp-card/openpgp-thunderbird.rst index a0bf2846df..40adce8072 100644 --- a/pro/openpgp-thunderbird.rst.inc +++ b/nitrokeys/features/openpgp-card/openpgp-thunderbird.rst @@ -1,6 +1,10 @@ OpenPGP Email Encryption With Thunderbird ========================================= +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: Thunderbird 78.3 and newer @@ -55,15 +59,15 @@ Procedure 3. In Thunderbird, select as shown in the following picture. “OpenPGP” → “Manage smart card” -.. figure:: /pro/images/openpgp-thunderbird/1.png - :alt: img1 + .. figure:: images/thunderbird/1.png + :alt: img1 4. In the “SmartCard Details” window, select “SmartCard → Change PIN” -.. figure:: /pro/images/openpgp-thunderbird/2.png - :alt: img2 + .. figure:: images/thunderbird/2.png + :alt: img2 @@ -73,15 +77,15 @@ Procedure () [] {}% +. The PIN should be at least 6 characters long. Click “OK”. -.. figure:: /pro/images/openpgp-thunderbird/3.png - :alt: img3 + .. figure:: images/thunderbird/3.png + :alt: img3 6. Repeat the procedure for the Admin PIN. “SmartCard → Change PIN” -.. figure:: /pro/images/openpgp-thunderbird/4.png - :alt: img4 + .. figure:: images/thunderbird/4.png + :alt: img4 @@ -91,8 +95,8 @@ Procedure .;;:- !? () [] {}% +. The PIN should be at least 8 characters long. Click “OK”. -.. figure:: /pro/images/openpgp-thunderbird/5.png - :alt: img5 + .. figure:: images/thunderbird/5.png + :alt: img5 @@ -118,16 +122,16 @@ To encrypt data and e-mails, a key pair consisting of a public key and a private “User ID” is correct. You can also specify whether a private key backup copy should be stored on your computer. -.. figure:: /pro/images/openpgp-thunderbird/6.png - :alt: img6 + .. figure:: images/thunderbird/6.png + :alt: img6 5. If you do not create a backup copy, you have no chance to get your encrypted data if the Nitrokey is lost or damaged! -.. figure:: /pro/images/openpgp-thunderbird/7.png - :alt: img7 + .. figure:: images/thunderbird/7.png + :alt: img7 @@ -139,39 +143,39 @@ To encrypt data and e-mails, a key pair consisting of a public key and a private avoid known prose or lyric. Also, no name or known term should be used. -**Allowed characters**: a-z A-Z 0-9 /.,;:-!?( )%+ (no umlauts ä,ü,ö,Ä,Ü,Ö or ß) + **Allowed characters**: a-z A-Z 0-9 /.,;:-!?( )%+ (no umlauts ä,ü,ö,Ä,Ü,Ö or ß) -**Poor Passwords**: qwerty123, ILoveSusi3, Password, If you can dream it, you can do it. + **Poor Passwords**: qwerty123, ILoveSusi3, Password, If you can dream it, you can do it. -**Strong Passwords**: g(Ak?2Pn7Yn or Ki.stg2bLqzp%d or A dog with greeen Earz and fife legs (spelling errors increase security) + **Strong Passwords**: g(Ak?2Pn7Yn or Ki.stg2bLqzp%d or A dog with greeen Earz and fife legs (spelling errors increase security) -You do **not** need this password for daily work. It is only necessary for the restoration of the secret key, e.g. if you have lost the Nitrokey. Therefore, keep the password in a safe place. + You do **not** need this password for daily work. It is only necessary for the restoration of the secret key, e.g. if you have lost the Nitrokey. Therefore, keep the password in a safe place. -You can also specify whether and when the key should be automatically invalid. This means, from this point onwards, no more e-mails can be encrypted with this key and you have to create a new key pair. + You can also specify whether and when the key should be automatically invalid. This means, from this point onwards, no more e-mails can be encrypted with this key and you have to create a new key pair. 1. Finally, click on “Generate key pair”. -.. figure:: /pro/images/openpgp-thunderbird/8.png - :alt: img8 + .. figure:: images/thunderbird/8.png + :alt: img8 2. You are now asked if the key should be generated. Confirm with “Yes”. -.. figure:: /pro/images/openpgp-thunderbird/9.png - :alt: img9 + .. figure:: images/thunderbird/9.png + :alt: img9 3. In order for the program to write your keys to the stick, you must enter the admin PIN and the user PIN (changed above). -.. figure:: /pro/images/openpgp-thunderbird/10.png - :alt: img10 + .. figure:: images/thunderbird/10.png + :alt: img10 -The key generation can take a few minutes. Do not terminate the program prematurely! + The key generation can take a few minutes. Do not terminate the program prematurely! 4. When the key generation is complete, you receive the following message. A certificate is now created that allows you to invalidate @@ -180,34 +184,41 @@ The key generation can take a few minutes. Do not terminate the program prematur least one other external medium so that you can revoke the validity of the keys if your keys and backups are lost. Click “Yes” -You can now select the directory in which the backup copy is stored. This copy is encrypted with your password entered above. This means that no one can read or use the keys without your password. Do not give your password to anyone. This file with the name of your e-mail address and the suffix “.asc” should be backed up on another medium. After selecting the directory, click “Save”. + You can now select the directory in which the backup copy is stored. This copy is encrypted with your password entered above. This means that no one can read or use the keys without your password. Do not give your password to anyone. This file with the name of your e-mail address and the suffix “.asc” should be backed up on another medium. After selecting the directory, click “Save”. -.. figure:: /pro/images/openpgp-thunderbird/11.png - :alt: img11 + .. figure:: images/thunderbird/11.png + :alt: img11 5. Here you must again specify your user PIN or passphrase. Then click “OK” -.. figure:: /pro/images/openpgp-thunderbird/12.png - :alt: img12 + .. figure:: images/thunderbird/12.png + :alt: img12 + + + +6. Repeat the procedure for the Admin PIN. “SmartCard → Change PIN” + + .. figure:: images/thunderbird/4.png + :alt: img4 7. You will now see the message that the certificate was created and saved. Click “OK” -.. figure:: /pro/images/openpgp-thunderbird/13.png - :alt: img13 + .. figure:: images/thunderbird/13.png + :alt: img13 8. Key generation is now complete. You can now exit the program (File - Close). -.. figure:: /pro/images/openpgp-thunderbird/14.png - :alt: img14 + .. figure:: images/thunderbird/14.png + :alt: img14 diff --git a/pro/linux/openvpn-easyrsa.rst b/nitrokeys/features/openpgp-card/openvpn/easyrsa.rst similarity index 74% rename from pro/linux/openvpn-easyrsa.rst rename to nitrokeys/features/openpgp-card/openvpn/easyrsa.rst index c43491fc62..f5fe0c04b0 100644 --- a/pro/linux/openvpn-easyrsa.rst +++ b/nitrokeys/features/openpgp-card/openvpn/easyrsa.rst @@ -1,6 +1,10 @@ OpenVPN Configuration with Easy-RSA =================================== +.. include:: ../index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: :depth: 2 @@ -75,18 +79,18 @@ Server side 3. Close after saving it, and enter this command - .. code-block:: bash + .. code-block:: bash - $ sysctl -p + $ sysctl -p - Once IP forwarding is done, we will need to download the latest release of OpenvPN for our Debian 10 server, according to `these instructions `__: + Once IP forwarding is done, we will need to download the latest release of OpenvPN for our Debian 10 server, according to `these instructions `__: 4. Change to root and download the GPG key that signed the package - .. code-block:: bash + .. code-block:: bash - $ sudo -s - # wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add - + $ sudo -s + # wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add - 5. Add the URL of the adequate OpenVPN packages to the ``sources.list`` file @@ -119,14 +123,14 @@ Server side 2. Install Easy-RSA ^^^^^^^^^^^^^^^^^^^ -To build the PKI, we will download the latest version of Easy-RSA on the server and client machines. To get the latest release, go to the `Releases page on the official EasyRSA GitHub project `__, copy the download link for the file ending in ``.tgz``, and then paste it into the following command: + To build the PKI, we will download the latest version of Easy-RSA on the server and client machines. To get the latest release, go to the `Releases page on the official EasyRSA GitHub project `__, copy the download link for the file ending in ``.tgz``, and then paste it into the following command: 1. Download the latest release .. code-block:: bash $ cd ~ - wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz + $ wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz 2. Extract the tarball @@ -139,92 +143,92 @@ To build the PKI, we will download the latest version of Easy-RSA on the server 3. Create a PKI for OpenVPN server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Before you can create your OpenVPN server’s private key and certificate, you need to create a local Public Key Infrastructure directory on your OpenVPN server. You will use this directory to manage the server and clients’ certificate requests, instead of making them directly on your CA server. + Before you can create your OpenVPN server’s private key and certificate, you need to create a local Public Key Infrastructure directory on your OpenVPN server. You will use this directory to manage the server and clients’ certificate requests, instead of making them directly on your CA server. -To build a PKI directory on your OpenVPN server, you’ll need to populate a file called ``vars`` with some default values. + To build a PKI directory on your OpenVPN server, you’ll need to populate a file called ``vars`` with some default values. - 1. Create a ``vars`` file + 1. Create a ``vars`` file - .. code-block:: bash + .. code-block:: bash - $ touch ~/easyrsa/vars - $ cd easyrsa/ - $ editor vars + $ touch ~/easyrsa/vars + $ cd easyrsa/ + $ editor vars - 2. Once the file is opened, paste in the following two lines + 2. Once the file is opened, paste in the following two lines - .. code-block:: bash + .. code-block:: bash - set_var EASYRSA_ALGO "ec" - set_var EASYRSA_DIGEST "sha512" + set_var EASYRSA_ALGO "ec" + set_var EASYRSA_DIGEST "sha512" - These are the only two lines that you need in this ``vars`` file on your OpenVPN server since it will not be used as a Certificate Authority. They will ensure that your private keys and certificate requests are configured to use Elliptic Curve Cryptography (ECC) to generate keys, and secure signatures for your clients and OpenVPN server. + These are the only two lines that you need in this ``vars`` file on your OpenVPN server since it will not be used as a Certificate Authority. They will ensure that your private keys and certificate requests are configured to use Elliptic Curve Cryptography (ECC) to generate keys, and secure signatures for your clients and OpenVPN server. - In regards to the choice of the cryptographic algorithms, I follow the model in `this tutorial `__, and you can customize these according to your specific needs. + In regards to the choice of the cryptographic algorithms, I follow the model in `this tutorial `__, and you can customize these according to your specific needs. - 3. Initialize the PKI + 3. Initialize the PKI - Once you have populated the ``vars`` file you can proceed with creating the PKI directory. To do so, run the easyrsa script with the init-pki option: + Once you have populated the ``vars`` file you can proceed with creating the PKI directory. To do so, run the easyrsa script with the init-pki option: - .. code-block:: bash + .. code-block:: bash - $ ./easyrsa init-pki + $ ./easyrsa init-pki - After you’ve initialized your PKI on the OpenVPN server, you are ready to move on to the next step, which is creating an OpenVPN server certificate request and private key. + After you’ve initialized your PKI on the OpenVPN server, you are ready to move on to the next step, which is creating an OpenVPN server certificate request and private key. 4. Create ``server.req`` and ``server.key`` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - Now that your OpenVPN server has all the prerequisites installed, the next step is to generate a key pair composed of a private key (to keep secret), and a Certificate Signing Request (``.csr``) on your OpenVPN server. + Now that your OpenVPN server has all the prerequisites installed, the next step is to generate a key pair composed of a private key (to keep secret), and a Certificate Signing Request (``.csr``) on your OpenVPN server. - In general terms, on systems where we generate a key and request, these files are left unencrypted by using the ``nopass`` argument, since servers usually need to start up without any password input. This generates an *unencrypted key*, so mind *protect its access and file permissions* carefully. + In general terms, on systems where we generate a key and request, these files are left unencrypted by using the ``nopass`` argument, since servers usually need to start up without any password input. This generates an *unencrypted key*, so mind *protect its access and file permissions* carefully. - .. tip:: + .. tip:: - Configuration notes from OpenVPN: + Configuration notes from OpenVPN: - 1. The server, and each client, must have their own cert and key - file. The server and all clients will use the same CA file. - 2. Server certificate should have the following: + 1. The server, and each client, must have their own cert and key + file. The server and all clients will use the same CA file. + 2. Server certificate should have the following: - - ``keyUsage: digitalSignature, keyEncipherment`` + - ``keyUsage: digitalSignature, keyEncipherment`` - - ``extendedKeyUsage: serverAuth`` + - ``extendedKeyUsage: serverAuth`` - 1. Create the signing request for the server + 1. Create the signing request for the server - Navigate to the ``~/easyrsa`` directory on your OpenVPN Server as your non-root user, and enter the following commands: + Navigate to the ``~/easyrsa`` directory on your OpenVPN Server as your non-root user, and enter the following commands: - .. code-block:: bash + .. code-block:: bash - $ cd easyrsa/ - $ ./easyrsa gen-req server nopass + $ cd easyrsa/ + $ ./easyrsa gen-req server nopass - This will create a private key for the server and a certificate request file called ``server.req``. + This will create a private key for the server and a certificate request file called ``server.req``. - Once you have a signed certificate, you’ll transfer it back to the OpenVPN server. + Once you have a signed certificate, you’ll transfer it back to the OpenVPN server. - 2. Copy the key to the OpenVPN server directory + 2. Copy the key to the OpenVPN server directory - .. code-block:: bash + .. code-block:: bash - $ sudo cp /home/admin/EasyRSA/pki/private/server.key /etc/openvpn/server/ + $ sudo cp /home/admin/EasyRSA/pki/private/server.key /etc/openvpn/server/ - After completing these steps, you have successfully created a private key for your OpenVPN server. You have also generated a Certificate Signing Request for the OpenVPN server. + After completing these steps, you have successfully created a private key for your OpenVPN server. You have also generated a Certificate Signing Request for the OpenVPN server. - .. tip:: + .. tip:: - File extensions for certificate signing requests + File extensions for certificate signing requests - The file extension that is adopted by the CA and HSM tutorial - indicates the creation of a ``.csr`` file, however Easy-RSA creates - certificate signing requests with a ``.req`` extension. + The file extension that is adopted by the CA and HSM tutorial + indicates the creation of a ``.csr`` file, however Easy-RSA creates + certificate signing requests with a ``.req`` extension. - We will use interchangeably both extensions, while making sure that - we transfer the right files to the Certificate Authority, and - generate a final certificate with a ``.crt`` extension. + We will use interchangeably both extensions, while making sure that + we transfer the right files to the Certificate Authority, and + generate a final certificate with a ``.crt`` extension. - In the next section of this guide, we will sign a ``.req`` file with our CA on deployed on the HSM 2 device. For this purpose, I will use a dedicated machine to sign the requests. + In the next section of this guide, we will sign a ``.req`` file with our CA on deployed on the HSM 2 device. For this purpose, I will use a dedicated machine to sign the requests. 5. Sign and retrieve ``server.crt`` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -413,19 +417,19 @@ Client side configuration 3. Create a ``client.req`` and ``client.key`` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - In the same manner we issued the key pair on the sever, we generate a key pair for the client which will be composed of the ``client.req`` - file and the ``client.key`` file. The latter must be kept secret on the client machine. + In the same manner we issued the key pair on the sever, we generate a key pair for the client which will be composed of the ``client.req`` + file and the ``client.key`` file. The latter must be kept secret on the client machine. 4. Sign ``client.req`` and issue the ``client.crt`` file ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - To transfer the ``client.req`` file to the CA machine, we will use the same method as we did for the ``server.req`` file. + To transfer the ``client.req`` file to the CA machine, we will use the same method as we did for the ``server.req`` file. - Once transferred, on the CA machine we sign the certificate signing request file with this command + Once transferred, on the CA machine we sign the certificate signing request file with this command - .. code-block:: bash + .. code-block:: bash - $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in client.req -out /home/user/pki/issued/client.crt + $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in client.req -out /home/user/pki/issued/client.crt 5. Import ``client.crt`` on the Nitrokey from the CA machine ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -562,50 +566,74 @@ Client side configuration 3. Configure the OpenVPN client - The final configuration file ``client.conf`` should look like this one: + The final configuration file ``client.conf`` should look like this one: - .. code-block:: bash + .. code-block:: bash - client - dev tun - proto udp - remote 1194 - resolv-retry infinite - nobind - user nobody - group nobody - persist-key - persist-tun - ca ca.crt - remote-cert-tls server - cipher AES-256-CBC - verb 3 - redirect-gateway def1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - - # nitrokey login + client + dev tun + proto udp + remote 1194 + resolv-retry infinite + nobind + user nobody + group nobody + persist-key + persist-tun + ca ca.crt + remote-cert-tls server + cipher AES-256-CBC + verb 3 + redirect-gateway def1 + tls-version-min 1.2 # Lower boundary for TLS version + tls-version-max 1.2 # Higher boundary for TLS version + + # nitrokey login + + pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + # pkcs11-pin-cache 300 + # daemon + # auth-retry nointeract + # management-hold + # management-signal + # management 127.0.0.1 8888 + # management-query-passwords + pkcs11-cert-private 1 # Prompt for PIN + + # OR + + # non_nitrokey login + + # cert client.crt + # key client.key + # tls-auth ta.key 1 + + + 4. Configure OpenVPN (Windows only) + + In order to establish a handshake, you must configure OpenSSL included in OpenVPN. + + Create the directory ``ssl`` in ``C:\Program Files\OpenVPN`` and create file ``openssl.cnf`` with the following content : + + openssl_conf = default_conf + + [ default_conf ] + ssl_conf = ssl_sect + + [ ssl_sect ] + system_default = ssl_default_sect + + [ ssl_default_sect ] + SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512:RSA+SHA384:ECDSA+SHA384:RSA+SHA256:ECDSA+SHA256 + MaxProtocol = TLSv1.2 + MinProtocol = TLSv1.2 - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - # pkcs11-pin-cache 300 - # daemon - # auth-retry nointeract - # management-hold - # management-signal - # management 127.0.0.1 8888 - # management-query-passwords - pkcs11-cert-private 1 # Prompt for PIN - - # OR - # non_nitrokey login + With this modification, you will not have error as reported `here `__, `here `__ and `here `__ - # cert client.crt - # key client.key - # tls-auth ta.key 1 - 4. Known issues + 5. Known issues There are some known issues related to OpenVPN login with OpenSC. Please consult these issues `here `__. @@ -641,7 +669,7 @@ Client side configuration .. warning:: - Unfortunately OpenVPN doesn’t seem to be able to establish a handshake and stops at an error as reported `here `__, `here `__ and `here `__ + Unfortunately OpenVPN doesn’t seem to be able to establish a handshake on some operating systems and stops at an error as reported `here `__, `here `__ and `here `__ :: diff --git a/pro/windows/images/openvpn-viscosity/viscosity-1.jpg b/nitrokeys/features/openpgp-card/openvpn/images/viscosity/viscosity-1.jpg similarity index 100% rename from pro/windows/images/openvpn-viscosity/viscosity-1.jpg rename to nitrokeys/features/openpgp-card/openvpn/images/viscosity/viscosity-1.jpg diff --git a/pro/windows/images/openvpn-viscosity/viscosity-2.jpg b/nitrokeys/features/openpgp-card/openvpn/images/viscosity/viscosity-2.jpg similarity index 100% rename from pro/windows/images/openvpn-viscosity/viscosity-2.jpg rename to nitrokeys/features/openpgp-card/openvpn/images/viscosity/viscosity-2.jpg diff --git a/pro/windows/images/openvpn-viscosity/viscosity-3.jpg b/nitrokeys/features/openpgp-card/openvpn/images/viscosity/viscosity-3.jpg similarity index 100% rename from pro/windows/images/openvpn-viscosity/viscosity-3.jpg rename to nitrokeys/features/openpgp-card/openvpn/images/viscosity/viscosity-3.jpg diff --git a/pro/windows/images/openvpn-viscosity/viscosity-4.jpg b/nitrokeys/features/openpgp-card/openvpn/images/viscosity/viscosity-4.jpg similarity index 100% rename from pro/windows/images/openvpn-viscosity/viscosity-4.jpg rename to nitrokeys/features/openpgp-card/openvpn/images/viscosity/viscosity-4.jpg diff --git a/nitrokeys/features/openpgp-card/openvpn/index.rst b/nitrokeys/features/openpgp-card/openvpn/index.rst new file mode 100644 index 0000000000..2ebab4e8ee --- /dev/null +++ b/nitrokeys/features/openpgp-card/openvpn/index.rst @@ -0,0 +1,12 @@ +OpenVPN +======= + +.. include:: ../index.rst + :start-after: products-begin + :end-before: products-end + +.. toctree:: + :maxdepth: 1 + + EasyRSA + Viscosity \ No newline at end of file diff --git a/pro/windows/openvpn-viscosity.rst b/nitrokeys/features/openpgp-card/openvpn/viscosity.rst similarity index 93% rename from pro/windows/openvpn-viscosity.rst rename to nitrokeys/features/openpgp-card/openvpn/viscosity.rst index 62bddd0fb8..e7e92bee65 100644 --- a/pro/windows/openvpn-viscosity.rst +++ b/nitrokeys/features/openpgp-card/openvpn/viscosity.rst @@ -5,6 +5,10 @@ Viscosity Client Configuration with OpenVPN =========================================== +.. include:: ../index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: This guide will show to configure `Viscosity client `__ to connect to an OpenVPN instance, using a `Nitrokey Pro @@ -39,13 +43,13 @@ Usage 1. Start Viscosity and create a new connection “openVPN” (you can name it as you wish) - .. figure:: ./images/openvpn-viscosity/viscosity-1.jpg + .. figure:: images/viscosity/viscosity-1.jpg :alt: img1 :scale: 75 2. Right click on the connection and click edit - .. figure:: ./images/openvpn-viscosity/viscosity-2.jpg + .. figure:: images/viscosity/viscosity-2.jpg :alt: img2 :scale: 75 @@ -59,7 +63,7 @@ Usage Optional: Select the ``ta.key`` in the ``TLS-Auth`` section - .. figure:: ./images/openvpn-viscosity/viscosity-3.jpg + .. figure:: images/viscosity/viscosity-3.jpg :alt: img3 :scale: 75 @@ -74,7 +78,7 @@ Usage 7. Choose a retrieval method from the Retrieval drop down menu - .. figure:: ./images/openvpn-viscosity/viscosity-4.jpg + .. figure:: images/viscosity/viscosity-4.jpg :alt: img4 - If only one Nitrokey will ever be used on this computer, select diff --git a/shared/openpgp.rst.inc b/nitrokeys/features/openpgp-card/overview.rst similarity index 69% rename from shared/openpgp.rst.inc rename to nitrokeys/features/openpgp-card/overview.rst index 91f1d4d60e..e962caf9a3 100644 --- a/shared/openpgp.rst.inc +++ b/nitrokeys/features/openpgp-card/overview.rst @@ -1,10 +1,17 @@ +OpenPGP Email Encryption +======================== + +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + There are two widely used standards for email encryption. - OpenPGP/GnuPG is popular among individuals, - S/MIME/X.509 is mostly used by enterprises. -If you are in doubt which one to choose, you should use OpenPGP. While this page describes the usage of OpenPGP, S/MIME is described `here `_. +If you are in doubt which one to choose, you should use OpenPGP. While this page describes the usage of OpenPGP, S/MIME is described `here `_. Please familiarize yourself with the general concept behind the OpenPGP standard first, for example by reading `this info graphic `__ of the Free Software Foundation. @@ -43,18 +50,38 @@ Usage You can find further information about the usage on these pages: -- to use `OpenPGP encryption with - Thunderbird `_ -- to use `OpenPGP encryption with - Outlook `_ +.. toctree:: + :maxdepth: 1 + + OpenPGP encryption with Thunderbird + + OpenPGP encryption with Outlook + + OpenPGP Touch Confirmation (Nitrokey 3 only) + + OpenVPN + + Claws Mail, an email client (and news reader) for Linux and Windows + + Evolution, an email client for the Gnome Desktop on Linux systems + + GPGTools on macOS + + Desktop Login + + SSH + + IPSec + + Hard Disk Encryption + + Stunnel + + Gnu Privacy Assistant (GPA) -- to use `Claws - Mail `__, an email - client (and news reader) for Linux and Windows + EID -- to use - `Evolution `__, - an email client for the Gnome Desktop on Linux systems + Certificate-authority -- to use `GPGTools `__ on macOS. + GnuPG with Fedora \ No newline at end of file diff --git a/pro/images/smime-outlook/1.png b/nitrokeys/features/openpgp-card/smime/images/smime-outlook/1.png similarity index 100% rename from pro/images/smime-outlook/1.png rename to nitrokeys/features/openpgp-card/smime/images/smime-outlook/1.png diff --git a/pro/images/smime-outlook/2.png b/nitrokeys/features/openpgp-card/smime/images/smime-outlook/2.png similarity index 100% rename from pro/images/smime-outlook/2.png rename to nitrokeys/features/openpgp-card/smime/images/smime-outlook/2.png diff --git a/pro/images/smime-outlook/3.png b/nitrokeys/features/openpgp-card/smime/images/smime-outlook/3.png similarity index 100% rename from pro/images/smime-outlook/3.png rename to nitrokeys/features/openpgp-card/smime/images/smime-outlook/3.png diff --git a/pro/images/smime-thunderbird/1.png b/nitrokeys/features/openpgp-card/smime/images/smime-thunderbird/1.png similarity index 100% rename from pro/images/smime-thunderbird/1.png rename to nitrokeys/features/openpgp-card/smime/images/smime-thunderbird/1.png diff --git a/pro/images/smime-thunderbird/2.png b/nitrokeys/features/openpgp-card/smime/images/smime-thunderbird/2.png similarity index 100% rename from pro/images/smime-thunderbird/2.png rename to nitrokeys/features/openpgp-card/smime/images/smime-thunderbird/2.png diff --git a/pro/images/smime-thunderbird/3.png b/nitrokeys/features/openpgp-card/smime/images/smime-thunderbird/3.png similarity index 100% rename from pro/images/smime-thunderbird/3.png rename to nitrokeys/features/openpgp-card/smime/images/smime-thunderbird/3.png diff --git a/pro/images/smime-thunderbird/4.png b/nitrokeys/features/openpgp-card/smime/images/smime-thunderbird/4.png similarity index 100% rename from pro/images/smime-thunderbird/4.png rename to nitrokeys/features/openpgp-card/smime/images/smime-thunderbird/4.png diff --git a/pro/images/smime/1.png b/nitrokeys/features/openpgp-card/smime/images/smime/1.png similarity index 100% rename from pro/images/smime/1.png rename to nitrokeys/features/openpgp-card/smime/images/smime/1.png diff --git a/pro/smime.rst.inc b/nitrokeys/features/openpgp-card/smime/index.rst similarity index 65% rename from pro/smime.rst.inc rename to nitrokeys/features/openpgp-card/smime/index.rst index 405d4c06e8..122582d251 100644 --- a/pro/smime.rst.inc +++ b/nitrokeys/features/openpgp-card/smime/index.rst @@ -1,6 +1,31 @@ S/MIME Email Encryption ======================= +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ✓ + - ⨯ + - ⨯ + - ⨯ + - ✓ + - ✓ + - ✓ + - ✓ +.. section products-end + .. contents:: :local: Prerequisites @@ -12,10 +37,15 @@ There are two widely used standards for email encryption. - S/MIME/X.509 is mostly used by enterprises. -If you are in doubt which one to choose, you should use OpenPGP, see `here `_. This page describes the usage of S/MIME email encryption. +If you are in doubt which one to choose, you should use OpenPGP, see `here <../openpgp/index.html>`_ (not applicable for the Nitrokey HSM 2, the Nitrokey HSM 2 currently supports the S/MIME/X.509 standard though, therefore the rest of the guide is applicable for the HSM 2 and other Nitrokeys). This page describes the usage of S/MIME email encryption. You need to purchase a S/MIME certificate (e.g. at `CERTUM `__) or may already got one by your company. Furthermore, you need to install `OpenSC `__ on your System. While GNU/Linux users usually can install OpenSC over the package manager (e.g. ``sudo apt install opensc`` on Ubuntu), macOS and Windows users can download the installation files from the `OpenSC `__ page. +.. note:: + + Windows users with 64-bit system (standard) need to install both, the 32-bit and the 64-bit version of OpenSC! + + Import Existing Key and Certificate ----------------------------------- @@ -41,7 +71,7 @@ and on macOS and GNU/Linux it will be The two commands copy the key-certificate pair to the slot 2 (needed for decrypting emails) and slot 3 (needed for signing). The output looks on both systems something like this: -.. figure:: /pro/images/smime/1.png +.. figure:: images/smime/1.png :alt: img1 @@ -53,12 +83,11 @@ Usage You can find further information about the usage on these pages: -- for using `S/MIME encryption on - Thunderbird `_ +.. toctree:: + :maxdepth: 1 + + S/MIME encryption on Thunderbird -- for using `S/MIME encryption on - Outlook `_ + S/MIME encryption on Outlook -- for using - `Evolution `__, - an email client for the Gnome Desktop on Linux systems + Evolution, an email client for the Gnome Desktop on Linux systems diff --git a/pro/smime-outlook.rst.inc b/nitrokeys/features/openpgp-card/smime/smime-outlook.rst similarity index 86% rename from pro/smime-outlook.rst.inc rename to nitrokeys/features/openpgp-card/smime/smime-outlook.rst index 23e82e1386..417b8291d9 100644 --- a/pro/smime-outlook.rst.inc +++ b/nitrokeys/features/openpgp-card/smime/smime-outlook.rst @@ -1,12 +1,16 @@ S/MIME Email Encryption with Outlook ==================================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: Prerequisites ------------- -If you do not have a S/MIME key-certificate pair installed on your Nitrokey yet, please look at `this page `_ first. +If you do not have a S/MIME key-certificate pair installed on your Nitrokey yet, please look at `this page `_ first. You need to have OpenSC installed on your System. Please have a look at the `wiki page of the OpenSC project `__. @@ -21,12 +25,12 @@ Settings in Outlook Before you can use the Nitrokey in Outlook you have to activate S/MIME encryption. You can achieve this by clicking on to ‘Start’ -> ‘Options’ and clicking on ‘Trust Center’ in the options window. In section ‘Email Security’ you can choose your S/MIME identity. Your certificate should already be recognized by Outlook. -.. figure:: /pro/images/smime-outlook/1.png +.. figure:: images/smime-outlook/1.png :alt: img1 -.. figure:: /pro/images/smime-outlook/2.png +.. figure:: images/smime-outlook/2.png :alt: img2 @@ -35,7 +39,7 @@ Usage When composing a mail you can now choose to encrypt and sign the message in the ‘Options’ ribbon of the compose window. -.. figure:: /pro/images/smime-outlook/3.png +.. figure:: images/smime-outlook/3.png :alt: img3 .. note:: diff --git a/pro/smime-thunderbird.rst.inc b/nitrokeys/features/openpgp-card/smime/smime-thunderbird.rst similarity index 86% rename from pro/smime-thunderbird.rst.inc rename to nitrokeys/features/openpgp-card/smime/smime-thunderbird.rst index b1e3a5ca87..e70c3eaa38 100644 --- a/pro/smime-thunderbird.rst.inc +++ b/nitrokeys/features/openpgp-card/smime/smime-thunderbird.rst @@ -1,12 +1,16 @@ S/MIME Email Encryption with Thunderbird ======================================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: Prerequisites ------------- -If you do not have a S/MIME key-certificate pair installed on your Nitrokey yet or if you did not installed OpenSC, please look at `this page `_ first. +If you do not have a S/MIME key-certificate pair installed on your Nitrokey yet or if you did not installed OpenSC, please look at `this page `_ first. You need to have `OpenSC installed `__ on your System. While GNU/Linux users usually can install OpenSC over the package manager (e.g. ``sudo apt update && sudo apt install opensc`` on Ubuntu), macOS and Windows users can download the installation files from OpenSC directly. @@ -20,21 +24,21 @@ Settings in Thunderbird Before you can use the Nitrokey in Thunderbird you have to activate S/MIME encryption in the account settings. You can achieve this by clicking on the menu and go to ‘Preferences’ -> ‘Account Settings’ and clicking on ‘Security’ in the account settings window. -.. figure:: /pro/images/smime-thunderbird/1.png +.. figure:: images/smime-thunderbird/1.png :alt: img1 Click on “Security Devices” to import the right PCKS11 module. Click on “Load” on the right-hand side. Now give the Module a name (like “OpenSC Module”) and click on “Browse” to choose the location of the Module (see below). -.. figure:: /pro/images/smime-thunderbird/2.png +.. figure:: images/smime-thunderbird/2.png :alt: img2 On Windows the right file lays under “C:\Windows\System32\opensc-pkcs11.dll”. On macOS and GNU/Linux the file should be in “/lib/pkcs11/opensc-pkcs11.so” or “/usr/lib/pkcs11/opensc-pkcs11.so” or alike. Press “OK” twice and you are back in security section of the account settings. Now you can actually choose a certificate on the upper part of the window. You should get asked for a PIN to unlock your Nitrokey. Please type in your User PIN. -.. figure:: /pro/images/smime-thunderbird/3.png +.. figure:: images/smime-thunderbird/3.png :alt: img3 @@ -44,6 +48,6 @@ Usage When composing an email you can now choose to encrypt and sign the message. -.. figure:: /pro/images/smime-thunderbird/4.png +.. figure:: images/smime-thunderbird/4.png :alt: img4 diff --git a/pro/images/putty/1.png b/nitrokeys/features/openpgp-card/ssh/images/putty/1.png similarity index 100% rename from pro/images/putty/1.png rename to nitrokeys/features/openpgp-card/ssh/images/putty/1.png diff --git a/pro/images/putty/2.png b/nitrokeys/features/openpgp-card/ssh/images/putty/2.png similarity index 100% rename from pro/images/putty/2.png rename to nitrokeys/features/openpgp-card/ssh/images/putty/2.png diff --git a/pro/images/putty/3.png b/nitrokeys/features/openpgp-card/ssh/images/putty/3.png similarity index 100% rename from pro/images/putty/3.png rename to nitrokeys/features/openpgp-card/ssh/images/putty/3.png diff --git a/pro/images/putty/4.png b/nitrokeys/features/openpgp-card/ssh/images/putty/4.png similarity index 100% rename from pro/images/putty/4.png rename to nitrokeys/features/openpgp-card/ssh/images/putty/4.png diff --git a/pro/images/putty/5.png b/nitrokeys/features/openpgp-card/ssh/images/putty/5.png similarity index 100% rename from pro/images/putty/5.png rename to nitrokeys/features/openpgp-card/ssh/images/putty/5.png diff --git a/pro/images/putty/6.png b/nitrokeys/features/openpgp-card/ssh/images/putty/6.png similarity index 100% rename from pro/images/putty/6.png rename to nitrokeys/features/openpgp-card/ssh/images/putty/6.png diff --git a/pro/images/putty/7.png b/nitrokeys/features/openpgp-card/ssh/images/putty/7.png similarity index 100% rename from pro/images/putty/7.png rename to nitrokeys/features/openpgp-card/ssh/images/putty/7.png diff --git a/pro/ssh.rst b/nitrokeys/features/openpgp-card/ssh/index.rst similarity index 93% rename from pro/ssh.rst rename to nitrokeys/features/openpgp-card/ssh/index.rst index a8f799377a..327e42e966 100644 --- a/pro/ssh.rst +++ b/nitrokeys/features/openpgp-card/ssh/index.rst @@ -1,4 +1,18 @@ +SSH +=== + +.. include:: ../index.rst + :start-after: products-begin + :end-before: products-end + This guide explains how to prepare your SSH server and client for use with the Nitrokey. +For configuring PuTTY, see this guide: + +.. toctree:: + :maxdepth: 1 + + Putty + The Nitrokey should already have PGP keys installed and the local GnuPG keyring should know the keys. diff --git a/pro/putty.rst.inc b/nitrokeys/features/openpgp-card/ssh/putty.rst similarity index 86% rename from pro/putty.rst.inc rename to nitrokeys/features/openpgp-card/ssh/putty.rst index 54e1ecf07b..7c89381fde 100644 --- a/pro/putty.rst.inc +++ b/nitrokeys/features/openpgp-card/ssh/putty.rst @@ -1,6 +1,10 @@ PuTTY ===== +.. include:: ../index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: This mini-howto assumes that the Nitrokey has been initialized and contains cryptographic keys. @@ -21,35 +25,35 @@ This mini-howto assumes that the Nitrokey has been initialized and contains cryp start pageant.exe. That this is running is shown in the notification area of the taskbar. -.. figure:: /pro/images/putty/1.png +.. figure:: images/putty/1.png :alt: img1 A double click opens the view of the current keys. -.. figure:: /pro/images/putty/2.png +.. figure:: images/putty/2.png :alt: img2 After inserting the key it looks like this. -.. figure:: /pro/images/putty/3.png +.. figure:: images/putty/3.png :alt: img3 If nothing is displayed here, pageant may have to be restarted or another application is already using the stick. A possibly running pgp-agent must be terminated! Now we only need the public key we want to store in the ssh configuration of the server. Therefore we press CTRL while inserting the stick… -.. figure:: /pro/images/putty/4.png +.. figure:: images/putty/4.png :alt: img4 and then view the Pageant-PublicKeys.txt. -.. figure:: /pro/images/putty/5.png +.. figure:: images/putty/5.png :alt: img5 @@ -60,7 +64,7 @@ I searched for the ssh-rsa entry of the auth key and added the line on the serve There is surprisingly little to say about PuTTY itself. -.. figure:: /pro/images/putty/6.png +.. figure:: images/putty/6.png :alt: img6 @@ -73,6 +77,6 @@ That’s it, as soon as you connect to the server while pageant is running and y If you are annoyed that Windows reports every time you plug in the stick that no driver could be found for “Smartcard”, you can get rid of it. You just have to install the x86 or x64 version of the above mentioned driver and the smartcard looks like this: -.. figure:: /pro/images/putty/7.png +.. figure:: images/putty/7.png :alt: img7 diff --git a/nitrokeys/features/openpgp-card/stunnel.rst b/nitrokeys/features/openpgp-card/stunnel.rst new file mode 100644 index 0000000000..60cc589bc4 --- /dev/null +++ b/nitrokeys/features/openpgp-card/stunnel.rst @@ -0,0 +1,47 @@ +Stunnel +======= + +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ✓ + - ⨯ + - ⨯ + - ⨯ + - ✓ + - ✓ + - ✓ + - ✓ +.. section products-end + +.. contents:: :local: + +`Stunnel `__ works as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. + +Stunnel is able to load OpenSC PKCS#11 engine using this configuration: + +.. code-block:: bash + + engine=dynamic + engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so + engineCtrl=ID:pkcs11 + engineCtrl=LIST_ADD:1 + engineCtrl=LOAD + engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so + engineCtrl=INIT + + [service] + engineNum=1 + key=id_45 diff --git a/nitrokey3/shared/openpgp-uif.rst.inc b/nitrokeys/features/openpgp-card/uif.rst similarity index 55% rename from nitrokey3/shared/openpgp-uif.rst.inc rename to nitrokeys/features/openpgp-card/uif.rst index bd56e48e0e..568043fabf 100644 --- a/nitrokey3/shared/openpgp-uif.rst.inc +++ b/nitrokeys/features/openpgp-card/uif.rst @@ -1,6 +1,31 @@ OpenPGP Touch Confirmation (UIF) ================================ +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ✓ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ +.. section products-end + .. contents:: :local: The Nitrokey 3 OpenPGP Card functionality supports touch button confirmations (so called User Interaction Flags, UIF) when performing cryptographic key operations. It can be configured separately for each operation (Signature, Decryption and Authentication). @@ -16,7 +41,7 @@ Configuration With GnuPG 2.3 or more recent: -.. code-block:: +:: $ gpg --card-edit … diff --git a/nitrokeys/features/password-safe/index.rst b/nitrokeys/features/password-safe/index.rst new file mode 100644 index 0000000000..31eb0e69a9 --- /dev/null +++ b/nitrokeys/features/password-safe/index.rst @@ -0,0 +1,32 @@ +Password Safe +============= + + +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ✓ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + +.. toctree:: + :maxdepth: 1 + :glob: + + KeepassXC <../../../software/nk-app2/keepassxc> \ No newline at end of file diff --git a/nitrokey3/windows/piv/access_control.rst b/nitrokeys/features/piv/access_control.rst similarity index 97% rename from nitrokey3/windows/piv/access_control.rst rename to nitrokeys/features/piv/access_control.rst index 5e4e169bf0..fec07de9f8 100644 --- a/nitrokey3/windows/piv/access_control.rst +++ b/nitrokeys/features/piv/access_control.rst @@ -1,6 +1,10 @@ Access Control ============== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + The following access matrix shows what authentication a certain operation requires. +-------------------+-----+-----+-----+-------------------------------------------------+ diff --git a/nitrokey3/windows/piv/certificate_management.rst b/nitrokeys/features/piv/certificate_management.rst similarity index 86% rename from nitrokey3/windows/piv/certificate_management.rst rename to nitrokeys/features/piv/certificate_management.rst index a267521865..d8ecb46144 100644 --- a/nitrokey3/windows/piv/certificate_management.rst +++ b/nitrokeys/features/piv/certificate_management.rst @@ -1,6 +1,10 @@ Certificate Management ====================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + Every private key has a certificate associated. The certificates can be read and written. The size of a certificate is limited by the transport layer and about 6kB. @@ -12,7 +16,7 @@ Certificates can be read from the Nitrokey per key slot. The certificate can be retrieved as follows. -.. code-block:: +:: nitropy nk3 piv read-certificate --key-slot `` @@ -22,6 +26,6 @@ Write Certificate Certificates can be written to the Nitrokey per key slot. -.. code-block:: +:: nitropy nk3 piv write-certificate --key-slot diff --git a/nitrokey3/windows/piv/factory_reset.rst b/nitrokeys/features/piv/factory_reset.rst similarity index 80% rename from nitrokey3/windows/piv/factory_reset.rst rename to nitrokeys/features/piv/factory_reset.rst index 27739ada7a..587c33596b 100644 --- a/nitrokey3/windows/piv/factory_reset.rst +++ b/nitrokeys/features/piv/factory_reset.rst @@ -1,6 +1,10 @@ Factory Reset ============= +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + The PIV application can be reset to factory defaults. It can only be reset if the PIN and PUK are blocked. @@ -9,6 +13,6 @@ It can only be reset if the PIN and PUK are blocked. The reset to factory defaults can be performed as follows. -.. code-block:: +:: nitropy nk3 piv factory-reset diff --git a/nitrokey3/windows/piv/guides/client_logon_with_active_directory.rst b/nitrokeys/features/piv/guides/client_logon_with_active_directory.rst similarity index 98% rename from nitrokey3/windows/piv/guides/client_logon_with_active_directory.rst rename to nitrokeys/features/piv/guides/client_logon_with_active_directory.rst index d87a471b34..b1caaf0108 100644 --- a/nitrokey3/windows/piv/guides/client_logon_with_active_directory.rst +++ b/nitrokeys/features/piv/guides/client_logon_with_active_directory.rst @@ -1,6 +1,10 @@ Client Logon with Active Directory ================================== +.. include:: ../index.rst + :start-after: products-begin + :end-before: products-end + This document explains how to use the PIV application of a Nitrokey 3 for smartcard logon with Active Directory. In the future, this manual provisioning may be automated through a Windows MiniDriver. @@ -94,7 +98,7 @@ The certificate is then written to the Nitrokey. 1. Generate a private key and write the CSR to file with the command below. - .. code-block:: + :: nitropy nk3 piv generate-key --key 9A --algo --subject-name --subject-alt-name-upn --out-file @@ -103,7 +107,7 @@ The certificate is then written to the Nitrokey. 2. Sign the CSR with the certificate authority (CA) of the domain with the command below. - .. code-block:: + :: certreq -attrib CertificateTemplate: -submit @@ -112,7 +116,7 @@ The certificate is then written to the Nitrokey. 3. Write the signed certificate to the Nitrokey with the command below. - .. code-block:: + :: nitropy nk3 piv write-certificate --format PEM --path diff --git a/nitrokey3/windows/piv/guides/index.rst b/nitrokeys/features/piv/guides/index.rst similarity index 53% rename from nitrokey3/windows/piv/guides/index.rst rename to nitrokeys/features/piv/guides/index.rst index b28244ef94..7118942771 100644 --- a/nitrokey3/windows/piv/guides/index.rst +++ b/nitrokeys/features/piv/guides/index.rst @@ -1,6 +1,10 @@ Guides ====== +.. include:: ../index.rst + :start-after: products-begin + :end-before: products-end + .. toctree:: :maxdepth: 1 :glob: diff --git a/nitrokeys/features/piv/index.rst b/nitrokeys/features/piv/index.rst new file mode 100644 index 0000000000..28bad4cf71 --- /dev/null +++ b/nitrokeys/features/piv/index.rst @@ -0,0 +1,46 @@ +PIV (Personal Identity Verification) +==================================== + +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ✓ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ +.. section products-end + +.. warning:: + The PIV application of the Nitrokey 3 is currently considered unstable and is not available on the stable firmware releases. + To obtain that functionality it is required to install a test firmware. + Subsequent firmware updates may lead to loss of data and cryptographic keys. + Please refer to `the firmware update documentation <../firmware-update.html#firmware-release-types>`__ for more information. + +The *Personal Identity Verfication* (PIV) is based on the NIST special publication `SP 800-73 `__. + +.. toctree:: + :maxdepth: 1 + :glob: + + Access Control + Certificate Management + Factory Reset + Key Management + + Guides diff --git a/nitrokey3/windows/piv/key_management.rst b/nitrokeys/features/piv/key_management.rst similarity index 97% rename from nitrokey3/windows/piv/key_management.rst rename to nitrokeys/features/piv/key_management.rst index c86eedca9b..3cd237c493 100644 --- a/nitrokey3/windows/piv/key_management.rst +++ b/nitrokeys/features/piv/key_management.rst @@ -1,6 +1,10 @@ Key Management ============== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + Key Slots --------- @@ -55,6 +59,6 @@ The PIV application can generate a new private key on the Nitrokey. The command below will create private key in key slot ``9a`` for the user with the subject name ``John Doe`` and subject alternative name ``jd@nitrokey.local``. -.. code-block:: +:: nitropy nk3 piv generate-key --key-slot 9a --subject-name "John Doe" --subject-alt-name-upn "jd@nitrokey.local" diff --git a/pro/otp.rst.inc b/nitrokeys/features/totp/general.rst similarity index 89% rename from pro/otp.rst.inc rename to nitrokeys/features/totp/general.rst index fe35ca9c48..83f83da1e3 100644 --- a/pro/otp.rst.inc +++ b/nitrokeys/features/totp/general.rst @@ -1,6 +1,10 @@ Two-factor Authentication with One-Time Passwords (OTP) ======================================================= +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: The use of One-time Passwords (OTP) is called very differently on the various services supporting it. Sometimes it is referred to as Multi-factor Authentication (MFA), sometimes it is Two-factor Authentication (2FA) or just “authentication via authenticator app” like Google Authenticator. Most of these services are compatible for usage with the Nitrokey Pro and Nitrokey Storage. The following instructions show how to enable OTP on our `support forum `__. The procedure is quite similar on most services. For a list of websites supporting OTP have a look at `dongleauth.com `__. @@ -12,14 +16,14 @@ Configure a Website/Application to Use OTP Login to the website which supports OTP (in this example, the `support forum `__). Usually you find the option to enable two-factor-authentication under your profile or in the settings. -.. figure:: /pro/images/otp/1.png +.. figure:: images/otp/1.png :alt: img1 Most of the time, you will get a QR-Code as seen below. There should be an option, to show the secret key directly. -.. figure:: /pro/images/otp/2.png +.. figure:: images/otp/2.png :alt: img2 @@ -28,21 +32,21 @@ We need to copy the secret code. This is what the Nitrokey is actually protecting. You may create a backup of it now (in case the Nitrokey get lost or breaks) by writing it down on a sheet of paper and storing it securely. But be aware that anybody who is in possession of this secret code, can create one-time passwords for your account! *Please note that you won’t be able to backup this code, once it is stored in the Nitrokey!* -.. figure:: /pro/images/otp/3.png +.. figure:: images/otp/3.png :alt: img3 Now start the Nitrokey App and open the “OTP Slot Configuration”. -.. figure:: /pro/images/otp/4.png +.. figure:: images/otp/4.png :alt: img4 Paste in the secret key in the corresponding field and choose an appropiate slot name. Click on “Save” and type in your admin PIN if requested. -.. figure:: /pro/images/otp/5.png +.. figure:: images/otp/5.png :alt: img5 @@ -50,14 +54,14 @@ Paste in the secret key in the corresponding field and choose an appropiate slot After saving the slot you can go to “Menu” -> “Passwords” -> YourSlotName to get your very first one-time password. -.. figure:: /pro/images/otp/6.png +.. figure:: images/otp/6.png :alt: img6 The one-time password is copied to your clipboard automatically. You just need to paste it to the field on the website to confirm the correct setup and thus to activate the two-factor authentication. -.. figure:: /pro/images/otp/7.png +.. figure:: images/otp/7.png :alt: img7 @@ -68,6 +72,6 @@ Securely Login to Website/Application From now on you will get asked for a one-time password additionally to your other credentials if you try to login the the website. You just need to open the Nitrokey App and go to “Menu” -> “Passwords” -> YourSlotName again to get the one-time password. -.. figure:: /pro/images/otp/8.png +.. figure:: images/otp/8.png :alt: img8 diff --git a/pro/2fa-google.rst.inc b/nitrokeys/features/totp/google.rst similarity index 94% rename from pro/2fa-google.rst.inc rename to nitrokeys/features/totp/google.rst index 401bc1bf1a..41bef000c3 100644 --- a/pro/2fa-google.rst.inc +++ b/nitrokeys/features/totp/google.rst @@ -1,6 +1,10 @@ Two-factor Authentication for Google ==================================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: These are the basic steps for registering the Nitrokey Pro or Nitrokey Storage as a second factor of a Google account: diff --git a/pro/windows/images/2fa-microsoft/1.png b/nitrokeys/features/totp/images/microsoft/1.png similarity index 100% rename from pro/windows/images/2fa-microsoft/1.png rename to nitrokeys/features/totp/images/microsoft/1.png diff --git a/pro/windows/images/2fa-microsoft/10.png b/nitrokeys/features/totp/images/microsoft/10.png similarity index 100% rename from pro/windows/images/2fa-microsoft/10.png rename to nitrokeys/features/totp/images/microsoft/10.png diff --git a/pro/windows/images/2fa-microsoft/11.png b/nitrokeys/features/totp/images/microsoft/11.png similarity index 100% rename from pro/windows/images/2fa-microsoft/11.png rename to nitrokeys/features/totp/images/microsoft/11.png diff --git a/pro/windows/images/2fa-microsoft/12.png b/nitrokeys/features/totp/images/microsoft/12.png similarity index 100% rename from pro/windows/images/2fa-microsoft/12.png rename to nitrokeys/features/totp/images/microsoft/12.png diff --git a/pro/windows/images/2fa-microsoft/13.png b/nitrokeys/features/totp/images/microsoft/13.png similarity index 100% rename from pro/windows/images/2fa-microsoft/13.png rename to nitrokeys/features/totp/images/microsoft/13.png diff --git a/pro/windows/images/2fa-microsoft/14.png b/nitrokeys/features/totp/images/microsoft/14.png similarity index 100% rename from pro/windows/images/2fa-microsoft/14.png rename to nitrokeys/features/totp/images/microsoft/14.png diff --git a/pro/windows/images/2fa-microsoft/2.png b/nitrokeys/features/totp/images/microsoft/2.png similarity index 100% rename from pro/windows/images/2fa-microsoft/2.png rename to nitrokeys/features/totp/images/microsoft/2.png diff --git a/pro/windows/images/2fa-microsoft/3.png b/nitrokeys/features/totp/images/microsoft/3.png similarity index 100% rename from pro/windows/images/2fa-microsoft/3.png rename to nitrokeys/features/totp/images/microsoft/3.png diff --git a/pro/windows/images/2fa-microsoft/4.png b/nitrokeys/features/totp/images/microsoft/4.png similarity index 100% rename from pro/windows/images/2fa-microsoft/4.png rename to nitrokeys/features/totp/images/microsoft/4.png diff --git a/pro/windows/images/2fa-microsoft/5.png b/nitrokeys/features/totp/images/microsoft/5.png similarity index 100% rename from pro/windows/images/2fa-microsoft/5.png rename to nitrokeys/features/totp/images/microsoft/5.png diff --git a/pro/windows/images/2fa-microsoft/6.png b/nitrokeys/features/totp/images/microsoft/6.png similarity index 100% rename from pro/windows/images/2fa-microsoft/6.png rename to nitrokeys/features/totp/images/microsoft/6.png diff --git a/pro/windows/images/2fa-microsoft/7.png b/nitrokeys/features/totp/images/microsoft/7.png similarity index 100% rename from pro/windows/images/2fa-microsoft/7.png rename to nitrokeys/features/totp/images/microsoft/7.png diff --git a/pro/windows/images/2fa-microsoft/8.png b/nitrokeys/features/totp/images/microsoft/8.png similarity index 100% rename from pro/windows/images/2fa-microsoft/8.png rename to nitrokeys/features/totp/images/microsoft/8.png diff --git a/pro/windows/images/2fa-microsoft/9.png b/nitrokeys/features/totp/images/microsoft/9.png similarity index 100% rename from pro/windows/images/2fa-microsoft/9.png rename to nitrokeys/features/totp/images/microsoft/9.png diff --git a/pro/images/2fa-nextcloud/1.png b/nitrokeys/features/totp/images/nextcloud/1.png similarity index 100% rename from pro/images/2fa-nextcloud/1.png rename to nitrokeys/features/totp/images/nextcloud/1.png diff --git a/pro/images/2fa-nextcloud/2.png b/nitrokeys/features/totp/images/nextcloud/2.png similarity index 100% rename from pro/images/2fa-nextcloud/2.png rename to nitrokeys/features/totp/images/nextcloud/2.png diff --git a/pro/images/2fa-nextcloud/3.png b/nitrokeys/features/totp/images/nextcloud/3.png similarity index 100% rename from pro/images/2fa-nextcloud/3.png rename to nitrokeys/features/totp/images/nextcloud/3.png diff --git a/pro/images/2fa-nextcloud/4.png b/nitrokeys/features/totp/images/nextcloud/4.png similarity index 100% rename from pro/images/2fa-nextcloud/4.png rename to nitrokeys/features/totp/images/nextcloud/4.png diff --git a/pro/images/2fa-nextcloud/5.png b/nitrokeys/features/totp/images/nextcloud/5.png similarity index 100% rename from pro/images/2fa-nextcloud/5.png rename to nitrokeys/features/totp/images/nextcloud/5.png diff --git a/pro/images/2fa-nextcloud/6.png b/nitrokeys/features/totp/images/nextcloud/6.png similarity index 100% rename from pro/images/2fa-nextcloud/6.png rename to nitrokeys/features/totp/images/nextcloud/6.png diff --git a/pro/images/2fa-nextcloud/7.png b/nitrokeys/features/totp/images/nextcloud/7.png similarity index 100% rename from pro/images/2fa-nextcloud/7.png rename to nitrokeys/features/totp/images/nextcloud/7.png diff --git a/pro/images/2fa-nextcloud/8.png b/nitrokeys/features/totp/images/nextcloud/8.png similarity index 100% rename from pro/images/2fa-nextcloud/8.png rename to nitrokeys/features/totp/images/nextcloud/8.png diff --git a/pro/images/2fa-nextcloud/9.png b/nitrokeys/features/totp/images/nextcloud/9.png similarity index 100% rename from pro/images/2fa-nextcloud/9.png rename to nitrokeys/features/totp/images/nextcloud/9.png diff --git a/pro/images/otp/1.png b/nitrokeys/features/totp/images/otp/1.png similarity index 100% rename from pro/images/otp/1.png rename to nitrokeys/features/totp/images/otp/1.png diff --git a/pro/images/otp/2.png b/nitrokeys/features/totp/images/otp/2.png similarity index 100% rename from pro/images/otp/2.png rename to nitrokeys/features/totp/images/otp/2.png diff --git a/pro/images/otp/3.png b/nitrokeys/features/totp/images/otp/3.png similarity index 100% rename from pro/images/otp/3.png rename to nitrokeys/features/totp/images/otp/3.png diff --git a/pro/images/otp/4.png b/nitrokeys/features/totp/images/otp/4.png similarity index 100% rename from pro/images/otp/4.png rename to nitrokeys/features/totp/images/otp/4.png diff --git a/pro/images/otp/5.png b/nitrokeys/features/totp/images/otp/5.png similarity index 100% rename from pro/images/otp/5.png rename to nitrokeys/features/totp/images/otp/5.png diff --git a/pro/images/otp/6.png b/nitrokeys/features/totp/images/otp/6.png similarity index 100% rename from pro/images/otp/6.png rename to nitrokeys/features/totp/images/otp/6.png diff --git a/pro/images/otp/7.png b/nitrokeys/features/totp/images/otp/7.png similarity index 100% rename from pro/images/otp/7.png rename to nitrokeys/features/totp/images/otp/7.png diff --git a/pro/images/otp/8.png b/nitrokeys/features/totp/images/otp/8.png similarity index 100% rename from pro/images/otp/8.png rename to nitrokeys/features/totp/images/otp/8.png diff --git a/nitrokeys/features/totp/index.rst b/nitrokeys/features/totp/index.rst new file mode 100644 index 0000000000..4e053eed01 --- /dev/null +++ b/nitrokeys/features/totp/index.rst @@ -0,0 +1,35 @@ +Two-factor Authentication with One-Time Passwords (OTP) +======================================================= + +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ⨯ + - ✓ + - ⨯ + - ✓ +.. section products-end + +.. toctree:: + :maxdepth: 1 + + General Instructions + Microsoft + Google + Nextcloud \ No newline at end of file diff --git a/pro/windows/2fa-microsoft.rst b/nitrokeys/features/totp/microsoft.rst similarity index 57% rename from pro/windows/2fa-microsoft.rst rename to nitrokeys/features/totp/microsoft.rst index 1b28d54d83..a12f8d5dcb 100644 --- a/pro/windows/2fa-microsoft.rst +++ b/nitrokeys/features/totp/microsoft.rst @@ -1,94 +1,98 @@ Two-factor Authentication for Microsoft Account =============================================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: These are the basic steps for registering the Nitrokey Pro or Nitrokey Storage as a second factor of a Microsoft account. Visit https://account.live.com/proofs/Manage/additional and log in to your Microsoft account if prompted. -.. figure:: /pro/windows/images/2fa-microsoft/1.png +.. figure:: images/microsoft/1.png :alt: img1 -.. figure:: /pro/windows/images/2fa-microsoft/2.png +.. figure:: images/microsoft/2.png :alt: img2 Click on “Set up two-step verification”. -.. figure:: /pro/windows/images/2fa-microsoft/3.png +.. figure:: images/microsoft/3.png :alt: img3 Click on “Next”. -.. figure:: /pro/windows/images/2fa-microsoft/4.png +.. figure:: images/microsoft/4.png :alt: img4 Now it is important to click on “set up a different Authenticator app”. -.. figure:: /pro/windows/images/2fa-microsoft/5.png +.. figure:: images/microsoft/5.png :alt: img5 Click on “I can’t scan the bar code”. -.. figure:: /pro/windows/images/2fa-microsoft/6.png +.. figure:: images/microsoft/6.png :alt: img6 Insert and save secret code into the Nitrokey App. -.. figure:: /pro/windows/images/2fa-microsoft/7.png +.. figure:: images/microsoft/7.png :alt: img7 -.. figure:: /pro/windows/images/2fa-microsoft/8.png +.. figure:: images/microsoft/8.png :alt: img8 -.. figure:: /pro/windows/images/2fa-microsoft/9.png +.. figure:: images/microsoft/9.png :alt: img9 Enter code generated by Nitrokey App to confirm. -.. figure:: /pro/windows/images/2fa-microsoft/10.png +.. figure:: images/microsoft/10.png :alt: img10 -.. figure:: /pro/windows/images/2fa-microsoft/11.png +.. figure:: images/microsoft/11.png :alt: img11 Click “Next” and then “Finish”. -.. figure:: /pro/windows/images/2fa-microsoft/12.png +.. figure:: images/microsoft/12.png :alt: img12 -.. figure:: /pro/windows/images/2fa-microsoft/13.png +.. figure:: images/microsoft/13.png :alt: img13 From now on, when signing in you need an OTP additionally to your password. -.. figure:: /pro/windows/images/2fa-microsoft/14.png +.. figure:: images/microsoft/14.png :alt: img14 diff --git a/pro/2fa-nextcloud.rst.inc b/nitrokeys/features/totp/nextcloud.rst similarity index 76% rename from pro/2fa-nextcloud.rst.inc rename to nitrokeys/features/totp/nextcloud.rst index b0efcab989..43a23c32a7 100644 --- a/pro/2fa-nextcloud.rst.inc +++ b/nitrokeys/features/totp/nextcloud.rst @@ -1,65 +1,69 @@ Two-factor Authentication for Nextcloud accounts ================================================ +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: These are the basic steps for registering the Nitrokey Pro or Nitrokey Storage as a second factor of a Nextcloud account. At first, log in to your Nextcloud account, click on the top right symbol of your account and open the settings menu. -.. figure:: /pro/images/2fa-nextcloud/1.png +.. figure:: images/nextcloud/1.png :alt: img1 Now choose “Security” on the left hand side. -.. figure:: /pro/images/2fa-nextcloud/2.png +.. figure:: images/nextcloud/2.png :alt: img2 Now you can tick the box reading “Enable TOTP”. There is shown the TOTP secret which we need to add to our Nitrokey via the Nitrokey App. -.. figure:: /pro/images/2fa-nextcloud/3.png +.. figure:: images/nextcloud/3.png :alt: img3 Copy and save secret code into the Nitrokey App. -.. figure:: /pro/images/2fa-nextcloud/4.png +.. figure:: images/nextcloud/4.png :alt: img4 -.. figure:: /pro/images/2fa-nextcloud/5.png +.. figure:: images/nextcloud/5.png :alt: img5 Now we request a one-time password for the Nextcloud to verify the process by inserting the password on the website and pressing “verify”. -.. figure:: /pro/images/2fa-nextcloud/6.png +.. figure:: images/nextcloud/6.png :alt: img6 -.. figure:: /pro/images/2fa-nextcloud/7.png +.. figure:: images/nextcloud/7.png :alt: img7 From now on, when signing in you need an OTP additionally to your password. Get one by the Nitrokey App like before and insert it in when logging in. -.. figure:: /pro/images/2fa-nextcloud/8.png +.. figure:: images/nextcloud/8.png :alt: img8 Nextcloud provides you with backup codes, in case you lost your Nitrokey. It is recommended to print out these codes and store them somewhere save otherwise you might not be able to log in to your account anymore! -.. figure:: /pro/images/2fa-nextcloud/9.png +.. figure:: images/nextcloud/9.png :alt: img9 diff --git a/nitrokeys/features/u2f/2fa.rst b/nitrokeys/features/u2f/2fa.rst new file mode 100644 index 0000000000..538bd25367 --- /dev/null +++ b/nitrokeys/features/u2f/2fa.rst @@ -0,0 +1,36 @@ +Two-Factor Authentication (2FA) +=============================== + +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + +1. Open one of the `websites that support FIDO + U2F `__. +2. Log in to the website and enable two-factor authentication in your + account settings. (In most cases you will find a link to the + documentation of the supported web service at + `dongleauth.com `__) +3. Register your Nitrokey in the account settings by touching the + button to activate the Nitrokey. After you have successfully + configured the device, you must activate the Nitrokey this way + each time you log in. + +You are now ready to go. + +.. important:: + The Nitrokey App can not be used for the Nitrokey U2F. + +Troubleshooting (Linux) +----------------------- + +- If the Nitrokey is not accepted immediately, you may need to copy + this file + `41-nitrokey.rules `__ + to ``etc/udev/rules.d/``. In very rare cases, the system will need + the `older + version `__ + of this file. + +- After copying the file, restart udev via + ``sudo service udev restart``. diff --git a/fido2/linux/desktop-login.rst b/nitrokeys/features/u2f/desktop-login.rst similarity index 96% rename from fido2/linux/desktop-login.rst rename to nitrokeys/features/u2f/desktop-login.rst index bcd48b8fca..10bebd4024 100644 --- a/fido2/linux/desktop-login.rst +++ b/nitrokeys/features/u2f/desktop-login.rst @@ -1,6 +1,10 @@ Desktop Login And Linux User Authentication =========================================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. contents:: :local: Introduction @@ -28,29 +32,29 @@ GUI Method 1. **In the lower left corner click on** ``Show Applications`` **and type settings in the search bar as following:** - .. figure:: /fido2/linux/images/fidou2f-1.png + .. figure:: images/desktop-login/fidou2f-1.png :alt: img1 2. **Scroll down in the right bar to** ``Users`` - .. figure:: /fido2/linux/images/fidou2f-2.png + .. figure:: images/desktop-login/fidou2f-2.png :alt: img2 3. **In the left corner click on** ``Unlock`` **and that would prompt for your password** - .. figure:: /fido2/linux/images/fidou2f-3.png + .. figure:: images/desktop-login/fidou2f-3.png :alt: img3 4. **Select** ``Administrator`` **and enter the user name and password of your choice** - .. figure:: /fido2/linux/images/fidou2f-4.png + .. figure:: images/desktop-login/fidou2f-4.png :alt: img4 5. **Once you finish Step 4 you should be done** - .. figure:: /fido2/linux/images/fidou2f-5.png + .. figure:: images/desktop-login/fidou2f-5.png :alt: img5 CLI Method @@ -230,7 +234,7 @@ CLI Method You can also test your configuration by logging out of the user session and logging back. A similar screen should be displayed once you you unplug/replug yout Nitrokey FIDO2 and type your password: - .. figure:: /fido2/linux/images/u2f-fido-pam-2.png + .. figure:: images/desktop-login/u2f-fido-pam-2.png :alt: img6 Usage diff --git a/fido2/linux/images/fidou2f-1.png b/nitrokeys/features/u2f/images/desktop-login/fidou2f-1.png similarity index 100% rename from fido2/linux/images/fidou2f-1.png rename to nitrokeys/features/u2f/images/desktop-login/fidou2f-1.png diff --git a/fido2/linux/images/fidou2f-2.png b/nitrokeys/features/u2f/images/desktop-login/fidou2f-2.png similarity index 100% rename from fido2/linux/images/fidou2f-2.png rename to nitrokeys/features/u2f/images/desktop-login/fidou2f-2.png diff --git a/fido2/linux/images/fidou2f-3.png b/nitrokeys/features/u2f/images/desktop-login/fidou2f-3.png similarity index 100% rename from fido2/linux/images/fidou2f-3.png rename to nitrokeys/features/u2f/images/desktop-login/fidou2f-3.png diff --git a/fido2/linux/images/fidou2f-4.png b/nitrokeys/features/u2f/images/desktop-login/fidou2f-4.png similarity index 100% rename from fido2/linux/images/fidou2f-4.png rename to nitrokeys/features/u2f/images/desktop-login/fidou2f-4.png diff --git a/fido2/linux/images/fidou2f-5.png b/nitrokeys/features/u2f/images/desktop-login/fidou2f-5.png similarity index 100% rename from fido2/linux/images/fidou2f-5.png rename to nitrokeys/features/u2f/images/desktop-login/fidou2f-5.png diff --git a/fido2/linux/images/u2f-fido-pam-2.png b/nitrokeys/features/u2f/images/desktop-login/u2f-fido-pam-2.png similarity index 100% rename from fido2/linux/images/u2f-fido-pam-2.png rename to nitrokeys/features/u2f/images/desktop-login/u2f-fido-pam-2.png diff --git a/nitrokeys/features/u2f/index.rst b/nitrokeys/features/u2f/index.rst new file mode 100644 index 0000000000..921cd6159c --- /dev/null +++ b/nitrokeys/features/u2f/index.rst @@ -0,0 +1,34 @@ +U2F +=== + +.. section products-begin +.. list-table:: + :width: 100% + :header-rows: 1 + :class: products-table + + * - `Nitrokey 3 `_ + - `Nitrokey Passkey `_ + - `Nitrokey FIDO2 `_ + - `Nitrokey U2F `_ + - `Nitrokey HSM 2 `_ + - `Nitrokey Pro 2 `_ + - `Nitrokey Start `_ + - `Nitrokey Storage 2 `_ + + * - ✓ + - ✓ + - ✓ + - ✓ + - ⨯ + - ✓ + - ⨯ + - ✓ +.. section products-end + +.. toctree:: + :maxdepth: 1 + + Desktop Login (Linux only) + Odoo Login + Two Factor Authentication <2fa> \ No newline at end of file diff --git a/fido2/2fa-odoo.rst.inc b/nitrokeys/features/u2f/odoo.rst similarity index 88% rename from fido2/2fa-odoo.rst.inc rename to nitrokeys/features/u2f/odoo.rst index bc568fa24c..aa7c189a83 100644 --- a/fido2/2fa-odoo.rst.inc +++ b/nitrokeys/features/u2f/odoo.rst @@ -1,6 +1,10 @@ Two-Factor Authentication For ERP Software Odoo =============================================== +.. include:: index.rst + :start-after: products-begin + :end-before: products-end + .. only:: comment .. contents:: :local: @@ -17,8 +21,8 @@ The FIDO solution was developed together with our partner `initOS `__ -Video: Two-Factor Authentication With The Nitrokey FIDO U2F in Odoo -------------------------------------------------------------------- +Video: Two-Factor Authentication With The Nitrokey U2F in Odoo +-------------------------------------------------------------- .. raw:: html diff --git a/fido2/faq.rst b/nitrokeys/fido2/faq.rst similarity index 95% rename from fido2/faq.rst rename to nitrokeys/fido2/faq.rst index ad7cf5f98e..8021edfbc8 100644 --- a/fido2/faq.rst +++ b/nitrokeys/fido2/faq.rst @@ -24,4 +24,4 @@ Nitrokey FIDO2 FAQ After `disabling Enforce Attestation`_ Nitrokey FIDO2 is supported by Azure Entra ID out of the box. -.. include:: ../shared-faqs/hyperlinks.rst.inc \ No newline at end of file +.. include:: ../../shared-faqs/hyperlinks.rst.inc \ No newline at end of file diff --git a/fido2/shared/firmware-update.rst.inc b/nitrokeys/fido2/firmware-update.rst similarity index 93% rename from fido2/shared/firmware-update.rst.inc rename to nitrokeys/fido2/firmware-update.rst index 350bb2b4e2..8a4e2399e4 100644 --- a/fido2/shared/firmware-update.rst.inc +++ b/nitrokeys/fido2/firmware-update.rst @@ -33,7 +33,6 @@ In case of any errors please take the logs from ``/tmp`` directory (``/tmp/nitro -.. _Nitrokey 3 Firmware - GitHub Releases: https://github.com/Nitrokey/nitrokey-3-firmware/releases .. _installation instructions: /software/nitropy/all-platforms/installation.html diff --git a/fido2/shared/index-content1.rst.inc b/nitrokeys/fido2/getting-started.rst similarity index 94% rename from fido2/shared/index-content1.rst.inc rename to nitrokeys/fido2/getting-started.rst index 5acb9a02b5..5e08e1384e 100644 --- a/fido2/shared/index-content1.rst.inc +++ b/nitrokeys/fido2/getting-started.rst @@ -1,3 +1,6 @@ +Getting Started +=============== + The Nitrokey FIDO2 supports two-factor authentication (2FA) and passwordless authentication: @@ -172,3 +175,17 @@ seconds until the green or blue LED lights up. Note: white LED blinking is used as well to signalize the selected device (the so called WINK command). + +Troubleshooting (Linux) +----------------------- + +If the Nitrokey is not detected, proceed the following: + +1. Copy this file + `41-nitrokey.rules `__ + to ``/etc/udev/rules.d/``. In very rare cases, the system will need + the `older + version `__ + of this file. +2. Restart udev via ``sudo service udev restart`` or ``udevadm control --reload-rules && udevadm trigger`` if you are using Fedora. + diff --git a/nitrokeys/fido2/index.rst b/nitrokeys/fido2/index.rst new file mode 100644 index 0000000000..afb48aefef --- /dev/null +++ b/nitrokeys/fido2/index.rst @@ -0,0 +1,27 @@ +Nitrokey FIDO2 +============== + +.. contents:: :local: + +First check the: + +.. toctree:: + :maxdepth: 1 + :glob: + + Getting Started + Frequently Asked Questions + +and the product guides: + +.. toctree:: + :maxdepth: 1 + + Firmware update + Reset + +or check out the features: + +* `FIDO2 <../features/fido2/index.html>`_ +* `U2F <../features/u2f/index.html>`_ + diff --git a/fido2/windows/reset.rst b/nitrokeys/fido2/reset.rst similarity index 67% rename from fido2/windows/reset.rst rename to nitrokeys/fido2/reset.rst index c568a0757d..3a2bed2fe6 100644 --- a/fido2/windows/reset.rst +++ b/nitrokeys/fido2/reset.rst @@ -3,14 +3,21 @@ Nitrokey Reset .. contents:: :local: -The Factory Reset operation deletes the FIDO secret keys stored on the Nitrokey and generates new ones. Afterwards the Nitrokey behaves like a new device. +Factory Reset operation regenerates the secret material stored on the Nitrokey FIDO U2F / Nitrokey FIDO2, which makes it a completely new key logic-side. New owner cannot use it to login to account of the previous one. In case of the FIDO2 Resident Keys the material is erased. To avoid accidental and malicious reset of the Nitrokey, the required touch confirmation time for the FIDO2 reset operation is longer and with a distinct LED behavior (red LED light) than normal operations. To reset -the Nitrokey, confirm by touching the touch button for at least 5 +the Nitrokey FIDO2, confirm by touching the touch button for at least 5 seconds until the green or blue LED lights up. +Nitrokey FIDO2 could be reset by: + +* pynitrokey tool: ``nitropy fido2 reset`` (requires Administrator rights to execute) +* Google Chrome: `Manage security keys` via the direct link: `chrome://settings/securityKeys` + +Or by using these instructions (Windows only): + Windows 10 ~~~~~~~~~~ @@ -30,11 +37,4 @@ Windows 10 on a Virtual Machine Please keep in mind Nitrokey has internal timeout for accepting the FIDO reset operation of 10 seconds since powering up. If the Nitrokey will connect to a virtual machine later than that, it will return error and -the operation will be aborted. - -Other Ways to Reset -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Nitrokey can also be reset by: - -* pynitrokey tool: ``nitropy fido2 reset`` (requires Administrator rights to execute) +the operation will be aborted. \ No newline at end of file diff --git a/hsm/faq.rst b/nitrokeys/hsm/faq.rst similarity index 97% rename from hsm/faq.rst rename to nitrokeys/hsm/faq.rst index 4ec1e1426b..dbc17c02f5 100644 --- a/hsm/faq.rst +++ b/nitrokeys/hsm/faq.rst @@ -2,7 +2,7 @@ Nitrokey HSM FAQ ================ -.. include:: ../shared-faqs/nitrokeys.rst.inc +.. include:: ../../shared-faqs/nitrokeys.rst.inc **Q:** What is the maximum length of the PIN? @@ -56,7 +56,7 @@ Nitrokey HSM FAQ Use ``opensc-tool --list-algorithms`` and compare with the table below. Please also see `this thread`_ for the factsheets and more details. -.. include:: ../shared-faqs/algos.rst.inc +.. include:: ../../shared-faqs/algos.rst.inc **Q:** How can I use the True Random Number Generator (TRNG) of the Nitrokey HSM for my applications? Nitrokey HSM can be used with `Botan`_ and `TokenTools`_ by using OpenSC as a PKCS#11 driver. @@ -110,4 +110,4 @@ Nitrokey HSM FAQ .. _TokenTools: https://github.com/infincia/TokenTools .. _AIS 31: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Interpretationen/AIS_31_pdf -.. include:: ../shared-faqs/hyperlinks.rst.inc +.. include:: ../../shared-faqs/hyperlinks.rst.inc diff --git a/nitrokeys/hsm/getting-started.rst b/nitrokeys/hsm/getting-started.rst new file mode 100644 index 0000000000..8c962725ad --- /dev/null +++ b/nitrokeys/hsm/getting-started.rst @@ -0,0 +1,40 @@ +Getting Started +=============== + +.. contents:: :local: + + +1. + .. tabs:: + .. tab:: Linux + Install `OpenSC `__. You need + at least version 0.19. You can find recent builds for debian-based + systems like Ubuntu + `here `__ if your system + does not have the newest version of OpenSC. Alternatively, install + `this `__ + driver (`source `__). + + .. tab:: MacOS + Install `OpenSC `__. + Alternatively, install + `this `__ + driver (`source `__). + + .. tab:: Windows + Install `OpenSC `__. + Alternatively, install + `this `__ + driver (`source `__). + +2. Define SO-PIN and PIN of your own choices. See `these + instructions `__. + Afterwards you can begin to `generate new + keys `__. + +Your Nitrokey is now ready to use. + +* There is `nitrotool `__ as a more comfortable frontend to OpenSC. (hsmwiz) +* Embedded Systems: For systems with minimal memory footprint a read/only PKCS#11 module is provided by the `sc-hsm-embedded `__ project. +* `This PKCS#11 module `__ is useful for deployments where key generation at the user's workplace is not required. The PKCS#11 module also supports major electronic signature cards available in the German market. +* OpenSCDP: The SmartCard-HSM is fully integrated with `OpenSCDP `__, the open smart card development platform. See the `public support scripts `__ for details. diff --git a/hsm/index.rst b/nitrokeys/hsm/index.rst similarity index 50% rename from hsm/index.rst rename to nitrokeys/hsm/index.rst index 9a6a47b6bd..865b3a7b6e 100644 --- a/hsm/index.rst +++ b/nitrokeys/hsm/index.rst @@ -9,15 +9,9 @@ First check the: :maxdepth: 1 :glob: + Getting Started Frequently Asked Questions -or choose your operating system: +or check out the features: -.. toctree:: - :maxdepth: 1 - :glob: - - Windows - macOS - Linux - +* `HSM <../features/hsm/index.html>`_ \ No newline at end of file diff --git a/nitrokeys/index.rst b/nitrokeys/index.rst new file mode 100644 index 0000000000..889f34963b --- /dev/null +++ b/nitrokeys/index.rst @@ -0,0 +1,16 @@ +Nitrokeys +========= + +.. toctree:: + :maxdepth: 1 + :glob: + + Features + Nitrokey 3 + Nitrokey Passkey + Nitrokey FIDO2 + Nitrokey U2F + Nitrokey HSM 2 + Nitrokey Pro 2 + Nitrokey Start + Nitrokey Storage 2 diff --git a/nitrokey3/adsk.rst.inc b/nitrokeys/nitrokey3/adsk.rst similarity index 97% rename from nitrokey3/adsk.rst.inc rename to nitrokeys/nitrokey3/adsk.rst index 7ec053c335..73e9131ec0 100644 --- a/nitrokey3/adsk.rst.inc +++ b/nitrokeys/nitrokey3/adsk.rst @@ -27,9 +27,9 @@ Preparing the Keys Follow one of these guides to generate the two keys: -- :doc:`openpgp-keygen-backup` -- :doc:`openpgp-keygen-on-device` -- :doc:`openpgp-keygen-gpa` +- :doc:`../features/openpgp-card/openpgp-keygen-backup` +- :doc:`../features/openpgp-card/openpgp-keygen-on-device` +- :doc:`../features/openpgp-card/openpgp-keygen-gpa` Make sure that you can list both keys with ``gpg --list-keys``, for example:: diff --git a/nitrokey3/faq.rst b/nitrokeys/nitrokey3/faq.rst similarity index 97% rename from nitrokey3/faq.rst rename to nitrokeys/nitrokey3/faq.rst index 50909a5f84..f81e28761d 100644 --- a/nitrokey3/faq.rst +++ b/nitrokeys/nitrokey3/faq.rst @@ -37,7 +37,7 @@ Nitrokey 3 FAQ **Q:** Why does the Nitrokey 3 not show up in Nitrokey App? Nitrokey 3 does only show up and can be managed in "nitropy" and "Nitrokey App 2, not in Nitrokey App 1". -.. include:: ../shared-faqs/algos.rst.inc +.. include:: ../../shared-faqs/algos.rst.inc **Q:** How can I set the PIN for my Nitrokey 3? The Nitrokey 3 has distinct PINs for each feature. @@ -61,5 +61,5 @@ Nitrokey 3 FAQ using the Nitrokey 3 with the SE050 in production environments. -.. include:: ../shared-faqs/hyperlinks.rst.inc +.. include:: ../../shared-faqs/hyperlinks.rst.inc .. _test: ../software/nitropy/all-platforms/test.html diff --git a/nitrokey3/linux/firmware-update-qubes.rst b/nitrokeys/nitrokey3/firmware-update-qubes.rst similarity index 100% rename from nitrokey3/linux/firmware-update-qubes.rst rename to nitrokeys/nitrokey3/firmware-update-qubes.rst diff --git a/nitrokey3/firmware-update.rst.inc b/nitrokeys/nitrokey3/firmware-update.rst similarity index 84% rename from nitrokey3/firmware-update.rst.inc rename to nitrokeys/nitrokey3/firmware-update.rst index 1ea0e3ed90..8a4f0442da 100644 --- a/nitrokey3/firmware-update.rst.inc +++ b/nitrokeys/nitrokey3/firmware-update.rst @@ -32,7 +32,6 @@ How to Update In case of any errors please take the logs from ``/tmp`` directory (``/tmp/nitropy.log.*``). -.. _Nitrokey 3 Firmware - GitHub Releases: https://github.com/Nitrokey/nitrokey-3-firmware/releases .. _installation instructions: ../../software/nitropy/all-platforms/installation.html @@ -88,3 +87,18 @@ Examples: This is mostly relevant for users that rely on a feature from the test releases. Users of the stable firmware can always update to the latest available firmware version. + +Troubleshooting (Linux): +------------------------ + +**Issue:** I get ``permission denied for /dev/hidrawX`` during update. + This likely means your user has not the needed permissions to + read/write the device. Please make sure you have set up the correct + `udev-rules`_. Download this `udev-rules`_ set and place it in your + udev rules directory (e.g., ``/etc/udev/rules.d``). Then remove + your Nitrokey 3 from the USB slot and run: + ``udevadm control --reload-rules && udevadm trigger`` or reboot + your machine. Afterwards the update should work without the + permission issue. + +.. _udev-rules: https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules diff --git a/nitrokey3/shared/main.rst b/nitrokeys/nitrokey3/getting-started.rst similarity index 97% rename from nitrokey3/shared/main.rst rename to nitrokeys/nitrokey3/getting-started.rst index 4d2e38cd43..fa8a485d9c 100644 --- a/nitrokey3/shared/main.rst +++ b/nitrokeys/nitrokey3/getting-started.rst @@ -1,3 +1,6 @@ +Getting Started +=============== + The Nitrokey 3 supports two-factor authentication (2FA) and passwordless authentication: diff --git a/nitrokeys/nitrokey3/index.rst b/nitrokeys/nitrokey3/index.rst new file mode 100644 index 0000000000..3011f84f17 --- /dev/null +++ b/nitrokeys/nitrokey3/index.rst @@ -0,0 +1,38 @@ +Nitrokey 3 +========== + +.. contents:: :local: + +First check the: + +.. toctree:: + :maxdepth: 1 + :glob: + + Getting Started + Frequently Asked Questions + Overview + +and the product guides: + +.. toctree:: + :maxdepth: 1 + + Firmware Update + Firmware Update Qubes + Set Pins + nitropy + Reset + Troubleshooting + Additional Decryption Subkeys (ADSK) with GnuPG + +or check out the features: + +* `FIDO2 <../features/fido2/index.html>`_ +* `U2F <../features/u2f/index.html>`_ +* `OpenPGP Card <../features/openpgp-card/index.html>`_ +* `Password Safe <../features/password-safe/index.html>`_ + +Additional features like `PIV (Windows only) <../features/piv/index.html>`_ are available in test firmware releases. See the `release notes`_ on GitHub for more information. + +.. _release notes: https://github.com/Nitrokey/nitrokey-3-firmware/releases diff --git a/nitrokey3/shared/nitropy.rst b/nitrokeys/nitrokey3/nitropy.rst similarity index 100% rename from nitrokey3/shared/nitropy.rst rename to nitrokeys/nitrokey3/nitropy.rst diff --git a/nitrokey3/features.rst b/nitrokeys/nitrokey3/overview.rst similarity index 78% rename from nitrokey3/features.rst rename to nitrokeys/nitrokey3/overview.rst index 57ac7d1798..7238fc4b8e 100644 --- a/nitrokey3/features.rst +++ b/nitrokeys/nitrokey3/overview.rst @@ -1,4 +1,4 @@ -Features +Overview ######## @@ -22,11 +22,21 @@ features are realized. - USB, NFC - no + * - `U2F`_ + - Predecessor of FIDO2 mainly used for Two-Factor Authentication + - USB, NFC + - no + * - `OpenPGP Card`_ - Asymmetric cryptography; keep your private key(s) secure; email encryption - USB - yes + * - `SMIME`_ + - Asymmetric cryptography; keep your private key(s) secure; email encryption + - USB + - yes + * - `Password Safe`_ - (One-Time-)Passwords securely stored on your Nitrokey 3 - USB @@ -70,15 +80,17 @@ data migrations from test to stable firmwares will not be implemented.** - no -.. _FIDO2: https://github.com/Nitrokey/fido-authenticator -.. _OpenPGP Card: https://github.com/Nitrokey/opcard-rs -.. _Password Safe: https://github.com/Nitrokey/trussed-secrets-app +.. _FIDO2: ../features/fido/index.html +.. _U2F: ../features/u2f/index.html +.. _OpenPGP Card: ../features/openpgp-card/index.html +.. _Password Safe: ../features/password-safe/index.html .. _Admin App: https://github.com/Nitrokey/admin-app -.. _PIV: https://github.com/Nitrokey/piv-authenticator +.. _PIV: ../features/piv/index .. _WebSmartCard: https://github.com/Nitrokey/nitrokey-websmartcard +.. _SMIME: ../features/smime/index.html -.. _pynitrokey: ../software/nitropy -.. _NitrokeyApp2: ../software/nk-app2 +.. _pynitrokey: ../software/nitropy/index.html +.. _NitrokeyApp2: ../software/nk-app2/index.html .. _Test Firmware: linux/firmware-update#firmware-release-types diff --git a/nitrokey3/shared/reset.rst.inc b/nitrokeys/nitrokey3/reset.rst similarity index 100% rename from nitrokey3/shared/reset.rst.inc rename to nitrokeys/nitrokey3/reset.rst diff --git a/nitrokey3/shared/set-pins.rst.inc b/nitrokeys/nitrokey3/set-pins.rst similarity index 98% rename from nitrokey3/shared/set-pins.rst.inc rename to nitrokeys/nitrokey3/set-pins.rst index 979574a514..dc79dccf61 100644 --- a/nitrokey3/shared/set-pins.rst.inc +++ b/nitrokeys/nitrokey3/set-pins.rst @@ -54,8 +54,8 @@ Setting PIN with the Chrom(e|ium) webbrowser .. start-fido2-windows-settings-application -Settings PIN with Windows Settings application -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Settings PIN with Windows Settings application (Windows only) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1. Open the Windows "Settings" application. 2. Open the "Accounts" menu. diff --git a/nitrokey3/troubleshooting.rst.inc b/nitrokeys/nitrokey3/troubleshooting.rst similarity index 100% rename from nitrokey3/troubleshooting.rst.inc rename to nitrokeys/nitrokey3/troubleshooting.rst diff --git a/nkpk/index.rst b/nitrokeys/passkey/index.rst similarity index 100% rename from nkpk/index.rst rename to nitrokeys/passkey/index.rst diff --git a/pro/factory-reset.rst.inc b/nitrokeys/pro/factory-reset.rst similarity index 100% rename from pro/factory-reset.rst.inc rename to nitrokeys/pro/factory-reset.rst diff --git a/pro/faq.rst b/nitrokeys/pro/faq.rst similarity index 94% rename from pro/faq.rst rename to nitrokeys/pro/faq.rst index 930d6a9647..5c348c4443 100644 --- a/pro/faq.rst +++ b/nitrokeys/pro/faq.rst @@ -2,7 +2,7 @@ Nitrokey Pro 2 FAQ ================== -.. include:: ../shared-faqs/nitrokeys.rst.inc +.. include:: ../../shared-faqs/nitrokeys.rst.inc **Q:** What are the default PINs? * **User PIN:** "123456" @@ -11,7 +11,7 @@ Nitrokey Pro 2 FAQ We strongly recommend to change these PINs/password to user-chosen values before using the Nitrokey. -.. include:: ../shared-faqs/pins.rst.inc +.. include:: ../../shared-faqs/pins.rst.inc **Q:** Why does my Nitrokey Pro hang when switching between nitrokey-app and GnuPG? GnuPG and nitrokey-app sometimes tend to hand each other. This is a known problem @@ -41,7 +41,7 @@ Nitrokey Pro 2 FAQ * 128 bit AES, 240 bytes per command -> 930 bytes per second -.. include:: ../shared-faqs/algos.rst.inc +.. include:: ../../shared-faqs/algos.rst.inc **Q:** Does the Nitrokey Pro contain a secure chip or just a normal microcontroller? @@ -68,4 +68,4 @@ Nitrokey Pro 2 FAQ The Nitrokey Pro doesn't contain storage capability for ordinary data (it can only store cryptographic keys and certificates). -.. include:: ../shared-faqs/hyperlinks.rst.inc +.. include:: ../../shared-faqs/hyperlinks.rst.inc diff --git a/pro/firmware-update.rst.inc b/nitrokeys/pro/firmware-update.rst similarity index 58% rename from pro/firmware-update.rst.inc rename to nitrokeys/pro/firmware-update.rst index 8555b7c07c..b43cb39fbe 100644 --- a/pro/firmware-update.rst.inc +++ b/nitrokeys/pro/firmware-update.rst @@ -21,8 +21,8 @@ How to Update 1. Make sure you have the latest `pynitrokey` version installed, please check the `installation instructions <../../software/nitropy/all-platforms/installation.html>`__ for your OS. 2. Download the latest stable `firmware image `__. -.. important:: - For production use you should choose the latest stable version (so only versions, that don’t contain i.e. “pre-release” or “RC”). + .. important:: + For production use you should choose the latest stable version (so only versions, that don’t contain i.e. “pre-release” or “RC”). 3. To apply the update run: @@ -39,25 +39,25 @@ Alternatively `dfu-util` can be used for the firmware update: 1. Install dfu-util -Binaries for Windows are available at: - * http://dfu-util.sourceforge.net/releases/ + Binaries for Windows are available at: + * http://dfu-util.sourceforge.net/releases/ -For macOS binaries are available via Homebrew: - * https://formulae.brew.sh/formula/dfu-util + For macOS binaries are available via Homebrew: + * https://formulae.brew.sh/formula/dfu-util -*macOS only:* Install `dfu-util` via Homebrew + *macOS only:* Install `dfu-util` via Homebrew -.. code-block:: bash + .. code-block:: bash - brew install dfu-util + brew install dfu-util 2. Use Nitrokey App v1.5-RC7 or higher to change the boot mode of the Nitrokey Pro to update mode. 3. Now the following command to apply the update -.. code-block:: bash + .. code-block:: bash - $ dfu-util -D update_binary.bin + $ dfu-util -D update_binary.bin 4. The boot mode can now be changed back again with the Nitrokey App. @@ -77,3 +77,17 @@ Troubleshooting $ locate libnitrokey.so +Linux Permission error +^^^^^^^^^^^^^^^^^^^^^^ + +**Issue:** I get ``permission denied for /dev/hidrawX`` during update. + This likely means your user has not the needed permissions to + read/write the device. Please make sure you have set up the correct + `udev-rules`_. Download this `udev-rules`_ set and place it in your + udev rules directory (e.g., ``/etc/udev/rules.d``). Then remove + your Nitrokey Pro from the USB slot and run: + ``udevadm control --reload-rules && udevadm trigger`` or reboot + your machine. Afterwards the update should work without the + permission issue. + +.. _udev-rules: https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules diff --git a/nitrokeys/pro/getting-started.rst b/nitrokeys/pro/getting-started.rst new file mode 100644 index 0000000000..d3cd78b115 --- /dev/null +++ b/nitrokeys/pro/getting-started.rst @@ -0,0 +1,73 @@ +Getting Started +=============== + +.. contents:: :local: + + +1. + + .. tabs:: + .. tab:: Linux + To access the OpenPGP smart card of the Nitrokey, install the package + libccid. On Debian/Ubuntu based Distributions type in terminal: *sudo + apt-get update && sudo apt-get install libccid* + + If your distribution has a rather old version of libccid (<1.4.21) + you have to add the device information by yourself (for example if + you are using Ubuntu 14.04 or older). In this case please follow + these + `instructions `__. + .. tab:: MacOS + Once you plug in the Nitrokey, your computer will start the Keyboard + Setup Assistant. **Don’t run through this assistant but exit it right + away.** + .. tab:: Windows + Connect your Nitrokey to your computer and confirm all dialogs so + that the USB smart card device driver gets installed almost + automatically. Windows may fail to install an additional device + driver for the smart card. Its safe to ignore this warning. + + +2. Download and start the `Nitrokey + App `__. Follow the + `instructions <../product-guides/change-pins/index.html>`_ + to change the default User PIN (default: 123456) and Admin PIN + (default: 12345678) to your own choices. + +.. figure:: ../features/openpgp-card/images/change-pins/App-change-pin.png + :alt: img + + +Your Nitrokey is now ready to use. + +.. note:: + + - For some Versions of MacOS it is necessary to install custom `ccid + driver `__ + (for information see + `here `__), + but in general MacOS should have the driver onboard. + + - For many use cases described, it is necessary to have either + OpenPGP or S/MIME keys installed on the device (see below). + + +.. tip:: + + Note: For many use cases described, it is necessary to have either + OpenPGP or S/MIME keys installed on the device (see below). + + +Key Creation with OpenPGP or S/MIME +----------------------------------- + +There are two widely used standards for email encryption. While +OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used +by enterprises. If you are in doubt which one to choose, you should use +OpenPGP. + +To learn more about how to use OpenPGP for email encryption with the Nitrokey, +please refer to chapter `OpenPGP Email Encryption <../features/openpgp/index.html>`_. + +To learn more about how to use S/MIME for email encryption with the Nitrokey, +please refer to chapter `S/MIME Email Encryption <../features/smime/index.html>`_. diff --git a/nitrokeys/pro/index.rst b/nitrokeys/pro/index.rst new file mode 100644 index 0000000000..2cec20a8ae --- /dev/null +++ b/nitrokeys/pro/index.rst @@ -0,0 +1,32 @@ +Nitrokey Pro 2 +============== + +.. contents:: :local: + + +First check the: + +.. toctree:: + :maxdepth: 1 + :glob: + + Getting Started + Frequently Asked Questions + +and the product guides: + +.. toctree:: + :maxdepth: 1 + + Update + Factory Reset + +or check out the features: + +* `U2F <../features/u2f/index.html>`_ +* `TOTP <../features/totp/index.html>`_ +* `OpenPGP Card <../features/openpgp-card/index.html>`_ +* `Automatic Screen Lock (Linux) <../features/misc/automatic-screen-lock/index.html>`_ +* `ECC <../features/misc/ecc/index.html>`_ + + diff --git a/start/factory-reset.rst b/nitrokeys/start/factory-reset.rst similarity index 97% rename from start/factory-reset.rst rename to nitrokeys/start/factory-reset.rst index 3bc5fe81db..dca659a0af 100644 --- a/start/factory-reset.rst +++ b/nitrokeys/start/factory-reset.rst @@ -14,7 +14,7 @@ Usage To change the identity it suffices to send a custom CCID command. This could be achieved with ``pynitrokey`` tool: -1. `Install pynitrokey `__. +1. `Install pynitrokey <../../software/nitropy/all-platforms/installation.html>`. 2. Connect your Nitrokey Start and verify that it got recognized. diff --git a/start/faq.rst b/nitrokeys/start/faq.rst similarity index 87% rename from start/faq.rst rename to nitrokeys/start/faq.rst index 728964c7e6..b701c170af 100644 --- a/start/faq.rst +++ b/nitrokeys/start/faq.rst @@ -1,7 +1,7 @@ Nitrokey Start FAQ ================== -.. include:: ../shared-faqs/nitrokeys.rst.inc +.. include:: ../../shared-faqs/nitrokeys.rst.inc **Q:** What are the default PINs? * **User PIN:** "123456" @@ -10,7 +10,7 @@ Nitrokey Start FAQ We strongly recommend to change these PINs/password to user-chosen values before using the Nitrokey. -.. include:: ../shared-faqs/pins.rst.inc +.. include:: ../../shared-faqs/pins.rst.inc **Q:** Which drivers/tools can be used? GnuPG is required for many use cases. It is a command line tool but usually @@ -26,7 +26,7 @@ Nitrokey Start FAQ instructions work Nitrokey as well. In general the official documentation is recommended. -.. include:: ../shared-faqs/algos.rst.inc +.. include:: ../../shared-faqs/algos.rst.inc **Q:** Does the Nitrokey Start contain a secure chip or just a normal microcontroller? @@ -37,6 +37,6 @@ Nitrokey Start FAQ only store cryptographic keys and certificates). -.. include:: ../shared-faqs/hyperlinks.rst.inc +.. include:: ../../shared-faqs/hyperlinks.rst.inc diff --git a/start/linux/firmware-update.rst b/nitrokeys/start/firmware-update.rst similarity index 83% rename from start/linux/firmware-update.rst rename to nitrokeys/start/firmware-update.rst index 6ba94be8c8..d319d3e169 100644 --- a/start/linux/firmware-update.rst +++ b/nitrokeys/start/firmware-update.rst @@ -14,19 +14,10 @@ Firmware Update To update the firmware of your Nitrokey Start, proceed as follows. -1. Install pip3. - .. code-block:: bash - - $ sudo apt install python3-pip - -2. Install pynitrokey. For this you need an Internet connection. - - .. code-block:: bash - - $ pip3 install --user pynitrokey +1. First `install pynitrokey <../../software/nitropy/all-platforms/installation.html>`_. For this you need an Internet connection. -3. Connect your Nitrokey Start and verify its recognition. +2. Connect your Nitrokey Start and verify its recognition. .. rstcheck: ignore-next-code-block .. code-block:: bash @@ -36,13 +27,13 @@ To update the firmware of your Nitrokey Start, proceed as follows. :: 'Nitrokey Start' keys: FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.8) -4. Start the update process. For this you need an Internet connection. +3. Start the update process. For this you need an Internet connection. .. code-block:: bash $ nitropy start update -5. You will then be asked to enter the Admin PIN of your Nitrokey Start. +4. You will then be asked to enter the Admin PIN of your Nitrokey Start. (Default PIN: 12345678) .. code-block:: bash @@ -55,7 +46,7 @@ To update the firmware of your Nitrokey Start, proceed as follows. Saving run log to: /tmp/nitropy.log.d4erqux4 Admin password: "your admin PIN" -6. Under “Device” you will find information about the current version of +5. Under “Device” you will find information about the current version of your Nitrokey Start. In the first item under “Please note” you can see the latest firmware version available. Now you have to confirm the update with “yes”. @@ -88,7 +79,7 @@ To update the firmware of your Nitrokey Start, proceed as follows. - Whole process should not take more than 1 minute Do you want to continue? [yes/no]: yes -7. You can check the firmware version after the upgrade process has +6. You can check the firmware version after the upgrade process has completed. .. rstcheck: ignore-next-code-block diff --git a/start/linux/index.rst b/nitrokeys/start/getting-started.rst similarity index 80% rename from start/linux/index.rst rename to nitrokeys/start/getting-started.rst index 7882065b82..7253b9beb7 100644 --- a/start/linux/index.rst +++ b/nitrokeys/start/getting-started.rst @@ -1,18 +1,24 @@ -Nitrokey Start, Linux -===================== +Getting Started +=============== -.. contents:: :local: -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: +1. + .. tabs:: + .. tab:: Linux + Install ``scdaemon`` and GnuPG 2.1 or higher by using your package + manager (e.g. ``apt update && apt install scdaemon gnupg2`` on Ubuntu). + Install ``scdaemon`` and GnuPG 2.1 or higher by using your package + manager (e.g. ``apt update && apt install scdaemon gnupg2`` on Ubuntu). - * + .. tab:: MacOS + Install `GnuPG 2.1 `__ or higher. -1. Install ``scdaemon`` and GnuPG 2.1 or higher by using your package - manager (e.g. ``apt update && apt install scdaemon gnupg2`` on Ubuntu). -2. Connect your Nitrokey to your computer. + .. tab:: Windows + Install `Gpg4win `__ on your Computer. + +2. Connect your Nitrokey to your computer and confirm all dialogs (if there are any) so + that the USB smart card device driver gets installed almost + automatically. 3. Use GnuPG to `generate new keys or import existing ones `_. diff --git a/nitrokeys/start/index.rst b/nitrokeys/start/index.rst new file mode 100644 index 0000000000..845222d319 --- /dev/null +++ b/nitrokeys/start/index.rst @@ -0,0 +1,27 @@ +Nitrokey Start +============== + +.. contents:: :local: + +First check the: + +.. toctree:: + :maxdepth: 1 + :glob: + + Getting Started + Frequently Asked Questions + +and the product guides: + +.. toctree:: + :maxdepth: 1 + + Multiple Identities + Setting KDF-DO + Factory Reset + Firmware Update + +or check out the features: + +* `OpenPGP Card <../features/openpgp-card/index.html>`_ \ No newline at end of file diff --git a/start/multiple-identities.rst.inc b/nitrokeys/start/multiple-identities.rst similarity index 79% rename from start/multiple-identities.rst.inc rename to nitrokeys/start/multiple-identities.rst index de88bce6b0..b8f916f19f 100644 --- a/start/multiple-identities.rst.inc +++ b/nitrokeys/start/multiple-identities.rst @@ -19,22 +19,22 @@ To change the identity it suffices to send a custom CCID command. This could be 2. Connect your Nitrokey Start and verify that it got recognized. -.. code-block:: bash + :: - $ nitropy start list - *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start - :: 'Nitrokey Start' keys: - FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.10) + $ nitropy start list + *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start + :: 'Nitrokey Start' keys: + FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.10) 3. Change the identity, by replacing ```` with ``0``, ``1``, or ``2``. -.. code-block:: bash + :: - $ nitropy start set-identity - *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start - Trying to set identity to - device has reset, and should now have the new identity + $ nitropy start set-identity + *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start + Trying to set identity to + device has reset, and should now have the new identity Limitations ----------- diff --git a/start/setting-kdf-do.rst.inc b/nitrokeys/start/setting-kdf-do.rst similarity index 100% rename from start/setting-kdf-do.rst.inc rename to nitrokeys/start/setting-kdf-do.rst diff --git a/storage/factory-reset.rst b/nitrokeys/storage/factory-reset.rst similarity index 95% rename from storage/factory-reset.rst rename to nitrokeys/storage/factory-reset.rst index 31ff5e779b..fb710c5987 100644 --- a/storage/factory-reset.rst +++ b/nitrokeys/storage/factory-reset.rst @@ -1,3 +1,6 @@ +Factory reset +============= + .. contents:: :local: There are two types of factory resets for Nitrokey Storage devices: @@ -17,7 +20,7 @@ Password Safe and the Encrypted Volume without performing a factory reset. The factory reset can be triggered in the Nitrokey App with the menu entry ``Configure->Special Configure->Factory reset``. -.. figure:: /storage/images/factory-reset-menu-item.png +.. figure:: images//factory-reset/factory-reset-menu-item.png :alt: factory-reset-menu-item .. note:: diff --git a/storage/faq.rst b/nitrokeys/storage/faq.rst similarity index 97% rename from storage/faq.rst rename to nitrokeys/storage/faq.rst index c06c86f269..6b1811ae3c 100644 --- a/storage/faq.rst +++ b/nitrokeys/storage/faq.rst @@ -4,7 +4,7 @@ Nitrokey Storage FAQ As the Nitrokey Storage 2 is essentially a Nitrokey Pro 2 including a non-volatile (encrypted) storage, the :doc:`Nitrokey Pro 2 FAQ <../pro/faq>` also partly applies. -.. include:: ../shared-faqs/nitrokeys.rst.inc +.. include:: ../../shared-faqs/nitrokeys.rst.inc **Q:** What are the default PINs? * **User PIN:** "123456" @@ -25,7 +25,7 @@ non-volatile (encrypted) storage, the :doc:`Nitrokey Pro 2 FAQ <../pro/faq>` als make sure you first "Destroy encrypted data" inside the Nitrokey App. -.. include:: ../shared-faqs/pins.rst.inc +.. include:: ../../shared-faqs/pins.rst.inc **Q:** Why does my Nitrokey Storage hang when switching between nitrokey-app and GnuPG? @@ -57,7 +57,7 @@ non-volatile (encrypted) storage, the :doc:`Nitrokey Pro 2 FAQ <../pro/faq>` als * 256 bit AES, 240 bytes per command -> 910 bytes per second * 128 bit AES, 240 bytes per command -> 930 bytes per second -.. include:: ../shared-faqs/algos.rst.inc +.. include:: ../../shared-faqs/algos.rst.inc **Q:** Does the Nitrokey Storage contain a secure chip or just a normal microcontroller? Nitrokey Storage contains a tamper resistant smart card. @@ -115,4 +115,4 @@ non-volatile (encrypted) storage, the :doc:`Nitrokey Pro 2 FAQ <../pro/faq>` als Hidden volumes are like containers inside of a container, the encrypted volume. -.. include:: ../shared-faqs/hyperlinks.rst.inc +.. include:: ../../shared-faqs/hyperlinks.rst.inc diff --git a/storage/firmware-update-manually.rst b/nitrokeys/storage/firmware-update-manually.rst similarity index 82% rename from storage/firmware-update-manually.rst rename to nitrokeys/storage/firmware-update-manually.rst index 10cfd13c81..6146f335a4 100644 --- a/storage/firmware-update-manually.rst +++ b/nitrokeys/storage/firmware-update-manually.rst @@ -1,3 +1,7 @@ +Manual Firmware Update +====================== + + .. contents:: :local: .. note:: @@ -24,12 +28,12 @@ Install Balena Etcher Balena Etcher helps us to install the USB image on the USB stick. Please double click on the `previously downloaded installation file `__ and follow the instructions. -.. figure:: /storage/images/firmware-update-manually/1.png +.. figure:: images/firmware-update-manually/1.png :alt: img1 -.. figure:: /storage/images/firmware-update-manually/2.png +.. figure:: images/firmware-update-manually/2.png :alt: img2 @@ -39,29 +43,29 @@ Installing the USB image with Balena Etcher The program usually opens immediately after installation. If not, you will find a shortcut on the desktop. Using the application, select the `previously downloaded image file `__, which ends with “.img.zip”. Now insert the USB stick. It should be recognized automatically. Press “Flash!” to proceed. -.. figure:: /storage/images/firmware-update-manually/3.png +.. figure:: images/firmware-update-manually/3.png :alt: img3 -.. figure:: /storage/images/firmware-update-manually/4.png +.. figure:: images/firmware-update-manually/4.png :alt: img4 You must allow the application to make changes. -.. figure:: /storage/images/firmware-update-manually/5.png +.. figure:: images/firmware-update-manually/5.png :alt: img5 -.. figure:: /storage/images/firmware-update-manually/7.png +.. figure:: images/firmware-update-manually/7.png :alt: img7 -.. figure:: /storage/images/firmware-update-manually/8.png +.. figure:: images/firmware-update-manually/8.png :alt: img8 After the image has been successfully transferred, Windows may ask if the device should be formatted. It is important that you click “Cancel”, otherwise the USB stick will be overwritten by Windows. -.. figure:: /storage/images/firmware-update-manually/9.png +.. figure:: images/firmware-update-manually/9.png :alt: img9 @@ -73,14 +77,14 @@ Now the system must be restarted. The USB stick must remain in the USB port so t After the system has started, please choose the language by typing 1 (English) and hit Enter. -.. figure:: /storage/images/firmware-update-manually/10.png +.. figure:: images/firmware-update-manually/10.png :alt: img10 Please insert the Nitrokey Storage when asked to. -.. figure:: /storage/images/firmware-update-manually/11.png +.. figure:: images/firmware-update-manually/11.png :alt: img11 @@ -88,7 +92,7 @@ Please insert the Nitrokey Storage when asked to. The Firmware Update Mode will be started automatically if the standard password is set. Otherwise you need to input your password and hit enter. -.. figure:: /storage/images/firmware-update-manually/12.png +.. figure:: images/firmware-update-manually/12.png :alt: img12 @@ -99,6 +103,6 @@ Restoring the USB Stick Windows should automatically ask to format your USB Stick as soon as you insert the USB Stick the first time again in Windows. Just accept the request for being able to use the USB Stick as previously. -.. figure:: /storage/images/firmware-update-manually/13.png +.. figure:: images/firmware-update-manually/13.png :alt: img13 diff --git a/nitrokeys/storage/firmware-update.rst b/nitrokeys/storage/firmware-update.rst new file mode 100644 index 0000000000..e90b40eb64 --- /dev/null +++ b/nitrokeys/storage/firmware-update.rst @@ -0,0 +1,104 @@ +Firmware Update +=============== + +.. contents:: :local: + +.. warning:: + + You should backup all data from the device before upgrading, as + firmware upgrades may destroy all data on the device (especially + coming from firmware version <0.45)! + +.. important:: + Never disconnect the Nitrokey Start or abort the process while updating, + this will likely render your device useless + + +.. tabs:: + .. tab:: Linux + 1. Download the `Nitrokey App `__ and the program “dfu-programmer” which should be available through your package-manager, e.g. ``apt-get update && apt-get install dfu-programmer`` on Debian-based systems. + + 2. Download the latest firmware ".hex" file from `here `__ and store it as "firmware.hex" in your home folder. Older releases are `here `__. + + 3. Right click on the icon of the Nitrokey App and go to “Configure” -> “Enable Firmware Update”. The default firmware password is ‘12345678’. + + .. figure:: images/firmware-update/enable-firmware-update.png + :alt: Enable firmware update + + .. note:: + + The Nitrokey Storage is not detected by Nitrokey App anymore once update mode got + activated. You have to proceed with the instructions described below + to make it work again. + + + 4. Open a terminal and execute: + + .. code-block:: bash + + sudo dfu-programmer at32uc3a3256s erase + sudo dfu-programmer at32uc3a3256s flash --suppress-bootloader-mem firmware.hex + sudo dfu-programmer at32uc3a3256s launch + # versions <0.7 of dfu-programmer use "start" instead of "launch" + + whereas “firmware.hex” needs to be the path and file name of the firmware which you downloaded in step 2. + + .. tab:: MacOS + 1. Download the `Nitrokey App `__ and the `Nitrokey Update Tool `__. The Nitrokey Update Tool is currently available for macOS and Windows only. + + 2. Download the latest firmware ".hex" file from `here `__. Older releases are `here `__. + + 3. Right click on the icon of the Nitrokey App and go to “Configure” -> “Enable Firmware Update”. The default firmware password is ‘12345678’. + + .. figure:: images/firmware-update/enable-firmware-update.png + :alt: Enable firmware update + + .. note:: + + The Nitrokey Storage is not detected by Nitrokey App anymore once update mode got + activated. You have to proceed with the instructions described below + to make it work again. + + .. note:: + + If you are using Microsoft Windows Build 1809 and Nitrokey Storage + Firmware 0.52 or lower, you need to use another system or if this is not + feasible use `these + instructions `_ to + enable the Firmware Update mode. + + 4. Start the Nitrokey Update Tool and click “Select firmware file”. Select the previously downloaded firmware ".hex" file. Click on “Update firmware” to start the update process. Your device should get detected by the Nitrokey App again as soon as the update is finished. + + .. figure:: images/firmware-update/nitrokey-update-tool.png + :alt: Nitrokey Update Tool + + .. tab:: Windows + + 1. Download the `Nitrokey App `__ and the `Nitrokey Update Tool `__. The Nitrokey Update Tool is currently available for macOS and Windows only. + + 2. Download the latest firmware ".hex" file from `here `__. Older releases are `here `__. + + 3. Right click on the icon of the Nitrokey App and go to “Configure” -> “Enable Firmware Update”. The default firmware password is ‘12345678’. + + .. figure:: images/firmware-update/enable-firmware-update.png + :alt: Enable firmware update + + .. note:: + + The Nitrokey Storage is not detected by Nitrokey App anymore once update mode got + activated. You have to proceed with the instructions described below + to make it work again. + + .. note:: + + If you are using Microsoft Windows Build 1809 and Nitrokey Storage + Firmware 0.52 or lower, you need to use another system or if this is not + feasible use `these + instructions `_ to + enable the Firmware Update mode. + + 4. Start the Nitrokey Update Tool and click “Select firmware file”. Select the previously downloaded firmware ".hex" file. Click on “Update firmware” to start the update process. Your device should get detected by the Nitrokey App again as soon as the update is finished. + + .. figure:: images/firmware-update/nitrokey-update-tool.png + :alt: Nitrokey Update Tool + diff --git a/nitrokeys/storage/getting-started.rst b/nitrokeys/storage/getting-started.rst new file mode 100644 index 0000000000..d89c16028d --- /dev/null +++ b/nitrokeys/storage/getting-started.rst @@ -0,0 +1,78 @@ +Getting Started +=============== + +.. contents:: :local: + + +1. + .. tabs:: + .. group-tab:: Linux + To access the OpenPGP smart card of the Nitrokey, install the package + libccid. On Debian/Ubuntu based Distributions type in terminal: + .. code-block:: bash + + $ sudo apt-get update && sudo apt-get install libccid + + .. group-tab:: MacOS + Important: Once you plug in the Nitrokey, your computer will start + the Keyboard Setup Assistant. **Don’t run through this assistant but + exit it right away.** + + .. group-tab:: Windows + Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically. + + .. note:: + + Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning. + +2. + .. tabs:: + .. group-tab:: Linux + Download and start the `Nitrokey App `__. + + .. group-tab:: MacOS + Download and start the `Nitrokey App `__. Perhaps you want to store + it on the unencrypted partition of your Nitrokey Storage + + .. group-tab:: Windows + Download and start the `Nitrokey App `__. Perhaps you want to store it on the unencrypted partition of your Nitrokey Storage. There won’t open a window, but an icon appears in the system tray (see screenshot below). Please right-click on this icon to use all the options of the App. + + .. figure:: images/getting-started/Windows10-Systemtray.png + :alt: img1 + +3. Open the About window from Nitrokey App’s menu and check if you have + the `latest + firmware `__ + installed. If it’s not the latest, please + `update `_. + +4. Use the Nitrokey App to change the default User PIN (default: 123456) + and Admin PIN (default: 12345678) to your own choices. + +Your Nitrokey is now ready to use. + +.. note:: + + - For some Versions of MacOS it is necessary to install custom `ccid + driver `__ + (for information see + `here `__), + but in general MacOS should have the driver onboard. + + - For many use cases described, it is necessary to have either + OpenPGP or S/MIME keys installed on the device (see below). + +Key Creation with OpenPGP or S/MIME +----------------------------------- + +There are two widely used standards for email encryption. While +OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used +by enterprises. If you are in doubt which one to choose, you should use +OpenPGP. + +To learn more about how to use OpenPGP for email encryption with the Nitrokey, +please refer to chapter `OpenPGP Email Encryption <../features/openpgp/index.html>`_. + +To learn more about how to use S/MIME for email encryption with the Nitrokey, +please refer to chapter `S/MIME Email Encryption <../features/smime/index.html>`_. + diff --git a/storage/images/factory-reset-menu-item.png b/nitrokeys/storage/images/factory-reset/factory-reset-menu-item.png similarity index 100% rename from storage/images/factory-reset-menu-item.png rename to nitrokeys/storage/images/factory-reset/factory-reset-menu-item.png diff --git a/storage/images/firmware-update-manually/1.png b/nitrokeys/storage/images/firmware-update-manually/1.png similarity index 100% rename from storage/images/firmware-update-manually/1.png rename to nitrokeys/storage/images/firmware-update-manually/1.png diff --git a/storage/images/firmware-update-manually/10.png b/nitrokeys/storage/images/firmware-update-manually/10.png similarity index 100% rename from storage/images/firmware-update-manually/10.png rename to nitrokeys/storage/images/firmware-update-manually/10.png diff --git a/storage/images/firmware-update-manually/11.png b/nitrokeys/storage/images/firmware-update-manually/11.png similarity index 100% rename from storage/images/firmware-update-manually/11.png rename to nitrokeys/storage/images/firmware-update-manually/11.png diff --git a/storage/images/firmware-update-manually/12.png b/nitrokeys/storage/images/firmware-update-manually/12.png similarity index 100% rename from storage/images/firmware-update-manually/12.png rename to nitrokeys/storage/images/firmware-update-manually/12.png diff --git a/storage/images/firmware-update-manually/13.png b/nitrokeys/storage/images/firmware-update-manually/13.png similarity index 100% rename from storage/images/firmware-update-manually/13.png rename to nitrokeys/storage/images/firmware-update-manually/13.png diff --git a/storage/images/firmware-update-manually/2.png b/nitrokeys/storage/images/firmware-update-manually/2.png similarity index 100% rename from storage/images/firmware-update-manually/2.png rename to nitrokeys/storage/images/firmware-update-manually/2.png diff --git a/storage/images/firmware-update-manually/3.png b/nitrokeys/storage/images/firmware-update-manually/3.png similarity index 100% rename from storage/images/firmware-update-manually/3.png rename to nitrokeys/storage/images/firmware-update-manually/3.png diff --git a/storage/images/firmware-update-manually/4.png b/nitrokeys/storage/images/firmware-update-manually/4.png similarity index 100% rename from storage/images/firmware-update-manually/4.png rename to nitrokeys/storage/images/firmware-update-manually/4.png diff --git a/storage/images/firmware-update-manually/5.png b/nitrokeys/storage/images/firmware-update-manually/5.png similarity index 100% rename from storage/images/firmware-update-manually/5.png rename to nitrokeys/storage/images/firmware-update-manually/5.png diff --git a/storage/images/firmware-update-manually/6.png b/nitrokeys/storage/images/firmware-update-manually/6.png similarity index 100% rename from storage/images/firmware-update-manually/6.png rename to nitrokeys/storage/images/firmware-update-manually/6.png diff --git a/storage/images/firmware-update-manually/7.png b/nitrokeys/storage/images/firmware-update-manually/7.png similarity index 100% rename from storage/images/firmware-update-manually/7.png rename to nitrokeys/storage/images/firmware-update-manually/7.png diff --git a/storage/images/firmware-update-manually/8.png b/nitrokeys/storage/images/firmware-update-manually/8.png similarity index 100% rename from storage/images/firmware-update-manually/8.png rename to nitrokeys/storage/images/firmware-update-manually/8.png diff --git a/storage/images/firmware-update-manually/9.png b/nitrokeys/storage/images/firmware-update-manually/9.png similarity index 100% rename from storage/images/firmware-update-manually/9.png rename to nitrokeys/storage/images/firmware-update-manually/9.png diff --git a/storage/images/enable-firmware-update.png b/nitrokeys/storage/images/firmware-update/enable-firmware-update.png similarity index 100% rename from storage/images/enable-firmware-update.png rename to nitrokeys/storage/images/firmware-update/enable-firmware-update.png diff --git a/storage/windows/images/nitrokey-update-tool.png b/nitrokeys/storage/images/firmware-update/nitrokey-update-tool.png similarity index 100% rename from storage/windows/images/nitrokey-update-tool.png rename to nitrokeys/storage/images/firmware-update/nitrokey-update-tool.png diff --git a/storage/windows/images/Windows10-Systemtray.png b/nitrokeys/storage/images/getting-started/Windows10-Systemtray.png similarity index 100% rename from storage/windows/images/Windows10-Systemtray.png rename to nitrokeys/storage/images/getting-started/Windows10-Systemtray.png diff --git a/nitrokeys/storage/index.rst b/nitrokeys/storage/index.rst new file mode 100644 index 0000000000..dd2c5e6be9 --- /dev/null +++ b/nitrokeys/storage/index.rst @@ -0,0 +1,32 @@ +Nitrokey Storage 2 +================== + +.. contents:: :local: + +First check the: + +.. toctree:: + :maxdepth: 1 + :glob: + + Getting Started + Frequently Asked Questions + +and the product guides: + +.. toctree:: + :maxdepth: 2 + + Firmware-Update + Manual Firmware-Update + Factory Reset + +or check out the features: + +* `U2F <../features/u2f/index.html>`_ +* `TOTP <../features/totp/index.html>`_ +* `OpenPGP Card <../features/openpgp-card/index.html>`_ +* `Encrypted Mobile Storage <../features/encrypted-storage/index.html>`_ +* `Hidden Storage <../features/hidden-storage/index.html>`_ +* `Automatic Screen Lock (Linux) <../features/misc/automatic-screen-lock/index.html>`_ +* `ECC <../features/misc/ecc/index.html>`_ \ No newline at end of file diff --git a/nitrokeys/u2f/index.rst b/nitrokeys/u2f/index.rst new file mode 100644 index 0000000000..cce321a267 --- /dev/null +++ b/nitrokeys/u2f/index.rst @@ -0,0 +1,8 @@ +Nitrokey U2F +============ + +.. contents:: :local: + +Check out the features: + +* `U2F <../features/u2f/index.html>`_ diff --git a/nitropad/qubes/change-pins.rst b/nitropad/qubes/change-pins.rst index c14cd241e1..177ab7edae 100644 --- a/nitropad/qubes/change-pins.rst +++ b/nitropad/qubes/change-pins.rst @@ -1 +1 @@ -.. include:: ../../pro/change-pins.rst.inc +.. include:: ../../nitrokeys/features/openpgp-card/change-pins.rst diff --git a/nitropad/ubuntu/change-pins.rst b/nitropad/ubuntu/change-pins.rst index 5e1a030d4a..177ab7edae 100644 --- a/nitropad/ubuntu/change-pins.rst +++ b/nitropad/ubuntu/change-pins.rst @@ -1 +1 @@ -.. include:: ../../pro/change-pins.rst.inc +.. include:: ../../nitrokeys/features/openpgp-card/change-pins.rst diff --git a/pro/2fa-odoo.rst.inc b/pro/2fa-odoo.rst.inc deleted file mode 100644 index cdf8ede5d4..0000000000 --- a/pro/2fa-odoo.rst.inc +++ /dev/null @@ -1,29 +0,0 @@ -Two-Factor Authentication For ERP Software Odoo -=============================================== - -.. only:: comment - - .. contents:: :local: - -`Odoo `__ is a powerful ERP (Enterprise Resource Planning) software for companies of all sizes. Odoo is available as open source and contains modules for CRM, website, e-commerce, accounting, financial accounting, production, warehouse management, project management, document management, among others. - -The secure access to such a central software is especially important and can now be realized with the Nitrokey. For this purpose access is protected by two-factor authentication (2FA) and critical users are given a Nitrokey. From now on during login the Nitrokey will be checked in addition to the user's password. Phishing attacks are thus foiled and your critical company data is protected. - -The two-factor authentication can be carried out using one-time passwords (TOTP, RFC 6238) and FIDO U2F, thus enabling Nitrokey Pro, Nitrokey Storage and Nitrokey FIDO U2F to be used. It is also possible to configure authentication centrally and to activate it only for selected users. - -The FIDO solution was developed together with our partner `initOS `__, who are specialized in the development and customization of Odoo. If you are interested, `contact us `__. - -.. only::: comment - - `Contact `__ - -Video: Two-Factor Authentication With The Nitrokey Pro in Odoo --------------------------------------------------------------- - -.. raw:: html - - diff --git a/pro/hard-disk-encryption.rst.inc b/pro/hard-disk-encryption.rst.inc deleted file mode 100644 index d9b8a1887e..0000000000 --- a/pro/hard-disk-encryption.rst.inc +++ /dev/null @@ -1,36 +0,0 @@ -.. only:: comment - - .. contents:: :local: - -VeraCrypt (formerly TrueCrypt) ------------------------------- - -`VeraCrypt `__ is a free and Open Source disk encryption software for Windows, macOS, and GNU+Linux. It is the successor of TrueCrypt and thus recommended, although the following instructions should apply to TrueCrypt as well. - -Follow these steps to use the program with `Nitrokey `__: - -1. Install the latest release of - `OpenSC `__, or download the - `PKCS#11 library `__. -2. Choose the library in VeraCrypt under Settings>Preferences>Security - Token (location depends on system, e.g. ``/usr/lib/opensc``). -3. Generate a 64 Byte key file via Tools>Keyfile Generator. -4. Now you should be able to import the generated key file via - Tools>Manage Security Token Keyfiles. You should choose the first - Slot (``[0] User PIN``). The keyfile is then stored on the Nitrokey - as ‘Private Data Object 1’ (``PrivDO1``). -5. After this you should wipe the original keyfile on your Computer - securely! -6. Now you can use VeraCrypt with the Nitrokey: Create a container, - choose the keyfile on the device as an alternative to a password. - -.. warning:: - - Security Consideration - - Please note that VeraCrypt doesn’t make use of the full security - which Nitrokey (and smart cards in general) offer. Instead it stores - a keyfile on the Nitrokey which theoretically could be stolen by a - computer virus after the user enters the PIN. - -Note: `Aloaha Crypt `__ is based on TrueCrypt/VeraCrypt but without the described security limitation. diff --git a/pro/index.rst b/pro/index.rst deleted file mode 100644 index 8cde11bc4d..0000000000 --- a/pro/index.rst +++ /dev/null @@ -1,24 +0,0 @@ -Nitrokey Pro 2 -============== - -.. contents:: :local: - - -First check the: - -.. toctree:: - :maxdepth: 1 - :glob: - - Frequently Asked Questions - -or choose your operating system: - -.. toctree:: - :maxdepth: 1 - :glob: - - Windows - macOS - Linux - diff --git a/pro/linux/2fa-google.rst b/pro/linux/2fa-google.rst deleted file mode 100644 index 86dba65c75..0000000000 --- a/pro/linux/2fa-google.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../2fa-google.rst.inc diff --git a/pro/linux/2fa-nextcloud.rst b/pro/linux/2fa-nextcloud.rst deleted file mode 100644 index 386b9c5756..0000000000 --- a/pro/linux/2fa-nextcloud.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../windows/2fa-nextcloud.rst diff --git a/pro/linux/2fa-odoo.rst b/pro/linux/2fa-odoo.rst deleted file mode 100644 index afac57530c..0000000000 --- a/pro/linux/2fa-odoo.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../2fa-odoo.rst.inc \ No newline at end of file diff --git a/pro/linux/certificate-authority.rst b/pro/linux/certificate-authority.rst deleted file mode 100644 index a0e4791b50..0000000000 --- a/pro/linux/certificate-authority.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../hsm/certificate-authority.rst.inc diff --git a/pro/linux/change-pins.rst b/pro/linux/change-pins.rst deleted file mode 100644 index 253d97d4bb..0000000000 --- a/pro/linux/change-pins.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../change-pins.rst.inc diff --git a/pro/linux/ecc.rst b/pro/linux/ecc.rst deleted file mode 100644 index ff7150cad4..0000000000 --- a/pro/linux/ecc.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../ecc.rst.inc diff --git a/pro/linux/factory-reset.rst b/pro/linux/factory-reset.rst deleted file mode 100644 index 41182c6c07..0000000000 --- a/pro/linux/factory-reset.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../factory-reset.rst.inc diff --git a/pro/linux/firmware-update.rst b/pro/linux/firmware-update.rst deleted file mode 100644 index edcb6af54c..0000000000 --- a/pro/linux/firmware-update.rst +++ /dev/null @@ -1,13 +0,0 @@ -.. include:: ../firmware-update.rst.inc - -**Issue:** I get ``permission denied for /dev/hidrawX`` during update. - This likely means your user has not the needed permissions to - read/write the device. Please make sure you have set up the correct - `udev-rules`_. Download this `udev-rules`_ set and place it in your - udev rules directory (e.g., ``/etc/udev/rules.d``). Then remove - your Nitrokey Pro from the USB slot and run: - ``udevadm control --reload-rules && udevadm trigger`` or reboot - your machine. Afterwards the update should work without the - permission issue. - -.. _udev-rules: https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules diff --git a/pro/linux/gpa.rst b/pro/linux/gpa.rst deleted file mode 100644 index c2bb5534e0..0000000000 --- a/pro/linux/gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../gpa.rst diff --git a/pro/linux/index.rst b/pro/linux/index.rst deleted file mode 100644 index e9c7c61de3..0000000000 --- a/pro/linux/index.rst +++ /dev/null @@ -1,52 +0,0 @@ -Nitrokey Pro, Linux -=================== - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -1. To access the OpenPGP smart card of the Nitrokey, install the package - libccid. On Debian/Ubuntu based Distributions type in terminal: *sudo - apt-get update && sudo apt-get install libccid* - - If your distribution has a rather old version of libccid (<1.4.21) - you have to add the device information by yourself (for example if - you are using Ubuntu 14.04 or older). In this case please follow - these - `instructions `__. - -2. Download and start the `Nitrokey - App `__. Follow the - `instructions `_ - to change the default User PIN (default: 123456) and Admin PIN - (default: 12345678) to your own choices. - -.. figure:: ./images/App-change-pin.png - :alt: img - - -Your Nitrokey is now ready to use. - -.. tip:: - - Note: For many use cases described, it is necessary to have either - OpenPGP or S/MIME keys installed on the device (see below). - -Key Creation with OpenPGP or S/MIME ------------------------------------ - -There are two widely used standards for email encryption. While -OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used -by enterprises. If you are in doubt which one to choose, you should use -OpenPGP. - -To learn more about how to use OpenPGP for email encryption with the Nitrokey, -please refer to chapter `OpenPGP Email Encryption `_. - -To learn more about how to use S/MIME for email encryption with the Nitrokey, -please refer to chapter `S/MIME Email Encryption `_. diff --git a/pro/linux/ipsec.rst b/pro/linux/ipsec.rst deleted file mode 100644 index cfc9264144..0000000000 --- a/pro/linux/ipsec.rst +++ /dev/null @@ -1,4 +0,0 @@ -IPsec -===== - -.. include:: ../../hsm/ipsec.rst.inc diff --git a/pro/linux/login-with-pam.rst b/pro/linux/login-with-pam.rst deleted file mode 100644 index d31038785b..0000000000 --- a/pro/linux/login-with-pam.rst +++ /dev/null @@ -1,4 +0,0 @@ -Login With PAM -=========================== - -.. include:: ../login-with-pam.rst.inc diff --git a/pro/linux/openpgp-keygen-backup.rst b/pro/linux/openpgp-keygen-backup.rst deleted file mode 100644 index 7d3886ecef..0000000000 --- a/pro/linux/openpgp-keygen-backup.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-keygen-backup.rst.inc diff --git a/pro/linux/openpgp-keygen-gpa.rst b/pro/linux/openpgp-keygen-gpa.rst deleted file mode 100644 index 797b8412fc..0000000000 --- a/pro/linux/openpgp-keygen-gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-keygen-gpa.rst.inc diff --git a/pro/linux/openpgp-keygen-on-device.rst b/pro/linux/openpgp-keygen-on-device.rst deleted file mode 100644 index 9d0b148be6..0000000000 --- a/pro/linux/openpgp-keygen-on-device.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-keygen-on-device.rst.inc diff --git a/pro/linux/openpgp-outlook.rst b/pro/linux/openpgp-outlook.rst deleted file mode 100644 index 53ef3da2da..0000000000 --- a/pro/linux/openpgp-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-outlook.rst.inc diff --git a/pro/linux/openpgp-thunderbird.rst b/pro/linux/openpgp-thunderbird.rst deleted file mode 100644 index 2a21baf43f..0000000000 --- a/pro/linux/openpgp-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-thunderbird.rst.inc diff --git a/pro/linux/openpgp.rst b/pro/linux/openpgp.rst deleted file mode 100644 index dd1a2cdd44..0000000000 --- a/pro/linux/openpgp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp.rst.inc diff --git a/pro/linux/otp.rst b/pro/linux/otp.rst deleted file mode 100644 index 9c050e58fa..0000000000 --- a/pro/linux/otp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../otp.rst.inc diff --git a/pro/linux/smime-outlook.rst b/pro/linux/smime-outlook.rst deleted file mode 100644 index ce4ca6f530..0000000000 --- a/pro/linux/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../smime-outlook.rst.inc diff --git a/pro/linux/smime-thunderbird.rst b/pro/linux/smime-thunderbird.rst deleted file mode 100644 index fb35c7a207..0000000000 --- a/pro/linux/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../smime-thunderbird.rst.inc diff --git a/pro/linux/smime.rst b/pro/linux/smime.rst deleted file mode 100644 index 9a7ca24e7c..0000000000 --- a/pro/linux/smime.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../smime.rst.inc diff --git a/pro/linux/ssh.rst b/pro/linux/ssh.rst deleted file mode 100644 index fa067a4ab1..0000000000 --- a/pro/linux/ssh.rst +++ /dev/null @@ -1,4 +0,0 @@ -SSH For Server Administration -============================= - -.. include:: ../ssh.rst diff --git a/pro/linux/stunnel.rst b/pro/linux/stunnel.rst deleted file mode 100644 index 94a9982dac..0000000000 --- a/pro/linux/stunnel.rst +++ /dev/null @@ -1,4 +0,0 @@ -Stunnel -======= - -.. include:: ../../hsm/stunnel.rst.inc diff --git a/pro/mac/2fa-google.rst b/pro/mac/2fa-google.rst deleted file mode 100644 index 86dba65c75..0000000000 --- a/pro/mac/2fa-google.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../2fa-google.rst.inc diff --git a/pro/mac/2fa-nextcloud.rst b/pro/mac/2fa-nextcloud.rst deleted file mode 100644 index 0d3141141f..0000000000 --- a/pro/mac/2fa-nextcloud.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../2fa-nextcloud.rst.inc diff --git a/pro/mac/2fa-odoo.rst b/pro/mac/2fa-odoo.rst deleted file mode 100644 index afac57530c..0000000000 --- a/pro/mac/2fa-odoo.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../2fa-odoo.rst.inc \ No newline at end of file diff --git a/pro/mac/change-pins.rst b/pro/mac/change-pins.rst deleted file mode 100644 index 253d97d4bb..0000000000 --- a/pro/mac/change-pins.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../change-pins.rst.inc diff --git a/pro/mac/ecc.rst b/pro/mac/ecc.rst deleted file mode 100644 index ff7150cad4..0000000000 --- a/pro/mac/ecc.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../ecc.rst.inc diff --git a/pro/mac/factory-reset.rst b/pro/mac/factory-reset.rst deleted file mode 100644 index 41182c6c07..0000000000 --- a/pro/mac/factory-reset.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../factory-reset.rst.inc diff --git a/pro/mac/firmware-update.rst b/pro/mac/firmware-update.rst deleted file mode 100644 index 97c722b20c..0000000000 --- a/pro/mac/firmware-update.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../firmware-update.rst.inc diff --git a/pro/mac/gpa.rst b/pro/mac/gpa.rst deleted file mode 100644 index c2bb5534e0..0000000000 --- a/pro/mac/gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../gpa.rst diff --git a/pro/mac/hard-disk-encryption.rst b/pro/mac/hard-disk-encryption.rst deleted file mode 100644 index 8091011fe8..0000000000 --- a/pro/mac/hard-disk-encryption.rst +++ /dev/null @@ -1,4 +0,0 @@ -Hard Disk Encryption -=========================== - -.. include:: ../hard-disk-encryption.rst.inc diff --git a/pro/mac/images/App-change-pin.png b/pro/mac/images/App-change-pin.png deleted file mode 100644 index 17ffc072d2..0000000000 Binary files a/pro/mac/images/App-change-pin.png and /dev/null differ diff --git a/pro/mac/index.rst b/pro/mac/index.rst deleted file mode 100644 index 91aee577ae..0000000000 --- a/pro/mac/index.rst +++ /dev/null @@ -1,51 +0,0 @@ -Nitrokey Pro, Mac -================= - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -1. Once you plug in the Nitrokey, your computer will start the Keyboard - Setup Assistant. **Don’t run through this assistant but exit it right - away.** -2. Download and start the `Nitrokey - App `__. Follow the - `instructions `_ - to change the default User PIN (default: 123456) and Admin PIN - (default: 12345678) to your own choices. - -.. figure:: ./images/App-change-pin.png - :alt: img - - -Your Nitrokey is now ready to use. - -.. note:: - - - For some Versions of MacOS it is necessary to install custom `ccid - driver `__ - (for information see - `here `__), - but in general MacOS should have the driver onboard. - - - For many use cases described, it is necessary to have either - OpenPGP or S/MIME keys installed on the device (see below). - -Key Creation with OpenPGP or S/MIME ------------------------------------ - -There are two widely used standards for email encryption. While -OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used -by enterprises. If you are in doubt which one to choose, you should use -OpenPGP. - -To learn more about how to use OpenPGP for email encryption with the Nitrokey, -please refer to chapter `OpenPGP Email Encryption `_. - -To learn more about how to use S/MIME for email encryption with the Nitrokey, -please refer to chapter `S/MIME Email Encryption `_. diff --git a/pro/mac/openpgp-keygen-backup.rst b/pro/mac/openpgp-keygen-backup.rst deleted file mode 100644 index 7d3886ecef..0000000000 --- a/pro/mac/openpgp-keygen-backup.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-keygen-backup.rst.inc diff --git a/pro/mac/openpgp-keygen-gpa.rst b/pro/mac/openpgp-keygen-gpa.rst deleted file mode 100644 index 797b8412fc..0000000000 --- a/pro/mac/openpgp-keygen-gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-keygen-gpa.rst.inc diff --git a/pro/mac/openpgp-keygen-on-device.rst b/pro/mac/openpgp-keygen-on-device.rst deleted file mode 100644 index 9d0b148be6..0000000000 --- a/pro/mac/openpgp-keygen-on-device.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-keygen-on-device.rst.inc diff --git a/pro/mac/openpgp-outlook.rst b/pro/mac/openpgp-outlook.rst deleted file mode 100644 index 53ef3da2da..0000000000 --- a/pro/mac/openpgp-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-outlook.rst.inc diff --git a/pro/mac/openpgp-thunderbird.rst b/pro/mac/openpgp-thunderbird.rst deleted file mode 100644 index 2a21baf43f..0000000000 --- a/pro/mac/openpgp-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-thunderbird.rst.inc diff --git a/pro/mac/openpgp.rst b/pro/mac/openpgp.rst deleted file mode 100644 index 56599a3f36..0000000000 --- a/pro/mac/openpgp.rst +++ /dev/null @@ -1,2 +0,0 @@ -.. include:: ../openpgp.rst.inc - diff --git a/pro/mac/otp.rst b/pro/mac/otp.rst deleted file mode 100644 index 9c050e58fa..0000000000 --- a/pro/mac/otp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../otp.rst.inc diff --git a/pro/mac/smime-outlook.rst b/pro/mac/smime-outlook.rst deleted file mode 100644 index ce4ca6f530..0000000000 --- a/pro/mac/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../smime-outlook.rst.inc diff --git a/pro/mac/smime-thunderbird.rst b/pro/mac/smime-thunderbird.rst deleted file mode 100644 index fb35c7a207..0000000000 --- a/pro/mac/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../smime-thunderbird.rst.inc diff --git a/pro/mac/smime.rst b/pro/mac/smime.rst deleted file mode 100644 index 9a7ca24e7c..0000000000 --- a/pro/mac/smime.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../smime.rst.inc diff --git a/pro/openpgp.rst.inc b/pro/openpgp.rst.inc deleted file mode 100644 index e3ff07503e..0000000000 --- a/pro/openpgp.rst.inc +++ /dev/null @@ -1,6 +0,0 @@ -OpenPGP Email Encryption -======================== - -.. contents:: :local: - -.. include:: ../../shared/openpgp.rst.inc diff --git a/pro/smart-policy.rst.inc b/pro/smart-policy.rst.inc deleted file mode 100644 index 4dfe76da02..0000000000 --- a/pro/smart-policy.rst.inc +++ /dev/null @@ -1,97 +0,0 @@ -Login to Windows Domain Computers With MS Active Directory -========================================================== - -.. contents:: :local: - -1. Download and install the latest - `OpenSC `__. -2. Use a text editor to add the following settings to - ``C:\Program Files:\OpenSC Project\OpenSC\opensc.conf``. - -.. code-block:: bash - - # Nitrokey Pro 2, OpenPGP Card, Nitrokey Storage 2 - card_atr 3b:da:18:ff:81:b1:fe:75:1f:03:00:31:f5:73:c0:01:60:00:90:00:1c { - type = 9002; - driver = "openpgp"; - # name = "Nitrokey Pro 2"; - md_read_only = false; - md_supports_X509_enrollment = true; - } - # Nitrokey Pro, OpenPGP Card - card_atr 3B:DA:18:FF:81:B1:FE:75:1F:03:00:31:C5:73:C0:01:40:00:90:00:0C { - type = 9002; - driver = "openpgp"; - # name = "Nitrokey Pro"; - md_read_only = false; - md_supports_X509_enrollment = true; - } - # Nitrokey HSM 2, SmartCard-HSM - card_atr 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c { - type = 26000; - driver = "sc-hsm"; - # name = "Nitrokey HSM 2"; - md_read_only = false; - md_supports_X509_enrollment = true; - } - # Nitrokey HSM, SmartCard-HSM - card_atr 3B:FE:18:00:00:81:31:FE:45:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:FA { - type = 26000; - driver = "sc-hsm"; - # name = "Nitrokey HSM"; - md_read_only = false; - md_supports_X509_enrollment = true; - } - - -3. Open a command terminal and enter “regedit”. Use regedit to import - `this - file `__. -4. Now you can enroll Nitrokeys for your users managed in Microsoft - Active Directory. You may either use Microsoft PKI, - `gpgsm `__, - or `Smart - Policy `__. - The following steps describe the usage of Smart Policy. -5. `Download `__ - and install Smart Policy. -6. Select “Read a smart card” - -.. figure:: /pro/images/smart-policy/1.png - :alt: img1 - - - -7. Select the certificate, mapping, and user. - -.. figure:: /pro/images/smart-policy/2.png - :alt: img2 - - - -8. Verify the device status via CRL. - -.. figure:: /pro/images/smart-policy/3.png - :alt: img3 - - - -9. Choose a Group Policy Object (GPO). - -.. figure:: /pro/images/smart-policy/4.png - :alt: img4 - - - -10. Confirm applying the mapping. - -.. figure:: /pro/images/smart-policy/5.png - :alt: img5 - - - -From now on, when logging on to your Windows computer you need to connect the Nitrokey and enter your PIN. - -.. figure:: /pro/images/smart-policy/6.png - :alt: img6 - diff --git a/pro/windows/2fa-google.rst b/pro/windows/2fa-google.rst deleted file mode 100644 index 86dba65c75..0000000000 --- a/pro/windows/2fa-google.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../2fa-google.rst.inc diff --git a/pro/windows/2fa-nextcloud.rst b/pro/windows/2fa-nextcloud.rst deleted file mode 100644 index 0d3141141f..0000000000 --- a/pro/windows/2fa-nextcloud.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../2fa-nextcloud.rst.inc diff --git a/pro/windows/2fa-odoo.rst b/pro/windows/2fa-odoo.rst deleted file mode 100644 index afac57530c..0000000000 --- a/pro/windows/2fa-odoo.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../2fa-odoo.rst.inc \ No newline at end of file diff --git a/pro/windows/certificate-authority.rst b/pro/windows/certificate-authority.rst deleted file mode 100644 index a0e4791b50..0000000000 --- a/pro/windows/certificate-authority.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../hsm/certificate-authority.rst.inc diff --git a/pro/windows/change-pins.rst b/pro/windows/change-pins.rst deleted file mode 100644 index 253d97d4bb..0000000000 --- a/pro/windows/change-pins.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../change-pins.rst.inc diff --git a/pro/windows/ecc.rst b/pro/windows/ecc.rst deleted file mode 100644 index ff7150cad4..0000000000 --- a/pro/windows/ecc.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../ecc.rst.inc diff --git a/pro/windows/eidauthenticate.rst b/pro/windows/eidauthenticate.rst deleted file mode 100644 index 36d4268852..0000000000 --- a/pro/windows/eidauthenticate.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../eidauthenticate.rst.inc diff --git a/pro/windows/factory-reset.rst b/pro/windows/factory-reset.rst deleted file mode 100644 index 41182c6c07..0000000000 --- a/pro/windows/factory-reset.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../factory-reset.rst.inc diff --git a/pro/windows/firmware-update.rst b/pro/windows/firmware-update.rst deleted file mode 100644 index 97c722b20c..0000000000 --- a/pro/windows/firmware-update.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../firmware-update.rst.inc diff --git a/pro/windows/gpa.rst b/pro/windows/gpa.rst deleted file mode 100644 index c2bb5534e0..0000000000 --- a/pro/windows/gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../gpa.rst diff --git a/pro/windows/hard-disk-encryption.rst b/pro/windows/hard-disk-encryption.rst deleted file mode 100644 index 8091011fe8..0000000000 --- a/pro/windows/hard-disk-encryption.rst +++ /dev/null @@ -1,4 +0,0 @@ -Hard Disk Encryption -=========================== - -.. include:: ../hard-disk-encryption.rst.inc diff --git a/pro/windows/images/App-change-pin.png b/pro/windows/images/App-change-pin.png deleted file mode 100644 index 17ffc072d2..0000000000 Binary files a/pro/windows/images/App-change-pin.png and /dev/null differ diff --git a/pro/windows/index.rst b/pro/windows/index.rst deleted file mode 100644 index 1e0d8956df..0000000000 --- a/pro/windows/index.rst +++ /dev/null @@ -1,46 +0,0 @@ -Nitrokey Pro, Windows -===================== - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -Getting Started ---------------- - -1. Connect your Nitrokey to your computer and confirm all dialogs so - that the USB smart card device driver gets installed almost - automatically. Windows may fail to install an additional device - driver for the smart card. Its safe to ignore this warning. -2. Download and start the `Nitrokey - App `__. -3. Go to “Menu” -> “Configure” to change the User PIN (default: 123456) - and Admin PIN (default: 12345678) to your own choices. - -.. figure:: ./images/App-change-pin.png - :alt: img - - -Your Nitrokey is now ready to use. - -.. note:: - For many use cases described, it is necessary to have either OpenPGP or S/MIME keys installed on the device (see below). - -Key Creation with OpenPGP or S/MIME -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -There are two widely used standards for email encryption. While -OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used -by enterprises. If you are in doubt which one to choose, you should use -OpenPGP. - -To learn more about how to use OpenPGP for email encryption with the Nitrokey, -please refer to chapter `OpenPGP Email Encryption `_. - -To learn more about how to use S/MIME for email encryption with the Nitrokey, -please refer to chapter `S/MIME Email Encryption `_. diff --git a/pro/windows/openpgp-keygen-backup.rst b/pro/windows/openpgp-keygen-backup.rst deleted file mode 100644 index 7d3886ecef..0000000000 --- a/pro/windows/openpgp-keygen-backup.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-keygen-backup.rst.inc diff --git a/pro/windows/openpgp-keygen-gpa.rst b/pro/windows/openpgp-keygen-gpa.rst deleted file mode 100644 index 797b8412fc..0000000000 --- a/pro/windows/openpgp-keygen-gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-keygen-gpa.rst.inc diff --git a/pro/windows/openpgp-keygen-on-device.rst b/pro/windows/openpgp-keygen-on-device.rst deleted file mode 100644 index 9d0b148be6..0000000000 --- a/pro/windows/openpgp-keygen-on-device.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-keygen-on-device.rst.inc diff --git a/pro/windows/openpgp-outlook.rst b/pro/windows/openpgp-outlook.rst deleted file mode 100644 index 53ef3da2da..0000000000 --- a/pro/windows/openpgp-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-outlook.rst.inc diff --git a/pro/windows/openpgp-thunderbird.rst b/pro/windows/openpgp-thunderbird.rst deleted file mode 100644 index 2a21baf43f..0000000000 --- a/pro/windows/openpgp-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp-thunderbird.rst.inc diff --git a/pro/windows/openpgp.rst b/pro/windows/openpgp.rst deleted file mode 100644 index dd1a2cdd44..0000000000 --- a/pro/windows/openpgp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../openpgp.rst.inc diff --git a/pro/windows/openvpn-easyrsa.rst b/pro/windows/openvpn-easyrsa.rst deleted file mode 100644 index 5131a6e41c..0000000000 --- a/pro/windows/openvpn-easyrsa.rst +++ /dev/null @@ -1,674 +0,0 @@ -OpenVPN Configuration with Easy-RSA -=================================== - -.. contents:: :local: - :depth: 2 - -.. note:: - - This guide is work-in-progress, and will be updated accordinlgy. Please take this status into consideration. - -This guide shows how to configure OpenVPN clients to login using a `Nitrokey Pro -2 `__ or a `Nitrokey Storage -2 `__. For software key management we will be using `Easy-RSA `__, a utility that has been evolving alongside OpenVPN. - -To sign the certificates, we will use a `Nitrokey HSM -2 `__ set up as `Certificate Authority <../../hsm/windows/certificate-authority.html#creating-the-intermediate-certificate-authority>`_, however this guide does not cover the set up of the CA itself (it is clear and `well documented here <../../hsm/windows/certificate-authority.html#sign-a-server-certificate>`_). - -We will use Easy-RSA, because it seems to provide some flexibility, and allows key management via external PKIs. We will use it on the server to issue the signing request, and repeat the same process on the client. The Certificate Signing Requests will be signed by the CA on the Nitorkey HSM, and re-transmitted to the server and the client. - - -Prerequisites -------------- - -In the following documentation we will require 3 different machines as following: - -- OpenVPN server (v. 2.5) on Debian 10 (EC2 virtual machine - AWS) - -- OpenVPN client (v. 2.4.9) on Fedora 30 (local machine) - -- The Certificate Authority will be accessible from a standalone - machine with Fedora 30 (local machine) - -To interact with the devices we will require `OpenSC -0.20 `__ installed on the client and CA machine (the local machines). You can follow the instructions to set it up in `this link (*Unix) `__. - -To download the dependencies on Fedora machines we can this instruction: - -.. code-block:: bash - - su -c 'dnf install readline-devel openssl-devel libxslt docbook-style-xsl pcsc-lite-devel automake autoconf libtool gcc zlib-devel' - -For Debian Linux, more recent OpenSC packages are available `here `__. - -We will use the following Nitrokeys for physical key management: - -- An authentication key using the `Nitrokey Pro 2 - (pdf) `__ - -- A Certificate Authority (CA) using the `Nitrokey HSM 2 - (pdf) `__ - -As a reminder, to build a Certificate Authority on Nitrokey HSM 2, you may follow the instructions available `in the documentation `_. - -Alternatively you may set up your own CA on a `on a separate machine `__, or use the OpenVPN tutorial which also relies on `Easy-RSA `__. The last 2 options rely on software solutions for key management. - --------------- - -Server side ------------ - -1. Install OpenVPN -^^^^^^^^^^^^^^^^^^ - - 1. First we need to enable IP Forwarding by editing ``/etc/sysctl.conf`` file - - .. code-block:: bash - - $ editor /etc/sysctl.conf - - 2. Uncomment or edit accordingly the following line - - .. code-block:: bash - - net.ipv4.ip_forward=1 - - 3. Close after saving it, and enter this command - - .. code-block:: bash - - $ sysctl -p - - Once IP forwarding is done, we will need to download the latest release of OpenvPN for our Debian 10 server, according to `these instructions `__: - - 4. Change to root and download the GPG key that signed the package - - .. code-block:: bash - - $ sudo -s - # wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - - - 5. Add the URL of the adequate OpenVPN packages to the ``sources.list`` file - - .. code-block:: bash - - # echo "deb http://build.openvpn.net/debian/openvpn/release/2.5 buster main" > /etc/apt/sources.list.d/openvpn-aptrepo.list - # exit - - We downloaded OpenVPN 2.5 as “password prompt” requires at least OpenVPN `version - 2.4.8 `__ to login. - - 6. Next we download OpenVPN - - .. code-block:: bash - - $ sudo apt install openvpn - - If you want to check the version, it possible by calling ``--version`` - and print the following: - - :: - - $ sudo openvpn --version - OpenVPN 2.5_beta3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 1 2020 - library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10 - Originally developed by James Yonan - Copyright (C) 2002-2018 OpenVPN Inc - Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no \ enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes \ enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no \ enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no \ enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no \ enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes \ with_mem_check=no with_sysroot=no - -2. Install Easy-RSA -^^^^^^^^^^^^^^^^^^^ - - To build the PKI, we will download the latest version of Easy-RSA on the server and client machines. To get the latest release, go to the `Releases page on the official EasyRSA GitHub project `__, copy the download link for the file ending in ``.tgz``, and then paste it into the following command: - - 1. Download the latest release - - .. code-block:: bash - - $ cd ~ - $ wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz - - 2. Extract the tarball - - .. code-block:: bash - - $ cd ~ - $ tar xvf EasyRSA-3.0.7.tgz - $ mv EasyRSA-3.0.7/ easyrsa/ # rename folder - -3. Create a PKI for OpenVPN server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - Before you can create your OpenVPN server’s private key and certificate, you need to create a local Public Key Infrastructure directory on your OpenVPN server. You will use this directory to manage the server and clients’ certificate requests, instead of making them directly on your CA server. - - To build a PKI directory on your OpenVPN server, you’ll need to populate a file called ``vars`` with some default values. - - 1. Create a ``vars`` file - - .. code-block:: bash - - $ touch ~/easyrsa/vars - $ cd easyrsa/ - $ editor vars - - 2. Once the file is opened, paste in the following two lines - - .. code-block:: bash - - set_var EASYRSA_ALGO "ec" - set_var EASYRSA_DIGEST "sha512" - - These are the only two lines that you need in this ``vars`` file on your OpenVPN server since it will not be used as a Certificate Authority. They will ensure that your private keys and certificate requests are configured to use Elliptic Curve Cryptography (ECC) to generate keys, and secure signatures for your clients and OpenVPN server. - - In regards to the choice of the cryptographic algorithms, I follow the model in `this tutorial `__, and you can customize these according to your specific needs. - - 3. Initialize the PKI - - Once you have populated the ``vars`` file you can proceed with creating the PKI directory. To do so, run the easyrsa script with the init-pki option: - - .. code-block:: bash - - $ ./easyrsa init-pki - - After you’ve initialized your PKI on the OpenVPN server, you are ready to move on to the next step, which is creating an OpenVPN server certificate request and private key. - -4. Create ``server.req`` and ``server.key`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - Now that your OpenVPN server has all the prerequisites installed, the next step is to generate a key pair composed of a private key (to keep secret), and a Certificate Signing Request (``.csr``) on your OpenVPN server. - - In general terms, on systems where we generate a key and request, these files are left unencrypted by using the ``nopass`` argument, since servers usually need to start up without any password input. This generates an *unencrypted key*, so mind *protect its access and file permissions* carefully. - - .. tip:: - - Configuration notes from OpenVPN: - - 1. The server, and each client, must have their own cert and key - file. The server and all clients will use the same CA file. - 2. Server certificate should have the following: - - - ``keyUsage: digitalSignature, keyEncipherment`` - - - ``extendedKeyUsage: serverAuth`` - - 1. Create the signing request for the server - - Navigate to the ``~/easyrsa`` directory on your OpenVPN Server as your non-root user, and enter the following commands: - - .. code-block:: bash - - $ cd easyrsa/ - $ ./easyrsa gen-req server nopass - - This will create a private key for the server and a certificate request file called ``server.req``. - - Once you have a signed certificate, you’ll transfer it back to the OpenVPN server. - - 2. Copy the key to the OpenVPN server directory - - .. code-block:: bash - - $ sudo cp /home/admin/EasyRSA/pki/private/server.key /etc/openvpn/server/ - - After completing these steps, you have successfully created a private key for your OpenVPN server. You have also generated a Certificate Signing Request for the OpenVPN server. - - .. tip:: - - File extensions for certificate signing requests - - The file extension that is adopted by the CA and HSM tutorial - indicates the creation of a ``.csr`` file, however Easy-RSA creates - certificate signing requests with a ``.req`` extension. - - We will use interchangeably both extensions, while making sure that - we transfer the right files to the Certificate Authority, and - generate a final certificate with a ``.crt`` extension. - - In the next section of this guide, we will sign a ``.req`` file with our CA on deployed on the HSM 2 device. For this purpose, I will use a dedicated machine to sign the requests. - -5. Sign and retrieve ``server.crt`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - The following instructions require the transfer of the ``server.req`` - (or ``server.csr``) file to the CA system. - - The transfer itself is not security sensitive, though it is wise to verify if the received file matches the sender’s copy, if the transport is untrusted. - - In order to go through these steps, I will extensively rely on `these instructions `_, to sign the certificate signing requests, once we generated them with Easy-RSA. - - 1. Sign the ``server.req`` file - - On the local machine dedicated to access the HSM, we will use the tools provided by Opensc 0.20 in order to sign the ``.req`` file, and send it back to the OpenVPN server. We assume we have transferred the file from the server machine to the CA machine. - - First we start by plugging the HSM Nitrokey, and enter this instruction for listing the keys available. - - 1. Query the list of available devices - - :: - - $ p11tool --list-all - - **(Required step)** If this is the first time you sign a certificate with the CA, you might want to retrieve the URI of the CA’s private key from the HSM, and include it in the config file. - - - The key’s URI should be in this format: - - :: - - pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private - - 2. Create ``openvpn/`` directory under ``certificate-authority/`` - - .. code-block:: bash - - $ mkdir/opt/certificate-authority/ - $ cd /opt/certificate-authority/ - - 3. Sign the ``server.req`` - - .. code-block:: bash - - $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in server.req -out /home/user/pki/issued/server.crt - - 2. Retrieve the ``server.crt`` file to the server machine - - 1. Transfer the signed certificates to the server - - From the CA machine, copy the files ``server.crt`` and ``chain.crt`` to the OpenVPN server. In this example we will use the ``scp`` command as following: - - .. code-block:: bash - - $ scp openvpn/{server.crt,chain.crt} admin@your_openvpnserver_ip:/tmp - - 2. Place the certificates on the server’s directory - - .. code-block:: bash - - $ mv /tmp/{server.crt,chain.crt} /etc/openvpn/server - - .. warning:: - - CA Certificate and ``chain.crt`` - - In the above, the CA returns the signed sever certificate, and - includes the CA certificate ``CA.crt`` which is the ``chain.crt`` - file. This can be done over an insecure channel, though the client is - encouraged to confirm if the received ``chain.crt`` is valid, if the - transport is untrusted. - - It is possible to rename the file ``chain.crt`` file to ``CA.crt`` on - the target machine, however we will use ``chain.crt`` in the next - instructions. - -6. Configure the OpenVPN server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - A connection that uses TLS requires multiple `certificates and keys for authentication `__. Now that we issued and signed those, we can place them in the right directories. The breakdown of the certificates and keys that must be located at the root directory are the following: - - :: - - OpenVPN server - - - The root certificate file (CA.crt or chain.crt in our setup) - - Server certificate - - Server key - - Diffie Hellman Parameters (optional) - - On your OpenVPN server, now you can create the configuration file ``server.conf`` with your favorite text editor. The file can be configured according to your needs, while we make sure to change the server certificate and key sections according the names you chose for the your the files we signed: - - .. code-block:: bash - - # OpenVPN Server Certificate - CA, server key and certificate - ca chain.crt - cert server.crt - key server.key - - Here is the configuration file we can use for testing these instructions: - - .. code-block:: bash - - port 1194 - proto udp - dev tun - ca ca.crt - cert server.crt - key server.key # This file should be kept secret - dh dh.pem - server 10.8.0.0 255.255.255.0 - push "redirect-gateway def1 bypass-dhcp" - push "dhcp-option DNS 208.67.222.222" - push "dhcp-option DNS 208.67.220.220" - keepalive 10 120 - tls-auth ta.key 0 # This file is secret - cipher AES-256-CBC - user nobody - group nogroup - persist-key - persist-tun - status /var/log/openvpn/openvpn-status.log - log /var/log/openvpn/openvpn.log - log-append /var/log/openvpn/openvpn.log - verb 3 - explicit-exit-notify 1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - - To test if the configuration functions properly, we can use this command: - - .. code-block:: bash - - $ sudo openvpn --server --config server.conf - -7. Start the OpenVPN service on the server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - Enable the OpenVPN service by adding it to systemctl, and start it using these commands: - - .. code-block:: bash - - $ sudo systemctl -f enable openvpn@server - $ sudo systemctl start openvpn@server - - To Double check if the OpenVPN service is active use this command: - - .. code-block:: bash - - $ sudo systemctl status openvpn@server - - The OpenVPN should be running at this point. - --------------- - -Client side configuration -------------------------- - -1. Install OpenVPN and Easy-RSA -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - 1. Install the software - - We can use directly ``dnf install`` to install OpenVPN 2.4.9 and Easy-RSA 3.0.7 - - .. code-block:: bash - - $ sudo dnf install openvpn easy-rsa - - 2. Then we create as non-root a directory for Easy RSA called ``Easy-RSA`` - - .. code-block:: bash - - $ mkdir ~/easyrsa - - 3. And link it to the Easy RSA package we just installed - - .. code-block:: bash - - $ ln -s /usr/share/easy-rsa/3/* ~/easyrsa/ - -2. Create a PKI for the OpenVPN client -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - In the same manner we created a PKI on the OpenVPN server, we will create a PKI using Easy-RSA on the client side. - -3. Create a ``client.req`` and ``client.key`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - In the same manner we issued the key pair on the sever, we generate a key pair for the client which will be composed of the ``client.req`` - file and the ``client.key`` file. The latter must be kept secret on the client machine. - -4. Sign ``client.req`` and issue the ``client.crt`` file -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - To transfer the ``client.req`` file to the CA machine, we will use the same method as we did for the ``server.req`` file. - - Once transferred, on the CA machine we sign the certificate signing request file with this command - - .. code-block:: bash - - $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in client.req -out /home/user/pki/issued/client.crt - -5. Import ``client.crt`` on the Nitrokey from the CA machine -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - After creating the ``client.crt`` file, we plug the Nitrokey Pro 2 device in the CA machine, and import the ``.crt`` to the Pro 2 device using this command: - - .. code-block:: bash - - $ pkcs15-init --store-certificate client.crt --id 3 - - You can see if the key is effectively stored on the Nitrokey using this command: - - .. code-block:: bash - - $ pkcs15-tool -c - - Or alternatively - - .. code-block:: bash - - $ pkcs11-tool --list-objects - - Fore more commands you can refer to the `OpenSC wiki `__. - -6. Retrieve the ``chain.crt`` file from the CA machine -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - While we keep the ``client.crt``\ stored on the nitrokey Pro 2 device, we must retrieve the ``chain.crt`` file on the client machine, and store it in the adequate directory. We may use ``scp`` as in the method explained in the server section of this guide. - -7. Configure the client to interact with the Nitrokey -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - Now back on the client machine, we will plug the Nitrokey Pro and use it to establish the VPN connection with the server. In general terms, a connection that uses TLS requires multiple certificates and keys for authentication: - - :: - - OpenVPN client - - The root certificate file (`chain.crt`) - - Client certificate - - Client key - - For this guide we can the following ``client.conf`` file, and add the required options to it accordingly: - - .. code-block:: bash - - client - dev tun - proto udp - remote 1194 - resolv-retry infinite - nobind - user nobody - group nobody - persist-key - persist-tun - ca ca.crt - remote-cert-tls server - cipher AES-256-CBC - verb 3 - redirect-gateway def1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - - 1. Determine the correct object - - Each PKCS#11 provider can support multiple devices. In order to view the available object list you can use the following command: - - .. code-block:: bash - - $ openvpn --show-pkcs11-ids /usr/lib64/pkcs11/opensc-pkcs11.so - - The following objects are available for use. - Each object shown below may be used as parameter to - - --pkcs11-id option please remember to use single quote mark. - - Certificate - DN: CN=client - Serial: E53DA75C5B8F1518F520BCEF0128C09F - Serialized id: pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03 - - Each certificate/private key pair have unique ``Serialized id`` string. The serialized id string of the requested certificate should be specified, in the configuration file. We can do this by adding the ``pkcs11-id`` option using single quote marks. - - .. code-block:: bash - - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - - 2. Add retrieved Serialized ID to the configuration file - - Using your favorite text editor, open the server.conf file, and add the following lines, while taking care to insert your own ``Serialized id``: - - .. code-block:: bash - - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - - For additional `settings related to OpenVPN `__ authentication, you may also add few lines to handle key maganagement, although it is optional. - - .. note:: - - Click to view the code - - .. code-block:: bash - - # nitrokey config - - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - # pkcs11-pin-cache 300 - # daemon - # auth-retry nointeract - # management-hold - # management-signal - # management 127.0.0.1 8888 - # management-query-passwords - pkcs11-cert-private 1 # Prompt for PIN - - Optional step - - - If you need to test the configuration, with and without the token on the Nitrokey, you may add lines to the same ``client.conf`` and comment/uncomment the relevant lines according to your needs: - - .. note:: - - Click to view the code - - .. code-block:: bash - - # non_nitrokey login - - # cert client.crt - # key client.key - # tls-auth ta.key 1 - - 3. Configure the OpenVPN client - - The final configuration file ``client.conf`` should look like this one: - - .. code-block:: bash - - client - dev tun - proto udp - remote 1194 - resolv-retry infinite - nobind - user nobody - group nobody - persist-key - persist-tun - ca ca.crt - remote-cert-tls server - cipher AES-256-CBC - verb 3 - redirect-gateway def1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - - # nitrokey login - - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - # pkcs11-pin-cache 300 - # daemon - # auth-retry nointeract - # management-hold - # management-signal - # management 127.0.0.1 8888 - # management-query-passwords - pkcs11-cert-private 1 # Prompt for PIN - - # OR - - # non_nitrokey login - - # cert client.crt - # key client.key - # tls-auth ta.key 1 - - 4. Configure OpenVPN - - In order to establish a handshake, you must configure OpenSSL included in OpenVPN. - - Create the directory ``ssl`` in ``C:\Program Files\OpenVPN`` and create file ``openssl.cnf`` with the following content : - - openssl_conf = default_conf - - [ default_conf ] - ssl_conf = ssl_sect - - [ ssl_sect ] - system_default = ssl_default_sect - - [ ssl_default_sect ] - SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512:RSA+SHA384:ECDSA+SHA384:RSA+SHA256:ECDSA+SHA256 - MaxProtocol = TLSv1.2 - MinProtocol = TLSv1.2 - - - With this modification, you will not have error as reported `here `__, `here `__ and `here `__ - - - - 5. Known issues - - There are some known issues related to OpenVPN login with OpenSC. Please consult these issues `here `__. - -8. Start the OpenVPN client -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - 1. Start the OpenVPN service on the client - - Enable the OpenVPN service, and start it using these commands: - - .. code-block:: bash - - $ sudo systemctl -f enable openvpn-server@server.service - $ sudo systemctl start openvpn-server@server.service - - To double check if the OpenVPN service is active use this command: - - .. code-block:: bash - - $ sudo systemctl status openvpn-server@server.service - - 2. Enter your User PIN - - When executing OpenVPN client, Nitrokey’s PIN needs to be entered: - - :: - - $ sudo openvpn --client --config client.conf - Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 - Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 - Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' - Enter User PIN (OpenPGP card) token Password: ****** - - - In some reported cases it does not prompt for a PIN on the terminal. One workaround would be to use to use this command to login with the PIN: - - :: - - $ telnet 8888 password 'User PIN (OpenPGP card) token' - - Alternatively, you could `recompile OpenVPN `__ client with systemd support disabled, and it will prompt you for the PIN as expected. - - Another option, would be to login to your OpenVPN instance with the Viscosity client which provides a better user experience especially for entering the PIN. diff --git a/pro/windows/otp.rst b/pro/windows/otp.rst deleted file mode 100644 index 9c050e58fa..0000000000 --- a/pro/windows/otp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../otp.rst.inc diff --git a/pro/windows/putty.rst b/pro/windows/putty.rst deleted file mode 100644 index 186e1d37a7..0000000000 --- a/pro/windows/putty.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../putty.rst.inc diff --git a/pro/windows/smart-policy.rst b/pro/windows/smart-policy.rst deleted file mode 100644 index 1b921eef8e..0000000000 --- a/pro/windows/smart-policy.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../smart-policy.rst.inc diff --git a/pro/windows/smime-outlook.rst b/pro/windows/smime-outlook.rst deleted file mode 100644 index ce4ca6f530..0000000000 --- a/pro/windows/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../smime-outlook.rst.inc diff --git a/pro/windows/smime-thunderbird.rst b/pro/windows/smime-thunderbird.rst deleted file mode 100644 index fb35c7a207..0000000000 --- a/pro/windows/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../smime-thunderbird.rst.inc diff --git a/pro/windows/smime.rst b/pro/windows/smime.rst deleted file mode 100644 index c2fe514a64..0000000000 --- a/pro/windows/smime.rst +++ /dev/null @@ -1,9 +0,0 @@ -.. include:: ../smime.rst.inc - :end-line: 20 - -.. note:: - Windows users with 64-bit system (standard) need to install both, the 32-bit and the 64-bit version of OpenSC! - -.. include:: ../smime.rst.inc - :start-line: 20 - diff --git a/software/nitropy/all-platforms/installation.rst b/software/nitropy/all-platforms/installation.rst index 7a60638186..607aecac76 100644 --- a/software/nitropy/all-platforms/installation.rst +++ b/software/nitropy/all-platforms/installation.rst @@ -133,8 +133,5 @@ See :doc:`../linux/udev` for more information. Next Steps ---------- -You can find more information on using nitropy in these guides: +You can find more information on using nitropy in this `guide <../../nitrokeys/nitrokey3/firmware-update>`_. -- For Linux: :doc:`../../../nitrokey3/linux/firmware-update` -- For Mac: :doc:`../../../nitrokey3/mac/firmware-update` -- For Windows: :doc:`../../../nitrokey3/windows/firmware-update` diff --git a/start/index.rst b/start/index.rst deleted file mode 100644 index 05f3ccd653..0000000000 --- a/start/index.rst +++ /dev/null @@ -1,23 +0,0 @@ -Nitrokey Start -============== - -.. contents:: :local: - -First check the: - -.. toctree:: - :maxdepth: 1 - :glob: - - Frequently Asked Questions - -or choose your operating system: - -.. toctree:: - :maxdepth: 1 - :glob: - - Windows - macOS - Linux - diff --git a/start/linux/factory-reset.rst b/start/linux/factory-reset.rst deleted file mode 100644 index c1fcf5041f..0000000000 --- a/start/linux/factory-reset.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../factory-reset.rst diff --git a/start/linux/gpa.rst b/start/linux/gpa.rst deleted file mode 100644 index 398ae468bc..0000000000 --- a/start/linux/gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/gpa.rst diff --git a/start/linux/ipsec.rst b/start/linux/ipsec.rst deleted file mode 100644 index cfc9264144..0000000000 --- a/start/linux/ipsec.rst +++ /dev/null @@ -1,4 +0,0 @@ -IPsec -===== - -.. include:: ../../hsm/ipsec.rst.inc diff --git a/start/linux/login-with-pam.rst b/start/linux/login-with-pam.rst deleted file mode 100644 index 4eee0f04a2..0000000000 --- a/start/linux/login-with-pam.rst +++ /dev/null @@ -1,4 +0,0 @@ -Login With PAM -=========================== - -.. include:: ../../pro/login-with-pam.rst.inc diff --git a/start/linux/multiple-identities.rst b/start/linux/multiple-identities.rst deleted file mode 100644 index 46ed8387d4..0000000000 --- a/start/linux/multiple-identities.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../multiple-identities.rst.inc diff --git a/start/linux/openpgp-keygen-backup.rst b/start/linux/openpgp-keygen-backup.rst deleted file mode 100644 index b4528e0139..0000000000 --- a/start/linux/openpgp-keygen-backup.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-backup.rst.inc diff --git a/start/linux/openpgp-keygen-gpa.rst b/start/linux/openpgp-keygen-gpa.rst deleted file mode 100644 index 472d298006..0000000000 --- a/start/linux/openpgp-keygen-gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-gpa.rst.inc diff --git a/start/linux/openpgp-keygen-on-device.rst b/start/linux/openpgp-keygen-on-device.rst deleted file mode 100644 index fc90850b8e..0000000000 --- a/start/linux/openpgp-keygen-on-device.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-on-device.rst.inc diff --git a/start/linux/openpgp-outlook.rst b/start/linux/openpgp-outlook.rst deleted file mode 100644 index fa4e7dd855..0000000000 --- a/start/linux/openpgp-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-outlook.rst.inc diff --git a/start/linux/openpgp-thunderbird.rst b/start/linux/openpgp-thunderbird.rst deleted file mode 100644 index 59e0956c63..0000000000 --- a/start/linux/openpgp-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-thunderbird.rst.inc diff --git a/start/linux/openpgp.rst b/start/linux/openpgp.rst deleted file mode 100644 index fb8b25042e..0000000000 --- a/start/linux/openpgp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp.rst.inc diff --git a/start/linux/setting-kdf-do.rst b/start/linux/setting-kdf-do.rst deleted file mode 100644 index f9ff6236c0..0000000000 --- a/start/linux/setting-kdf-do.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../setting-kdf-do.rst.inc diff --git a/start/linux/smime-outlook.rst b/start/linux/smime-outlook.rst deleted file mode 100644 index acd45a24a9..0000000000 --- a/start/linux/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-outlook.rst.inc diff --git a/start/linux/smime-thunderbird.rst b/start/linux/smime-thunderbird.rst deleted file mode 100644 index 4ae43d43ba..0000000000 --- a/start/linux/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-thunderbird.rst.inc diff --git a/start/linux/smime.rst b/start/linux/smime.rst deleted file mode 100644 index 5029a3135c..0000000000 --- a/start/linux/smime.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime.rst.inc diff --git a/start/linux/ssh.rst b/start/linux/ssh.rst deleted file mode 100644 index 792071f9a1..0000000000 --- a/start/linux/ssh.rst +++ /dev/null @@ -1,4 +0,0 @@ -SSH For Server Administration -============================= - -.. include:: ../../pro/ssh.rst diff --git a/start/linux/stunnel.rst b/start/linux/stunnel.rst deleted file mode 100644 index 94a9982dac..0000000000 --- a/start/linux/stunnel.rst +++ /dev/null @@ -1,4 +0,0 @@ -Stunnel -======= - -.. include:: ../../hsm/stunnel.rst.inc diff --git a/start/mac/factory-reset.rst b/start/mac/factory-reset.rst deleted file mode 100644 index c1fcf5041f..0000000000 --- a/start/mac/factory-reset.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../factory-reset.rst diff --git a/start/mac/gpa.rst b/start/mac/gpa.rst deleted file mode 100644 index 398ae468bc..0000000000 --- a/start/mac/gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/gpa.rst diff --git a/start/mac/index.rst b/start/mac/index.rst deleted file mode 100644 index 04e1917cea..0000000000 --- a/start/mac/index.rst +++ /dev/null @@ -1,58 +0,0 @@ -Nitrokey Start, Mac -=================== - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -1. Install `GnuPG 2.1 `__ or higher. -2. Connect your Nitrokey to your computer and confirm all dialogs so - that the USB smart card device driver gets installed almost - automatically. -3. Use GnuPG to `generate new keys or import existing - ones `_. - - .. note:: - It is indeed necessary to first import or create new keys and - change the PINs afterwards. Otherwise changing User PIN will fail! - Furthermore overriding keys results in PIN reset (default values), - please keep this in mind! - -4. Change the Admin PIN (default: ``12345678``) and then the User PIN (default: ``123456``) to your own choices. - - * The PIN must consist of at least 14 characters (starting from RTM.8), can contain any character (not only numbers). Do not select only numbers. If your environment allows that, use emoticons or national characters. - * The longer the PIN the better. It is possible to use 6 randomly selected words instead as well for the same or better security than random character string. - * Use ‘gpg –card-edit’ -> ‘admin’ -> ‘passwd’ to achieve this (for Admin PIN case). - * Please be careful to change Admin PIN first and User PIN second! Otherwise the admin-less mode got activated, see `this instructions `__ for further information. - * Optionally Reset code can be set up (`guide `__). The minimum length accepted is 8 characters, however it should be as long as User PIN. - * KDF-DO allows for a shorter PIN of 8 characters minimum, by executing part of the calculations on the PC. - -**Firmware version 1.2.5 or below: In case you forget a PIN or enter it -wrongly three times you need the reset code to unblock the PIN. -Otherwise the device wouldn’t be usable anymore! Therefore -please** `set the reset -code `__ **as -well when initialising the key!** - -Your Nitrokey is now ready to use. - -Key Creation with OpenPGP or S/MIME -################################### - -There are two widely used standards for email -encryption. While OpenPGP/GnuPG is popular among individuals, -S/MIME/x.509 is mostly used by enterprises. If you are in doubt which -one to choose, you should use OpenPGP. - -To learn more about how to use OpenPGP for email encryption with the Nitrokey, -please refer to chapter `OpenPGP Email Encryption `_. - -To learn more about how to use S/MIME for email encryption with the Nitrokey, -please refer to chapter `S/MIME Email Encryption `_. - -Please note that the Nitrokey App can not be used for this device! diff --git a/start/mac/multiple-identities.rst b/start/mac/multiple-identities.rst deleted file mode 100644 index 46ed8387d4..0000000000 --- a/start/mac/multiple-identities.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../multiple-identities.rst.inc diff --git a/start/mac/openpgp-keygen-backup.rst b/start/mac/openpgp-keygen-backup.rst deleted file mode 100644 index b4528e0139..0000000000 --- a/start/mac/openpgp-keygen-backup.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-backup.rst.inc diff --git a/start/mac/openpgp-keygen-gpa.rst b/start/mac/openpgp-keygen-gpa.rst deleted file mode 100644 index 472d298006..0000000000 --- a/start/mac/openpgp-keygen-gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-gpa.rst.inc diff --git a/start/mac/openpgp-keygen-on-device.rst b/start/mac/openpgp-keygen-on-device.rst deleted file mode 100644 index fc90850b8e..0000000000 --- a/start/mac/openpgp-keygen-on-device.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-on-device.rst.inc diff --git a/start/mac/openpgp-outlook.rst b/start/mac/openpgp-outlook.rst deleted file mode 100644 index fa4e7dd855..0000000000 --- a/start/mac/openpgp-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-outlook.rst.inc diff --git a/start/mac/openpgp-thunderbird.rst b/start/mac/openpgp-thunderbird.rst deleted file mode 100644 index 59e0956c63..0000000000 --- a/start/mac/openpgp-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-thunderbird.rst.inc diff --git a/start/mac/openpgp.rst b/start/mac/openpgp.rst deleted file mode 100644 index fb8b25042e..0000000000 --- a/start/mac/openpgp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp.rst.inc diff --git a/start/mac/setting-kdf-do.rst b/start/mac/setting-kdf-do.rst deleted file mode 100644 index f9ff6236c0..0000000000 --- a/start/mac/setting-kdf-do.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../setting-kdf-do.rst.inc diff --git a/start/mac/smime-outlook.rst b/start/mac/smime-outlook.rst deleted file mode 100644 index acd45a24a9..0000000000 --- a/start/mac/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-outlook.rst.inc diff --git a/start/mac/smime-thunderbird.rst b/start/mac/smime-thunderbird.rst deleted file mode 100644 index 4ae43d43ba..0000000000 --- a/start/mac/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-thunderbird.rst.inc diff --git a/start/mac/smime.rst b/start/mac/smime.rst deleted file mode 100644 index 5029a3135c..0000000000 --- a/start/mac/smime.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime.rst.inc diff --git a/start/windows/factory-reset.rst b/start/windows/factory-reset.rst deleted file mode 100644 index c1fcf5041f..0000000000 --- a/start/windows/factory-reset.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../factory-reset.rst diff --git a/start/windows/gpa.rst b/start/windows/gpa.rst deleted file mode 100644 index 398ae468bc..0000000000 --- a/start/windows/gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/gpa.rst diff --git a/start/windows/index.rst b/start/windows/index.rst deleted file mode 100644 index 9333e86a0d..0000000000 --- a/start/windows/index.rst +++ /dev/null @@ -1,57 +0,0 @@ -Nitrokey Start, Windows -======================= - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -1. Install `Gpg4win `__ on your Computer. -2. Connect your Nitrokey to your computer and confirm all dialogs so - that the USB smart card device driver gets installed almost - automatically. - - .. note:: - Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning. - -3. Use GnuPG to `generate new keys or import existing ones `_. - - .. note:: - It is indeed necessary to first import or create new keys and change the PINs afterwards. Otherwise changing User PIN will fail! Furthermore overriding keys results in PIN reset (default values), please keep this in mind! - -4. Change the Admin PIN (default: ``12345678``) and then the User PIN (default: ``123456``) to your own choices. - - * The PIN must consist of at least 14 characters (starting from RTM.8), can contain any character (not only numbers). Do not select only numbers. If your environment allows that, use emoticons or national characters. - * The longer the PIN the better. It is possible to use 6 randomly selected words instead as well for the same or better security than random character string. - * Use ‘gpg –card-edit’ -> ‘admin’ -> ‘passwd’ to achieve this (for Admin PIN case). - Please be careful to change Admin PIN first and User PIN second! Otherwise the admin-less mode got activated, see `this instructions `__ for further information. - * Optionally Reset code can be set up (`guide `__). The minimum length accepted is 8 characters, however it should be as long as User PIN. - * KDF-DO allows for a shorter PIN of 8 characters minimum, by executing part of the calculations on the PC. - -**Firmware version 1.2.5 or below: In case you forget a PIN or enter it -wrongly three times you need the reset code to unblock the PIN. -Otherwise the device wouldn’t be usable anymore! Therefore -please** `set the reset -code `__ **as -well when initialising the key!** - -Your Nitrokey is now ready to use. - -Key Creation with OpenPGP or S/MIME -################################### - -There are two widely used standards for email -encryption. While OpenPGP/GnuPG is popular among individuals, -S/MIME/x.509 is mostly used by enterprises. If you are in doubt which -one to choose, you should use OpenPGP. - -To learn more about how to use OpenPGP for email encryption with the Nitrokey, -please refer to chapter `OpenPGP Email Encryption `_. - -To learn more about how to use S/MIME for email encryption with the Nitrokey, -please refer to chapter `S/MIME Email Encryption `_. - -Please note that the Nitrokey App can not be used for this device! diff --git a/start/windows/multiple-identities.rst b/start/windows/multiple-identities.rst deleted file mode 100644 index 46ed8387d4..0000000000 --- a/start/windows/multiple-identities.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../multiple-identities.rst.inc diff --git a/start/windows/openpgp-keygen-backup.rst b/start/windows/openpgp-keygen-backup.rst deleted file mode 100644 index b4528e0139..0000000000 --- a/start/windows/openpgp-keygen-backup.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-backup.rst.inc diff --git a/start/windows/openpgp-keygen-gpa.rst b/start/windows/openpgp-keygen-gpa.rst deleted file mode 100644 index 472d298006..0000000000 --- a/start/windows/openpgp-keygen-gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-gpa.rst.inc diff --git a/start/windows/openpgp-keygen-on-device.rst b/start/windows/openpgp-keygen-on-device.rst deleted file mode 100644 index fc90850b8e..0000000000 --- a/start/windows/openpgp-keygen-on-device.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-on-device.rst.inc diff --git a/start/windows/openpgp-outlook.rst b/start/windows/openpgp-outlook.rst deleted file mode 100644 index fa4e7dd855..0000000000 --- a/start/windows/openpgp-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-outlook.rst.inc diff --git a/start/windows/openpgp-thunderbird.rst b/start/windows/openpgp-thunderbird.rst deleted file mode 100644 index 59e0956c63..0000000000 --- a/start/windows/openpgp-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-thunderbird.rst.inc diff --git a/start/windows/openpgp.rst b/start/windows/openpgp.rst deleted file mode 100644 index fb8b25042e..0000000000 --- a/start/windows/openpgp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp.rst.inc diff --git a/start/windows/putty.rst b/start/windows/putty.rst deleted file mode 100644 index 6f0427a82f..0000000000 --- a/start/windows/putty.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/putty.rst.inc diff --git a/start/windows/setting-kdf-do.rst b/start/windows/setting-kdf-do.rst deleted file mode 100644 index f9ff6236c0..0000000000 --- a/start/windows/setting-kdf-do.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../setting-kdf-do.rst.inc diff --git a/start/windows/smime-outlook.rst b/start/windows/smime-outlook.rst deleted file mode 100644 index acd45a24a9..0000000000 --- a/start/windows/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-outlook.rst.inc diff --git a/start/windows/smime-thunderbird.rst b/start/windows/smime-thunderbird.rst deleted file mode 100644 index 4ae43d43ba..0000000000 --- a/start/windows/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-thunderbird.rst.inc diff --git a/start/windows/smime.rst b/start/windows/smime.rst deleted file mode 100644 index 5029a3135c..0000000000 --- a/start/windows/smime.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime.rst.inc diff --git a/storage/hidden.rst b/storage/hidden.rst deleted file mode 100644 index 11d2b103aa..0000000000 --- a/storage/hidden.rst +++ /dev/null @@ -1,42 +0,0 @@ -Hidden Volumes -============== - -Hidden volumes allow hiding data inside of the encrypted volume. This data is protected by an additional passphrase. Without the passphrase, it is impossible to know whether hidden volumes are present. -They are not configured with a default password so that their existence can be `denied plausibly `__. -The concept is similar to `VeraCrypt's/TrueCrypt's hidden volume `__ but with Nitrokey Storage the entire functionality of hidden volumes is implemented in hardware. - -You can configure up to four hidden volumes. Once unlocked, hidden volumes behave like ordinary storage where you can create various partitions, filesystems and store files as you like. - -.. warning:: - If you chose to use hidden volumes, you must not write any data to the encrypted volume, or you risk loosing data in the hidden volume. - -.. note:: - Hidden volumes are hidden within the free space of the encrypted volume, which will be overwritten when writing data to the encrypted volume. - There are no mechanisms to prevent accidental overwritting of hidden data, as they would reveal the existence of hidden volumes. - Data written to the encrypted volume before the creation of the hidden volume can still be read. - -.. figure:: /storage/images/hidden-schema.svg - :alt: Hidden volume description. The hidden volumes are within the free space of the encrypted volume. - - -Configuring hidden volumes --------------------------- - -.. tip:: - Copy some files to the encrypted volume prior to creating the hidden volume. - -.. note:: - Using a journaling filesystem may risk overwriting the hidden data. The encrypted filesystem is formated to FAT32 by default, and it is recommended to leave it that way when using hidden volumes. - - -1. Unlock the encrypted volume using the Nitrokey App. -2. In the menu, select "setup hidden volume". - - .. figure:: /storage/images/setup_hidden_volume.png - :alt: menu containing the hidden volume setup utility. - -3. Enter a strong passphrase twice. Unlike the encrypted volume PIN, there are no limit to the number of attempts at opening hidden volumes, so the strength of the passphrase is extremely important. -4. Define the storage area to be used. Hidden volumes are stored in the free areas of the encrypted volume. When creating multiple hidden volume, you need to allocate a part of the free area for each volume, making sure they do not overlap. - - .. figure:: /storage/images/hidden-storage-passphrase.png - :alt: Hidden volume dialog box diff --git a/storage/index.rst b/storage/index.rst deleted file mode 100644 index 3713f0eeb8..0000000000 --- a/storage/index.rst +++ /dev/null @@ -1,23 +0,0 @@ -Nitrokey Storage 2 -================== - -.. contents:: :local: - -First check the: - -.. toctree:: - :maxdepth: 1 - :glob: - - Frequently Asked Questions - -or choose your operating system: - -.. toctree:: - :maxdepth: 1 - :glob: - - Windows - macOS - Linux - diff --git a/storage/linux/2fa-google.rst b/storage/linux/2fa-google.rst deleted file mode 100644 index 3a1e74fcc1..0000000000 --- a/storage/linux/2fa-google.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/2fa-google.rst.inc diff --git a/storage/linux/2fa-nextcloud.rst b/storage/linux/2fa-nextcloud.rst deleted file mode 100644 index fe77d2b27e..0000000000 --- a/storage/linux/2fa-nextcloud.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/2fa-nextcloud.rst.inc diff --git a/storage/linux/2fa-odoo.rst b/storage/linux/2fa-odoo.rst deleted file mode 100644 index dc5f45a3f0..0000000000 --- a/storage/linux/2fa-odoo.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/2fa-odoo.rst.inc diff --git a/storage/linux/automatic-screen-lock.rst b/storage/linux/automatic-screen-lock.rst deleted file mode 100644 index d8f8332ad1..0000000000 --- a/storage/linux/automatic-screen-lock.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/linux/automatic-screen-lock.rst diff --git a/storage/linux/certificate-authority.rst b/storage/linux/certificate-authority.rst deleted file mode 100644 index a0e4791b50..0000000000 --- a/storage/linux/certificate-authority.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../hsm/certificate-authority.rst.inc diff --git a/storage/linux/change-pins.rst b/storage/linux/change-pins.rst deleted file mode 100644 index c14cd241e1..0000000000 --- a/storage/linux/change-pins.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/change-pins.rst.inc diff --git a/storage/linux/disk-encryption-luks.rst b/storage/linux/disk-encryption-luks.rst deleted file mode 100644 index ae24b6874d..0000000000 --- a/storage/linux/disk-encryption-luks.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/linux/disk-encryption-luks.rst diff --git a/storage/linux/ecc.rst b/storage/linux/ecc.rst deleted file mode 100644 index f9d9992dca..0000000000 --- a/storage/linux/ecc.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/ecc.rst.inc diff --git a/storage/linux/encrypted-mobile-storage.rst b/storage/linux/encrypted-mobile-storage.rst deleted file mode 100644 index cc9287dae7..0000000000 --- a/storage/linux/encrypted-mobile-storage.rst +++ /dev/null @@ -1,4 +0,0 @@ -Encrypted Mobile Storage -======================== - -.. include:: ../encrypted-mobile-storage.rst diff --git a/storage/linux/factory-reset.rst b/storage/linux/factory-reset.rst deleted file mode 100644 index 1fadfcfeee..0000000000 --- a/storage/linux/factory-reset.rst +++ /dev/null @@ -1,4 +0,0 @@ -Factory Reset -============= - -.. include:: ../factory-reset.rst diff --git a/storage/linux/firmware-update-manually.rst b/storage/linux/firmware-update-manually.rst deleted file mode 100644 index 1f0848f0f0..0000000000 --- a/storage/linux/firmware-update-manually.rst +++ /dev/null @@ -1,4 +0,0 @@ -Activate Update Mode Manually -============================= - -.. include:: ../firmware-update-manually.rst diff --git a/storage/linux/firmware-update.rst b/storage/linux/firmware-update.rst deleted file mode 100644 index 138d94ede7..0000000000 --- a/storage/linux/firmware-update.rst +++ /dev/null @@ -1,42 +0,0 @@ -Firmware Update -=============== - -.. contents:: :local: - -.. warning:: - - You should backup all data from the device before upgrading, as - firmware upgrades may destroy all data on the device (especially - coming from firmware version <0.45)! - -.. important:: - Never disconnect the Nitrokey Start or abort the process while updating, - this will likely render your device useless - - -1. Download the `Nitrokey App `__ and the program “dfu-programmer” which should be available through your package-manager, e.g. ``apt-get update && apt-get install dfu-programmer`` on Debian-based systems. - -2. Download the latest firmware ".hex" file from `here `__ and store it as "firmware.hex" in your home folder. Older releases are `here `__. - -3. Right click on the icon of the Nitrokey App and go to “Configure” -> “Enable Firmware Update”. The default firmware password is ‘12345678’. - - .. figure:: /storage/images/enable-firmware-update.png - :alt: Enable firmware update - - .. note:: - - The Nitrokey Storage is not detected by Nitrokey App anymore once update mode got - activated. You have to proceed with the instructions described below - to make it work again. - - -4. Open a terminal and execute: - - .. code-block:: bash - - sudo dfu-programmer at32uc3a3256s erase - sudo dfu-programmer at32uc3a3256s flash --suppress-bootloader-mem firmware.hex - sudo dfu-programmer at32uc3a3256s launch - # versions <0.7 of dfu-programmer use "start" instead of "launch" - - whereas “firmware.hex” needs to be the path and file name of the firmware which you downloaded in step 2. diff --git a/storage/linux/gpa.rst b/storage/linux/gpa.rst deleted file mode 100644 index 398ae468bc..0000000000 --- a/storage/linux/gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/gpa.rst diff --git a/storage/linux/hard-disk-encryption.rst b/storage/linux/hard-disk-encryption.rst deleted file mode 100644 index 95e1694368..0000000000 --- a/storage/linux/hard-disk-encryption.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/linux/hard-disk-encryption.rst diff --git a/storage/linux/hidden.rst b/storage/linux/hidden.rst deleted file mode 100644 index 67076af055..0000000000 --- a/storage/linux/hidden.rst +++ /dev/null @@ -1,15 +0,0 @@ -.. include:: ../hidden.rst - -Using hidden volumes --------------------- - -1. Unlock the encrypted volume. - -2. Select "unlock hidden volume" and enter any of the hidden volume's passwords. - -3. If this is the first time you unlock the hidden volume, you may need to create a partition on the hidden volume. You will need to open a partition manager such as `GParted `__ and create one or more partitions manually. Make sure to create the partitions on the device that appeared when unlocking the hidden volume. - -.. figure:: ./images/hidden-storage-partition.png - :alt: Hidden volume partitioning - -4. Make sure to unmount/eject all partitions on the hidden volumes before locking or disconnecting the Nitrokey. diff --git a/storage/linux/index.rst b/storage/linux/index.rst deleted file mode 100644 index 3b93b376a3..0000000000 --- a/storage/linux/index.rst +++ /dev/null @@ -1,49 +0,0 @@ -Nitrokey Storage, Linux -======================= - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -1. To access the OpenPGP smart card of the Nitrokey, install the package - libccid. On Debian/Ubuntu based Distributions type in terminal: *sudo - apt-get update && sudo apt-get install libccid* - -2. Download and start the `Nitrokey - App `__. - -3. Open the About window from Nitrokey App’s menu and check if you have - the `latest - firmware `__ - installed. If it’s not the latest, please - `update `_. - -4. Use the Nitrokey App to change the default User PIN (default: 123456) - and Admin PIN (default: 12345678) to your own choices. - -Your Nitrokey is now ready to use. - -.. note:: - - For many use cases described, it is necessary to have either OpenPGP - or S/MIME keys installed on the device (see below). - -Key Creation with OpenPGP or S/MIME ------------------------------------ - -There are two widely used standards for email encryption. While -OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used -by enterprises. If you are in doubt which one to choose, you should use -OpenPGP. - -To learn more about how to use OpenPGP for email encryption with the Nitrokey, -please refer to chapter `OpenPGP Email Encryption `_. - -To learn more about how to use S/MIME for email encryption with the Nitrokey, -please refer to chapter `S/MIME Email Encryption `_. - diff --git a/storage/linux/ipsec.rst b/storage/linux/ipsec.rst deleted file mode 100644 index cfc9264144..0000000000 --- a/storage/linux/ipsec.rst +++ /dev/null @@ -1,4 +0,0 @@ -IPsec -===== - -.. include:: ../../hsm/ipsec.rst.inc diff --git a/storage/linux/login-with-pam.rst b/storage/linux/login-with-pam.rst deleted file mode 100644 index 1975c28e82..0000000000 --- a/storage/linux/login-with-pam.rst +++ /dev/null @@ -1,4 +0,0 @@ -Login With PAM -=========================== - -.. include:: ../../pro/login-with-pam.rst.inc diff --git a/storage/linux/openpgp-keygen-backup.rst b/storage/linux/openpgp-keygen-backup.rst deleted file mode 100644 index b4528e0139..0000000000 --- a/storage/linux/openpgp-keygen-backup.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-backup.rst.inc diff --git a/storage/linux/openpgp-keygen-gpa.rst b/storage/linux/openpgp-keygen-gpa.rst deleted file mode 100644 index 472d298006..0000000000 --- a/storage/linux/openpgp-keygen-gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-gpa.rst.inc diff --git a/storage/linux/openpgp-keygen-on-device.rst b/storage/linux/openpgp-keygen-on-device.rst deleted file mode 100644 index fc90850b8e..0000000000 --- a/storage/linux/openpgp-keygen-on-device.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-on-device.rst.inc diff --git a/storage/linux/openpgp-outlook.rst b/storage/linux/openpgp-outlook.rst deleted file mode 100644 index fa4e7dd855..0000000000 --- a/storage/linux/openpgp-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-outlook.rst.inc diff --git a/storage/linux/openpgp-thunderbird.rst b/storage/linux/openpgp-thunderbird.rst deleted file mode 100644 index 59e0956c63..0000000000 --- a/storage/linux/openpgp-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-thunderbird.rst.inc diff --git a/storage/linux/openpgp.rst b/storage/linux/openpgp.rst deleted file mode 100644 index fb8b25042e..0000000000 --- a/storage/linux/openpgp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp.rst.inc diff --git a/storage/linux/openvpn-easyrsa.rst b/storage/linux/openvpn-easyrsa.rst deleted file mode 100644 index f8412c4186..0000000000 --- a/storage/linux/openvpn-easyrsa.rst +++ /dev/null @@ -1,678 +0,0 @@ -OpenVPN Configuration with Easy-RSA -=================================== - -.. contents:: :local: - :depth: 2 - -.. note:: - - This guide is work-in-progress, and will be updated accordinlgy. Please take this status into consideration. - -This guide shows how to configure OpenVPN clients to login using a `Nitrokey Pro -2 `__ or a `Nitrokey Storage -2 `__. For software key management we will be using `Easy-RSA `__, a utility that has been evolving alongside OpenVPN. - -To sign the certificates, we will use a `Nitrokey HSM -2 `__ set up as `Certificate Authority <../../hsm/linux/certificate-authority.html#creating-the-intermediate-certificate-authority>`_, however this guide does not cover the set up of the CA itself (it is clear and `well documented here <../../hsm/linux/certificate-authority.html#sign-a-server-certificate>`_). - -We will use Easy-RSA, because it seems to provide some flexibility, and allows key management via external PKIs. We will use it on the server to issue the signing request, and repeat the same process on the client. The Certificate Signing Requests will be signed by the CA on the Nitorkey HSM, and re-transmitted to the server and the client. - - -Prerequisites -------------- - -In the following documentation we will require 3 different machines as following: - -- OpenVPN server (v. 2.5) on Debian 10 (EC2 virtual machine - AWS) - -- OpenVPN client (v. 2.4.9) on Fedora 30 (local machine) - -- The Certificate Authority will be accessible from a standalone - machine with Fedora 30 (local machine) - -To interact with the devices we will require `OpenSC -0.20 `__ installed on the client and CA machine (the local machines). You can follow the instructions to set it up in `this link (*Unix) `__. - -To download the dependencies on Fedora machines we can this instruction: - -.. code-block:: bash - - su -c 'dnf install readline-devel openssl-devel libxslt docbook-style-xsl pcsc-lite-devel automake autoconf libtool gcc zlib-devel' - -For Debian Linux, more recent OpenSC packages are available `here `__. - -We will use the following Nitrokeys for physical key management: - -- An authentication key using the `Nitrokey Pro 2 - (pdf) `__ - -- A Certificate Authority (CA) using the `Nitrokey HSM 2 - (pdf) `__ - -As a reminder, to build a Certificate Authority on Nitrokey HSM 2, you may follow the instructions available `in the documentation `_. - -Alternatively you may set up your own CA on a `on a separate machine `__, or use the OpenVPN tutorial which also relies on `Easy-RSA `__. The last 2 options rely on software solutions for key management. - -Server side ------------ - -Install OpenVPN -^^^^^^^^^^^^^^^ - -1. First we need to enable IP Forwarding by editing ``/etc/sysctl.conf`` file - - .. code-block:: bash - - $ editor /etc/sysctl.conf - -2. Uncomment or edit accordingly the following line - - .. code-block:: bash - - net.ipv4.ip_forward=1 - -3. Close after saving it, and enter this command - - .. code-block:: bash - - $ sysctl -p - - Once IP forwarding is done, we will need to download the latest release of OpenvPN for our Debian 10 server, according to `these instructions `__: - -4. Change to root and download the GPG key that signed the package - - .. code-block:: bash - - $ sudo -s - # wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add - - -5. Add the URL of the adequate OpenVPN packages to the ``sources.list`` file - - .. code-block:: bash - - # echo "deb http://build.openvpn.net/debian/openvpn/release/2.5 buster main" > /etc/apt/sources.list.d/openvpn-aptrepo.list - # exit - - We downloaded OpenVPN 2.5 as “password prompt” requires at least OpenVPN `version - 2.4.8 `__ to login. - -6. Next we download OpenVPN - - .. code-block:: bash - - $ sudo apt install openvpn - - If you want to check the version, it possible by calling ``--version`` - and print the following: - - .. rstcheck: ignore-next-code-block - .. code-block:: bash - - $ sudo openvpn --version - OpenVPN 2.5_beta3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 1 2020 - library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10 - Originally developed by James Yonan - Copyright (C) 2002-2018 OpenVPN Inc - Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no \ enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes \ enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no \ enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no \ enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no \ enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes \ with_mem_check=no with_sysroot=no - -Install Easy-RSA -^^^^^^^^^^^^^^^^ - -To build the PKI, we will download the latest version of Easy-RSA on the server and client machines. To get the latest release, go to the `Releases page on the official EasyRSA GitHub project `__, copy the download link for the file ending in ``.tgz``, and then paste it into the following command: - -1. Download the latest release - - .. code-block:: bash - - $ cd ~ - wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz - -2. Extract the tarball - - .. code-block:: bash - - $ cd ~ - $ tar xvf EasyRSA-3.0.7.tgz - $ mv EasyRSA-3.0.7/ easyrsa/ # rename folder - -Create a PKI for OpenVPN server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Before you can create your OpenVPN server’s private key and certificate, you need to create a local Public Key Infrastructure directory on your OpenVPN server. You will use this directory to manage the server and clients’ certificate requests, instead of making them directly on your CA server. - -To build a PKI directory on your OpenVPN server, you’ll need to populate a file called ``vars`` with some default values. - -1. Create a ``vars`` file - - .. code-block:: bash - - $ touch ~/easyrsa/vars - $ cd easyrsa/ - $ editor vars - -2. Once the file is opened, paste in the following two lines - - .. code-block:: bash - - set_var EASYRSA_ALGO "ec" - set_var EASYRSA_DIGEST "sha512" - - These are the only two lines that you need in this ``vars`` file on your OpenVPN server since it will not be used as a Certificate Authority. - They will ensure that your private keys and certificate requests are configured to use Elliptic Curve Cryptography (ECC) to generate keys, and secure signatures for your clients and OpenVPN server. - - In regards to the choice of the cryptographic algorithms, I follow the model in `this tutorial `__, and you can customize these according to your specific needs. - -3. Initialize the PKI - - Once you have populated the ``vars`` file you can proceed with creating the PKI directory. - To do so, run the easyrsa script with the init-pki option: - - .. code-block:: bash - - $ ./easyrsa init-pki - -After you’ve initialized your PKI on the OpenVPN server, you are ready to move on to the next step, which is creating an OpenVPN server certificate request and private key. - -Create ``server.req`` and ``server.key`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Now that your OpenVPN server has all the prerequisites installed, the next step is to generate a key pair composed of a private key (to keep secret), and a Certificate Signing Request (``.csr``) on your OpenVPN server. - -In general terms, on systems where we generate a key and request, these files are left unencrypted by using the ``nopass`` argument, since servers usually need to start up without any password input. This generates an *unencrypted key*, so mind *protect its access and file permissions* carefully. - -.. tip:: - - Configuration notes from OpenVPN: - - 1. The server, and each client, must have their own cert and key - file. The server and all clients will use the same CA file. - 2. Server certificate should have the following: - - - ``keyUsage: digitalSignature, keyEncipherment`` - - - ``extendedKeyUsage: serverAuth`` - -1. Create the signing request for the server - - Navigate to the ``~/easyrsa`` directory on your OpenVPN Server as your non-root user, and enter the following commands: - - .. code-block:: bash - - $ cd easyrsa/ - $ ./easyrsa gen-req server nopass - - This will create a private key for the server and a certificate request file called ``server.req``. - - Once you have a signed certificate, you’ll transfer it back to the OpenVPN server. - -2. Copy the key to the OpenVPN server directory - - .. code-block:: bash - - $ sudo cp /home/admin/EasyRSA/pki/private/server.key /etc/openvpn/server/ - - After completing these steps, you have successfully created a private key for your OpenVPN server. You have also generated a Certificate Signing Request for the OpenVPN server. - - .. tip:: - - File extensions for certificate signing requests - - The file extension that is adopted by the CA and HSM tutorial - indicates the creation of a ``.csr`` file, however Easy-RSA creates - certificate signing requests with a ``.req`` extension. - - We will use interchangeably both extensions, while making sure that - we transfer the right files to the Certificate Authority, and - generate a final certificate with a ``.crt`` extension. - -In the next section of this guide, we will sign a ``.req`` file with our CA on deployed on the HSM 2 device. For this purpose, I will use a dedicated machine to sign the requests. - -Sign and retrieve ``server.crt`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The following instructions require the transfer of the ``server.req`` -(or ``server.csr``) file to the CA system. - -The transfer itself is not security sensitive, though it is wise to verify if the received file matches the sender’s copy, if the transport is untrusted. - -In order to go through these steps, I will extensively rely on `these instructions `_, to sign the certificate signing requests, once we generated them with Easy-RSA. - -Sign the ``server.req`` file -'''''''''''''''''''''''''''' - -On the local machine dedicated to access the HSM, we will use the tools provided by Opensc 0.20 in order to sign the ``.req`` file, and send it back to the OpenVPN server. We assume we have transferred the file from the server machine to the CA machine. - -First we start by plugging the HSM Nitrokey, and enter this instruction for listing the keys available. - -1. Query the list of available devices - - .. code-block:: bash - - $ p11tool --list-all - - **(Required step)** If this is the first time you sign a certificate with the CA, you might want to retrieve the URI of the CA’s private key from the HSM, and include it in the config file. - - - The key’s URI should be in this format: - - .. code-block:: bash - - pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private - -2. Create ``openvpn/`` directory under ``certificate-authority/`` - - .. code-block:: bash - - $ mkdir/opt/certificate-authority/ - $ cd /opt/certificate-authority/ - -3. Sign the ``server.req`` - - .. code-block:: bash - - $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in server.req -out /home/user/pki/issued/server.crt - -Retrieve the ``server.crt`` file to the server machine -'''''''''''''''''''''''''''''''''''''''''''''''''''''' - -1. Transfer the signed certificates to the server - - From the CA machine, copy the files ``server.crt`` and ``chain.crt`` to the OpenVPN server. In this example we will use the ``scp`` command as following: - - .. code-block:: bash - - $ scp openvpn/{server.crt,chain.crt} admin@your_openvpnserver_ip:/tmp - -2. Place the certificates on the server’s directory - - .. code-block:: bash - - $ mv /tmp/{server.crt,chain.crt} /etc/openvpn/server - - .. warning:: - - CA Certificate and ``chain.crt`` - - In the above, the CA returns the signed sever certificate, and - includes the CA certificate ``CA.crt`` which is the ``chain.crt`` - file. This can be done over an insecure channel, though the client is - encouraged to confirm if the received ``chain.crt`` is valid, if the - transport is untrusted. - - It is possible to rename the file ``chain.crt`` file to ``CA.crt`` on - the target machine, however we will use ``chain.crt`` in the next - instructions. - -Configure the OpenVPN server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -A connection that uses TLS requires multiple `certificates and keys for authentication `__. Now that we issued and signed those, we can place them in the right directories. The breakdown of the certificates and keys that must be located at the root directory are the following: - -- The root certificate file (CA.crt or chain.crt in our setup) -- Server certificate -- Server key -- Diffie Hellman Parameters (optional) - -On your OpenVPN server, now you can create the configuration file ``server.conf`` with your favorite text editor. The file can be configured according to your needs, while we make sure to change the server certificate and key sections according the names you chose for the your the files we signed: - -.. code-block:: bash - - # OpenVPN Server Certificate - CA, server key and certificate - ca chain.crt - cert server.crt - key server.key - -Here is the configuration file we can use for testing these instructions: - -.. code-block:: bash - - port 1194 - proto udp - dev tun - ca ca.crt - cert server.crt - key server.key # This file should be kept secret - dh dh.pem - server 10.8.0.0 255.255.255.0 - push "redirect-gateway def1 bypass-dhcp" - push "dhcp-option DNS 208.67.222.222" - push "dhcp-option DNS 208.67.220.220" - keepalive 10 120 - tls-auth ta.key 0 # This file is secret - cipher AES-256-CBC - user nobody - group nogroup - persist-key - persist-tun - status /var/log/openvpn/openvpn-status.log - log /var/log/openvpn/openvpn.log - log-append /var/log/openvpn/openvpn.log - verb 3 - explicit-exit-notify 1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - -To test if the configuration functions properly, we can use this command: - -.. code-block:: bash - - $ sudo openvpn --server --config server.conf - -Start the OpenVPN service on the server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Enable the OpenVPN service by adding it to systemctl, and start it using these commands: - -.. code-block:: bash - - $ sudo systemctl -f enable openvpn@server - $ sudo systemctl start openvpn@server - -To Double check if the OpenVPN service is active use this command: - -.. code-block:: bash - - $ sudo systemctl status openvpn@server - -The OpenVPN should be running at this point. - -Client side configuration -------------------------- - -Install OpenVPN and Easy-RSA -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -1. Install the software - - We can use directly ``dnf install`` to install OpenVPN 2.4.9 and Easy-RSA 3.0.7 - - .. code-block:: bash - - $ sudo dnf install openvpn easy-rsa - -2. Then we create as non-root a directory for Easy RSA called ``Easy-RSA`` - - .. code-block:: bash - - $ mkdir ~/easyrsa - -3. And link it to the Easy RSA package we just installed - - .. code-block:: bash - - $ ln -s /usr/share/easy-rsa/3/* ~/easyrsa/ - -Create a PKI for the OpenVPN client -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -In the same manner we created a PKI on the OpenVPN server, we will create a PKI using Easy-RSA on the client side. - -Create a ``client.req`` and ``client.key`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -In the same manner we issued the key pair on the sever, we generate a key pair for the client which will be composed of the ``client.req`` -file and the ``client.key`` file. The latter must be kept secret on the client machine. - -Sign ``client.req`` and issue the ``client.crt`` file -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -To transfer the ``client.req`` file to the CA machine, we will use the same method as we did for the ``server.req`` file. - -Once transferred, on the CA machine we sign the certificate signing request file with this command - -.. code-block:: bash - - $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in client.req -out /home/user/pki/issued/client.crt - -Import ``client.crt`` on the Nitrokey from the CA machine -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -After creating the ``client.crt`` file, we plug the Nitrokey Pro 2 device in the CA machine, and import the ``.crt`` to the Pro 2 device using this command: - -.. code-block:: bash - - $ pkcs15-init --store-certificate client.crt --id 3 - -You can see if the key is effectively stored on the Nitrokey using this command: - -.. code-block:: bash - - $ pkcs15-tool -c - -Or alternatively - -.. code-block:: bash - - $ pkcs11-tool --list-objects - -Fore more commands you can refer to the `OpenSC wiki `__. - -Retrieve the ``chain.crt`` file from the CA machine -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -While we keep the ``client.crt``\ stored on the nitrokey Pro 2 device, we must retrieve the ``chain.crt`` file on the client machine, and store it in the adequate directory. We may use ``scp`` as in the method explained in the server section of this guide. - -Configure the client to interact with the Nitrokey -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Now back on the client machine, we will plug the Nitrokey Pro and use it to establish the VPN connection with the server. In general terms, a connection that uses TLS requires multiple certificates and keys for authentication: - -- The root certificate file (`chain.crt`) -- Client certificate -- Client key - -For this guide we can the following ``client.conf`` file, and add the required options to it accordingly: - -.. code-block:: bash - - client - dev tun - proto udp - remote 1194 - resolv-retry infinite - nobind - user nobody - group nobody - persist-key - persist-tun - ca ca.crt - remote-cert-tls server - cipher AES-256-CBC - verb 3 - redirect-gateway def1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - -1. Determine the correct object - - Each PKCS#11 provider can support multiple devices. In order to view the available object list you can use the following command: - - .. code-block:: bash - - $ openvpn --show-pkcs11-ids /usr/lib64/pkcs11/opensc-pkcs11.so - - The following objects are available for use. - Each object shown below may be used as parameter to - - --pkcs11-id option please remember to use single quote mark. - - Certificate - DN: CN=client - Serial: E53DA75C5B8F1518F520BCEF0128C09F - Serialized id: pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03 - - Each certificate/private key pair have unique ``Serialized id`` string. The serialized id string of the requested certificate should be specified, in the configuration file. We can do this by adding the ``pkcs11-id`` option using single quote marks. - - .. code-block:: bash - - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - -2. Add retrieved Serialized ID to the configuration file - - Using your favorite text editor, open the server.conf file, and add the following lines, while taking care to insert your own ``Serialized id``: - - .. code-block:: bash - - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - - For additional `settings related to OpenVPN `__ authentication, you may also add few lines to handle key maganagement, although it is optional. - - .. note:: - - Click to view the code - - .. code-block:: bash - - # nitrokey config - - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - # pkcs11-pin-cache 300 - # daemon - # auth-retry nointeract - # management-hold - # management-signal - # management 127.0.0.1 8888 - # management-query-passwords - pkcs11-cert-private 1 # Prompt for PIN - - Optional step - - - If you need to test the configuration, with and without the token on the Nitrokey, you may add lines to the same ``client.conf`` and comment/uncomment the relevant lines according to your needs: - - .. note:: - - Click to view the code - - .. code-block:: bash - - # non_nitrokey login - - # cert client.crt - # key client.key - # tls-auth ta.key 1 - -3. Configure the OpenVPN client - - The final configuration file ``client.conf`` should look like this one: - - .. code-block:: bash - - client - dev tun - proto udp - remote 1194 - resolv-retry infinite - nobind - user nobody - group nobody - persist-key - persist-tun - ca ca.crt - remote-cert-tls server - cipher AES-256-CBC - verb 3 - redirect-gateway def1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - - # nitrokey login - - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - # pkcs11-pin-cache 300 - # daemon - # auth-retry nointeract - # management-hold - # management-signal - # management 127.0.0.1 8888 - # management-query-passwords - pkcs11-cert-private 1 # Prompt for PIN - - # OR - - # non_nitrokey login - - # cert client.crt - # key client.key - # tls-auth ta.key 1 - -4. Known issues - - There are some known issues related to OpenVPN login with OpenSC. Please consult these issues `here `__. - -Start the OpenVPN client -^^^^^^^^^^^^^^^^^^^^^^^^ - -1. Start the OpenVPN service on the client - - Enable the OpenVPN service, and start it using these commands: - - .. code-block:: bash - - $ sudo systemctl -f enable openvpn-server@server.service - $ sudo systemctl start openvpn-server@server.service - - To double check if the OpenVPN service is active use this command: - - .. code-block:: bash - - $ sudo systemctl status openvpn-server@server.service - -2. Enter your User PIN - - When executing OpenVPN client, Nitrokey’s PIN needs to be entered: - - .. rstcheck: ignore-next-code-block - .. code-block:: bash - - $ sudo openvpn --client --config client.conf - Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 - Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 - Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' - Enter User PIN (OpenPGP card) token Password: ****** - - .. warning:: - - Unfortunately OpenVPN doesn’t seem to be able to establish a handshake and stops at an error as reported `here `__, `here `__ and `here `__ - - .. rstcheck: ignore-next-code-block - .. code-block:: bash - - This is what the error output looks like: - - $ sudo openvpn --client --config client.conf - Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 - Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 - Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' - Enter User PIN (OpenPGP card) token Password: ******`` - Fri Sep 11 17:42:12 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]18.157.180.240:1194`` - Fri Sep 11 17:42:12 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]`` - Fri Sep 11 17:42:12 2020 UDP link local: (not bound) - Fri Sep 11 17:42:12 2020 UDP link remote: [AF_INET]18.157.180.240:1194 - Fri Sep 11 17:42:12 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay - Fri Sep 11 17:42:12 2020 TLS: Initial packet from [AF_INET]18.157.180.240:1194, sid=d79690cf 9e38ce89 - Fri Sep 11 17:42:12 2020 VERIFY OK: depth=1, CN=server_CA - Fri Sep 11 17:42:12 2020 VERIFY KU OK - Fri Sep 11 17:42:12 2020 Validating certificate extended key usage - Fri Sep 11 17:42:12 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication - Fri Sep 11 17:42:12 2020 VERIFY EKU OK - Fri Sep 11 17:42:12 2020 VERIFY OK: depth=0, CN=server - Fri Sep 11 17:42:12 2020 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib - Fri Sep 11 17:42:12 2020 TLS_ERROR: BIO read tls_read_plaintext error - Fri Sep 11 17:42:12 2020 TLS Error: TLS object -> incoming plaintext read error - Fri Sep 11 17:42:12 2020 TLS Error: TLS handshake failed - Fri Sep 11 17:42:12 2020 SIGUSR1[soft,tls-error] received, process restarting - Fri Sep 11 17:42:12 2020 Restart pause, 5 second(s) - - In some reported cases it does not prompt for a PIN on the terminal. One workaround would be to use to use this command to login with the PIN: - - .. rstcheck: ignore-next-code-block - .. code-block:: bash - - $ telnet 8888 password 'User PIN (OpenPGP card) token' - - Alternatively, you could `recompile OpenVPN `__ client with systemd support disabled, and it will prompt you for the PIN as expected. - - Another option, would be to login to your OpenVPN instance with the Viscosity client which provides a better user experience especially for entering the PIN. diff --git a/storage/linux/otp.rst b/storage/linux/otp.rst deleted file mode 100644 index 3954bcb99d..0000000000 --- a/storage/linux/otp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/otp.rst.inc diff --git a/storage/linux/smime-outlook.rst b/storage/linux/smime-outlook.rst deleted file mode 100644 index acd45a24a9..0000000000 --- a/storage/linux/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-outlook.rst.inc diff --git a/storage/linux/smime-thunderbird.rst b/storage/linux/smime-thunderbird.rst deleted file mode 100644 index 4ae43d43ba..0000000000 --- a/storage/linux/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-thunderbird.rst.inc diff --git a/storage/linux/smime.rst b/storage/linux/smime.rst deleted file mode 100644 index 5029a3135c..0000000000 --- a/storage/linux/smime.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime.rst.inc diff --git a/storage/linux/ssh.rst b/storage/linux/ssh.rst deleted file mode 100644 index 792071f9a1..0000000000 --- a/storage/linux/ssh.rst +++ /dev/null @@ -1,4 +0,0 @@ -SSH For Server Administration -============================= - -.. include:: ../../pro/ssh.rst diff --git a/storage/linux/stunnel.rst b/storage/linux/stunnel.rst deleted file mode 100644 index 94a9982dac..0000000000 --- a/storage/linux/stunnel.rst +++ /dev/null @@ -1,4 +0,0 @@ -Stunnel -======= - -.. include:: ../../hsm/stunnel.rst.inc diff --git a/storage/mac/2fa-google.rst b/storage/mac/2fa-google.rst deleted file mode 100644 index 3a1e74fcc1..0000000000 --- a/storage/mac/2fa-google.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/2fa-google.rst.inc diff --git a/storage/mac/2fa-nextcloud.rst b/storage/mac/2fa-nextcloud.rst deleted file mode 100644 index fe77d2b27e..0000000000 --- a/storage/mac/2fa-nextcloud.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/2fa-nextcloud.rst.inc diff --git a/storage/mac/2fa-odoo.rst b/storage/mac/2fa-odoo.rst deleted file mode 100644 index dc5f45a3f0..0000000000 --- a/storage/mac/2fa-odoo.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/2fa-odoo.rst.inc diff --git a/storage/mac/change-pins.rst b/storage/mac/change-pins.rst deleted file mode 100644 index c14cd241e1..0000000000 --- a/storage/mac/change-pins.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/change-pins.rst.inc diff --git a/storage/mac/ecc.rst b/storage/mac/ecc.rst deleted file mode 100644 index f9d9992dca..0000000000 --- a/storage/mac/ecc.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/ecc.rst.inc diff --git a/storage/mac/eidauthenticate.rst b/storage/mac/eidauthenticate.rst deleted file mode 100644 index 62f3a2a39f..0000000000 --- a/storage/mac/eidauthenticate.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/eidauthenticate.rst.inc diff --git a/storage/mac/encrypted-mobile-storage.rst b/storage/mac/encrypted-mobile-storage.rst deleted file mode 100644 index cc9287dae7..0000000000 --- a/storage/mac/encrypted-mobile-storage.rst +++ /dev/null @@ -1,4 +0,0 @@ -Encrypted Mobile Storage -======================== - -.. include:: ../encrypted-mobile-storage.rst diff --git a/storage/mac/factory-reset.rst b/storage/mac/factory-reset.rst deleted file mode 100644 index 1fadfcfeee..0000000000 --- a/storage/mac/factory-reset.rst +++ /dev/null @@ -1,4 +0,0 @@ -Factory Reset -============= - -.. include:: ../factory-reset.rst diff --git a/storage/mac/firmware-update-manually.rst b/storage/mac/firmware-update-manually.rst deleted file mode 100644 index 1f0848f0f0..0000000000 --- a/storage/mac/firmware-update-manually.rst +++ /dev/null @@ -1,4 +0,0 @@ -Activate Update Mode Manually -============================= - -.. include:: ../firmware-update-manually.rst diff --git a/storage/mac/firmware-update.rst b/storage/mac/firmware-update.rst deleted file mode 100644 index 8b81a9fdee..0000000000 --- a/storage/mac/firmware-update.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../..//storage/windows/firmware-update.rst diff --git a/storage/mac/gpa.rst b/storage/mac/gpa.rst deleted file mode 100644 index 398ae468bc..0000000000 --- a/storage/mac/gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/gpa.rst diff --git a/storage/mac/hard-disk-encryption.rst b/storage/mac/hard-disk-encryption.rst deleted file mode 100644 index e095906781..0000000000 --- a/storage/mac/hard-disk-encryption.rst +++ /dev/null @@ -1,4 +0,0 @@ -Hard Disk Encryption -=========================== - -.. include:: ../../pro/hard-disk-encryption.rst.inc diff --git a/storage/mac/hidden.rst b/storage/mac/hidden.rst deleted file mode 100644 index f1403d6f8d..0000000000 --- a/storage/mac/hidden.rst +++ /dev/null @@ -1,12 +0,0 @@ -.. include:: ../hidden.rst - -Using hidden volumes --------------------- - -1. Unlock the encrypted volume. - -2. Select "unlock hidden volume" and enter any of the hidden volume's passwords. - -3. If this is the first time you unlock the hidden volume, you may need to create a partition on the hidden volume. You will need to use `Disk Utility `__. Make sure to create the partitions on the device that appeared when unlocking the hidden volume. - -4. Make sure to unmount/eject all partitions on the hidden volumes before locking or disconnecting the Nitrokey. diff --git a/storage/mac/index.rst b/storage/mac/index.rst deleted file mode 100644 index 28c1764d1c..0000000000 --- a/storage/mac/index.rst +++ /dev/null @@ -1,52 +0,0 @@ -Nitrokey Storage, Mac -===================== - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -1. Important: Once you plug in the Nitrokey, your computer will start - the Keyboard Setup Assistant. **Don’t run through this assistant but - exit it right away.** -2. Download and start the `Nitrokey - App `__. Perhaps you want to store - it on the unencrypted partition of your Nitrokey Storage -3. Open the About window from Nitrokey App’s menu and check if you have - the `latest - firmware `__ - installed. If it’s not the latest, please - `update `_. -4. Use the Nitrokey App to change the default User PIN (default: 123456) - and Admin PIN (default: 12345678) to your own choices. - -Your Nitrokey is now ready to use. - -.. note:: - - - For some Versions of MacOS it is necessary to install custom `ccid - driver `__ - (for information see - `here `__), - but in general MacOS should have the driver onboard. - - - For many use cases described, it is necessary to have either - OpenPGP or S/MIME keys installed on the device (see below). - -Key Creation with OpenPGP or S/MIME ------------------------------------ - -There are two widely used standards for email encryption. While -OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used -by enterprises. If you are in doubt which one to choose, you should use -OpenPGP. - -To learn more about how to use OpenPGP for email encryption with the Nitrokey, -please refer to chapter `OpenPGP Email Encryption `_. - -To learn more about how to use S/MIME for email encryption with the Nitrokey, -please refer to chapter `S/MIME Email Encryption `_. diff --git a/storage/mac/openpgp-keygen-backup.rst b/storage/mac/openpgp-keygen-backup.rst deleted file mode 100644 index b4528e0139..0000000000 --- a/storage/mac/openpgp-keygen-backup.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-backup.rst.inc diff --git a/storage/mac/openpgp-keygen-gpa.rst b/storage/mac/openpgp-keygen-gpa.rst deleted file mode 100644 index 472d298006..0000000000 --- a/storage/mac/openpgp-keygen-gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-gpa.rst.inc diff --git a/storage/mac/openpgp-keygen-on-device.rst b/storage/mac/openpgp-keygen-on-device.rst deleted file mode 100644 index fc90850b8e..0000000000 --- a/storage/mac/openpgp-keygen-on-device.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-on-device.rst.inc diff --git a/storage/mac/openpgp-outlook.rst b/storage/mac/openpgp-outlook.rst deleted file mode 100644 index fa4e7dd855..0000000000 --- a/storage/mac/openpgp-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-outlook.rst.inc diff --git a/storage/mac/openpgp-thunderbird.rst b/storage/mac/openpgp-thunderbird.rst deleted file mode 100644 index 59e0956c63..0000000000 --- a/storage/mac/openpgp-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-thunderbird.rst.inc diff --git a/storage/mac/openpgp.rst b/storage/mac/openpgp.rst deleted file mode 100644 index fb8b25042e..0000000000 --- a/storage/mac/openpgp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp.rst.inc diff --git a/storage/mac/otp.rst b/storage/mac/otp.rst deleted file mode 100644 index 3954bcb99d..0000000000 --- a/storage/mac/otp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/otp.rst.inc diff --git a/storage/mac/smime-outlook.rst b/storage/mac/smime-outlook.rst deleted file mode 100644 index acd45a24a9..0000000000 --- a/storage/mac/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-outlook.rst.inc diff --git a/storage/mac/smime-thunderbird.rst b/storage/mac/smime-thunderbird.rst deleted file mode 100644 index 4ae43d43ba..0000000000 --- a/storage/mac/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-thunderbird.rst.inc diff --git a/storage/mac/smime.rst b/storage/mac/smime.rst deleted file mode 100644 index 5029a3135c..0000000000 --- a/storage/mac/smime.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime.rst.inc diff --git a/storage/windows/2fa-google.rst b/storage/windows/2fa-google.rst deleted file mode 100644 index 7f4cefa9cc..0000000000 --- a/storage/windows/2fa-google.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../..//pro/2fa-google.rst.inc diff --git a/storage/windows/2fa-microsoft.rst b/storage/windows/2fa-microsoft.rst deleted file mode 100644 index 1cab11d8b8..0000000000 --- a/storage/windows/2fa-microsoft.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: /pro/windows/2fa-microsoft.rst diff --git a/storage/windows/2fa-nextcloud.rst b/storage/windows/2fa-nextcloud.rst deleted file mode 100644 index fe77d2b27e..0000000000 --- a/storage/windows/2fa-nextcloud.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/2fa-nextcloud.rst.inc diff --git a/storage/windows/2fa-odoo.rst b/storage/windows/2fa-odoo.rst deleted file mode 100644 index dc5f45a3f0..0000000000 --- a/storage/windows/2fa-odoo.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/2fa-odoo.rst.inc diff --git a/storage/windows/change-pins.rst b/storage/windows/change-pins.rst deleted file mode 100644 index c14cd241e1..0000000000 --- a/storage/windows/change-pins.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/change-pins.rst.inc diff --git a/storage/windows/ecc.rst b/storage/windows/ecc.rst deleted file mode 100644 index f9d9992dca..0000000000 --- a/storage/windows/ecc.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/ecc.rst.inc diff --git a/storage/windows/eidauthenticate.rst b/storage/windows/eidauthenticate.rst deleted file mode 100644 index 62f3a2a39f..0000000000 --- a/storage/windows/eidauthenticate.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/eidauthenticate.rst.inc diff --git a/storage/windows/encrypted-mobile-storage.rst b/storage/windows/encrypted-mobile-storage.rst deleted file mode 100644 index cc9287dae7..0000000000 --- a/storage/windows/encrypted-mobile-storage.rst +++ /dev/null @@ -1,4 +0,0 @@ -Encrypted Mobile Storage -======================== - -.. include:: ../encrypted-mobile-storage.rst diff --git a/storage/windows/factory-reset.rst b/storage/windows/factory-reset.rst deleted file mode 100644 index 1fadfcfeee..0000000000 --- a/storage/windows/factory-reset.rst +++ /dev/null @@ -1,4 +0,0 @@ -Factory Reset -============= - -.. include:: ../factory-reset.rst diff --git a/storage/windows/firmware-update-manually.rst b/storage/windows/firmware-update-manually.rst deleted file mode 100644 index 1f0848f0f0..0000000000 --- a/storage/windows/firmware-update-manually.rst +++ /dev/null @@ -1,4 +0,0 @@ -Activate Update Mode Manually -============================= - -.. include:: ../firmware-update-manually.rst diff --git a/storage/windows/firmware-update.rst b/storage/windows/firmware-update.rst deleted file mode 100644 index 825826699d..0000000000 --- a/storage/windows/firmware-update.rst +++ /dev/null @@ -1,44 +0,0 @@ -Firmware Update -=============== - -.. contents:: :local: - -.. warning:: - - You should backup all data from the device before upgrading, as - firmware upgrades may destroy all data on the device (especially - coming from firmware version <0.45)! - -.. important:: - Never disconnect the Nitrokey Start or abort the process while updating, - this will likely render your device useless - - -1. Download the `Nitrokey App `__ and the `Nitrokey Update Tool `__. The Nitrokey Update Tool is currently available for macOS and Windows only. - -2. Download the latest firmware ".hex" file from `here `__. Older releases are `here `__. - -3. Right click on the icon of the Nitrokey App and go to “Configure” -> “Enable Firmware Update”. The default firmware password is ‘12345678’. - - .. figure:: /storage/images/enable-firmware-update.png - :alt: Enable firmware update - - .. note:: - - The Nitrokey Storage is not detected by Nitrokey App anymore once update mode got - activated. You have to proceed with the instructions described below - to make it work again. - - .. note:: - - If you are using Microsoft Windows Build 1809 and Nitrokey Storage - Firmware 0.52 or lower, you need to use another system or if this is not - feasible use `these - instructions `_ to - enable the Firmware Update mode. - -4. Start the Nitrokey Update Tool and click “Select firmware file”. Select the previously downloaded firmware ".hex" file. Click on “Update firmware” to start the update process. Your device should get detected by the Nitrokey App again as soon as the update is finished. - - .. figure:: /storage/windows/images/nitrokey-update-tool.png - :alt: Nitrokey Update Tool - diff --git a/storage/windows/gpa.rst b/storage/windows/gpa.rst deleted file mode 100644 index 398ae468bc..0000000000 --- a/storage/windows/gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/gpa.rst diff --git a/storage/windows/hard-disk-encryption.rst b/storage/windows/hard-disk-encryption.rst deleted file mode 100644 index 7a15e069ec..0000000000 --- a/storage/windows/hard-disk-encryption.rst +++ /dev/null @@ -1,4 +0,0 @@ -Hard Disk Encryption -=========================== - -.. include:: ../../pro/hard-disk-encryption.rst.inc diff --git a/storage/windows/hidden.rst b/storage/windows/hidden.rst deleted file mode 100644 index 8dad5732e6..0000000000 --- a/storage/windows/hidden.rst +++ /dev/null @@ -1,19 +0,0 @@ -.. include:: ../hidden.rst - -Using hidden volumes --------------------- - -1. Unlock the encrypted volume. - -2. Select "unlock hidden volume" and enter any of the hidden volume's passwords. - -3. If this is the first time you unlock the hidden volume, you may need to create a partition on the hidden volume. In this case, Windows will prompt you to do so. You can then format the hidden volume using FAT32, for compatibility with most operating systems. - - -.. figure:: ./images/format-dialog.png - :alt: Windows formating prompt - -.. figure:: ./images/format-tool.png - :alt: Windows formating tool - -4. Make sure to unmount/eject all partitions on the hidden volumes before locking or disconnecting the Nitrokey. diff --git a/storage/windows/index.rst b/storage/windows/index.rst deleted file mode 100644 index 4e973c3959..0000000000 --- a/storage/windows/index.rst +++ /dev/null @@ -1,46 +0,0 @@ -Nitrokey Storage, Windows -========================= - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -1. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically. - - .. note:: - - Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning. - -2. Download and start the `Nitrokey App `__. Perhaps you want to store it on the unencrypted partition of your Nitrokey Storage. There won’t open a window, but an icon appears in the system tray (see screenshot below). Please right-click on this icon to use all the options of the App. - - .. figure:: ./images/Windows10-Systemtray.png - :alt: img1 - - -3. Open the About window from Nitrokey App’s menu and check if you have the `latest firmware `__ installed. If it’s not the latest, please - `update `_. - -4. Use the Nitrokey App to change the default User PIN (default: 123456) - and Admin PIN (default: 12345678) to your own choices. - -Your Nitrokey is now ready to use. - -.. note:: - - For many use cases described, it is necessary to have either OpenPGP or S/MIME keys installed on the device (see below). - -Key Creation with OpenPGP or S/MIME ------------------------------------ - -There are two widely used standards for email encryption. While OpenPGP/GnuPG is popular among individuals, S/MIME/x.509 is mostly used by enterprises. If you are in doubt which one to choose, you should use OpenPGP. - -To learn more about how to use OpenPGP for email encryption with the Nitrokey, -please refer to chapter `OpenPGP Email Encryption `_. - -To learn more about how to use S/MIME for email encryption with the Nitrokey, -please refer to chapter `S/MIME Email Encryption `_. diff --git a/storage/windows/openpgp-csp.rst b/storage/windows/openpgp-csp.rst deleted file mode 100644 index 947e69d379..0000000000 --- a/storage/windows/openpgp-csp.rst +++ /dev/null @@ -1,2 +0,0 @@ -.. include:: ../../pro/windows/openpgp-csp.rst - diff --git a/storage/windows/openpgp-keygen-backup.rst b/storage/windows/openpgp-keygen-backup.rst deleted file mode 100644 index b4528e0139..0000000000 --- a/storage/windows/openpgp-keygen-backup.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-backup.rst.inc diff --git a/storage/windows/openpgp-keygen-gpa.rst b/storage/windows/openpgp-keygen-gpa.rst deleted file mode 100644 index 472d298006..0000000000 --- a/storage/windows/openpgp-keygen-gpa.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-gpa.rst.inc diff --git a/storage/windows/openpgp-keygen-on-device.rst b/storage/windows/openpgp-keygen-on-device.rst deleted file mode 100644 index fc90850b8e..0000000000 --- a/storage/windows/openpgp-keygen-on-device.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-keygen-on-device.rst.inc diff --git a/storage/windows/openpgp-outlook.rst b/storage/windows/openpgp-outlook.rst deleted file mode 100644 index fa4e7dd855..0000000000 --- a/storage/windows/openpgp-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-outlook.rst.inc diff --git a/storage/windows/openpgp-thunderbird.rst b/storage/windows/openpgp-thunderbird.rst deleted file mode 100644 index 59e0956c63..0000000000 --- a/storage/windows/openpgp-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp-thunderbird.rst.inc diff --git a/storage/windows/openpgp.rst b/storage/windows/openpgp.rst deleted file mode 100644 index fb8b25042e..0000000000 --- a/storage/windows/openpgp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/openpgp.rst.inc diff --git a/storage/windows/otp.rst b/storage/windows/otp.rst deleted file mode 100644 index 3954bcb99d..0000000000 --- a/storage/windows/otp.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/otp.rst.inc diff --git a/storage/windows/putty.rst b/storage/windows/putty.rst deleted file mode 100644 index 6f0427a82f..0000000000 --- a/storage/windows/putty.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/putty.rst.inc diff --git a/storage/windows/smart-policy.rst b/storage/windows/smart-policy.rst deleted file mode 100644 index 7f85805135..0000000000 --- a/storage/windows/smart-policy.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smart-policy.rst.inc diff --git a/storage/windows/smime-outlook.rst b/storage/windows/smime-outlook.rst deleted file mode 100644 index acd45a24a9..0000000000 --- a/storage/windows/smime-outlook.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-outlook.rst.inc diff --git a/storage/windows/smime-thunderbird.rst b/storage/windows/smime-thunderbird.rst deleted file mode 100644 index 4ae43d43ba..0000000000 --- a/storage/windows/smime-thunderbird.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../pro/smime-thunderbird.rst.inc diff --git a/storage/windows/smime.rst b/storage/windows/smime.rst deleted file mode 100644 index cd746658c8..0000000000 --- a/storage/windows/smime.rst +++ /dev/null @@ -1,9 +0,0 @@ -.. include:: ../../pro/smime.rst.inc - :end-line: 20 - -.. note:: - Windows users with 64-bit system (standard) need to install both, the 32-bit and the 64-bit version of OpenSC! - -.. include:: ../../pro/smime.rst.inc - :start-line: 20 - diff --git a/u2f/index.rst b/u2f/index.rst deleted file mode 100644 index 6e856a75bf..0000000000 --- a/u2f/index.rst +++ /dev/null @@ -1,15 +0,0 @@ -Nitrokey FIDO U2F -================= - -.. contents:: :local: - -Choose your operating system: - -.. toctree:: - :maxdepth: 1 - :glob: - - Windows - macOS - Linux - diff --git a/u2f/linux/2fa-nextcloud.rst b/u2f/linux/2fa-nextcloud.rst deleted file mode 100644 index eed3ad9899..0000000000 --- a/u2f/linux/2fa-nextcloud.rst +++ /dev/null @@ -1,4 +0,0 @@ -Two-Factor Authentication And Passwordless Login For Nextcloud Accounts -======================================================================= - -.. include:: ../../fido2/2fa-nextcloud.rst diff --git a/u2f/linux/2fa-odoo.rst b/u2f/linux/2fa-odoo.rst deleted file mode 100644 index 5bf7237e31..0000000000 --- a/u2f/linux/2fa-odoo.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../fido2/2fa-odoo.rst.inc diff --git a/u2f/linux/desktop-login.rst b/u2f/linux/desktop-login.rst deleted file mode 100644 index 3cf97f3894..0000000000 --- a/u2f/linux/desktop-login.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../fido2/linux/desktop-login.rst \ No newline at end of file diff --git a/u2f/linux/index.rst b/u2f/linux/index.rst deleted file mode 100644 index f89717d489..0000000000 --- a/u2f/linux/index.rst +++ /dev/null @@ -1,27 +0,0 @@ -Nitrokey FIDO U2F With Linux -============================ - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -.. include:: ../shared/index-content1.rst - -Troubleshooting ---------------- - -- If the Nitrokey is not accepted immediately, you may need to copy - this file - `41-nitrokey.rules `__ - to ``etc/udev/rules.d/``. In very rare cases, the system will need - the `older - version `__ - of this file. - -- After copying the file, restart udev via - ``sudo service udev restart``. diff --git a/u2f/mac/2fa-nextcloud.rst b/u2f/mac/2fa-nextcloud.rst deleted file mode 100644 index eed3ad9899..0000000000 --- a/u2f/mac/2fa-nextcloud.rst +++ /dev/null @@ -1,4 +0,0 @@ -Two-Factor Authentication And Passwordless Login For Nextcloud Accounts -======================================================================= - -.. include:: ../../fido2/2fa-nextcloud.rst diff --git a/u2f/mac/2fa-odoo.rst b/u2f/mac/2fa-odoo.rst deleted file mode 100644 index 5bf7237e31..0000000000 --- a/u2f/mac/2fa-odoo.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../fido2/2fa-odoo.rst.inc diff --git a/u2f/mac/index.rst b/u2f/mac/index.rst deleted file mode 100644 index 826477b989..0000000000 --- a/u2f/mac/index.rst +++ /dev/null @@ -1,13 +0,0 @@ -Nitrokey FIDO U2F With macOS -============================ - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -.. include:: ../shared/index-content1.rst diff --git a/u2f/shared/index-content1.rst b/u2f/shared/index-content1.rst deleted file mode 100644 index 5e9088f110..0000000000 --- a/u2f/shared/index-content1.rst +++ /dev/null @@ -1,25 +0,0 @@ -The Nitrokey FIDO U2F supports **two-factor authentication (2FA)**. With -two-factor authentication (2FA), the Nitrokey FIDO U2F is checked in -addition to the password. - -The Nitrokey FIDO U2F can be used with any current browser. - -Two-Factor Authentication (2FA) -------------------------------- - -1. Open one of the `websites that support FIDO - U2F `__. -2. Log in to the website and enable two-factor authentication in your - account settings. (In most cases you will find a link to the - documentation of the supported web service at - `dongleauth.com `__.) -3. Register your Nitrokey FIDO U2F in the account settings by touching - the button to activate the Nitrokey FIDO U2F. After you have - successfully configured the device, you must activate the Nitrokey - FIDO U2F this way each time you log in. - -You are now ready to go. - -.. important:: - - The Nitrokey App can not be used for the Nitrokey FIDO U2F. diff --git a/u2f/windows/2fa-nextcloud.rst b/u2f/windows/2fa-nextcloud.rst deleted file mode 100644 index eed3ad9899..0000000000 --- a/u2f/windows/2fa-nextcloud.rst +++ /dev/null @@ -1,4 +0,0 @@ -Two-Factor Authentication And Passwordless Login For Nextcloud Accounts -======================================================================= - -.. include:: ../../fido2/2fa-nextcloud.rst diff --git a/u2f/windows/2fa-odoo.rst b/u2f/windows/2fa-odoo.rst deleted file mode 100644 index 5bf7237e31..0000000000 --- a/u2f/windows/2fa-odoo.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../fido2/2fa-odoo.rst.inc diff --git a/u2f/windows/index.rst b/u2f/windows/index.rst deleted file mode 100644 index 534a0c8720..0000000000 --- a/u2f/windows/index.rst +++ /dev/null @@ -1,16 +0,0 @@ -Nitrokey FIDO U2F With Windows -============================== - -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - -The first time you plug in the Nitrokey FIDO U2F Windows may need some -time to configure the device. - -.. include:: ../shared/index-content1.rst