General
nitrocli list [-n|--no-connect]
List all attached Nitrokey devices. This command prints a
list of the USB path, the model and the serial number of
all attached Nitrokey devices. To access the serial
number of a Nitrokey Storage device, nitrocli has to
connect to it. To omit the serial number of Nitrokey
Storage devices instead of connecting to them, set the
--no-connect option.
nitrocli status
Print the status of the connected Nitrokey device,
including the stick serial number, the firmware version,
and the PIN retry count. If the device is a Nitrokey
Storage, also print storage related information including
the SD card serial number, the SD card usage during this
power cycle, the encryption status, and the status of the
volumes.
nitrocli lock
Lock the Nitrokey. This command locks the password safe
(see the Password safe section). On the Nitrokey Storage,
it will also close any active encrypted or hidden volumes
(see the Storage section).
nitrocli reset [--only-aes-key]
Perform a factory reset on the Nitrokey. This command
performs a factory reset on the OpenPGP smart card, clears
the flash storage and builds a new AES key. The user PIN
is reset to 123456, the admin PIN to 12345678.
If the --only-aes-key option is set, the command does not
perform a full factory reset but only creates a new AES
key. The AES key is for example used to encrypt the
password safe.
This command requires the admin PIN. To avoid accidental
calls of this command, the user has to enter the PIN even
if it has been cached.
Storage
The Nitrokey Storage comes with a storage area. This area is
comprised of an unencrypted region and an encrypted one of fixed
sizes, each made available to the user in the form of block
devices. The encrypted region can optionally further be overlaid
with up to four hidden volumes. Because of this overlay (which is
required to achieve plausible deniability of the existence of
hidden volumes), the burden of ensuring that data on the
encrypted volume does not overlap with data on one of the hidden
volumes is on the user.
nitrocli unencrypted set mode
Change the read-write mode of the unencrypted volume. mode
is the mode to change to: read-write to make the volume
readable and writable or read-only to make it only
readable. This command requires the admin PIN.
Note that this command requires firmware version 0.51 or
higher. Earlier versions are not supported.
nitrocli encrypted open
Open the encrypted volume on the Nitrokey Storage. The
user PIN that is required to open the volume is queried
using pinentry(1) and cached by gpg-agent(1).
nitrocli encrypted close
Close the encrypted volume on the Nitrokey Storage.
nitrocli hidden create slot start end
Create a new hidden volume inside the encrypted volume.
slot must indicate one of the four available slots. start
and end represent, respectively, the start and end
position of the hidden volume inside the encrypted volume,
as a percentage of the encrypted volume's size. This
command requires a password which is later used to look up
the hidden volume to open. Unlike a PIN, this password is
not cached by gpg-agent(1).
As a guideline for creating new hidden volumes, the status
command provides a range of the SD card that has not been
written to during this power cycle.
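Because the burden of keeping hidden volumes from overlapping each other or the data on the encrypted volume is on the user, the following Python helper is added here as an example (it is not part of nitrocli). It checks a planned set of slot ranges, given as the start/end percentages that hidden create takes, against each other and against the not-written range read off the status command, and proposes the lowest free range of a requested size. Treating end as exclusive and the slot count of four are assumptions of this example; the numbers in the usage block are constructed and nothing here talks to a device.

```python
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# A hidden volume's position is passed to `hidden create` as start and end
# percentages of the encrypted volume.  This example treats end as
# exclusive (assumption): two volumes may touch but must not share a percent.
Range = Tuple[int, int]

SLOTS = 4  # the four hidden volume slots of the Nitrokey Storage


def overlaps(a: Range, b: Range) -> bool:
    return a[0] < b[1] and b[0] < a[1]


def check_hidden_layout(volumes: Dict[int, Range],
                        unwritten: Optional[Range] = None) -> List[str]:
    """Validate a planned set of hidden volumes (slot -> (start, end)).

    Reports slot numbers outside 0..3, malformed ranges, ranges that reach
    into the part of the card already written during this power cycle
    (`unwritten` is the not-written range shown by `nitrocli status`) and
    every pair of volumes that overlap.  An empty list means all checks
    passed."""
    problems: List[str] = []
    for slot, (start, end) in sorted(volumes.items()):
        if not 0 <= slot < SLOTS:
            problems.append(f"slot {slot}: slot must be between 0 and {SLOTS - 1}")
        if not 0 <= start < end <= 100:
            problems.append(f"slot {slot}: {start}..{end} is not a valid "
                            "percentage range with start < end")
            continue
        if unwritten is not None and not (unwritten[0] <= start and end <= unwritten[1]):
            problems.append(f"slot {slot}: {start}..{end} leaves the unwritten "
                            f"range {unwritten[0]}..{unwritten[1]} and may "
                            "clobber data on the encrypted volume")
    for (sa, ra), (sb, rb) in combinations(sorted(volumes.items()), 2):
        if overlaps(ra, rb):
            problems.append(f"slots {sa} and {sb} overlap: "
                            f"{ra[0]}..{ra[1]} vs {rb[0]}..{rb[1]}")
    return problems


def propose_range(unwritten: Range, existing: Dict[int, Range],
                  size: int) -> Optional[Range]:
    """Lowest (start, end) of `size` percent that lies inside `unwritten`
    and does not overlap any existing hidden volume, or None if no such
    gap exists."""
    lo, hi = unwritten
    cursor = lo
    for start, end in sorted(existing.values()):
        if min(start, hi) - cursor >= size:   # gap before this volume
            return (cursor, cursor + size)
        cursor = max(cursor, end)
        if cursor >= hi:
            return None
    if hi - cursor >= size:                    # gap after the last volume
        return (cursor, cursor + size)
    return None


if __name__ == "__main__":
    # Constructed scenario: status reported 17..100 as not written during
    # this power cycle, and slots 0 and 1 already hold hidden volumes.
    planned = {0: (20, 40), 1: (50, 60)}
    print(check_hidden_layout(planned, unwritten=(17, 100)))  # []
    print(propose_range((17, 100), planned, 30))              # (60, 90)
```

Run the check on the layout before the first hidden create, and again whenever a volume is added; the proposal is only as good as the not-written range, which is per power cycle, so read status right before creating the volume.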
nitrocli hidden open
Open a hidden volume. The volume to open is determined
based on the password entered, which must have a minimum
of six characters. Only one hidden volume can be active at
any point in time and previously opened volumes will be
automatically closed. Similarly, the encrypted volume will
be closed if it was open.
nitrocli hidden close
Close a hidden volume.
nitrocli fill [-a|--attach]
Fills the SD card with random data, overwriting all
existing data. This operation takes about one hour to
finish for a 16 GiB SD card. It cannot be canceled, even
if the nitrocli
process is terminated before it finishes.
This command requires the admin PIN. To avoid accidental
calls of this command, the user has to enter the PIN even
if it has been cached.
If the --attach option is set, this command will not start
a new fill operation. Instead it checks whether a fill
operation is currently running on the device and shows its
progress.
One-time passwords
The Nitrokey Pro, the Nitrokey Storage, and the Librem Key
support the generation of one-time passwords using the HOTP
algorithm according to RFC 4226 or the TOTP algorithm according
to RFC 6238. The required data – a name and the secret – is
stored in slots. Currently, the Nitrokey devices provide three
HOTP slots and 15 TOTP slots. The slots are numbered per
algorithm starting at zero.
The TOTP algorithm is a modified version of the HOTP algorithm
that also uses the current time. Therefore, the Nitrokey clock
must be synchronized with the clock of the application that
requests the one-time password.
nitrocli otp get slot [-a|--algorithm algorithm] [-t|--time time]
Generate a one-time password. slot is the number of the
slot to generate the password from. algorithm is the OTP
algorithm to use. Possible values are hotp for the HOTP
algorithm according to RFC 4226 and totp for the TOTP
algorithm according to RFC 6238 (default). By default,
this command sets the Nitrokey's time to the system time
if the TOTP algorithm is selected. If --time is set, the
Nitrokey's time is set to time instead, which must be a
Unix timestamp (i.e., the number of seconds since
1970-01-01 00:00:00 UTC). This command might require the
user PIN (see the Configuration section).
nitrocli otp set slot name secret|- [-a|--algorithm algorithm]
[-d|--digits digits] [-c|--counter counter]
[-t|--time-window time-window] [-f|--format ascii|base32|hex]
Configure a one-time password slot. slot is the number of
the slot to configure. name is the name of the slot (may
not be empty). secret is the secret value to store in
that slot. If secret is set to -, the secret is read from
the standard input.
The --format option specifies the format of the secret.
If it is set to ascii, each character of the given secret
is interpreted as the ASCII code of one byte. If it is
set to base32, the secret is interpreted as a base32
string according to RFC 4648. If it is set to hex, every
two characters are interpreted as the hexadecimal value of
one byte. The default value is base32.
algorithm is the OTP algorithm to use. Possible values
are hotp for the HOTP algorithm according to RFC 4226 and
totp for the TOTP algorithm according to RFC 6238
(default). digits is the number of digits the one-time
password should have. Allowed values are 6 and 8
(default: 6). counter is the initial counter if the HOTP
algorithm is used (default: 0). time-window is the time
window used with TOTP in seconds (default: 30).
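The following Python is an added example, not nitrocli's own code. It decodes a secret in each of the three --format encodings described above and computes HOTP (RFC 4226) and TOTP (RFC 6238) codes for the digits, counter and time-window settings that otp set accepts, so the value printed by otp get can be cross-checked on the host. It also computes the codes of the neighbouring time steps, which is what a clock skew of one window between the Nitrokey and the host would produce. HMAC-SHA1 is assumed, as in the RFC test vectors; the reference secret in the usage block is the RFC 4226 test key, and nothing here talks to a device.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple


def decode_secret(secret: str, fmt: str = "base32") -> bytes:
    """Turn the secret string into raw key bytes, following the three
    --format values described for `otp set`.

    ascii:  every character is the ASCII code of one byte
    base32: an RFC 4648 base32 string (padding may have been stripped)
    hex:    every two characters are the hexadecimal value of one byte
    """
    if fmt == "ascii":
        return secret.encode("ascii")
    if fmt == "base32":
        cleaned = secret.strip().replace(" ", "").upper()
        cleaned += "=" * (-len(cleaned) % 8)  # restore any stripped padding
        return base64.b32decode(cleaned)
    if fmt == "hex":
        return bytes.fromhex(secret.strip())
    raise ValueError(f"unknown secret format: {fmt!r}")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    if digits not in (6, 8):
        raise ValueError("nitrocli accepts only 6 or 8 digits")
    if counter < 0:
        raise ValueError("counter must be non-negative")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, digits: int = 6,
         time_window: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the number of
    `time_window`-second steps since the Unix epoch.  `unix_time` plays
    the role of the --time argument of `otp get`; None means "now"."""
    if time_window <= 0:
        raise ValueError("time window must be positive")
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // time_window, digits)


def totp_neighbours(secret: bytes, unix_time: int, digits: int = 6,
                    time_window: int = 30) -> Tuple[str, str, str]:
    """Codes for the previous, current and next time step.  If the device
    prints a neighbour rather than the current code, its clock and the
    host clock differ by at least one window."""
    step = unix_time // time_window
    prev_code, cur_code, next_code = (hotp(secret, step + d, digits) for d in (-1, 0, 1))
    return prev_code, cur_code, next_code


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret "12345678901234567890", written
    # in each of the three formats nitrocli accepts; all decode to one key.
    key = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "base32")
    assert key == decode_secret("3132333435363738393031323334353637383930", "hex")
    assert key == decode_secret("12345678901234567890", "ascii")
    print("HOTP counter 0:", hotp(key, 0))             # 755224
    print("TOTP at T=59, 8 digits:", totp(key, 59, 8))  # 94287082
    print("TOTP neighbours at T=59:", totp_neighbours(key, 59, 8))
    print("TOTP now:", totp(key))
```

To compare against a slot, feed the same secret string and --format you gave otp set to decode_secret, and pass the same --time value (or none) to totp; a match on the previous or next step rather than the current one points at the clock synchronisation requirement noted above.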
nitrocli otp clear slot [-a|--algorithm algorithm]
Delete the name and the secret stored in a one-time
password slot. slot is the number of the slot to clear.
algorithm is the OTP algorithm to use. Possible values
are hotp for the HOTP algorithm according to RFC 4226 and
totp for the TOTP algorithm according to RFC 6238
(default).
nitrocli otp status [-a|--all]
List all OTP slots. If --all is not set, empty slots are
ignored.
Configuration
Nitrokey devices have four configuration settings: the Num Lock,
Caps Lock and Scroll Lock keys can be mapped to an HOTP slot, and
OTP generation can be set to require the user PIN.
nitrocli config get
Print the current Nitrokey configuration.
nitrocli config set [[-n|--num-lock slot] | [-N|--no-num-lock]]
[[-c|--caps-lock slot] | [-C|--no-caps-lock]]
[[-s|--scroll-lock slot] | [-S|--no-scroll-lock]]
[[-o|--otp-pin] | [-O|--no-otp-pin]]
Update the Nitrokey configuration. This command requires
the admin PIN.
With the --num-lock, --caps-lock and --scroll-lock
options, the respective bindings can be set. slot is the
number of the HOTP slot to bind the key to. If
--no-num-lock, --no-caps-lock or --no-scroll-lock is set,
the respective binding is disabled. The two corresponding
options are mutually exclusive.
If --otp-pin is set, the user PIN will be required to
generate one-time passwords using the otp get command. If
--no-otp-pin is set, OTP generation can be performed
without PIN. These two options are mutually exclusive.
Password safe
The Nitrokey Pro, the Nitrokey Storage, and the Librem Key
provide a password safe (PWS) with 16 slots. In each of these
slots you can store a name, a login, and a password. The PWS is
not encrypted, but it is protected with the user PIN by the
firmware. Once the PWS is unlocked by one of the commands listed
below, it can be accessed without authentication. You can use
the lock command to lock the password safe.
nitrocli pws get slot [-n|--name] [-l|--login] [-p|--password]
[-q|--quiet]
Print the content of one PWS slot. slot is the number of
the slot. By default, this command prints the name, the
login and the password (in that order). If one or more of
the options --name, --login, and --password are set, only
the selected fields are printed. The order of the fields
never changes.
The fields are printed together with a label. Use the
--quiet option to suppress the labels and to only output
the values stored in the PWS slot.
nitrocli pws add [-s|--slot slot] name login password|-
Add a new PWS slot. If the --slot option is set, this
command writes the data to the given slot and fails if the
slot is already programmed. If the --slot option is not
set, this command locates the first free PWS slot and sets
its content to the given values. It fails if all PWS
slots are programmed.
If password is set to -, the password is read from the
standard input.
nitrocli pws update slot [-n|--name name] [-l|--login login]
[-p|--password password|-]
Update the content of a programmed PWS slot. slot is the
number of the slot to write. This command only sets the
data given with the --name, --login, and --password
options and does not overwrite the other fields of the
slot.
If password is set to -, the password is read from the
standard input.
nitrocli pws clear slot
Delete the data stored in a PWS slot. slot is the number
of the slot to clear.
nitrocli pws status [-a|--all]
List all PWS slots. If --all is not set, empty slots are
ignored.
PINs
Nitrokey devices have two PINs: the user PIN and the admin PIN.
The user PIN must have at least six, the admin PIN at least eight
characters. The user PIN is required for commands such as otp get
(depending on the configuration) and for all pws
commands. The
admin PIN is usually required to change the device configuration.
Each PIN has a retry counter that is decreased with every wrong
PIN entry and reset if the PIN was entered correctly. The
initial retry counter is three. If the retry counter for the
user PIN is zero, you can use the pin unblock
command to unblock
and reset the user PIN. If the retry counter for the admin PIN
is zero, you have to perform a factory reset using the reset
command or gpg
(1). Use the status
command to check the retry
counters.
nitrocli pin clear
Clear the PINs cached by the other commands. Note that
cached PINs are associated with the device they belong to;
the clear command only clears the PINs for the currently
used device, not those cached for other devices.
nitrocli pin set type
Change a PIN. type is the type of the PIN that will be
changed: admin to change the admin PIN or user to change
the user PIN. This command only works if the retry
counter for the PIN type is at least one. (Use the status
command to check the retry counters.)
nitrocli pin unblock
Unblock and reset the user PIN. This command requires the
admin PIN. The admin PIN cannot be unblocked. This
operation is equivalent to the unblock PIN option provided
by gpg(1) (using the --change-pin option).
Extensions
In addition to the above built-in commands, nitrocli supports
user-provided functionality in the form of extensions. An
extension can be any executable file whose filename starts with
"nitrocli-" and that is discoverable through lookup via the PATH
environment variable. Those executables can be invoked as regular
subcommands (without the need of the prefix; e.g., an extension
with the name "nitrocli-otp-cache" could be invoked as "nitrocli
otp-cache").
More information on how to write extensions can be found in the
Extensions section below.
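The lookup rule described above (an executable named "nitrocli-" plus the subcommand, found via PATH) is shown in the following Python, added here as an example; it is not nitrocli's own resolver. It answers which file "nitrocli <name>" would run, listing every extension visible on PATH, and skips files that are not executable. That the built-in commands listed on this page take precedence over a same-named extension is an assumption of this example, as is the name set used for that check. The demonstration directory and the nitrocli-otp-cache script in it are constructed; nothing here executes the extension. Because discovery goes through PATH, the usual rule applies: only directories you control should appear on it, or anyone who can write to one of them can add a subcommand.

```python
import os
import shutil
import tempfile
from typing import Dict, Optional

PREFIX = "nitrocli-"

# Assumption for this example: the built-in subcommands listed on this page
# are resolved before any extension of the same name is considered.
BUILTIN_COMMANDS = frozenset({
    "config", "encrypted", "fill", "hidden", "list", "lock", "otp", "pin",
    "pws", "reset", "status", "unencrypted",
})


def resolve_extension(subcommand: str, path: Optional[str] = None) -> Optional[str]:
    """Path of the executable `nitrocli <subcommand>` would run as an
    extension, or None.  Only a plain name is accepted (no directory
    separators), built-ins are never treated as extensions, and the first
    executable nitrocli-<subcommand> on PATH wins, exactly like a shell's
    own command lookup (shutil.which implements that search)."""
    if not subcommand or os.sep in subcommand or subcommand in BUILTIN_COMMANDS:
        return None
    return shutil.which(PREFIX + subcommand, path=path)


def list_extensions(path: Optional[str] = None) -> Dict[str, str]:
    """All extension names discoverable on PATH, mapped to the executable
    that would run for each (earlier PATH entries shadow later ones)."""
    if path is None:
        path = os.environ.get("PATH", "")
    found: Dict[str, str] = {}
    for directory in path.split(os.pathsep):
        try:
            entries = sorted(os.listdir(directory))
        except OSError:
            continue  # missing or unreadable PATH entry
        for name in entries:
            if not name.startswith(PREFIX):
                continue
            full = os.path.join(directory, name)
            ext = name[len(PREFIX):]
            if ext and ext not in found and os.path.isfile(full) and os.access(full, os.X_OK):
                found[ext] = full
    return found


def demo() -> Dict[str, object]:
    """Constructed demonstration: a throwaway PATH directory holding one
    executable extension (nitrocli-otp-cache) and one file that carries
    the prefix but is not executable and therefore must not be picked up."""
    with tempfile.TemporaryDirectory() as directory:
        exe = os.path.join(directory, PREFIX + "otp-cache")
        with open(exe, "w") as fh:
            fh.write("#!/bin/sh\necho 'otp-cache extension running'\n")
        os.chmod(exe, 0o755)
        noexec = os.path.join(directory, PREFIX + "noexec")
        with open(noexec, "w") as fh:
            fh.write("not executable, so not an extension\n")
        os.chmod(noexec, 0o644)
        return {
            "otp-cache": resolve_extension("otp-cache", path=directory),
            "noexec": resolve_extension("noexec", path=directory),
            "status": resolve_extension("status", path=directory),
            "all": sorted(list_extensions(path=directory)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Calling list_extensions() with no argument inspects the real PATH of the current shell, which is a quick way to audit which nitrocli-* executables a given environment would expose as subcommands.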