1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
|
.TH NITROCLI 1 2020-09-07
.SH NAME
nitrocli \- access Nitrokey devices
.SH SYNOPSIS
.B nitrocli
\fIcommand\fR
[\fIarguments\fR]
.SH DESCRIPTION
\fBnitrocli\fR provides access to Nitrokey devices.
It supports the Nitrokey Pro and the Nitrokey Storage.
It can be used to access the encrypted volume, the one-time password generator,
and the password safe.
.SS Device selection
Per default, \fBnitrocli\fR connects to any attached Nitrokey device.
You can use the \fB\-\-model\fR and \fB\-\-serial-number\fR options to select
the device to connect to.
\fBnitrocli\fR fails if more than one attached Nitrokey device matches this
filter or if multiple Nitrokey devices are attached and none of the filter
options is set.
.SH OPTIONS
.TP
\fB\-m\fR, \fB\-\-model pro\fR|\fBstorage\fR
Restrict connections to the given device model, see the Device selection
section.
.TP
\fB\-\-serial-number \fIserial-number\fR
Restrict connections to the given serial number, see the Device selection
section.
\fIserial-number\fR must be a hex string with an optional 0x prefix.
This option can be set multiple times to allow any of the given serial numbers.
Nitrokey Storage devices never match this restriction as they do not expose
their serial number in the USB device descriptor.
.TP
\fB\-\-no\-cache\fR
If this option is set, nitrocli will not cache any inquired secrets using
\fBgpg\-agent\fR(1) but ask for them each time they are needed.
Note that this option does not cause any cached secrets to be cleared.
If a secret is already in the cache it will be ignored, but left otherwise
untouched.
Use the \fBpin clear\fR command to clear secrets from the cache.
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Enable additional logging and control its verbosity. Logging enabled through
this option will appear on the standard error stream. This option can be
supplied multiple times. A single occurrence will show additional warnings.
Commands sent to the device will be shown when supplied three times and full
device communication is available with four occurrences. Supplying this option
five times enables the highest verbosity.
.TP
\fB\-V\fR, \fB\-\-version\fR
Print the nitrocli version and exit.
.SH COMMANDS
.SS General
.TP
.B nitrocli list \fR[\fB-n\fR|\fB\-\-no-connect\fR]
List all attached Nitrokey devices.
This command prints a list of the device path, the model and the serial number
of all attached Nitrokey devices.
To access the serial number of a Nitrokey Storage device, \fBnitrocli\fR has to
connect to it.
To omit the serial number of Nitrokey Storage devices instead of connecting to
them, set the \fB\-\-no-connect\fR option.
.TP
.B nitrocli status
Print the status of the connected Nitrokey device, including the stick serial
number, the firmware version, and the PIN retry count. If the device is a
Nitrokey Storage, also print storage related information including the SD card
serial number, the encryption status, and the status of the volumes.
.TP
.B nitrocli lock
Lock the Nitrokey.
This command locks the password safe (see the Password safe section). On the
Nitrokey Storage, it will also close any active encrypted or hidden volumes (see
the Storage section).
.TP
.B nitrocli reset
Perform a factory reset on the Nitrokey.
This command performs a factory reset on the OpenPGP smart card, clears the
flash storage and builds a new AES key.
The user PIN is reset to 123456, the admin PIN to 12345678.
This command requires the admin PIN.
To avoid accidental calls of this command, the user has to enter the PIN even
if it has been cached.
.SS Storage
The Nitrokey Storage comes with a storage area. This area is comprised of an
\fIunencrypted\fR region and an \fIencrypted\fR one of fixed sizes, each made
available to the user in the form of block devices. The encrypted region can
optionally further be overlayed with up to four \fIhidden\fR volumes. Because of
this overlay (which is required to achieve plausible deniability of the
existence of hidden volumes), the burden of ensuring that data on the encrypted
volume does not overlap with data on one of the hidden volumes is on the user.
.TP
\fBnitrocli unencrypted set \fImode\fR
Change the read-write mode of the volume.
\fImode\fR is the type of the mode to change to: \fBread-write\fR to make the
volume readable and writable or \fBread-only\fR to make it only readable.
This command requires the admin PIN.
Note that this command requires firmware version 0.51 or higher. Earlier
versions are not supported.
.TP
\fBnitrocli encrypted open
Open the encrypted volume on the Nitrokey Storage.
The user PIN that is required to open the volume is queried using
\fBpinentry\fR(1) and cached by \fBgpg\-agent\fR(1).
.TP
\fBnitrocli encrypted close
Close the encrypted volume on the Nitrokey Storage.
.TP
\fBnitrocli hidden create \fIslot\fR \fIstart\fR \fIend\fR
Create a new hidden volume inside the encrypted volume. \fIslot\fR must indicate
one of the four available slots. \fIstart\fR and \fIend\fR represent,
respectively, the start and end position of the hidden volume inside the
encrypted volume, as a percentage of the encrypted volume's size.
This command requires a password which is later used to look up the hidden
volume to open. Unlike a PIN, this password is not cached by \fBgpg\-agent\fR(1).
.TP
\fBnitrocli hidden open
Open a hidden volume. The volume to open is determined based on the password
entered, which must have a minimum of six characters. Only one hidden volume can
be active at any point in time and previously opened volumes will be
automatically closed. Similarly, the encrypted volume will be closed if it was
open.
.TP
\fBnitrocli hidden close
Close a hidden volume.
.SS One-time passwords
The Nitrokey Pro and the Nitrokey Storage support the generation of one-time
passwords using the HOTP algorithm according to RFC 4226 or the TOTP algorithm
according to RFC 6238.
The required data \(en a name and the secret \(en is stored in slots.
Currently, the Nitrokey devices provide three HOTP slots and 15 TOTP slots.
The slots are numbered per algorithm starting at zero.
.P
The TOTP algorithm is a modified version of the HOTP algorithm that also uses
the current time.
Therefore, the Nitrokey clock must be synchronized with the clock of the
application that requests the one-time password.
.TP
\fBnitrocli otp get \fIslot \fR[\fB\-a\fR|\fB\-\-algorithm \fIalgorithm\fR] \
\fB[\-t\fR|\fB\-\-time \fItime\fR]
Generate a one-time password.
\fIslot\fR is the number of the slot to generate the password from.
\fIalgorithm\fR is the OTP algorithm to use.
Possible values are \fBhotp\fR for the HOTP algorithm according to RFC 4226 and
\fBtotp\fR for the TOTP algorithm according to RFC 6238 (default).
Per default, this commands sets the Nitrokey's time to the system time if the
TOTP algorithm is selected.
If \fB\-\-time\fR is set, it is set to \fItime\fR instead, which must be a Unix
timestamp (i.e., the number of seconds since 1970-01-01 00:00:00 UTC).
This command might require the user PIN (see the Configuration section).
.TP
\fBnitrocli otp set \fIslot name secret \
\fR[\fB\-a\fR|\fB\-\-algorithm \fIalgorithm\fR] \
[\fB\-d\fR|\fB\-\-digits \fIdigits\fR] [\fB\-c\fR|\fB\-\-counter \fIcounter\fR] \
[\fB\-t\fR|\fB\-\-time-window \fItime-window\fR] \
[\fB-f\fR|\fB\-\-format ascii\fR|\fBbase32\fR|\fBhex\fR]
Configure a one-time password slot.
\fIslot\fR is the number of the slot to configure.
\fIname\fR is the name of the slot (may not be empty).
\fIsecret\fR is the secret value to store in that slot.
The \fB\-\-format\fR option specifies the format of the secret.
If it is set to \fBascii\fR, each character of the given secret is interpreted
as the ASCII code of one byte.
If it is set to \fBbase32\fR, the secret is interpreted as a base32 string
according to RFC 4648.
If it is set to \fBhex\fR, every two characters are interpreted as the
hexadecimal value of one byte.
The default value is \fBbase32\fR.
\fIalgorithm\fR is the OTP algorithm to use.
Possible values are \fBhotp\fR for the HOTP algorithm according to RFC 4226 and
\fBtotp\fR for the TOTP algorithm according to RFC 6238 (default).
\fIdigits\fR is the number of digits the one-time password should have.
Allowed values are 6 and 8 (default: 6).
\fIcounter\fR is the initial counter if the HOTP algorithm is used (default: 0).
\fItime window\fR is the time window used with TOTP in seconds (default: 30).
.TP
\fBnitrocli otp clear \fIslot \fR[\fB\-a\fR|\fB\-\-algorithm \fIalgorithm\fR]
Delete the name and the secret stored in a one-time password slot.
\fIslot\fR is the number of the slot to clear.
\fIalgorithm\fR is the OTP algorithm to use.
Possible values are \fBhotp\fR for the HOTP algorithm according to RFC 4226 and
\fBtotp\fR for the TOTP algorithm according to RFC 6238 (default).
.TP
\fBnitrocli otp status \fR[\fB\-a\fR|\fB\-\-all\fR]
List all OTP slots.
If \fB\-\-all\fR is not set, empty slots are ignored.
.SS Configuration
Nitrokey devices have four configuration settings: the numlock, capslock and
scrollock keys can be mapped to an HOTP slot, and OTP generation can be set to
require the user PIN.
.TP
\fBnitrocli config get\fR
Print the current Nitrokey configuration.
.TP
\fBnitrocli config set \fR\
[[\fB\-n\fR|\fB\-\-numlock \fIslot\fR] | [\fB\-N\fR|\fB\-\-no\-numlock\fR]] \
[[\fB\-c\fR|\fB\-\-capslock \fIslot\fR] | [\fB\-C\fR|\fB\-\-no\-capslock\fR]] \
[[\fB\-s\fR|\fB\-\-scrollock \fIslot\fR] | [\fB\-S\fR|\fB\-\-no\-scrollock\fR]] \
[[\fB\-o\fR|\fB\-\-otp\-pin\fR] | [\fB\-O\fR|\fB\-\-no\-otp\-pin\fR]]
Update the Nitrokey configuration.
This command requires the admin PIN.
With the \fB\-\-numlock\fR, \fB\-\-capslock\fR and \fB\-\-scrollock\fR options,
the respective bindings can be set.
\fIslot\fR is the number of the HOTP slot to bind the key to.
If \fB\-\-no\-numlock\fR, \fB\-\-no\-capslock\fR or \fB\-\-no\-scrollock\fR is
set, the respective binding is disabled.
The two corresponding options are mutually exclusive.
If \fB\-\-otp\-pin\fR is set, the user PIN will be required to generate one-time
passwords using the \fBotp get\fR command.
If \fB\-\-no\-otp\-pin\fR is set, OTP generation can be performed without PIN.
These two options are mutually exclusive.
.SS Password safe
The Nitrokey Pro and the Nitrokey Storage provide a password safe (PWS) with 20
slots.
In each of these slots you can store a name, a login, and a password.
The PWS is not encrypted, but it is protected with the user PIN by the firmware.
Once the PWS is unlocked by one of the commands listed below, it can be
accessed without authentication.
You can use the \fBlock\fR command to lock the password safe.
.TP
\fBnitrocli pws get \fIslot \fR[\fB\-n\fR|\fB\-\-name\fR] \
[\fB\-l\fR|\fB\-\-login\fR] \
[\fB\-p\fR|\fB\-\-password\fR] \
[\fB\-q\fR|\fB\-\-quiet\fR]
Print the content of one PWS slot.
\fIslot\fR is the number of the slot.
Per default, this command prints the name, the login and the password (in that
order).
If one or more of the options \fB\-\-name\fR, \fB\-\-login\fR, and
\fB\-\-password\fR are set, only the selected fields are printed.
The order of the fields never changes.
The fields are printed together with a label.
Use the \fB\-\-quiet\fR option to suppress the labels and to only output the
values stored in the PWS slot.
.TP
\fBnitrocli pws set \fIslot name login password\fR
Set the content of a PWS slot.
\fIslot\fR is the number of the slot to write.
\fIname\fR, \fIlogin\fR, and \fIpassword\fR represent the data to write to the
slot.
.TP
\fBnitrocli pws clear \fIslot\fR
Delete the data stored in a PWS slot.
\fIslot\fR is the number of the slot clear.
.TP
\fBnitrocli pws status \fR[\fB\-a\fR|\fB\-\-all\fR]
List all PWS slots.
If \fB\-\-all\fR is not set, empty slots are ignored.
.SS PINs
Nitrokey devices have two PINs: the user PIN and the admin PIN. The user
PIN must have at least six, the admin PIN at least eight characters. The
user PIN is required for commands such as \fBotp get\fR (depending on
the configuration) and for all \fBpws\fR commands.
The admin PIN is usually required to change the device configuration.
.P
Each PIN has a retry counter that is decreased with every wrong PIN entry and
reset if the PIN was entered correctly.
The initial retry counter is three.
If the retry counter for the user PIN is zero, you can use the
\fBpin unblock\fR command to unblock and reset the user PIN.
If the retry counter for the admin PIN is zero, you have to perform a factory
reset using the \fBreset\fR command or \fBgpg\fR(1).
Use the \fBstatus\fR command to check the retry counters.
.TP
.B nitrocli pin clear
Clear the PINs cached by the other commands. Note that cached PINs are
associated with the device they belong to and the \fBclear\fR command will only
clear the PIN for the currently used device, not all others.
.TP
\fBnitrocli pin set \fItype\fR
Change a PIN.
\fItype\fR is the type of the PIN that will be changed: \fBadmin\fR to change
the admin PIN or \fBuser\fR to change the user PIN.
This command only works if the retry counter for the PIN type is at least one.
(Use the \fBstatus\fR command to check the retry counters.)
.TP
.B nitrocli pin unblock
Unblock and reset the user PIN.
This command requires the admin PIN.
The admin PIN cannot be unblocked.
This operation is equivalent to the unblock PIN option provided by \fBgpg\fR(1)
(using the \fB\-\-change\-pin\fR option).
.SH CONFIG FILE
\fBnitrocli\fR tries to read the configuration file at
\fB${XDG_CONFIG_HOME}/nitrocli/config.toml\fR (or
\fB${HOME}/nitrocli/config.toml\fR if the \fBXDG_CONFIG_HOME\fR environment
variable is not set).
It is used to set default values for the options listed below.
.P
You can also set the environment variable \fBNITROCLI_\fIKEY\fR to overwrite
the configuration for \fIkey\fR (see the Environment section).
Note that command-line arguments overwrite both the configuration file and the
environment variables.
.P
The following values can be set in the configuration file:
.TP
.B model
Restrict connections to the given device model (string, default: not set, see
\fB\-\-model\fR).
.TP
.B serial_numbers
Restrict connections to the given serial numbers (list of strings, default:
empty, see \fB\-\-serial-number\fR).
.TP
.B no_cache
If set to true, do not cache any inquired secrets (boolean, default: false,
see \fB\-\-no\-cache\fR).
.TP
.B verbosity
Set the log level (integer, default: 0, see \fB\-\-verbose\fR).
.P
The configuration file must use the TOML format, for example:
model = "pro"
serial_numbers = ["0xf00baa", "deadbeef"]
no_cache = false
verbosity = 0
.SH ENVIRONMENT
The program honors a set of environment variables that can be used to
suppress interactive PIN entry through \fBpinentry\fR(1). The following
variables are recognized:
.TP
.B NITROCLI_ADMIN_PIN
The admin PIN to use.
.TP
.B NITROCLI_USER_PIN
The user PIN to use.
.TP
.B NITROCLI_NEW_ADMIN_PIN
The new admin PIN to set. This variable is only used by the \fBpin set\fR
command for the \fBadmin\fR type.
.TP
.B NITROCLI_NEW_USER_PIN
The new user PIN to set. This variable is only used by the \fBpin set\fR command
for the \fBuser\fR type.
.TP
.B NITROCLI_PASSWORD
A password used by commands that require one (e.g., \fBhidden open\fR).
.P
Additionally, these environment variables can be used to overwrite the
configuration (see the Config file section):
.TP
.B NITROCLI_MODEL
Restrict connections to the given device model (string, default: not set, see
\fB\-\-model\fR).
.TP
.B NITROCLI_SERIAL_NUMBERS
Restrict connections to the given list of serial numbers (comma-separated list
of strings, default: empty, see \fB\-\-serial-number\fR).
.TP
.B NITROCLI_NO_CACHE
If set to true, do not cache any inquired secrets (boolean, default: false,
see \fB\-\-no\-cache\fR).
.TP
.B NITROCLI_VERBOSITY
Set the log level (integer, default: 0, see \fB\-\-verbose\fR).
.SH FILES
.TP
.B ${XDG_CONFIG_HOME}/nitrocli/config.toml
.TP
.B ${HOME}/nitrocli/config.toml
User configuration file, see the Config file section.
.SH EXAMPLES
.SS Storage
Create a hidden volume in the first available slot, starting at half the size of
the encrypted volume (i.e., 50%) and stretching all the way to its end (100%):
$ \fBnitrocli hidden create 0 50 100\fR
.SS One-time passwords
Configure a one-time password slot with a hexadecimal secret representation:
$ \fBnitrocli otp set 0 test\-rfc4226 3132333435363738393031323334353637383930 \-\-algorithm hotp\fR
$ \fBnitrocli otp set 1 test\-foobar 666F6F626172 \-\-algorithm hotp\fR
$ \fBnitrocli otp set 0 test\-rfc6238 3132333435363738393031323334353637383930 \-\-algorithm totp \-\-digits 8\fR
.P
Configure a one-time password slot with an ASCII secret representation:
$ \fBnitrocli otp set 0 test\-rfc4226 12345678901234567890 \-\-format ascii \-\-algorithm hotp\fR
$ \fBnitrocli otp set 1 test\-foobar foobar \-\-format ascii \-\-algorithm hotp\fR
$ \fBnitrocli otp set 0 test\-rfc6238 12345678901234567890 \-\-format ascii \-\-algorithm totp \-\-digits 8\fR
.P
Configure a one-time password slot with a base32 secret representation:
$ \fBnitrocli otp set 0 test\-rfc4226 gezdgnbvgy3tqojqgezdgnbvgy3tqojq \-\-format base32 \-\-algorithm hotp\fR
$ \fBnitrocli otp set 1 test\-foobar mzxw6ytboi====== \-\-format base32 \-\-algorithm hotp\fR
$ \fBnitrocli otp set 0 test\-rfc6238 gezdgnbvgy3tqojqgezdgnbvgy3tqojq \-\-format base32 \-\-algorithm totp \-\-digits 8\fR
.P
Generate a one-time password:
$ \fBnitrocli otp get 0 \-\-algorithm hotp\fR
755224
$ \fBnitrocli otp get 0 \-\-algorithm totp \-\-time 1234567890\fR
89005924
.P
Clear a one-time password slot:
$ \fBnitrocli otp clear 0 \-\-algorithm hotp\fR
.SS Configuration
Query the configuration:
$ \fBnitrocli config get\fR
Config:
numlock binding: not set
capslock binding: not set
scrollock binding: not set
require user PIN for OTP: true
.P
Change the configuration:
$ \fBnitrocli config set \-\-otp\-pin\fR
.SS Password safe
Configure a PWS slot:
$ \fBnitrocli pws set 0 example.org john.doe passw0rd\fR
Get the data from a slot:
$ \fBnitrocli pws get 0\fR
name: example.org
login: john.doe
password: passw0rd
Copy the password to the clipboard (requires \fBxclip\fR(1)).
$ \fBnitrocli pws get 0 \-\-password \-\-quiet | xclip \-in\fR
Query the PWS slots:
$ \fB nitrocli pws status\fR
slot name
0 example.org
|