
Provide dashboard / overview of what is provided as a feature at present

Open jerabaul29 opened this issue 1 year ago • 4 comments

I get confused about what features are provided or not at present. For example, if I understand correctly, the secret key is so far contained in the MCU, not the secure element? Or is the most recent firmware fully leveraging the secure element? This kind of information is quite critical, and important for me to decide when to transition from the Nitrokey Pro 2 to the Nitrokey 3.

Would it be possible to add a dashboard / overview, ideally on the readme of this repo, or else somewhere easy to find in the documentation, to track these kinds of questions (and other similar questions that may arise)?

jerabaul29 avatar Aug 04 '23 13:08 jerabaul29

The idea would be for a user to be able, just by taking a quick look, to decide whether "we are NK3 ready yet" :).

jerabaul29 avatar Aug 04 '23 13:08 jerabaul29

So is the actual secure element now used by default for all GPG operations after the latest release? Or is it still only some of the operations, with some cryptography still taking place in the MCU even after the release 1.7.0? :)

jerabaul29 avatar May 06 '24 12:05 jerabaul29

With 1.7.0, you can choose whether the software implementation or the secure element is used. The secure element is the default, but if you used GPG before with your device, it stays in software mode until you change that. There will be a blog post that explains this in detail soon.

If the secure element is selected, the private keys are stored on it and all relevant cryptography operations are performed by the secure element.

robin-nitrokey avatar May 06 '24 12:05 robin-nitrokey

Excellent, many thanks :) This is great news; finally I will be able to move from NKPro to NK3 :).

jerabaul29 avatar May 06 '24 12:05 jerabaul29

One other point that would be welcome in this dashboard: if I understand correctly, GPG is now supported by the secure element, while FIDO2 over NFC is (and, due to power requirements, will always be) supported by the MCU and not the secure element, right? What about FIDO2 over USB: can it be on either the MCU or the secure element, i.e. does that mean there will ultimately be 2 possible backends with FIDO2 too (one of them being USB only)?

jerabaul29 avatar May 10 '24 15:05 jerabaul29

Yes, adding SE050 support for FIDO2 over USB would be possible in the future. But it is not yet decided if and when it will be implemented.

robin-nitrokey avatar May 13 '24 09:05 robin-nitrokey

We now have a Features page in the Nitrokey 3 documentation that lists the available applications and whether they use the secure element.

robin-nitrokey avatar May 14 '24 06:05 robin-nitrokey