.TH NITROCLI 1 2021-04-24 .SH NAME nitrocli \- access Nitrokey devices .SH SYNOPSIS .B nitrocli \fIcommand\fR [\fIarguments\fR] .SH DESCRIPTION \fBnitrocli\fR provides access to Nitrokey devices. It supports the Nitrokey Pro, the Nitrokey Storage, and the Librem Key. It can be used to access the encrypted volume, the one-time password generator, and the password safe. .SS Device selection Per default, \fBnitrocli\fR connects to any attached Nitrokey device. You can use the \fB\-\-model\fR, \fB\-\-serial-number\fR and \fB\-\-usb-path\fR options to select the device to connect to. \fBnitrocli\fR fails if more than one attached Nitrokey device matches this filter or if multiple Nitrokey devices are attached and none of the filter options is set. Use the \fBlist\fR command to list all attached devices with their USB path, model, and serial number (if available). .SH OPTIONS .TP \fB\-m\fR, \fB\-\-model librem\fR|\fBpro\fR|\fBstorage\fR Restrict connections to the given device model, see the Device selection section. .TP \fB\-\-serial-number \fIserial-number\fR Restrict connections to the given serial number, see the Device selection section. \fIserial-number\fR must be a hex string with an optional 0x prefix. This option can be set multiple times to allow any of the given serial numbers. Nitrokey Storage devices never match this restriction as they do not expose their serial number in the USB device descriptor. .TP \fB\-\-usb-path \fIusb-path\fR Restrict connections to the given USB path, see the Device selection section. .TP \fB\-\-no\-cache\fR If this option is set, nitrocli will not cache any inquired secrets using \fBgpg\-agent\fR(1) but ask for them each time they are needed. Note that this option does not cause any cached secrets to be cleared. If a secret is already in the cache it will be ignored, but left otherwise untouched. Use the \fBpin clear\fR command to clear secrets from the cache. .TP \fB\-v\fR, \fB\-\-verbose\fR Enable additional logging and control its verbosity. Logging enabled through this option will appear on the standard error stream. This option can be supplied multiple times. A single occurrence will show additional warnings. Commands sent to the device will be shown when supplied three times and full device communication is available with four occurrences. Supplying this option five times enables the highest verbosity. .TP \fB\-V\fR, \fB\-\-version\fR Print the nitrocli version and exit. .SH COMMANDS .SS General .TP .B nitrocli list \fR[\fB-n\fR|\fB\-\-no-connect\fR] List all attached Nitrokey devices. This command prints a list of the USB path, the model and the serial number of all attached Nitrokey devices. To access the serial number of a Nitrokey Storage device, \fBnitrocli\fR has to connect to it. To omit the serial number of Nitrokey Storage devices instead of connecting to them, set the \fB\-\-no-connect\fR option. .TP .B nitrocli status Print the status of the connected Nitrokey device, including the stick serial number, the firmware version, and the PIN retry count. If the device is a Nitrokey Storage, also print storage related information including the SD card serial number, the SD card usage during this power cycle, the encryption status, and the status of the volumes. .TP .B nitrocli lock Lock the Nitrokey. This command locks the password safe (see the Password safe section). On the Nitrokey Storage, it will also close any active encrypted or hidden volumes (see the Storage section). .TP .B nitrocli reset \fR[\fB\-\-only-aes-key\fR] Perform a factory reset on the Nitrokey. This command performs a factory reset on the OpenPGP smart card, clears the flash storage and builds a new AES key. The user PIN is reset to 123456, the admin PIN to 12345678. If the \fB\-\-only-aes-key\fR option is set, the command does not perform a full factory reset but only creates a new AES key. The AES key is for example used to encrypt the password safe. This command requires the admin PIN. To avoid accidental calls of this command, the user has to enter the PIN even if it has been cached. .SS Storage The Nitrokey Storage comes with a storage area. This area is comprised of an \fIunencrypted\fR region and an \fIencrypted\fR one of fixed sizes, each made available to the user in the form of block devices. The encrypted region can optionally further be overlayed with up to four \fIhidden\fR volumes. Because of this overlay (which is required to achieve plausible deniability of the existence of hidden volumes), the burden of ensuring that data on the encrypted volume does not overlap with data on one of the hidden volumes is on the user. .TP \fBnitrocli unencrypted set \fImode\fR Change the read-write mode of the volume. \fImode\fR is the type of the mode to change to: \fBread-write\fR to make the volume readable and writable or \fBread-only\fR to make it only readable. This command requires the admin PIN. Note that this command requires firmware version 0.51 or higher. Earlier versions are not supported. .TP \fBnitrocli encrypted open Open the encrypted volume on the Nitrokey Storage. The user PIN that is required to open the volume is queried using \fBpinentry\fR(1) and cached by \fBgpg\-agent\fR(1). .TP \fBnitrocli encrypted close Close the encrypted volume on the Nitrokey Storage. .TP \fBnitrocli hidden create \fIslot\fR \fIstart\fR \fIend\fR Create a new hidden volume inside the encrypted volume. \fIslot\fR must indicate one of the four available slots. \fIstart\fR and \fIend\fR represent, respectively, the start and end position of the hidden volume inside the encrypted volume, as a percentage of the encrypted volume's size. This command requires a password which is later used to look up the hidden volume to open. Unlike a PIN, this password is not cached by \fBgpg\-agent\fR(1). As a guide line for creating new hidden volumes, the \fBstatus\fR command provides a range of the SD card that has not been written to during this power cycle. .TP \fBnitrocli hidden open Open a hidden volume. The volume to open is determined based on the password entered, which must have a minimum of six characters. Only one hidden volume can be active at any point in time and previously opened volumes will be automatically closed. Similarly, the encrypted volume will be closed if it was open. .TP \fBnitrocli hidden close Close a hidden volume. .TP \fBnitrocli fill \fR[\fB\-a\fR|\fB\-\-attach\fR Fills the SD card with random data, overwriting all existing data. This operation takes about one hour to finish for a 16 GiB SD card. It cannot be canceled, even if the \fBnitrocli\fR process is terminated before it finishes. This command requires the admin PIN. To avoid accidental calls of this command, the user has to enter the PIN even if it has been cached. If the \fB\-\-attach\fR option is set, this command will not start a new fill operation. Instead it checks whether a fill operation is currently running on the device and shows its progress. .SS One-time passwords The Nitrokey Pro, the Nitrokey Storage, and the Librem Key support the generation of one-time passwords using the HOTP algorithm according to RFC 4226 or the TOTP algorithm according to RFC 6238. The required data \(en a name and the secret \(en is stored in slots. Currently, the Nitrokey devices provide three HOTP slots and 15 TOTP slots. The slots are numbered per algorithm starting at zero. .P The TOTP algorithm is a modified version of the HOTP algorithm that also uses the current time. Therefore, the Nitrokey clock must be synchronized with the clock of the application that requests the one-time password. .TP \fBnitrocli otp get \fIslot \fR[\fB\-a\fR|\fB\-\-algorithm \fIalgorithm\fR] \ \fB[\-t\fR|\fB\-\-time \fItime\fR] Generate a one-time password. \fIslot\fR is the number of the slot to generate the password from. \fIalgorithm\fR is the OTP algorithm to use. Possible values are \fBhotp\fR for the HOTP algorithm according to RFC 4226 and \fBtotp\fR for the TOTP algorithm according to RFC 6238 (default). Per default, this commands sets the Nitrokey's time to the system time if the TOTP algorithm is selected. If \fB\-\-time\fR is set, it is set to \fItime\fR instead, which must be a Unix timestamp (i.e., the number of seconds since 1970-01-01 00:00:00 UTC). This command might require the user PIN (see the Configuration section). .TP \fBnitrocli otp set \fIslot name secret\fR|\fB-\fR \ \fR[\fB\-a\fR|\fB\-\-algorithm \fIalgorithm\fR] \ [\fB\-d\fR|\fB\-\-digits \fIdigits\fR] [\fB\-c\fR|\fB\-\-counter \fIcounter\fR] \ [\fB\-t\fR|\fB\-\-time-window \fItime-window\fR] \ [\fB-f\fR|\fB\-\-format ascii\fR|\fBbase32\fR|\fBhex\fR] Configure a one-time password slot. \fIslot\fR is the number of the slot to configure. \fIname\fR is the name of the slot (may not be empty). \fIsecret\fR is the secret value to store in that slot. If \fIsecret\fR is set to \fB-\fR, the secret is read from the standard input. The \fB\-\-format\fR option specifies the format of the secret. If it is set to \fBascii\fR, each character of the given secret is interpreted as the ASCII code of one byte. If it is set to \fBbase32\fR, the secret is interpreted as a base32 string according to RFC 4648. If it is set to \fBhex\fR, every two characters are interpreted as the hexadecimal value of one byte. The default value is \fBbase32\fR. \fIalgorithm\fR is the OTP algorithm to use. Possible values are \fBhotp\fR for the HOTP algorithm according to RFC 4226 and \fBtotp\fR for the TOTP algorithm according to RFC 6238 (default). \fIdigits\fR is the number of digits the one-time password should have. Allowed values are 6 and 8 (default: 6). \fIcounter\fR is the initial counter if the HOTP algorithm is used (default: 0). \fItime-window\fR is the time window used with TOTP in seconds (default: 30). .TP \fBnitrocli otp clear \fIslot \fR[\fB\-a\fR|\fB\-\-algorithm \fIalgorithm\fR] Delete the name and the secret stored in a one-time password slot. \fIslot\fR is the number of the slot to clear. \fIalgorithm\fR is the OTP algorithm to use. Possible values are \fBhotp\fR for the HOTP algorithm according to RFC 4226 and \fBtotp\fR for the TOTP algorithm according to RFC 6238 (default). .TP \fBnitrocli otp status \fR[\fB\-a\fR|\fB\-\-all\fR] List all OTP slots. If \fB\-\-all\fR is not set, empty slots are ignored. .SS Configuration Nitrokey devices have four configuration settings: the Num Lock, Caps Lock and Scroll Lock keys can be mapped to an HOTP slot, and OTP generation can be set to require the user PIN. .TP \fBnitrocli config get\fR Print the current Nitrokey configuration. .TP \fBnitrocli config set \fR\ [[\fB\-n\fR|\fB\-\-num-lock \fIslot\fR] | [\fB\-N\fR|\fB\-\-no\-num-lock\fR]] \ [[\fB\-c\fR|\fB\-\-caps-lock \fIslot\fR] | [\fB\-C\fR|\fB\-\-no\-caps-lock\fR]] \ [[\fB\-s\fR|\fB\-\-scroll-lock \fIslot\fR] | [\fB\-S\fR|\fB\-\-no\-scroll-lock\fR]] \ [[\fB\-o\fR|\fB\-\-otp\-pin\fR] | [\fB\-O\fR|\fB\-\-no\-otp\-pin\fR]] Update the Nitrokey configuration. This command requires the admin PIN. With the \fB\-\-num-lock\fR, \fB\-\-caps-lock\fR and \fB\-\-scroll-lock\fR options, the respective bindings can be set. \fIslot\fR is the number of the HOTP slot to bind the key to. If \fB\-\-no\-num-lock\fR, \fB\-\-no\-caps-lock\fR or \fB\-\-no\-scroll-lock\fR is set, the respective binding is disabled. The two corresponding options are mutually exclusive. If \fB\-\-otp\-pin\fR is set, the user PIN will be required to generate one-time passwords using the \fBotp get\fR command. If \fB\-\-no\-otp\-pin\fR is set, OTP generation can be performed without PIN. These two options are mutually exclusive. .SS Password safe The Nitrokey Pro, the Nitrokey Storage, and the Librem Key provide a password safe (PWS) with 16 slots. In each of these slots you can store a name, a login, and a password. The PWS is not encrypted, but it is protected with the user PIN by the firmware. Once the PWS is unlocked by one of the commands listed below, it can be accessed without authentication. You can use the \fBlock\fR command to lock the password safe. .TP \fBnitrocli pws get \fIslot \fR[\fB\-n\fR|\fB\-\-name\fR] \ [\fB\-l\fR|\fB\-\-login\fR] \ [\fB\-p\fR|\fB\-\-password\fR] \ [\fB\-q\fR|\fB\-\-quiet\fR] Print the content of one PWS slot. \fIslot\fR is the number of the slot. Per default, this command prints the name, the login and the password (in that order). If one or more of the options \fB\-\-name\fR, \fB\-\-login\fR, and \fB\-\-password\fR are set, only the selected fields are printed. The order of the fields never changes. The fields are printed together with a label. Use the \fB\-\-quiet\fR option to suppress the labels and to only output the values stored in the PWS slot. .TP \fBnitrocli pws add \fR[\fB\-s\fR|\fB\-\-slot \fIslot\fR] \ \fIname login password\fR|\fB-\fR Add a new PWS slot. If the \fB\-\-slot\fR option is set, this command writes the data to the given slot and fails if the slot is already programmed. If the \fB\-\-slot\fR option is not set, this command locates the first free PWS slot and sets its content to the given values. It fails if all PWS slots are programmed. If \fIpassword\fR is set to \fB-\fR, the password is read from the standard input. .TP \fBnitrocli pws update \fIslot\fR \ [\fB\-n\fR|\fB\-\-name \fIname\fR] \ [\fB\-l\fR|\fB\-\-login \fIlogin\fR] \ [\fB\-p\fR|\fB\-\-password \fIpassword\fR|\fB-\fR] Update the content of a programmed PWS slot. \fIslot\fR is the number of the slot to write. This command only sets the data given with the \fB\-\-name\fR, \fB\-\-login\fR, and \fB\-\-password\fR options and does not overwrite the other fields of the slot. If \fIpassword\fR is set to \fB-\fR, the password is read from the standard input. .TP \fBnitrocli pws clear \fIslot\fR Delete the data stored in a PWS slot. \fIslot\fR is the number of the slot clear. .TP \fBnitrocli pws status \fR[\fB\-a\fR|\fB\-\-all\fR] List all PWS slots. If \fB\-\-all\fR is not set, empty slots are ignored. .SS PINs Nitrokey devices have two PINs: the user PIN and the admin PIN. The user PIN must have at least six, the admin PIN at least eight characters. The user PIN is required for commands such as \fBotp get\fR (depending on the configuration) and for all \fBpws\fR commands. The admin PIN is usually required to change the device configuration. .P Each PIN has a retry counter that is decreased with every wrong PIN entry and reset if the PIN was entered correctly. The initial retry counter is three. If the retry counter for the user PIN is zero, you can use the \fBpin unblock\fR command to unblock and reset the user PIN. If the retry counter for the admin PIN is zero, you have to perform a factory reset using the \fBreset\fR command or \fBgpg\fR(1). Use the \fBstatus\fR command to check the retry counters. .TP .B nitrocli pin clear Clear the PINs cached by the other commands. Note that cached PINs are associated with the device they belong to and the \fBclear\fR command will only clear the PIN for the currently used device, not all others. .TP \fBnitrocli pin set \fItype\fR Change a PIN. \fItype\fR is the type of the PIN that will be changed: \fBadmin\fR to change the admin PIN or \fBuser\fR to change the user PIN. This command only works if the retry counter for the PIN type is at least one. (Use the \fBstatus\fR command to check the retry counters.) .TP .B nitrocli pin unblock Unblock and reset the user PIN. This command requires the admin PIN. The admin PIN cannot be unblocked. This operation is equivalent to the unblock PIN option provided by \fBgpg\fR(1) (using the \fB\-\-change\-pin\fR option). .SS Extensions In addition to the above built-in commands, \fBnitrocli\fR supports user-provided functionality in the form of extensions. An extension can be any executable file whose filename starts with "nitrocli-" and that is discoverable through lookup via the \fBPATH\fR environment variable. Those executables can be invoked as regular subcommands (without the need of the prefix; e.g., an extension with the name "nitrocli-otp-cache" could be invoked as "nitrocli otp-cache"). .P More information on how to write extensions can be found in the Extensions section below. .SH CONFIG FILE \fBnitrocli\fR tries to read the configuration file at \fB${XDG_CONFIG_HOME}/nitrocli/config.toml\fR (or \fB${HOME}/nitrocli/config.toml\fR if the \fBXDG_CONFIG_HOME\fR environment variable is not set). It is used to set default values for the options listed below. .P You can also set the environment variable \fBNITROCLI_\fIKEY\fR to overwrite the configuration for \fIkey\fR (see the Environment section). Note that command-line arguments overwrite both the configuration file and the environment variables. .P The following values can be set in the configuration file: .TP .B model Restrict connections to the given device model (string, default: not set, see \fB\-\-model\fR). .TP .B serial_numbers Restrict connections to the given serial numbers (list of strings, default: empty, see \fB\-\-serial-number\fR). .TP .B usb_path Restrict connections to the given USB path (string, default: not set, see \fB\-\-usb-path\fR). .TP .B no_cache If set to true, do not cache any inquired secrets (boolean, default: false, see \fB\-\-no\-cache\fR). .TP .B verbosity Set the log level (integer, default: 0, see \fB\-\-verbose\fR). .P The configuration file must use the TOML format, for example: model = "pro" serial_numbers = ["0xf00baa", "deadbeef"] usb_path = "0001:0006:02" no_cache = false verbosity = 0 .SH ENVIRONMENT The program honors two sets of environment variables, all prefixed by "NITROCLI_". .SS Configuration The first set controls basic configuration of the program. These variables mirror the respective command line options and configuration file settings. They are: .TP .B NITROCLI_MODEL Restrict connections to the given device model (string, default: not set, see \fB\-\-model\fR). .TP .B NITROCLI_SERIAL_NUMBERS Restrict connections to the given list of serial numbers (comma-separated list of strings, default: empty, see \fB\-\-serial-number\fR). .TP .B NITROCLI_USB_PATH Restrict connections to the given USB path (string, default: not set, see \fB\-\-usb-path\fR). .TP .B NITROCLI_NO_CACHE If set to true, do not cache any inquired secrets (boolean, default: false, see \fB\-\-no\-cache\fR). .TP .B NITROCLI_VERBOSITY Set the log level (integer, default: 0, see \fB\-\-verbose\fR). .SS Password & PIN entry The second set can be used to provide password & PIN data to the program to suppress interactive entry through \fBpinentry\fR(1) for operations that otherwise would ask for it. The following variables are recognized: .TP .B NITROCLI_ADMIN_PIN The admin PIN to use. .TP .B NITROCLI_USER_PIN The user PIN to use. .TP .B NITROCLI_NEW_ADMIN_PIN The new admin PIN to set. This variable is only used by the \fBpin set\fR command for the \fBadmin\fR type. .TP .B NITROCLI_NEW_USER_PIN The new user PIN to set. This variable is only used by the \fBpin set\fR command for the \fBuser\fR type. .TP .B NITROCLI_PASSWORD A password used by commands that require one (e.g., \fBhidden open\fR). .SH EXTENSIONS \fBnitrocli\fR supports user-provided extensions that are executable files whose filename starts with "nitrocli-" and that are discoverable through lookup via the \fBPATH\fR environment variable. The program conveys basic configuration information to any extension being started this way. Specifically, it will set each environment variable as described in the Configuration subsection of the Environment section above, if the corresponding \fBnitrocli\fR program configuration was set. In addition, the following variables will be set: .TP .B NITROCLI_BINARY The absolute path to the \fBnitrocli\fR binary through which the extension was invoked. This path may be used to recursively invoke \fBnitrocli\fR to implement certain functionality. .TP .B NITROCLI_RESOLVED_USB_PATH The USB path of the device that \fBnitrocli\fR would connect to based on the \fB\-\-model\fR, \fB\-\-serial-number\fR, and \fB\-\-usb-path\fR options. If there is no matching Nitrokey device, or if multiple devices match the options, the environment variable is not set. .P All other variables present in the environment will be passed through to the extension verbatim. .P Newer versions of the program reserve the right to set additional environment variables inside the "NITROCLI_" namespace. As such, extensions are advised to not define custom variables with this prefix. However, "NITROCLI_EXT_" is provided specifically for this purpose. To further avoid conflicts between extensions, it is recommended that this prefix be followed by the extension's name (uppercased). .P Extensions may optionally read or write persistent data of various forms. Similar to the main program, extensions should follow the XDG Base Directory Specification as a guideline where to store such data. More specifically, the following conventions should be followed: For configuration data, \fB${XDG_CONFIG_HOME}/\fIextension/\fR is the preferred directory, where \fIextension\fR is the full extension name, including the "nitrocli-" prefix. The recommended configuration format is TOML. If only a single configuration file is used, \fBconfig.toml\fR is the recommended name. Similarly, regular data should reside in \fB${XDG_DATA_HOME}/\fIextension/\fR and cached data be stored in \fB${XDG_CACHE_HOME}/\fIextension/\fR. .SH FILES .TP .B ${XDG_CONFIG_HOME}/nitrocli/config.toml .TP .B ${HOME}/nitrocli/config.toml User configuration file, see the Config file section. .SH EXAMPLES .SS Storage Create a hidden volume in the first available slot, starting at half the size of the encrypted volume (i.e., 50%) and stretching all the way to its end (100%): $ \fBnitrocli hidden create 0 50 100\fR .SS One-time passwords Configure a one-time password slot with a hexadecimal secret representation: $ \fBnitrocli otp set 0 test\-rfc4226 3132333435363738393031323334353637383930 \-\-format hex \-\-algorithm hotp\fR $ \fBnitrocli otp set 1 test\-foobar 666F6F626172 \-\-format hex \-\-algorithm hotp\fR $ \fBnitrocli otp set 0 test\-rfc6238 3132333435363738393031323334353637383930 \-\-format hex \-\-algorithm totp \-\-digits 8\fR .P Configure a one-time password slot with an ASCII secret representation: $ \fBnitrocli otp set 0 test\-rfc4226 12345678901234567890 \-\-format ascii \-\-algorithm hotp\fR $ \fBnitrocli otp set 1 test\-foobar foobar \-\-format ascii \-\-algorithm hotp\fR $ \fBnitrocli otp set 0 test\-rfc6238 12345678901234567890 \-\-format ascii \-\-algorithm totp \-\-digits 8\fR .P Configure a one-time password slot with a base32 secret representation: $ \fBnitrocli otp set 0 test\-rfc4226 gezdgnbvgy3tqojqgezdgnbvgy3tqojq \-\-algorithm hotp\fR $ \fBnitrocli otp set 1 test\-foobar mzxw6ytboi====== \-\-algorithm hotp\fR $ \fBnitrocli otp set 0 test\-rfc6238 gezdgnbvgy3tqojqgezdgnbvgy3tqojq \-\-algorithm totp \-\-digits 8\fR .P Generate a one-time password: $ \fBnitrocli otp get 0 \-\-algorithm hotp\fR 755224 $ \fBnitrocli otp get 0 \-\-algorithm totp \-\-time 1234567890\fR 89005924 .P Clear a one-time password slot: $ \fBnitrocli otp clear 0 \-\-algorithm hotp\fR .SS Configuration Query the configuration: $ \fBnitrocli config get\fR Config: numlock binding: not set capslock binding: not set scrollock binding: not set require user PIN for OTP: true .P Change the configuration: $ \fBnitrocli config set \-\-otp\-pin\fR .SS Password safe Configure a PWS slot: $ \fBnitrocli pws add example.org john.doe passw0rd\fR Added PWS slot 0 Get the data from a slot: $ \fBnitrocli pws get 0\fR name: example.org login: john.doe password: passw0rd Copy the password to the clipboard (requires \fBxclip\fR(1)). $ \fBnitrocli pws get 0 \-\-password \-\-quiet | xclip \-in\fR Query the PWS slots: $ \fB nitrocli pws status\fR slot name 0 example.org