Send in your ideas. Deadline October 1, 2024
Source code :
Vendor stores
Nix Flake
Theme fund: NGI0 PET
Start: 2019-06
End: 2022-10
More projects like this
Software engineering


Open hardware for encryption and authentication

Nitrokey is an open source hardware USB key for data encryption and two-factor authentication with FIDO. While FIDO is supported by web browsers, using Nitrokey as a secure key store for email and (arbitrary) data encryption requires a native software. Therefore email encryption in webmail isn’t possible with Nitrokey. At the same time strong end-to-end encryption in web applications all share the same challenge: To store users' private keys securely and conveniently. Therefore secure end-to-end encryption usually requires native software too (e.g. instant messenger app) or - less secure - store the user keys password-encrypted on servers. Nitrokey aims to solve these issues by developing a way to use Nitrokey with web applications. To avoid the necessity of device driver, browser add-on or separate software this project is going to utilize the FIDO (CTAP) protocol. As a result the solution will work with any modern browser (which all support WebAuthn), on any operating system even on Android. This will give any web application the option to store private keys on ones own Nitrokey devices.

Why does this actually matter to end users?

Email was designed without privacy or security in mind, which is amazing for such a popular service. When you send an email, anyone that can gain access to your mail server or the mail server of the recipient can read your mail, from top to bottom. And copy it, for later usage. Computer specialists have been protecting their email with encryption for decades. This is the equivalent of putting your message very carefully in the blender, pressing the button before anyone else has read your mesage, shredding it up and sending a packet of shreds over to the other end. The amazing thing about cryptography is that you can magically (or rather mathematically) make it possible for your secret love - and not anyone else - to recreate the message from the shreds, and know it was you - and not anyone else - that sent it. For the rest of the world, the message would be meaningless garble pretty much forever. However, the solution they came up with is not easy for normal people to work with. This means that most people are probably not even aware that it is possible to protect the contents of their email with cryptography.

Good cryptography begins and ends with key management: to encrypt and decrypt data you create a secret key you store safely and a public key you share with others to communicate privately and securely. Users that need to be sure no one can access their files, like journalists, activists and whistleblowers, would want to make sure their secret key are somewhere else then on their one device. They would need a failsafe, a backup plan, like a separate and protected storage device. That is what the Nitrokey can be: an open-source USB key that can store secret keys to protect emails and encrypted files and store important sensitive data. The key is PIN-protected and resistant to brute force and hardware attacks. Next to storing secret cryptographic key, Nitrokey allows its users to better protect their passwords by creating one time passwords or providing two-factor-authentication.

To make this arsenal of privacy and security measures work for as many users and services as possible, this project wants to make Nitrokey better protect your web services through encryption, which you can use for example to secure your webmail. Through adding this feature any web application can now store the private keys used to encrypt your communication and files safely on a separate, secure device.

Run by Nitrokey

Logo NLnet: abstract logo of four people seen from above Logo NGI Zero: letterlogo shaped like a tag

This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.