I first came across Nitrokey as a provider of U2F USB sticks: small hardware tokens that act as a second factor when you log in. The idea is that the token takes part in a multi-factor authentication process, so possession of the physical device is required alongside your password. That means that even if your username and password have been leaked in a data breach, an attacker still cannot log in as you, because they do not have the device.
The most remarkable thing about Nitrokey is that they’re completely committed to open source. Both their hardware and software are open source and available in their GitHub repository. I’m in 100% agreement with their assertion that security requires open source.
Since I’d already got hardware keys set up I didn’t need a Nitrokey for that use case, but I noticed something curious and interesting in their product line-up: the Nitrokey HSM 2. If you’ve not come across a Hardware Security Module before, have a read of my article What is an HSM?, but fundamentally an HSM stores private keys inside tamper-resistant hardware and performs the cryptographic operations (signing, decryption) on the device itself, so the key material never leaves it. There’s a whole market for these things that the HSM article covers, but the remarkable thing about the Nitrokey is that you can get enterprise-grade security for under $100.
When asked to join the Nitrokey Community Programme I jumped at the chance and they kindly sent me an HSM 2 device with no strings attached, no NDAs, no restrictions – exactly how it should be and in line with the ethos of their company. Thank you Nitrokey.
I’m really looking forward to getting to know the HSM, working to get software taking advantage of it and seeing what interesting uses I can put it to.