A libnitrokey wrapper for Rust providing access to Nitrokey devices.
For usage information, have a look at the API reference and at
the examples in the
examples directory. You can also have a look at the
nitrocli crate, a command-line interface for Nitrokey devices that uses
This crate provides access to all features of the
libnitrokey C API for
both the Nitrokey Pro and the Nitrokey Storage: general configuration, one-time
password generation, the password safe and the secure storage on the Nitrokey
libnitrokey version is built from source. The host system
libhidapi-libusb0 (Linux) or
libhidapi (non-Linux) in the
default library search path. Depending on your system, you might also have to
install the Nitrokey udev rules.
If you want to use a precompiled version of
libnitrokey, you can set the
USE_SYSTEM_LIBNITROKEY environment variable during build. In this case,
libnitrokey must be available in the library search path.
The following functions provided by
libnitrokey are deliberately not
NK_list_devices_by_cpuID. These functions can be replaced by calls to
NK_list_devices, which also have a cleaner API.
NK_change_firmware_password_pro. These functions execute commands that are not yet supported by the Nitrokey Pro firmware.
NK_get_device_model. We know which model we connected to, so we can provide this information without calling
NK_is_AES_supported. This function is no longer needed for Nitrokey devices with a recent firmware version.
NK_send_startup. Currently, this function is redundant to
NK_set_unencrypted_volume_rorw_pin_type_user: This function is only relevant for older firmware versions (pre-v0.51). As the Nitrokey Storage firmware can be updated easily, we do not support these outdated versions.
NK_set_unencrypted_read_write. These functions are deprecated.
NK_read_HOTP_slot. This function is only available for HOTP slots, not for TOTP. We will support it once both types are supported by
*_as_stringfunctions that return string representations of data returned by other functions.
This crate has tests for different scenarios: Some tests require that no
Nitrokey device is connected, others require a Nitrokey Storage or a Nitrokey
Pro. We use the
nitrokey-test crate to select the test cases. You can
cargo test to auto-detect connected Nitrokey devices and to run the
appropriate tests. If you want to manually select the tests, set the
NITROKEY_TEST_GROUP environment variable to
nodev (no device connected),
pro (Nitrokey Pro connected) or
storage (Nitrokey Storage connected).
Note that the tests assume that the device’s passwords are the factory defaults
12345678, user PIN
123456, update password
12345678) and that
an AES key has been built. Some tests will overwrite the data stored on the
Nitrokey device or perform a factory reset. Never execute the tests if you
don’t want to destroy all data on any connected Nitrokey device!
The test suite contains some test that take very long to execute, for example
filling the SD card of a Nitrokey Storage with random data. These tests are
ignored per default. Use
cargo test -- --ignored to execute the tests.
Currently, there are no tests specifically for the Librem Key as we first have
to release a new
nitrokey-rs version that
nitrokey-test can use.
Contributions to this project are welcome! Please submit patches to the
mailing list ~email@example.com (archive) using the
[PATCH nitrokey-rs] subject prefix. For more information, see the
Thanks to Nitrokey GmbH for providing two Nitrokey devices to support the
development of this crate. Thanks to Daniel Mueller for contributions to
nitrokey-rs and for the
This crate supports Rust 1.40.0 or later.
This project is licensed under the MIT license. The documentation and
configuration files contained in this repository are licensed under the
Creative Commons Zero license. You can find a copy of the license texts
libnitrokey is licensed under the LGPL-3.0.
nitrokey-rs complies with version 3.0 of the REUSE specification.