Nitrokey Pro Setup

I got my hands on a Nitrokey pro! I went for Nitrokey over Yubikey since Nitrokey is totally open-source (something I strongly believe in) meaning more control and security. That's not to say Yubikey is necessarily insecure.
Being new to OpenPGP 'smart cards', I had to go and figure out how to put it all together.
Thankfully it's quite straightforward! Here's how I went about it:

Contents: Caution, Preparation, Key Generation, Key Editing, Key Transfer

Caution

The Nitrokey utilises 2 PINs (passwords) by default: The user PIN and the admin PIN. If you enter the user PIN incorrectly 3 times in a row, the device will become blocked, but it can be unblocked with the admin PIN. If the admin PIN is entered incorrectly 3 times in a row, the device will be permanently locked, and you have to factory reset it:

$ gpg2 --card-edit
gpg/card> factory-reset

There is also a "Reset code". The Reset code can only unblock the user PIN. It is an alternative to using the admin PIN.

Preparing your Nitrokey

If you'd like to be absolutely secure, you should do this on a non-networked device, running a fresh, secure system.
First make sure you've got a version of gpg installed. I had both gpg and gpg2 already installed, and used gpg2 to set up my keys.
Plug in your Nitrokey, and run:

$ gpg2 --card-status
Reader............: 20A0:...
Application ID ...: D27...
Version...........: 2.1
Manufacturer......: ZeitControl
...

You should get a list of information about the device. We haven't filled in any details yet, so there will be a bunch of undefined bits and bobs.
To add some of your own info, start with:

$ gpg --card-edit

If you type help you'll get a list of available commands, but we're in user mode right now, so the list will be limited. Toggle the admin commands:

gpg/card> admin
Admin commands are allowed

Now type help again and you'll see the extra options available.
We want to first change the PIN codes (passwords).

gpg/card> passwd
gpg: OpenPGP card no. D27... detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection?

1 is the user password/PIN (6-25 chars), you need this to actually use your keys on the device.
3 is the admin password/PIN (8-25 chars), you need this to change/update the keys on the device.
4 is the reset code. It is disabled by default and acts as an alternative to the admin PIN for unblocking the user PIN.
The default user PIN is 123456. The default admin PIN is 12345678.

Once you've finished up there, you can also change other details associated with the Nitrokey (name, sex, language (2 digits), and public key URL).
Fill in as appropriate.

We can generate your keys straight on the device BUT only up to 2048 bit keys. The Nitrokey Pro supports 4096 bit keys, which we have to manually generate and transfer over.
If you already have a key you would like to use with your Nitrokey, skip straight down to "Edit and load your keys".

Generate your keys

To generate our 4096 bit keys, enter the following:

$ gpg2 --full-gen-key

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1

We need to choose option 1 (RSA and RSA).

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits

It could be called overkill, but we want our keys to be 4096 bit to take full advantage of our Nitrokey pro.

Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at (Today's date + 1 year)
Is this correct? (y/N) y

I chose for my key to expire in a year's time. You could have your keys not expire, or expire sooner if you'd like.
Keep in mind that you can easily update the key's expiry time whenever you like with gpg.

GnuPG needs to construct a user ID to identify your key.
Real Name: your name
Email address: your@email.addr
Comment: comment
You selected this USER-ID:
"your name (comment) <your@email.addr>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You will be prompted for a password and password confirmation to secure your key.
gpg will now generate your key. You can help speed up the process by (as it tells you) moving the mouse, typing on the keyboard, or utilizing the disks.

...
pub rsa4096 2017-05-09 [SC] [expires: (Today's date + 1 year)]
D5501F32D2BF456187E1433F8EDD0B3AF3BBEA13
uid [ultimate] your name (comment) <your@email.addr>
sub rsa4096 2017-05-09 [E] [expires: (Today's date + 1 year)]

When it completes you should get something like this. The 40-digit line is the key's fingerprint (D5501F32D2BF456187E1433F8EDD0B3AF3BBEA13); your key ID is its last 16 digits, 8EDD0B3AF3BBEA13.

Edit and load your keys

Time to put 8EDD0B3AF3BBEA13 on the Nitrokey. The Nitrokey supports 3 subkeys (sign, encrypt, authenticate) instead of 1 master key, so we have to edit the key we just generated. Instead of typing out 8EDD0B3AF3BBEA13 every time, we can often just use the email address we entered for the key.

gpg2 --expert --edit-key your@email.addr
...
Secret key is available.
sec rsa4096/8EDD0B3AF3BBEA13
created: (today) expires: (today+1yr) usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0DB1524B9C52BBA8
created: (today) expires: (today+1yr) usage: E
[ultimate] (1). your name (comment) <your@email.addr>

Our key already has 1 sub key for encryption, so we need to add 2 more sub keys: one for signing, one for authentication.

gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 8

We want to choose the capabilities of each sub key, so we choose 8.

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection?

Typing s, e, or a toggles the corresponding allowed action.
Let's first make a signing key, so make sure you have:

Current allowed actions: Sign

Then hit q. We want 4096 bit keys to take full advantage of our Nitrokey pro, with the same expiry as our master key. You'll be asked if you're super sure, and then asked to enter the key's password (the one we used when we created the key).

Repeat this again, but this time make an authentication key. You should have something like:

sec rsa4096/8EDD0B3AF3BBEA13
created: (today) expires: (today+1yr) usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/0DB1524B9C52BBA8
created: (today) expires: (today+1yr) usage: E
ssb rsa4096/0D7E2EB2CC5BEDC6
created: (today) expires: (today+1yr) usage: S
ssb rsa4096/0DA1312H9S22KCE1
created: (today) expires: (today+1yr) usage: A
[ultimate] (1). your name (comment) <your@email.addr>
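The same result as the interactive "Generate your keys" and "Edit and load your keys" steps, as a script. This is an added example, not code from the original post; it assumes GnuPG 2.1.17 or newer (for --quick-add-key), that gpg2 is on the PATH, and that the name, e-mail, comment and expiry arguments are replaced with your own.

```shell
# Added example (not from the original post): scripted version of the
# key generation and subkey editing steps. Ends with the same layout as
# the post: RSA-4096 primary (usage SC) plus RSA-4096 E, S and A subkeys
# sharing one expiry. Name, email, comment and expiry are placeholders.
set -eu

# Parameter file for `gpg2 --batch --gen-key`; each line mirrors an answer
# given at the interactive --full-gen-key prompts (option 1, 4096 bits, 1y).
gen_params() {
    name=$1; email=$2; comment=$3; expire=$4
    cat <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $name
Name-Comment: $comment
Name-Email: $email
Expire-Date: $expire
%ask-passphrase
%commit
EOF
}

# Generate the primary key plus encryption subkey, then add the signing and
# authentication subkeys with the same size and expiry (the equivalent of
# addkey -> 8 -> toggle capabilities -> 4096 -> expiry, done twice).
# Passphrase prompts come from pinentry, as in the interactive flow.
create_keys() {
    params=$(mktemp)
    gen_params "$@" > "$params"
    gpg2 --batch --gen-key "$params"
    rm -f "$params"
    # Fingerprint of the primary key just created, looked up by e-mail address
    fpr=$(gpg2 --list-secret-keys --with-colons "$2" | awk -F: '$1=="fpr"{print $10; exit}')
    gpg2 --quick-add-key "$fpr" rsa4096 sign "$4"
    gpg2 --quick-add-key "$fpr" rsa4096 auth "$4"
    echo "$fpr"
}

# Usage: sh make-keys.sh "your name" your@email.addr "comment" 1y
if [ $# -eq 4 ]; then
    create_keys "$1" "$2" "$3" "$4"
fi
```

Afterwards, gpg2 --expert --edit-key your@email.addr should list the sec SC key and the three ssb E, S and A keys exactly as shown above, ready for keytocard.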

Now it's time to transfer your keys to your Nitrokey!

Transferring the subkeys

Toggle the key selection with key 1.

gpg> key 1
sec rsa4096/8EDD0B3AF3BBEA13
created: (today) expires: (today+1yr) usage: SC
trust: ultimate validity: ultimate
ssb* rsa4096/0DB1524B9C52BBA8
created: (today) expires: (today+1yr) usage: E
ssb rsa4096/0D7E2EB2CC5BEDC6
created: (today) expires: (today+1yr) usage: S
ssb rsa4096/0DA1312H9S22KCE1
created: (today) expires: (today+1yr) usage: A
[ultimate] (1). your name (comment) <your@email.addr>

Then keytocard to move your key to the Nitrokey.

gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection? 2

Repeat for each key. Be sure to remember which key you selected, and to store it in the correct slot (e.g. encryption key in the encryption key slot).

Congratulations, your keys should now be securely on your Nitrokey device!
When you're finished just save and quit with:

gpg> save

To confirm your keys were copied across, run gpg2 --card-status. You can see the keys under Signature key....:, Encryption key....:, and Authentication key:.

Let's export our public key! This is the key we make publicly available.

gpg2 --export --armor your@email.addr

Unplug the Nitrokey, and delete the gpg key from your PC with:

gpg2 --delete-secret-key 8EDD0B3AF3BBEA13

Now you're all set up! :)

You can upload your public key to publicly available keyservers (default: keys.gnupg.net) with:

gpg2 --send-keys 8EDD0B3AF3BBEA13

Or manually upload them another way.