diff --git a/README.md b/README.md index 45ce59d689..0a27b5caca 100644 --- a/README.md +++ b/README.md @@ -23,8 +23,6 @@ - Relative paths (also included and double included) are always evaluated from the path of the final including page. Images within pages that are included elsewhere must therefore always be specified with an absolute path starting with `/` which stands for the root directory of the document. -- add the ToC for local headings in `/$product/$platform/*.rst` with `.. include:: ./product_platform_heading.rst` - - After each commit, the CI pushes translations automatically. Therefore always do `git pull` before `git commit ...` - More information about RST: diff --git a/conf.py b/conf.py index 67cdf66ea5..1c1a834fe5 100644 --- a/conf.py +++ b/conf.py @@ -72,7 +72,7 @@ # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. # This pattern also affects html_static_path and html_extra_path. -exclude_patterns = ['venv/*', 'nethsm/_*.rst', '*/*/product_platform_heading.rst', 'to-be-integrated.rst'] +exclude_patterns = ['venv/*', 'nethsm/_*.rst', 'to-be-integrated.rst'] # The name of the Pygments (syntax highlighting) style to use. #pygments_style = "solarizeddark" diff --git a/fido2/2fa-odoo.rst.inc b/fido2/2fa-odoo.rst.inc index a407c9b544..bc568fa24c 100644 --- a/fido2/2fa-odoo.rst.inc +++ b/fido2/2fa-odoo.rst.inc @@ -1,8 +1,6 @@ Two-Factor Authentication For ERP Software Odoo =============================================== -.. include:: ./product_platform_heading.rst - .. only:: comment .. contents:: :local: diff --git a/fido2/linux/desktop-login.rst b/fido2/linux/desktop-login.rst index cf630dd99d..da961ada90 100644 --- a/fido2/linux/desktop-login.rst +++ b/fido2/linux/desktop-login.rst @@ -1,8 +1,6 @@ Desktop Login And Linux User Authentication =========================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: Introduction 
@@ -30,207 +28,210 @@ GUI Method 1. **In the lower left corner click on** ``Show Applications`` **and type settings in the search bar as following:** -.. figure:: /fido2/linux/images/fidou2f-1.png - :alt: img1 + .. figure:: /fido2/linux/images/fidou2f-1.png + :alt: img1 2. **Scroll down in the right bar to** ``Users`` -.. figure:: /fido2/linux/images/fidou2f-2.png - :alt: img2 + .. figure:: /fido2/linux/images/fidou2f-2.png + :alt: img2 3. **In the left corner click on** ``Unlock`` **and that would prompt for your password** -.. figure:: /fido2/linux/images/fidou2f-3.png - :alt: img3 + .. figure:: /fido2/linux/images/fidou2f-3.png + :alt: img3 4. **Select** ``Administrator`` **and enter the user name and password of your choice** -.. figure:: /fido2/linux/images/fidou2f-4.png - :alt: img4 + .. figure:: /fido2/linux/images/fidou2f-4.png + :alt: img4 5. **Once you finish Step 4 you should be done** -.. figure:: /fido2/linux/images/fidou2f-5.png - :alt: img5 + .. figure:: /fido2/linux/images/fidou2f-5.png + :alt: img5 CLI Method '''''''''' 1. **Create a backup user and give it root privileges** -You can do so by using these commands: + You can do so by using these commands: -.. code-block:: bash + .. rstcheck: ignore-next-code-block + .. code-block:: bash - $ sudo adduser - $ sudo usermod -aG sudo + $ sudo adduser + $ sudo usermod -aG sudo -In case you prefer to setup U2F for a single user, and are locked out of your -user session, you would still be able to login with the ````, and -proceed with the maintenance. + In case you prefer to setup U2F for a single user, and are locked out of your + user session, you would still be able to login with the ````, and + proceed with the maintenance. -.. warning:: + .. warning:: - The following guide can potentially lock you out of your computer. - You should be aware of these risks, as it is recommended to first use - the instructions below on a secondary computer, or after a full - backup. 
+ The following guide can potentially lock you out of your computer. + You should be aware of these risks, as it is recommended to first use + the instructions below on a secondary computer, or after a full + backup. - You might lose access to your data after configuring `PAM - modules `__. + You might lose access to your data after configuring `PAM + modules `__. 2. **Set up the** ``rules`` **to recognize the Nitrokey FIDO2** -Under ``/etc/udev/rules.d`` download ``41-nitrokey.rules`` + Under ``/etc/udev/rules.d`` download ``41-nitrokey.rules`` -.. code-block:: bash + .. code-block:: bash - $ cd /etc/udev/rules.d/ - $ sudo wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules + $ cd /etc/udev/rules.d/ + $ sudo wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules -And restart ``udev`` service + And restart ``udev`` service -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl restart udev + $ sudo systemctl restart udev 3. **Install** ``libpam-u2f`` -On Ubuntu 20.04 it is possible to download directly ``libpam-u2f`` from the official repos + On Ubuntu 20.04 it is possible to download directly ``libpam-u2f`` from the official repos -.. code-block:: bash + .. code-block:: bash - $ sudo apt install libpam-u2f + $ sudo apt install libpam-u2f -.. note:: + .. note:: - Click for more options + Click for more options - - Alternatively you can build ``libpam-u2f`` from - `Git `__. + - Alternatively you can build ``libpam-u2f`` from + `Git `__. - - To verify that the library is properly installed enter the - following command: + - To verify that the library is properly installed enter the + following command: - .. code-block:: bash + .. code-block:: bash - $ file /lib/x86_64-linux-gnu/security/pam_u2f.so + $ file /lib/x86_64-linux-gnu/security/pam_u2f.so - The Output should be something like the following: + The Output should be something like the following: - .. code-block:: bash + .. 
rstcheck: ignore-next-code-block + .. code-block:: bash - /lib/x86_64-linux-gnu/security/pam_u2f.so: \ ELF 64-bit LSB shared object, x86-64, version 1 (SYSV),\ dynamically linked, BuildID[sha1]=1d55e1b11a97be2038c6a139579f6c0d91caedb1, stripped + /lib/x86_64-linux-gnu/security/pam_u2f.so: \ ELF 64-bit LSB shared object, x86-64, version 1 (SYSV),\ dynamically linked, BuildID[sha1]=1d55e1b11a97be2038c6a139579f6c0d91caedb1, stripped 4. **Prepare the Directory** -Create ``.config/Nitrokey/`` under your home directory + Create ``.config/Nitrokey/`` under your home directory -.. code-block:: bash + .. code-block:: bash - $ mkdir ~/.config/Nitrokey + $ mkdir ~/.config/Nitrokey -And plug your Nitrokey FIDO2. + And plug your Nitrokey FIDO2. -Once done with the preparation, we can start to configure the computer to use the Nitrokey FIDO2 for 2nd factor authentication at login and ``sudo``. + Once done with the preparation, we can start to configure the computer to use the Nitrokey FIDO2 for 2nd factor authentication at login and ``sudo``. 5. **Generate the U2F config file** -To generate the configuration file we will use the ``pamu2fcfg`` utility that comes with the ``libpam-u2f``. For convenience, we will directly write the output of the utility to the ``u2f_keys`` file under ``.config/Nitrokey``. First plug your Nitrokey FIDO2 (if you did not already), and enter the following command: + To generate the configuration file we will use the ``pamu2fcfg`` utility that comes with the ``libpam-u2f``. For convenience, we will directly write the output of the utility to the ``u2f_keys`` file under ``.config/Nitrokey``. First plug your Nitrokey FIDO2 (if you did not already), and enter the following command: -.. code-block:: bash + .. code-block:: bash - $ pamu2fcfg > ~/.config/Nitrokey/u2f_keys + $ pamu2fcfg > ~/.config/Nitrokey/u2f_keys -Once you run the command above, you will need to touch the key while it flashes. 
Once done, ``pamu2fcfg`` will append its output the ``u2f_keys`` in the following format: + Once you run the command above, you will need to touch the key while it flashes. Once done, ``pamu2fcfg`` will append its output the ``u2f_keys`` in the following format: -.. code-block:: bash + .. code-block:: bash - :Zx...mw,04...0a + :Zx...mw,04...0a -Note, the output will be much longer, but sensitive parts have been removed here. For better security, and once the config file generated, we will move the ``.config/Nitrokey`` directory under the ``etc/`` -directory with this command: + Note, the output will be much longer, but sensitive parts have been removed here. For better security, and once the config file generated, we will move the ``.config/Nitrokey`` directory under the ``etc/`` + directory with this command: -.. code-block:: bash + .. code-block:: bash - $ sudo mv ~/.config/Nitrokey /etc + $ sudo mv ~/.config/Nitrokey /etc -.. tip:: + .. tip:: - - The file under ``.config/Nitrokey`` must be named ``u2f_keys`` + - The file under ``.config/Nitrokey`` must be named ``u2f_keys`` - - It is recommended to first test the instructions with a single - user. For this purpose the previous command takes the ``-u`` - option, to specify a user, like in the example below: + - It is recommended to first test the instructions with a single + user. For this purpose the previous command takes the ``-u`` + option, to specify a user, like in the example below: - .. code-block:: bash + .. rstcheck: ignore-next-code-block + .. code-block:: bash - $ pamu2fcfg -u > ~/.config/Nitrokey/u2f_keys + $ pamu2fcfg -u > ~/.config/Nitrokey/u2f_keys - - For individual user configuration you should point to the home - directory in the next step, or not include the ``authfile`` option - in the PAM configuration. + - For individual user configuration you should point to the home + directory in the next step, or not include the ``authfile`` option + in the PAM configuration. 6. 
**Backup** -This step is optional, however it is advised to have a backup Nitrokey in the case of loss, theft or destruction of your Nitrokey FIDO. + This step is optional, however it is advised to have a backup Nitrokey in the case of loss, theft or destruction of your Nitrokey FIDO. -To set up a backup key, repeat the procedure above, and use ``pamu2fcfg -n``. This will omit the ```` field, and the output can be appended to the line with your ```` like this: + To set up a backup key, repeat the procedure above, and use ``pamu2fcfg -n``. This will omit the ```` field, and the output can be appended to the line with your ```` like this: -.. code-block:: bash + .. code-block:: bash - :Zx...mw,04...0a:xB...fw,04...3f + :Zx...mw,04...0a:xB...fw,04...3f 7. **Modify the Pluggable Authentication Module** ``PAM`` -The final step is configure the PAM module files under ``/etc/pam.d/``. In this guide we will modify the ``common-auth`` file as it handles the authentication settings which are common to all services, but other options are possible. You can modify the file with the following command: + The final step is configure the PAM module files under ``/etc/pam.d/``. In this guide we will modify the ``common-auth`` file as it handles the authentication settings which are common to all services, but other options are possible. You can modify the file with the following command: -.. code-block:: bash + .. code-block:: bash - $ cd /etc/pam.d - $ sudo $editor common-auth + $ cd /etc/pam.d + $ sudo $editor common-auth -And add the following lines: + And add the following lines: -.. code-block:: bash + .. code-block:: bash - #Nitrokey FIDO2 config - auth sufficient pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok + #Nitrokey FIDO2 config + auth sufficient pam_u2f.so authfile=/etc/Nitrokey/u2f_keys cue prompt nouserok -.. tip:: + .. 
tip:: - - Since we are using Central Authentication Mapping, we need to tell - ``pam_u2f`` the location of the file to use with the ``authfile`` - option. + - Since we are using Central Authentication Mapping, we need to tell + ``pam_u2f`` the location of the file to use with the ``authfile`` + option. - - If you often forget to insert the key, ``prompt`` option make - ``pam_u2f`` print ``Insert your U2F device, then press ENTER.`` - and give you a chance to insert the Nitrokey. + - If you often forget to insert the key, ``prompt`` option make + ``pam_u2f`` print ``Insert your U2F device, then press ENTER.`` + and give you a chance to insert the Nitrokey. - - If you would like to be prompted to touch the Nitrokey, ``cue`` - option will make ``pam_u2f`` print ``Please touch the device.`` - message. + - If you would like to be prompted to touch the Nitrokey, ``cue`` + option will make ``pam_u2f`` print ``Please touch the device.`` + message. - - `nouserok` will ensure that you can still login using the username and - password, you might want to remove this at some point once the setup - is working and you don't want regular username & password based logins. + - `nouserok` will ensure that you can still login using the username and + password, you might want to remove this at some point once the setup + is working and you don't want regular username & password based logins. -Once we modified the ``common-auth``, we can save and exit the file. + Once we modified the ``common-auth``, we can save and exit the file. -You can test the configuration by typing ``sudo ls`` in the terminal. You should be prompted the message ``Please touch the device.`` and have a similar output on the terminal: + You can test the configuration by typing ``sudo ls`` in the terminal. You should be prompted the message ``Please touch the device.`` and have a similar output on the terminal: -.. code-block:: bash + .. 
code-block:: bash - nitrouser@nitrouser:~$ sudo ls - [sudo] password for nitrouser: Please touch the device. + nitrouser@nitrouser:~$ sudo ls + [sudo] password for nitrouser: Please touch the device. -You can also test your configuration by logging out of the user session and logging back. A similar screen should be displayed once you you unplug/replug yout Nitrokey FIDO2 and type your password: + You can also test your configuration by logging out of the user session and logging back. A similar screen should be displayed once you you unplug/replug yout Nitrokey FIDO2 and type your password: -.. figure:: /fido2/linux/images/u2f-fido-pam-2.png - :alt: img6 + .. figure:: /fido2/linux/images/u2f-fido-pam-2.png + :alt: img6 Usage ----- diff --git a/fido2/linux/product_platform_heading.rst b/fido2/linux/product_platform_heading.rst deleted file mode 100644 index 0cb919ffef..0000000000 --- a/fido2/linux/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey FIDO2 - Linux) diff --git a/fido2/mac/product_platform_heading.rst b/fido2/mac/product_platform_heading.rst deleted file mode 100644 index dad2421d98..0000000000 --- a/fido2/mac/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey FIDO2 - macOS) diff --git a/fido2/shared/firmware-update.rst.inc b/fido2/shared/firmware-update.rst.inc index 988b312795..d3d6406eba 100644 --- a/fido2/shared/firmware-update.rst.inc +++ b/fido2/shared/firmware-update.rst.inc @@ -1,8 +1,6 @@ Firmware Update =============== -.. include:: ./product_platform_heading.rst - This guide describes how to update the firmware on the Nitrokey FIDO2. .. important:: diff --git a/fido2/shared/index-content2.rst.inc b/fido2/shared/index-content2.rst.inc index 52162a4077..53e137388d 100644 --- a/fido2/shared/index-content2.rst.inc +++ b/fido2/shared/index-content2.rst.inc 
@@ -1,8 +1,6 @@ Nitrokey Reset -------------- -.. include:: ./product_platform_heading.rst - .. contents:: :local: Factory Reset operation regenerates the secret material stored on the Nitrokey FIDO U2F / Nitrokey FIDO2, which makes it a completely new key logic-side. New owner cannot use it to login to account of the previous one. In case of the FIDO2 Resident Keys the material is erased. diff --git a/fido2/windows/passwordless-microsoft.rst b/fido2/windows/passwordless-microsoft.rst index 251e404d43..61919f8be2 100644 --- a/fido2/windows/passwordless-microsoft.rst +++ b/fido2/windows/passwordless-microsoft.rst @@ -1,8 +1,6 @@ Passwordless Authentication With Microsoft ========================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: The Nitrokey FIDO2 supports password-less authentication, where entering a password is replaced by logging in with the Nitrokey FIDO2 and a PIN. @@ -12,22 +10,22 @@ Sample Login to Microsoft With The Nitrokey FIDO2 1. Click on “Sign in with security key”. -.. figure:: ./images/passwordless-microsoft/1.png - :alt: img0 + .. figure:: ./images/passwordless-microsoft/1.png + :alt: img0 2. Enter your PIN for the Nitrokey FIDO2. -.. figure:: ./images/passwordless-microsoft/2.png - :alt: img1 + .. figure:: ./images/passwordless-microsoft/2.png + :alt: img1 3. Touch your Nitrokey FIDO2 at the indicated spot. -.. figure:: ./images/passwordless-microsoft/3.png - :alt: img2 + .. figure:: ./images/passwordless-microsoft/3.png + :alt: img2 
@@ -45,65 +43,65 @@ Here we offer you a guide on how to set up passwordless authentication for your 3. Select “Security”. -.. figure:: ./images/passwordless-microsoft/4.png - :alt: img3 + .. figure:: ./images/passwordless-microsoft/4.png + :alt: img3 4. Select “More security options” -.. figure:: ./images/passwordless-microsoft/5.png - :alt: img4 + .. figure:: ./images/passwordless-microsoft/5.png + :alt: img4 5. Select “Set up a security key”. -.. figure:: ./images/passwordless-microsoft/6.png - :alt: img5 + .. figure:: ./images/passwordless-microsoft/6.png + :alt: img5 6. Confirm with “Next” under “USB device”. -.. figure:: ./images/passwordless-microsoft/7.png - :alt: img6 + .. figure:: ./images/passwordless-microsoft/7.png + :alt: img6 7. Enter a PIN that you want to use for your Nitrokey FIDO2 and then select “Next”. -.. figure:: ./images/passwordless-microsoft/8.png - :alt: img7 + .. figure:: ./images/passwordless-microsoft/8.png + :alt: img7 8. Now tap on the marked position of the Nitrokey FIDO2. -.. figure:: ./images/passwordless-microsoft/9.png - :alt: img8 + .. figure:: ./images/passwordless-microsoft/9.png + :alt: img8 9. Confirm with “Allow”. -.. figure:: ./images/passwordless-microsoft/10.png - :alt: img9 + .. figure:: ./images/passwordless-microsoft/10.png + :alt: img9 10. Name your Nitrokey FIDO2 and then select “Next”. -.. figure:: ./images/passwordless-microsoft/11.png - :alt: img10 + .. figure:: ./images/passwordless-microsoft/11.png + :alt: img10 11. Now you have successfully set up password-free authentication for your Microsoft account! Confirm with “Got it”. -.. figure:: ./images/passwordless-microsoft/12.png - :alt: img11 + .. figure:: ./images/passwordless-microsoft/12.png + :alt: img11 diff --git a/fido2/windows/product_platform_heading.rst b/fido2/windows/product_platform_heading.rst deleted file mode 100644 index 71749e2b1f..0000000000 --- a/fido2/windows/product_platform_heading.rst +++ /dev/null 
@@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey FIDO2 - Windows) diff --git a/fido2/windows/reset.rst b/fido2/windows/reset.rst index 58e6b6d46a..c568a0757d 100644 --- a/fido2/windows/reset.rst +++ b/fido2/windows/reset.rst @@ -1,8 +1,6 @@ Nitrokey Reset -------------- -.. include:: ./product_platform_heading.rst - .. contents:: :local: The Factory Reset operation deletes the FIDO secret keys stored on the Nitrokey and generates new ones. Afterwards the Nitrokey behaves like a new device. diff --git a/hsm/apache2-tls.rst.inc b/hsm/apache2-tls.rst.inc index 58d13e1b32..78a27eafa6 100644 --- a/hsm/apache2-tls.rst.inc +++ b/hsm/apache2-tls.rst.inc @@ -1,8 +1,6 @@ TLS Setup With Apache2 ====================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: .. hint:: diff --git a/hsm/certificate-authority.rst.inc b/hsm/certificate-authority.rst.inc index d328132a09..6e64e24933 100644 --- a/hsm/certificate-authority.rst.inc +++ b/hsm/certificate-authority.rst.inc @@ -1,8 +1,6 @@ Creating a Certificate Authority ================================ -.. include:: ./product_platform_heading.rst - .. contents:: :local: This article shows you how to setup your own private certificate authority backed by a Nitrokey HSM. This certificate authority has no automation and does not really scale. Other open source projects can be referenced for automation and scalability. diff --git a/hsm/import-keys-certs.rst.inc b/hsm/import-keys-certs.rst.inc index 862fa7fcdf..633a197d5c 100644 --- a/hsm/import-keys-certs.rst.inc +++ b/hsm/import-keys-certs.rst.inc @@ -1,8 +1,6 @@ Importing Keys And Certificates =============================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: Generally the concept to import key-pairs and/or certificates diff --git a/hsm/ipsec.rst.inc b/hsm/ipsec.rst.inc index b5b2a6cc91..4fe4c78568 100644 --- a/hsm/ipsec.rst.inc +++ b/hsm/ipsec.rst.inc 
@@ -1,5 +1,3 @@ -.. include:: ./product_platform_heading.rst - .. contents:: :local: `Strong Swan `__ works using the `PKCS#11 driver `__. Basically follow these steps: diff --git a/hsm/linux/dnssec.rst b/hsm/linux/dnssec.rst index 6bdf3ee5d6..60a10d0b2b 100644 --- a/hsm/linux/dnssec.rst +++ b/hsm/linux/dnssec.rst @@ -1,8 +1,6 @@ DNSSEC ====================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: diff --git a/hsm/linux/product_platform_heading.rst b/hsm/linux/product_platform_heading.rst deleted file mode 100644 index 09eea07e4f..0000000000 --- a/hsm/linux/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey HSM 2 - Linux) diff --git a/hsm/mac/product_platform_heading.rst b/hsm/mac/product_platform_heading.rst deleted file mode 100644 index 9bf9f75745..0000000000 --- a/hsm/mac/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey HSM 2 - macOS) diff --git a/hsm/pkcs11-url.rst.inc b/hsm/pkcs11-url.rst.inc index 57db51edf0..67302aaa1f 100644 --- a/hsm/pkcs11-url.rst.inc +++ b/hsm/pkcs11-url.rst.inc @@ -1,8 +1,6 @@ PKCS#11 URL Generation ====================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: diff --git a/hsm/smime.rst.inc b/hsm/smime.rst.inc index 3e1bee9295..906c5be8b1 100644 --- a/hsm/smime.rst.inc +++ b/hsm/smime.rst.inc @@ -1,8 +1,6 @@ S/MIME Email Encryption ======================= -.. include:: ./product_platform_heading.rst - .. contents:: :local: Prerequisites diff --git a/hsm/stunnel.rst.inc b/hsm/stunnel.rst.inc index 6c53079411..4869e58c9f 100644 --- a/hsm/stunnel.rst.inc +++ b/hsm/stunnel.rst.inc 
@@ -1,5 +1,3 @@ -.. include:: ./product_platform_heading.rst - .. contents:: :local: `Stunnel `__ works as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. diff --git a/hsm/windows/product_platform_heading.rst b/hsm/windows/product_platform_heading.rst deleted file mode 100644 index 811bd08425..0000000000 --- a/hsm/windows/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey HSM 2 - Windows) diff --git a/nethsm/administration.rst b/nethsm/administration.rst index f6d7546d16..59abc2c3d3 100644 --- a/nethsm/administration.rst +++ b/nethsm/administration.rst @@ -182,7 +182,7 @@ Unlock Passphrase The *Unlock Passphrase* is used to derive an *Unlock Key* if the NetHSM is in *Locked* state. The passphrase is initially set during provisioning of the NetHSM. -... warning:: +.. warning:: The unlock passphrase cannot be reset without knowing the current value. If the unlock passphrase is lost, neither can it be reset to a new value nor can the NetHSM be unlocked. diff --git a/nextbox/clients/android.rst b/nextbox/clients/android.rst index 099ac4a2bb..9ee034e0f1 100644 --- a/nextbox/clients/android.rst +++ b/nextbox/clients/android.rst 
@@ -7,31 +7,31 @@ Connect the NextBox with your smartphone 1. Download the Nextcloud app from the app store or play store. -.. figure:: /nextbox/images/gettingstarted/sp_1.jpg - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/gettingstarted/sp_1.jpg + :alt: imgsp1 + :scale: 30 % 2. Cick on "Sign in". -.. figure:: /nextbox/images/gettingstarted/sp_2.jpg - :alt: imgsp2 - :scale: 30 % + .. figure:: /nextbox/images/gettingstarted/sp_2.jpg + :alt: imgsp2 + :scale: 30 % 3. Enter your domain. -.. figure:: /nextbox/images/gettingstarted/sp_3.jpg - :alt: imgsp3 - :scale: 30 % + .. figure:: /nextbox/images/gettingstarted/sp_3.jpg + :alt: imgsp3 + :scale: 30 % 4. Enter your username and password and click "Log in". -.. figure:: /nextbox/images/gettingstarted/sp_4.jpg - :alt: imgsp4 - :scale: 30 % + .. figure:: /nextbox/images/gettingstarted/sp_4.jpg + :alt: imgsp4 + :scale: 30 % 5. Now you have access to your NextBox with your smartphone! -.. figure:: /nextbox/images/gettingstarted/sp_5.jpg - :alt: imgsp5 - :scale: 30 % + .. figure:: /nextbox/images/gettingstarted/sp_5.jpg + :alt: imgsp5 + :scale: 30 % diff --git a/nextbox/clients/linux.rst b/nextbox/clients/linux.rst index 6878fdb0ae..de28f443ad 100644 --- a/nextbox/clients/linux.rst +++ b/nextbox/clients/linux.rst @@ -8,8 +8,8 @@ Connect using the Nextcloud App 1. Download the client application from: https://nextcloud.com/install/ -.. hint:: Most distributions do provide the Nextcloud client via their - package managers. (e.g., Ubuntu, Arch Linux, Mint, ...) + .. hint:: Most distributions do provide the Nextcloud client via their + package managers. (e.g., Ubuntu, Arch Linux, Mint, ...) 2. After starting the ``nextcloud`` application, you will find it as a tray icon. @@ -30,8 +30,8 @@ Connect using WebDAV * To mount use: -.. code-block:: bash + .. code-block:: bash - mount -t davfs https://my.domain.tld/remote.php/webdav/ /mnt/target/path + mount -t davfs https://my.domain.tld/remote.php/webdav/ /mnt/target/path 
diff --git a/nextbox/clients/macosx.rst b/nextbox/clients/macosx.rst index a1cf5bfa47..1c978db335 100644 --- a/nextbox/clients/macosx.rst +++ b/nextbox/clients/macosx.rst @@ -9,39 +9,39 @@ Connect using the Nextcloud App 1. Download the Nextcloud client application: https://nextcloud.com/install/ -.. figure:: /nextbox/images/mac_app/nextc-download.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_app/nextc-download.png + :alt: imgsp1 + :scale: 30 % 2. After installation, click "Log in to your Nextcloud". Afterwards please provide your Nextcloud's domain. -.. figure:: /nextbox/images/mac_app/nextc-connect.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_app/nextc-connect.png + :alt: imgsp1 + :scale: 30 % 3. Provide your username and password and click "Log in". -.. figure:: /nextbox/images/mac_app/nextc-login.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_app/nextc-login.png + :alt: imgsp1 + :scale: 30 % -* Inside the menu bar there will be a Nextcloud icon to open the Nextcloud application settings. + Inside the menu bar there will be a Nextcloud icon to open the Nextcloud application settings. -.. figure:: /nextbox/images/mac_app/nextc-menu-bar-icon.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_app/nextc-menu-bar-icon.png + :alt: imgsp1 + :scale: 30 % -* Inside *Finder* below "favorites" you will find a "Nextcloud" directory with the user's files. + Inside *Finder* below "favorites" you will find a "Nextcloud" directory with the user's files. -.. figure:: /nextbox/images/mac_app/nextc-finder.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_app/nextc-finder.png + :alt: imgsp1 + :scale: 30 % Connect using WebDAV 
@@ -49,26 +49,26 @@ Connect using WebDAV 1. Inside *Finder*, open *Go* and choose *Connect to Server* -.. figure:: /nextbox/images/mac_webdav/1.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_webdav/1.png + :alt: imgsp1 + :scale: 30 % 2. Provide the WebDAV URL `https://yourdomain.xyz/remote.php/webdav` -.. figure:: /nextbox/images/mac_webdav/2.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_webdav/2.png + :alt: imgsp1 + :scale: 30 % 3. In the next step, provide the username and password to login to your Nextcloud instance. -.. figure:: /nextbox/images/mac_webdav/3.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_webdav/3.png + :alt: imgsp1 + :scale: 30 % 4. Once finished you can find your Nextcloud files in *Locations*. -.. figure:: /nextbox/images/mac_webdav/4.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/mac_webdav/4.png + :alt: imgsp1 + :scale: 30 % diff --git a/nextbox/clients/windows.rst b/nextbox/clients/windows.rst index eea24c0efd..8422d054e5 100644 --- a/nextbox/clients/windows.rst +++ b/nextbox/clients/windows.rst 
@@ -9,39 +9,39 @@ Connect using the Nextcloud App 1. Download the Nextcloud client application: https://nextcloud.com/install/ -.. figure:: /nextbox/images/win_app/1.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/win_app/1.png + :alt: imgsp1 + :scale: 30 % 2. After installation, click "Log in to your Nextcloud". Afterwards please provide your Nextcloud's domain. -.. figure:: /nextbox/images/win_app/2.png - :alt: imgsp1 - :scale: 50 % + .. figure:: /nextbox/images/win_app/2.png + :alt: imgsp1 + :scale: 50 % 3. Provide your username and password and click "Log in". -.. figure:: /nextbox/images/win_app/nextc-login.png - :alt: imgsp1 - :scale: 30 % + .. figure:: /nextbox/images/win_app/nextc-login.png + :alt: imgsp1 + :scale: 30 % -* Inside the tray there will be a Nextcloud icon to open the Nextcloud application settings. + Inside the tray there will be a Nextcloud icon to open the Nextcloud application settings. -.. figure:: /nextbox/images/win_app/4.png - :alt: imgsp1 - :scale: 50 % + .. figure:: /nextbox/images/win_app/4.png + :alt: imgsp1 + :scale: 50 % -* Inside the file-explorer you can now find your Nextcloud instance files. + Inside the file-explorer you can now find your Nextcloud instance files. -.. figure:: /nextbox/images/win_app/5.png - :alt: imgsp1 - :scale: 50 % + .. figure:: /nextbox/images/win_app/5.png + :alt: imgsp1 + :scale: 50 % Connect using WebDAV @@ -56,9 +56,9 @@ Connect using WebDAV 1. Add a WebDAV drive using the file explorer's "Add a network location" icon. (You can also use "Map network drive" to bind your Nextcloud to a drive, like *Z:*). -.. figure:: /nextbox/images/win_webdav/6.png - :alt: imgsp1 - :scale: 50 % + .. figure:: /nextbox/images/win_webdav/6.png + :alt: imgsp1 + :scale: 50 % 2. In the following dialog please enter the full WebDAV address of your NextBox: ``https://my.domain.tld/remote.php/dav/files/USERNAME``. Replace *my.domain.tld* with 
@@ -67,9 +67,9 @@ Connect using WebDAV 3. In the following window insert your full Nextcloud credentials, means your username and password you use to login into your Nextcloud. -.. figure:: /nextbox/images/win_webdav/8.png - :alt: imgsp1 - :scale: 50 % + .. figure:: /nextbox/images/win_webdav/8.png + :alt: imgsp1 + :scale: 50 % Now your files from your Nextcloud instance are accessible via the file-explorer. diff --git a/nextbox/gettingstarted.rst b/nextbox/gettingstarted.rst index f4a2d7f999..03deb781d4 100644 --- a/nextbox/gettingstarted.rst +++ b/nextbox/gettingstarted.rst @@ -15,12 +15,12 @@ Quickstart green (see :doc:`LEDs `). -.. Warning:: + .. Warning:: - External storage drives without an external power supply must NOT be - connected to the USB sockets. Otherwise, this can lead to data loss on the - internal hard disk. **Always use external storage drives with a separate - power supply together with the NextBox.** + External storage drives without an external power supply must NOT be + connected to the USB sockets. Otherwise, this can lead to data loss on the + internal hard disk. **Always use external storage drives with a separate + power supply together with the NextBox.** Create Admin Account -------------------- @@ -28,17 +28,17 @@ Create Admin Account 1. Enter your desired username and password. Remember to choose a strong password for your admin account. -.. figure:: /nextbox/images/gettingstarted/1.png - :alt: img1 + .. figure:: /nextbox/images/gettingstarted/1.png + :alt: img1 -.. .. Note:: + .. note:: - An occurring warning can be ignored since you are on your local network. + An occurring warning can be ignored since you are on your local network. 2. Press "Finish Setup". This process may take a few minutes. -.. figure:: /nextbox/images/gettingstarted/2.png - :alt: img2 + .. figure:: /nextbox/images/gettingstarted/2.png + :alt: img2 Configure NextBox Related Features ---------------------------------- 
@@ -63,10 +63,8 @@ continue on: private cloud from the internet. Our :doc:`guide ` covers various approaches. -.. hint:: We prepared a *one-click* remote access method, allowing you - to set up basic remote access in seconds. - - + .. hint:: We prepared a *one-click* remote access method, allowing you + to set up basic remote access in seconds. * **Connect your devices to your NextBox.** For smartphones the official `Android App`_ and `iOS App`_ are both great additions for your personal diff --git a/nextbox/hardware-overview.rst b/nextbox/hardware-overview.rst index 4431aa75f5..dc613c51e9 100644 --- a/nextbox/hardware-overview.rst +++ b/nextbox/hardware-overview.rst @@ -31,21 +31,21 @@ the different connectors and interfaces is given. 1. Hardware button for :doc:`Factory-Reset` 2. :doc:`Status LED` -.. figure:: /nextbox/images/hardware-overview/back-side.jpg - :alt: back view - :align: center + .. figure:: /nextbox/images/hardware-overview/back-side.jpg + :alt: back view + :align: center 3. **USB Type-C / Power Supply** connector is designated as a replacement for the stock connector on the front side and is exclusively for supplying power to the NextBox and cannot transfer data. -.. hint:: The right side of the NextBox is designed so that all mandatory - interfaces can be accessed from this side. + .. hint:: The right side of the NextBox is designed so that all mandatory + interfaces can be accessed from this side. -.. figure:: /nextbox/images/hardware-overview/right-side.jpg - :alt: right view - :align: center + .. figure:: /nextbox/images/hardware-overview/right-side.jpg + :alt: right view + :align: center 4. The **RJ45 - 1GbE Ethernet** connector connects your NextBox with your home network and shall stay connected at all times. 
@@ -53,18 +53,18 @@ the different connectors and interfaces is given. 6. **Reserved USB 3 - Type A Slot**, used for the internal hard-disk. *Never remove this connector!* 7. **2x Free USB 2 - Type A Slots**, please see :ref:`Hardware FAQ` -.. hint:: Using a hard-drive with an external power supply you can use any of - the available USB slots. Keep in mind that the data transfer bandwidth for - the USB 2 slots is less compared to the USB 3 slot. + .. hint:: Using a hard-drive with an external power supply you can use any of + the available USB slots. Keep in mind that the data transfer bandwidth for + the USB 2 slots is less compared to the USB 3 slot. 8. **USB Type-C / Power Supply** (stock) connector, can be used as **[3]** 9. **Micro HDMI 1 slot**, usable but not needed. 10. **Micro HDMI 2 slot**, usable but not needed. 11. **Headphone Jack**, usable but not needed. -.. figure:: /nextbox/images/hardware-overview/front-side.jpg - :alt: front view - :align: center + .. figure:: /nextbox/images/hardware-overview/front-side.jpg + :alt: front view + :align: center .. hint:: The front interfaces are all optional and not necessary for NextBox usage in general. While the **USB Type-C/Power Supply** may be used, the diff --git a/nextbox/technical/replace-drive.rst b/nextbox/technical/replace-drive.rst index eba00e650c..06b9db1db9 100644 --- a/nextbox/technical/replace-drive.rst +++ b/nextbox/technical/replace-drive.rst 
@@ -43,20 +43,20 @@ Prepare New Hard-Disk 6. Determine your hard-disk's device name (e.g., ``/dev/sdb``) and make sure none of its partitions are mounted -.. warning:: - **Again: think at least twice about the following step. Make sure you are referring to the - correct hard-drive device (and NOT a partition, means** ``/dev/sdb1`` **is wrong).** The script will - decline to do the operation on ``/dev/sda`` as there are good chances this might be your - system hard-disk, if you really need this you can comment out lines 23-26 inside the script. + .. warning:: + **Again: think at least twice about the following step. Make sure you are referring to the + correct hard-drive device (and NOT a partition, means** ``/dev/sdb1`` **is wrong).** The script will + decline to do the operation on ``/dev/sda`` as there are good chances this might be your + system hard-disk, if you really need this you can comment out lines 23-26 inside the script. 7. Run the script using the device name you have determined. Once prompted for your sudo-password please provide it to allow r/w access to the hard-drive: -.. code:: + .. code:: - $ ./simple_prepare_harddrive.sh - - # example: ./simple_prepare_harddrive.sh /dev/sdb + $ ./simple_prepare_harddrive.sh + + # example: ./simple_prepare_harddrive.sh /dev/sdb 8. Watch the script's output for any errors, there should be none 
@@ -79,25 +79,25 @@ Replacement Guide 6. Unfold the USB-to-SATA cable and put the NextBox bridge upside down onto a electronics friendly surface like a desk as shown in the following image -.. figure:: /nextbox/images/technical/nextbox_bridge_backside.jpeg - :alt: nextbox-backside - :align: center + .. figure:: /nextbox/images/technical/nextbox_bridge_backside.jpeg + :alt: nextbox-backside + :align: center 7. Unscrew the Phillips screws holding the hard-disk in position (the amount of screws may differ, depending on your hard-disk type) shown in the following image: -.. figure:: /nextbox/images/technical/nextbox_bridge_backside_screws.jpeg - :alt: nextbox-backside-screws - :align: center + .. figure:: /nextbox/images/technical/nextbox_bridge_backside_screws.jpeg + :alt: nextbox-backside-screws + :align: center 8. Once the screws are removed, push the hard-disk carefully towards the direction shown in the image above. Do not push it towards the other direction, you might damage the USB cable. 9. Remove the USB-to-SATA cable from the hard-drive -.. warning:: - Avoid disconnecting the male-female USB connector to not change the position and bending - of the cable. If you have to: be careful to keep the force as small as possible onto the - 90° part of the USB extension cable. + .. warning:: + Avoid disconnecting the male-female USB connector to not change the position and bending + of the cable. If you have to: be careful to keep the force as small as possible onto the + 90° part of the USB extension cable. 10. Connect your previously prepared new hard-drive 11. Carefully slide your new hard-drive into the bridge and fix it into the right position diff --git a/nitrokey3/adsk.rst.inc b/nitrokey3/adsk.rst.inc index a78404e478..7ec053c335 100644 --- a/nitrokey3/adsk.rst.inc +++ b/nitrokey3/adsk.rst.inc 
@@ -1,8 +1,6 @@ Additional Decryption Subkeys (ADSK) with GnuPG =============================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: `Additional Decryption Subkeys (ADSK) `__ can be used to automatically add recipients when encrypting a message with GnuPG. diff --git a/nitrokey3/firmware-update.rst.inc b/nitrokey3/firmware-update.rst.inc index ca037cfc60..1ea0e3ed90 100644 --- a/nitrokey3/firmware-update.rst.inc +++ b/nitrokey3/firmware-update.rst.inc @@ -1,8 +1,6 @@ Firmware Update =============== -.. include:: ./product_platform_heading.rst - .. only:: comment .. contents:: :local: diff --git a/nitrokey3/linux/product_platform_heading.rst b/nitrokey3/linux/product_platform_heading.rst deleted file mode 100644 index 20babecf30..0000000000 --- a/nitrokey3/linux/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey 3 - Linux) diff --git a/nitrokey3/mac/product_platform_heading.rst b/nitrokey3/mac/product_platform_heading.rst deleted file mode 100644 index b3cd932380..0000000000 --- a/nitrokey3/mac/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey 3 - macOS) diff --git a/nitrokey3/shared/openpgp-uif.rst.inc b/nitrokey3/shared/openpgp-uif.rst.inc index 59e2de012d..bd56e48e0e 100644 --- a/nitrokey3/shared/openpgp-uif.rst.inc +++ b/nitrokey3/shared/openpgp-uif.rst.inc @@ -1,8 +1,6 @@ OpenPGP Touch Confirmation (UIF) ================================ -.. include:: ./product_platform_heading.rst - .. contents:: :local: The Nitrokey 3 OpenPGP Card functionality supports touch button confirmations (so called User Interaction Flags, UIF) when performing cryptographic key operations. It can be configured separately for each operation (Signature, Decryption and Authentication). diff --git a/nitrokey3/shared/openpgp.rst.inc b/nitrokey3/shared/openpgp.rst.inc index d08a475b8d..c7efd1430d 100644 
--- a/nitrokey3/shared/openpgp.rst.inc +++ b/nitrokey3/shared/openpgp.rst.inc @@ -1,8 +1,6 @@ OpenPGP Email Encryption ======================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: .. note:: diff --git a/nitrokey3/shared/reset.rst.inc b/nitrokey3/shared/reset.rst.inc index 3126b83e96..8a07740cf7 100644 --- a/nitrokey3/shared/reset.rst.inc +++ b/nitrokey3/shared/reset.rst.inc @@ -1,8 +1,6 @@ Factory Reset ============= -.. include:: ./product_platform_heading.rst - .. contents:: :local: Each functionality of the Nitrokey 3 can be reset individually. diff --git a/nitrokey3/troubleshooting.rst.inc b/nitrokey3/troubleshooting.rst.inc index 76064a9863..91bbb14cfa 100644 --- a/nitrokey3/troubleshooting.rst.inc +++ b/nitrokey3/troubleshooting.rst.inc @@ -1,8 +1,6 @@ Troubleshooting =============== -.. include:: ./product_platform_heading.rst - .. contents:: :local: .. toctree:: diff --git a/nitrokey3/windows/product_platform_heading.rst b/nitrokey3/windows/product_platform_heading.rst deleted file mode 100644 index e8874c25be..0000000000 --- a/nitrokey3/windows/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey 3 - Windows) diff --git a/nitropad/default-boot.rst.inc b/nitropad/default-boot.rst.inc index d4f768d135..2cfa7942fc 100644 --- a/nitropad/default-boot.rst.inc +++ b/nitropad/default-boot.rst.inc @@ -1,8 +1,6 @@ Default Boot ============ -.. include:: ./product_platform_heading.rst - .. contents:: :local: If you have installed a new operating system, it may be that default boot is not yet assigned. If this is the case, please proceed as described below. diff --git a/nitropad/factory-reset-heads2.rst.inc b/nitropad/factory-reset-heads2.rst.inc index 6c0e6ae6b0..ee06dda5df 100644 --- a/nitropad/factory-reset-heads2.rst.inc +++ b/nitropad/factory-reset-heads2.rst.inc 
@@ -1,8 +1,6 @@ Factory Reset Heads 2.0 ======================= -.. include:: ./product_platform_heading.rst - .. contents:: :local: Reasons for resetting to factory settings diff --git a/nitropad/factory-reset.rst.inc b/nitropad/factory-reset.rst.inc index b63d3829c2..7ce29f0fdb 100644 --- a/nitropad/factory-reset.rst.inc +++ b/nitropad/factory-reset.rst.inc @@ -1,8 +1,6 @@ Factory Reset ============= -.. include:: ./product_platform_heading.rst - .. contents:: :local: Reasons for resetting to factory settings diff --git a/nitropad/firmware-update-1.4.rst.inc b/nitropad/firmware-update-1.4.rst.inc index cad6b4798a..8321762ca1 100644 --- a/nitropad/firmware-update-1.4.rst.inc +++ b/nitropad/firmware-update-1.4.rst.inc @@ -1,8 +1,6 @@ Firmware Update v1.4+ ======================= -.. include:: ./product_platform_heading.rst - .. contents:: :local: Starting with v1.4 due to elementary changes inside Heads and the firmware diff --git a/nitropad/firmware-update.rst.inc b/nitropad/firmware-update.rst.inc index 6d4ca7235c..dec12f8693 100644 --- a/nitropad/firmware-update.rst.inc +++ b/nitropad/firmware-update.rst.inc @@ -1,8 +1,6 @@ Firmware Update =============== -.. include:: ./product_platform_heading.rst - .. contents:: :local: This guide describes how to update the Heads firmware of the NitroPad. diff --git a/nitropad/os-reinstallation.rst.inc b/nitropad/os-reinstallation.rst.inc index bd255569b8..75108be87f 100644 --- a/nitropad/os-reinstallation.rst.inc +++ b/nitropad/os-reinstallation.rst.inc @@ -1,8 +1,6 @@ Operating System Reinstallation =============================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: .. warning:: diff --git a/nitropad/qubes/network-settings.rst b/nitropad/qubes/network-settings.rst index ab220ed7d6..2090d06cc8 100644 --- a/nitropad/qubes/network-settings.rst +++ b/nitropad/qubes/network-settings.rst 
@@ -6,16 +6,16 @@ To be able to use Wifi, Bluetooth and other functionalities, "Settings" must be 1. Click on the top left Qubes Icon and select Qubes:Settings under sys-net. -.. figure:: ../images/network-settings/settings_0.png - :alt: img1 + .. figure:: ../images/network-settings/settings_0.png + :alt: img1 2. Go to Applications, select "Settings" and click ">" to move it to the right side. 3. Click "Apply" and after wards "Ok". 4. Now you should have "Settings" visible under sys-net. -.. Note:: + .. Note:: - If it won't open Settings after clicking on it, please follow the instructions below. + If it won't open Settings after clicking on it, please follow the instructions below. Fix sys-net Settings ~~~~~~~~~~~~~~~~~~~~ @@ -23,13 +23,13 @@ Fix sys-net Settings 1. Go to the sys-net Terminal. 2. Open the bashrc-file with ``sudo vim ~/.bashrc``. -.. figure:: ../images/network-settings/settings_1.png - :alt: img2 + .. figure:: ../images/network-settings/settings_1.png + :alt: img2 3. Press "i" to enable the editing and add ``export XDG_CURRENT_DESKTOP=GNOME`` to the file. -.. figure:: ../images/network-settings/settings_2.png - :alt: img3 + .. figure:: ../images/network-settings/settings_2.png + :alt: img3 4. Save the changes with ``:wq``. 5. Restart your NitroPad. diff --git a/nitropad/qubes/nitrokey-app.rst b/nitropad/qubes/nitrokey-app.rst index d68d6ec7b8..d5f72e90c1 100644 --- a/nitropad/qubes/nitrokey-app.rst +++ b/nitropad/qubes/nitrokey-app.rst 
@@ -8,18 +8,18 @@ Nitrokey App Installation 1. Set in the "Qubes Settings" of sys-usb "Networking" to default and "Apply" the changes. -.. figure:: /images/qubes/install-nitrokey-app-images/Settings-sys-usb.png - :alt: img1 + .. figure:: /images/qubes/install-nitrokey-app-images/Settings-sys-usb.png + :alt: img1 2. Set in the "Qubes Settings" of fedora template "Networking" to default and "Apply" the changes. -.. figure:: /images/qubes/install-nitrokey-app-images/Settings-fedora.png - :alt: img2 + .. figure:: /images/qubes/install-nitrokey-app-images/Settings-fedora.png + :alt: img2 3. Open the terminal of the fedora template and run ``sudo dnf install nitrokey-app``. -.. figure:: /images/qubes/install-nitrokey-app-images/fedora-terminal.png - :alt: img3 + .. figure:: /images/qubes/install-nitrokey-app-images/fedora-terminal.png + :alt: img3 4. Shut down the template. @@ -27,15 +27,15 @@ Nitrokey App Installation 6. Go to "Application" of sys-usb and select the Nitrokey App. -.. figure:: /images/qubes/install-nitrokey-app-images/Settings-sys-usb_2.png - :alt: img5 + .. figure:: /images/qubes/install-nitrokey-app-images/Settings-sys-usb_2.png + :alt: img5 7. Click the arrow pointing to the right side to move it to the shortcuts and "Apply" the changes. -.. figure:: /images/qubes/install-nitrokey-app-images/Settings-sys-usb_3.png - :alt: img6 + .. figure:: /images/qubes/install-nitrokey-app-images/Settings-sys-usb_3.png + :alt: img6 8. Now you can access the Nitrokey App by clicking on sys-usb. -.. figure:: /images/qubes/install-nitrokey-app-images/sys-usb-nitrokey-app.png - :alt: img7 + .. figure:: /images/qubes/install-nitrokey-app-images/sys-usb-nitrokey-app.png + :alt: img7 diff --git a/nitropad/qubes/product_platform_heading.rst b/nitropad/qubes/product_platform_heading.rst deleted file mode 100644 index 6c7f2830bc..0000000000 --- a/nitropad/qubes/product_platform_heading.rst +++ /dev/null 
@@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (NitroPad - Qubes OS) diff --git a/nitropad/qubes/user-password-reset.rst b/nitropad/qubes/user-password-reset.rst index cab8eb6c1a..2345b51e26 100644 --- a/nitropad/qubes/user-password-reset.rst +++ b/nitropad/qubes/user-password-reset.rst @@ -3,20 +3,20 @@ User Password Reset 1. Follow the next five steps to boot from the installation media -.. figure:: ./images/user-password-reset/step-one.jpg - :alt: Step 1 + .. figure:: ./images/user-password-reset/step-one.jpg + :alt: Step 1 -.. figure:: ./images/user-password-reset/step-two.jpg - :alt: Step 2 + .. figure:: ./images/user-password-reset/step-two.jpg + :alt: Step 2 -.. figure:: ./images/user-password-reset/step-three.jpg - :alt: Step 3 + .. figure:: ./images/user-password-reset/step-three.jpg + :alt: Step 3 -.. figure:: ./images/user-password-reset/step-four.jpg - :alt: Step 4 + .. figure:: ./images/user-password-reset/step-four.jpg + :alt: Step 4 -.. figure:: ./images/user-password-reset/step-five.jpg - :alt: Step 5 + .. figure:: ./images/user-password-reset/step-five.jpg + :alt: Step 5 2. In the rescue shell, type: `cryptsetup open /dev/sda3 qubes` to unlock the encrypted root drive @@ -24,7 +24,7 @@ User Password Reset 4. Change root to it `chroot /mnt` -5) Change the password `passwd user` (where "user" is your Qubes login) -6) Type in a new password and confirm -7) Type `exit` to exit the chroot -8) Type `reboot` and then boot as usal without the installation medium +5. Change the password `passwd user` (where "user" is your Qubes login) +6. Type in a new password and confirm +7. Type `exit` to exit the chroot +8. Type `reboot` and then boot as usal without the installation medium diff --git a/nitropad/sealed-hardware.rst.inc b/nitropad/sealed-hardware.rst.inc index da9787cef4..32be8125cf 100644 --- a/nitropad/sealed-hardware.rst.inc +++ b/nitropad/sealed-hardware.rst.inc 
@@ -1,8 +1,6 @@ Verify Sealed Hardware ====================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: If you ordered your NitroPad with sealed screws and in a sealed bag, it allows you to check if the NitroPad has been tampered with during shipping. diff --git a/nitropad/system-update.rst.inc b/nitropad/system-update.rst.inc index d262fa04a7..46737526dc 100644 --- a/nitropad/system-update.rst.inc +++ b/nitropad/system-update.rst.inc @@ -1,8 +1,6 @@ System update ============= -.. include:: ./product_platform_heading.rst - .. contents:: :local: The NitroPad watches for changes to important system files to detect third-party tampering. This means that special steps are sometimes necessary when updating the system. This can often be recognized by the fact that the system prompts you to reboot. diff --git a/nitropad/troubleshooting.rst.inc b/nitropad/troubleshooting.rst.inc index cfbee3bb0b..1d2987cfd1 100644 --- a/nitropad/troubleshooting.rst.inc +++ b/nitropad/troubleshooting.rst.inc @@ -1,8 +1,6 @@ Troubleshooting =============== -.. include:: ./product_platform_heading.rst - .. contents:: :local: .. toctree:: diff --git a/nitropad/ubuntu/change-disk-encryption-passphrase.rst b/nitropad/ubuntu/change-disk-encryption-passphrase.rst index 377fbc002b..72aad162d0 100644 --- a/nitropad/ubuntu/change-disk-encryption-passphrase.rst +++ b/nitropad/ubuntu/change-disk-encryption-passphrase.rst 
@@ -1,39 +1,37 @@ Change Disk Encryption Passphrase ================================= -.. include:: ./product_platform_heading.rst - 1. To change the passphrase for disk encryption, first click on “Activities” in the upper left corner and enter “disk” in the search bar. Then select the “Disks” program that appears in the middle of the screen. -.. figure:: ../images/change-disk-encryption-passphrase/1.png - :alt: img1 + .. figure:: ../images/change-disk-encryption-passphrase/1.png + :alt: img1 2. Select the field that says “Luks”. Afterwards it should have an orange background. -.. figure:: ../images/change-disk-encryption-passphrase/2.png - :alt: img2 + .. figure:: ../images/change-disk-encryption-passphrase/2.png + :alt: img2 3. Left click on the gears and select “Change Passphrase” from the context menu. -.. figure:: ../images/change-disk-encryption-passphrase/3.png - :alt: img3 + .. figure:: ../images/change-disk-encryption-passphrase/3.png + :alt: img3 4. Enter “PleaseChangeMe” as the current passphrase and select a secure new one. -.. figure:: ../images/change-disk-encryption-passphrase/4.png - :alt: img4 + .. figure:: ../images/change-disk-encryption-passphrase/4.png + :alt: img4 diff --git a/nitropad/ubuntu/product_platform_heading.rst b/nitropad/ubuntu/product_platform_heading.rst deleted file mode 100644 index ede4843406..0000000000 --- a/nitropad/ubuntu/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (NitroPad - Ubuntu Linux) diff --git a/nitrowall/firmware-update-nw678.rst b/nitrowall/firmware-update-nw678.rst index b68edf2f27..6206044947 100644 --- a/nitrowall/firmware-update-nw678.rst +++ b/nitrowall/firmware-update-nw678.rst 
@@ -6,7 +6,7 @@ Update OpenWrt Firmware .. contents:: :local: -We recommend updating OpenWrt via the pre-installed `Attended Sysupgrade `_. To be able to use this service you need to configure it to ignore the "nitrowall" package, if it has been installed before: +We recommend updating OpenWrt via the pre-installed `Attended Sysupgrade `__. To be able to use this service you need to configure it to ignore the "nitrowall" package, if it has been installed before: 1. Go to System -> Attended Sysupgrade -> Configuration and enable the Advanced Mode -> Save & Apply @@ -38,7 +38,7 @@ We recommend updating OpenWrt via the pre-installed `Attended Sysupgrade `_. +9. Update OpenWrt via `Attended Sysupgrade `__. Alternatively to the above instructions, you can login via ssh and execute this script:: diff --git a/nitrowall/index.rst b/nitrowall/index.rst index 233d5ebeec..80124d9f4d 100644 --- a/nitrowall/index.rst +++ b/nitrowall/index.rst @@ -8,8 +8,8 @@ Getting Started 1. Connect the NitroWalls LAN1 port by a patch cable with the Ethernet port of your laptop or PC -.. important:: - Note that the standard configuration of OPNsense uses LAN2 as the WAN port and LAN1,3,4 as LAN ports. By default LAN3 and LAN4 are disabled. So you have to enable them (i.e. via bridging). + .. important:: + Note that the standard configuration of OPNsense uses LAN2 as the WAN port and LAN1,3,4 as LAN ports. By default LAN3 and LAN4 are disabled. So you have to enable them (i.e. via bridging). 2. Connect the NitroWall with power supply 3. Turn on the NitroWall by I/O switch on the front side 
@@ -20,33 +20,31 @@ Getting Started 5. Confirm browser security warning 6. After logging in you are at the admin dashboard of the NitroWall -- Login: root -- Password: opnsense + - Login: root + - Password: opnsense 7. Start the system wizard via the menu of the left-hand side: system → system wizard → setup. The wizard is going through the configuration with you step-by-step. + .. figure:: ./images/nitrowall_back.jpg + :alt: NitroWall backside + NitroWall back side -.. figure:: ./images/nitrowall_back.jpg - :alt: NitroWall backside + .. figure:: ./images/nitrowall_front.jpg + :alt: NitroWall frontside - NitroWall back side + NitroWall front side -.. figure:: ./images/nitrowall_front.jpg - :alt: NitroWall frontside - NitroWall front side + .. figure:: ./images/dashboard.png + :alt: dashboard + NitroWall dashboard -.. figure:: ./images/dashboard.png - :alt: dashboard + .. figure:: ./images/reload.png + :alt: reload - NitroWall dashboard - -.. figure:: ./images/reload.png - :alt: reload - - Reload the NitroWall + Reload the NitroWall 8. After configuring your NitroWall reload it to make the changes persistent. As soon as the process terminates, you are back again at the dashboard. 9. After the installation is complete, install the necessary updates. To do this, go to System → Firmware → Updates. diff --git a/pro/2fa-google.rst.inc b/pro/2fa-google.rst.inc index 0852b6aec4..401bc1bf1a 100644 --- a/pro/2fa-google.rst.inc +++ b/pro/2fa-google.rst.inc @@ -1,8 +1,6 @@ Two-factor Authentication for Google ==================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: These are the basic steps for registering the Nitrokey Pro or Nitrokey Storage as a second factor of a Google account: diff --git a/pro/2fa-nextcloud.rst.inc b/pro/2fa-nextcloud.rst.inc index 8a47f375bf..b0efcab989 100644 --- a/pro/2fa-nextcloud.rst.inc +++ b/pro/2fa-nextcloud.rst.inc 
@@ -1,8 +1,6 @@ Two-factor Authentication for Nextcloud accounts ================================================ -.. include:: ./product_platform_heading.rst - .. contents:: :local: These are the basic steps for registering the Nitrokey Pro or Nitrokey Storage as a second factor of a Nextcloud account. diff --git a/pro/2fa-odoo.rst.inc b/pro/2fa-odoo.rst.inc index 1a633c5c42..cdf8ede5d4 100644 --- a/pro/2fa-odoo.rst.inc +++ b/pro/2fa-odoo.rst.inc @@ -1,8 +1,6 @@ Two-Factor Authentication For ERP Software Odoo =============================================== -.. include:: ./product_platform_heading.rst - .. only:: comment .. contents:: :local: diff --git a/pro/change-pins.rst.inc b/pro/change-pins.rst.inc index 72c6b87cd5..ce87b7b515 100644 --- a/pro/change-pins.rst.inc +++ b/pro/change-pins.rst.inc @@ -1,8 +1,6 @@ Change User and Admin PIN ========================= -.. include:: ./product_platform_heading.rst - .. contents:: :local: User PIN diff --git a/pro/ecc.rst.inc b/pro/ecc.rst.inc index f0933ea14c..7eb28ac0e4 100644 --- a/pro/ecc.rst.inc +++ b/pro/ecc.rst.inc @@ -1,8 +1,6 @@ Elliptic Curves (ECC) Support ============================= -.. include:: ./product_platform_heading.rst - .. contents:: :local: RSA-2048 Becomes Increasingly Insecure diff --git a/pro/eidauthenticate.rst.inc b/pro/eidauthenticate.rst.inc index b3d27095a4..0d763342d9 100644 --- a/pro/eidauthenticate.rst.inc +++ b/pro/eidauthenticate.rst.inc @@ -1,8 +1,6 @@ Login With EIDAuthenticate on Stand Alone Windows Computers =========================================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: 1. Download and install the latest version of `OpenSC `__. Please install the `OpenPGP-CSP `__ driver **instead** if using Nitrokey Storage 2 or Nitrokey Pro 2. diff --git a/pro/factory-reset.rst.inc b/pro/factory-reset.rst.inc index ff871c8a1a..3a8a095568 100644 --- a/pro/factory-reset.rst.inc +++ b/pro/factory-reset.rst.inc 
@@ -1,8 +1,6 @@ Factory Reset ============= -.. include:: ./product_platform_heading.rst - .. contents:: :local: There are two types of factory resets for Nitrokey Pro devices: diff --git a/pro/firmware-update.rst.inc b/pro/firmware-update.rst.inc index a5346520db..8555b7c07c 100644 --- a/pro/firmware-update.rst.inc +++ b/pro/firmware-update.rst.inc @@ -1,8 +1,6 @@ Firmware Update =============== -.. include:: ./product_platform_heading.rst - This guide describes how to update the firmware on the Nitrokey Pro. .. warning:: diff --git a/pro/hard-disk-encryption.rst.inc b/pro/hard-disk-encryption.rst.inc index e5305141f2..d9b8a1887e 100644 --- a/pro/hard-disk-encryption.rst.inc +++ b/pro/hard-disk-encryption.rst.inc @@ -1,6 +1,3 @@ - -.. include:: ./product_platform_heading.rst - .. only:: comment .. contents:: :local: diff --git a/pro/linux/automatic-screen-lock.rst b/pro/linux/automatic-screen-lock.rst index eb59ca53dd..a79abdc700 100644 --- a/pro/linux/automatic-screen-lock.rst +++ b/pro/linux/automatic-screen-lock.rst @@ -1,8 +1,6 @@ Automatic Screen Lock at Removal ================================ -.. include:: ./product_platform_heading.rst - .. contents:: :local: This guide will walk you through the configuration of your computer, to automatically lock your session when you remove the Nitrokey. diff --git a/pro/linux/disk-encryption-luks.rst b/pro/linux/disk-encryption-luks.rst index 60e33bba11..4f21b6c3b5 100644 --- a/pro/linux/disk-encryption-luks.rst +++ b/pro/linux/disk-encryption-luks.rst @@ -1,8 +1,6 @@ Full-Disk Encryption With cryptsetup/LUKS ========================================= -.. include:: ./product_platform_heading.rst - .. contents:: :local: This guide shows how to configure LUKS-encrypted volumes, to authenticate at boot with `Nitrokey Pro `__ or `Nitrokey Storage `__. diff --git a/pro/linux/hard-disk-encryption.rst b/pro/linux/hard-disk-encryption.rst index c9d41b1013..f9f5aa740a 100644 --- a/pro/linux/hard-disk-encryption.rst 
+++ b/pro/linux/hard-disk-encryption.rst @@ -1,8 +1,6 @@ Hard Disk Encryption ==================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: VeraCrypt (formerly TrueCrypt) diff --git a/pro/linux/openvpn-easyrsa.rst b/pro/linux/openvpn-easyrsa.rst index e53a07f8e1..8629026ffd 100644 --- a/pro/linux/openvpn-easyrsa.rst +++ b/pro/linux/openvpn-easyrsa.rst @@ -1,8 +1,6 @@ OpenVPN Configuration with Easy-RSA =================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: :depth: 2 diff --git a/pro/linux/product_platform_heading.rst b/pro/linux/product_platform_heading.rst deleted file mode 100644 index ada07d42bc..0000000000 --- a/pro/linux/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey Pro 2 - Linux) diff --git a/pro/login-with-pam.rst.inc b/pro/login-with-pam.rst.inc index ce98ce3977..42f922fb9a 100644 --- a/pro/login-with-pam.rst.inc +++ b/pro/login-with-pam.rst.inc @@ -1,6 +1,3 @@ - -.. include:: ./product_platform_heading.rst - .. contents:: :local: How to Setup The Login diff --git a/pro/mac/product_platform_heading.rst b/pro/mac/product_platform_heading.rst deleted file mode 100644 index 1458f92ad9..0000000000 --- a/pro/mac/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey Pro 2 - macOS) diff --git a/pro/openpgp-keygen-backup.rst.inc b/pro/openpgp-keygen-backup.rst.inc index 896d085b89..9249a0f871 100644 --- a/pro/openpgp-keygen-backup.rst.inc +++ b/pro/openpgp-keygen-backup.rst.inc 
@@ -1,8 +1,6 @@ OpenPGP Key Generation With Backup ================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: The following instructions explain the generation of OpenPGP keys and how to copy them to the Nitrokey. This method has the advantage of providing a backup of the keys in case of losing or breaking the Nitrokey. The instructions are based on the command line interface of GnuPG. Thus, you need to have GnuPG installed on your system. The newest GnuPG version for Windows can be found `here `__ and the newest version for MacOS can be found `here `__. Users of Linux systems please install GnuPG with help of the package manager. diff --git a/pro/openpgp-keygen-gpa.rst.inc b/pro/openpgp-keygen-gpa.rst.inc index 9c781f6dcb..04a2b828c3 100644 --- a/pro/openpgp-keygen-gpa.rst.inc +++ b/pro/openpgp-keygen-gpa.rst.inc @@ -1,8 +1,6 @@ OpenPGP Key Generation Using GPA ================================ -.. include:: ./product_platform_heading.rst - .. contents:: :local: The following instructions explain the generation of OpenPGP keys directly on the Nitrokey with help of the GNU Privacy Assistant (GPA). You won’t be able to create a backup of these keys. Thus, if you lose the Nitrokey or it breaks you can not decrypt mails or use these keys anymore. Please see `here `_ for a comparison of the different methods to generate OpenPGP keys. diff --git a/pro/openpgp-keygen-on-device.rst.inc b/pro/openpgp-keygen-on-device.rst.inc index 4ea36b6e8d..3012967dae 100644 --- a/pro/openpgp-keygen-on-device.rst.inc +++ b/pro/openpgp-keygen-on-device.rst.inc 
@@ -1,8 +1,6 @@ OpenPGP Key Generation On-Device ================================ -.. include:: ./product_platform_heading.rst - .. contents:: :local: The following instructions explain the generation of OpenPGP keys directly on the Nitrokey. This is done by using the command line interface of GnuPG. Thus, you need to have GnuPG installed on your system. The newest GnuPG version for Windows can be found `here `__ and the newest version for MacOS can be found `here `__. Users of Linux systems please install GnuPG with help of the package manager. diff --git a/pro/openpgp-outlook.rst.inc b/pro/openpgp-outlook.rst.inc index 27967e5a63..2b53d3239f 100644 --- a/pro/openpgp-outlook.rst.inc +++ b/pro/openpgp-outlook.rst.inc @@ -1,8 +1,6 @@ OpenPGP Email Encryption with Outlook ===================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: .. note:: diff --git a/pro/openpgp-thunderbird.rst.inc b/pro/openpgp-thunderbird.rst.inc index 5b85a0588c..a0bf2846df 100644 --- a/pro/openpgp-thunderbird.rst.inc +++ b/pro/openpgp-thunderbird.rst.inc @@ -1,8 +1,6 @@ OpenPGP Email Encryption With Thunderbird ========================================= -.. include:: ./product_platform_heading.rst - .. contents:: :local: Thunderbird 78.3 and newer diff --git a/pro/openpgp.rst.inc b/pro/openpgp.rst.inc index 3b24790ec6..e3ff07503e 100644 --- a/pro/openpgp.rst.inc +++ b/pro/openpgp.rst.inc @@ -1,8 +1,6 @@ OpenPGP Email Encryption ======================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: .. include:: ../../shared/openpgp.rst.inc diff --git a/pro/otp.rst.inc b/pro/otp.rst.inc index ed8bec1602..fe35ca9c48 100644 --- a/pro/otp.rst.inc +++ b/pro/otp.rst.inc 
@@ -1,8 +1,6 @@ Two-factor Authentication with One-Time Passwords (OTP) ======================================================= -.. include:: ./product_platform_heading.rst - .. contents:: :local: The use of One-time Passwords (OTP) is called very differently on the various services supporting it. Sometimes it is referred to as Multi-factor Authentication (MFA), sometimes it is Two-factor Authentication (2FA) or just “authentication via authenticator app” like Google Authenticator. Most of these services are compatible for usage with the Nitrokey Pro and Nitrokey Storage. The following instructions show how to enable OTP on our `support forum `__. The procedure is quite similar on most services. For a list of websites supporting OTP have a look at `dongleauth.com `__. diff --git a/pro/putty.rst.inc b/pro/putty.rst.inc index f5effe4797..54e1ecf07b 100644 --- a/pro/putty.rst.inc +++ b/pro/putty.rst.inc @@ -1,8 +1,6 @@ PuTTY ===== -.. include:: ./product_platform_heading.rst - .. contents:: :local: This mini-howto assumes that the Nitrokey has been initialized and contains cryptographic keys. diff --git a/pro/smart-policy.rst.inc b/pro/smart-policy.rst.inc index 75e07a6f16..4dfe76da02 100644 --- a/pro/smart-policy.rst.inc +++ b/pro/smart-policy.rst.inc @@ -1,8 +1,6 @@ Login to Windows Domain Computers With MS Active Directory ========================================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: 1. Download and install the latest diff --git a/pro/smime-outlook.rst.inc b/pro/smime-outlook.rst.inc index cee1474517..23e82e1386 100644 --- a/pro/smime-outlook.rst.inc +++ b/pro/smime-outlook.rst.inc @@ -1,8 +1,6 @@ S/MIME Email Encryption with Outlook ==================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: Prerequisites diff --git a/pro/smime-thunderbird.rst.inc b/pro/smime-thunderbird.rst.inc index 544c71284a..b1e3a5ca87 100644 --- a/pro/smime-thunderbird.rst.inc 
+++ b/pro/smime-thunderbird.rst.inc @@ -1,8 +1,6 @@ S/MIME Email Encryption with Thunderbird ======================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: Prerequisites diff --git a/pro/smime.rst.inc b/pro/smime.rst.inc index 7e25cb1971..405d4c06e8 100644 --- a/pro/smime.rst.inc +++ b/pro/smime.rst.inc @@ -1,8 +1,6 @@ S/MIME Email Encryption ======================= -.. include:: ./product_platform_heading.rst - .. contents:: :local: Prerequisites diff --git a/pro/windows/2fa-microsoft.rst b/pro/windows/2fa-microsoft.rst index cb9e1dd019..1b28d54d83 100644 --- a/pro/windows/2fa-microsoft.rst +++ b/pro/windows/2fa-microsoft.rst @@ -1,8 +1,6 @@ Two-factor Authentication for Microsoft Account =============================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: These are the basic steps for registering the Nitrokey Pro or Nitrokey Storage as a second factor of a Microsoft account. diff --git a/pro/windows/openpgp-csp.rst b/pro/windows/openpgp-csp.rst index ca0a28c3d4..5565c27e8f 100644 --- a/pro/windows/openpgp-csp.rst +++ b/pro/windows/openpgp-csp.rst @@ -1,8 +1,6 @@ Windows Login and S/MIME Email Encryption with Active Directory =============================================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: Please note that this driver is still in development/testing. Please tell us your experiences! See our `contact page `__. diff --git a/pro/windows/openvpn-easyrsa.rst b/pro/windows/openvpn-easyrsa.rst index e79197f4db..cd7df30537 100644 --- a/pro/windows/openvpn-easyrsa.rst +++ b/pro/windows/openvpn-easyrsa.rst @@ -1,8 +1,6 @@ OpenVPN Configuration with Easy-RSA =================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: :depth: 2 diff --git a/pro/windows/openvpn-viscosity.rst b/pro/windows/openvpn-viscosity.rst index 92dd96c10b..2eba770d17 100644 
--- a/pro/windows/openvpn-viscosity.rst +++ b/pro/windows/openvpn-viscosity.rst @@ -5,8 +5,6 @@ Viscosity Client Configuration with OpenVPN =========================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: This guide will show to configure `Viscosity client `__ to connect to an OpenVPN instance, using a `Nitrokey Pro diff --git a/pro/windows/product_platform_heading.rst b/pro/windows/product_platform_heading.rst deleted file mode 100644 index 890f9e4422..0000000000 --- a/pro/windows/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey Pro 2 - Windows) diff --git a/software/nitropy/linux/udev.rst b/software/nitropy/linux/udev.rst index 4b0891d728..b274835a54 100644 --- a/software/nitropy/linux/udev.rst +++ b/software/nitropy/linux/udev.rst @@ -23,7 +23,3 @@ After installing the rules, you need to reload them:: If you still cannot access your device, try again after rebooting your system. If you encouter issues, look at this `github comment `__ for some debugging hints. - -.. todo:: - - describe requirements: systemd, load order diff --git a/software/nk-app2/index.rst b/software/nk-app2/index.rst index ce1a0ff8d3..17adae0078 100644 --- a/software/nk-app2/index.rst +++ b/software/nk-app2/index.rst @@ -10,8 +10,8 @@ Supported Features ------------------ - Updating the firmware -- :ref:`One-Time Passwords (OTP)` -- :ref:`Password Storage ` +- One-Time Passwords (OTP) +- Password Storage Planned Features ---------------- diff --git a/software/nk-app2/passwords.rst b/software/nk-app2/passwords.rst index 35f3e1e49d..1bd1fd3401 100644 --- a/software/nk-app2/passwords.rst +++ b/software/nk-app2/passwords.rst @@ -1,6 +1,5 @@ Passwords ========= -.. _passwords: Password entries may consist of: diff --git a/start/factory-reset.rst b/start/factory-reset.rst index a40d0708c9..3bc5fe81db 100644 --- a/start/factory-reset.rst +++ b/start/factory-reset.rst 
@@ -14,34 +14,36 @@ Usage To change the identity it suffices to send a custom CCID command. This could be achieved with ``pynitrokey`` tool: -1. `Install - pynitrokey `__. +1. `Install pynitrokey `__. 2. Connect your Nitrokey Start and verify that it got recognized. -.. code-block:: bash + .. rstcheck: ignore-next-code-block + .. code-block:: bash - $ nitropy start list - *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start - :: 'Nitrokey Start' keys: - FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.10) + $ nitropy start list + *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start + :: 'Nitrokey Start' keys: + FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.10) -3. Change the identity, by replacing ```` with ``0``, ``1``, or - ``2``. +3. Change the identity, by replacing ```` with ``0``, ``1``, or ``2``. -.. code-block:: bash + .. rstcheck: ignore-next-code-block + .. code-block:: bash - $ nitropy start set-identity - *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start - Trying to set identity to 4 - device has reset, and should now have the new identity + $ nitropy start set-identity + *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start + Trying to set identity to 4 + device has reset, and should now have the new identity Reset ----- .. code-block:: bash - $ gpg --card-edit` -> admin -> factory-reset + $ gpg --card-edit + +In the menu enter `admin` and then `factory-reset` This will reset the current identity. To reset all identitites the following needs to be done: diff --git a/start/linux/firmware-update.rst b/start/linux/firmware-update.rst index 84cca8d355..6ba94be8c8 100644 --- a/start/linux/firmware-update.rst +++ b/start/linux/firmware-update.rst @@ -1,8 +1,6 @@ Firmware Update =============== -.. include:: ./product_platform_heading.rst - .. important:: Updating could lead to data loss, so make sure you have proper backup login methods enabled and/or ensure that the Nitrokey Start is not the only way to authenticate/2FA for your 
@@ -18,82 +16,85 @@ To update the firmware of your Nitrokey Start, proceed as follows. 1. Install pip3. -.. code-block:: bash + .. code-block:: bash - $ sudo apt install python3-pip + $ sudo apt install python3-pip 2. Install pynitrokey. For this you need an Internet connection. -.. code-block:: bash + .. code-block:: bash - $ pip3 install --user pynitrokey + $ pip3 install --user pynitrokey 3. Connect your Nitrokey Start and verify its recognition. -.. code-block:: bash + .. rstcheck: ignore-next-code-block + .. code-block:: bash - $ nitropy start list - *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start - :: 'Nitrokey Start' keys: - FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.8) + $ nitropy start list + *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start + :: 'Nitrokey Start' keys: + FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.8) 4. Start the update process. For this you need an Internet connection. -.. code-block:: bash + .. code-block:: bash - $ nitropy start update + $ nitropy start update 5. You will then be asked to enter the Admin PIN of your Nitrokey Start. (Default PIN: 12345678) -.. code-block:: bash + .. code-block:: bash - *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start - Nitrokey Start firmware update tool - Platform: Linux-5.3.0-59-generic-x86_64-with-Ubuntu-18 04-bionic - System: Linux, is_linux: True - Python: 3.6.9 - Saving run log to: /tmp/nitropy.log.d4erqux4 - Admin password: "your admin PIN" + *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start + Nitrokey Start firmware update tool + Platform: Linux-5.3.0-59-generic-x86_64-with-Ubuntu-18 04-bionic + System: Linux, is_linux: True + Python: 3.6.9 + Saving run log to: /tmp/nitropy.log.d4erqux4 + Admin password: "your admin PIN" 6. Under “Device” you will find information about the current version of your Nitrokey Start. In the first item under “Please note” you can see the latest firmware version available. Now you have to confirm the update with “yes”. -.. 
code-block:: bash + .. rstcheck: ignore-next-code-block + .. code-block:: bash - Firmware data to be used: + Firmware data to be used: - - FirmwareType.REGNUAL: 4504, hash: ...b'65ac82a1' valid (from ...built/RTM.10/regnual.bin) + - FirmwareType.REGNUAL: 4504, hash: ...b'65ac82a1' valid (from ...built/RTM.10/regnual.bin) - - FirmwareType.GNUK: 131072, hash: ...b'f85da8f7' valid (from ...prebuilt/RTM.10/gnuk.bin) - Currently connected device strings: - Device: - Vendor: Nitrokey - Product: Nitrokey Start - Serial: FSIJ-1.2.15-43100927 - Revision: RTM.9 - Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes - Sys: 3.0 - Please note: + - FirmwareType.GNUK: 131072, hash: ...b'f85da8f7' valid (from ...prebuilt/RTM.10/gnuk.bin) + Currently connected device strings: + Device: + Vendor: Nitrokey + Product: Nitrokey Start + Serial: FSIJ-1.2.15-43100927 + Revision: RTM.9 + Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes + Sys: 3.0 + Please note: - - Latest firmware available is: RTM.10 (published: 2020-06-04T12:34:14Z), - provided firmware: None + - Latest firmware available is: RTM.10 (published: 2020-06-04T12:34:14Z), + provided firmware: None - - All data will be removed from the device + - All data will be removed from the device - - Do not interrupt the update process, or the device will not run properly + - Do not interrupt the update process, or the device will not run properly - - Whole process should not take more than 1 minute - Do you want to continue? [yes/no]: yes + - Whole process should not take more than 1 minute + Do you want to continue? [yes/no]: yes 7. You can check the firmware version after the upgrade process has completed. -.. code-block:: bash + .. rstcheck: ignore-next-code-block + .. 
code-block:: bash - $ nitropy start list - *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start - :: 'Nitrokey Start' keys: - FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.10) + $ nitropy start list + *** Nitrokey tool for Nitrokey FIDO2 & Nitrokey Start + :: 'Nitrokey Start' keys: + FSIJ-1.2.15-87042524: Nitrokey Nitrokey Start (RTM.10) diff --git a/start/linux/index.rst b/start/linux/index.rst index 61430848a1..7882065b82 100644 --- a/start/linux/index.rst +++ b/start/linux/index.rst @@ -16,11 +16,11 @@ Nitrokey Start, Linux 3. Use GnuPG to `generate new keys or import existing ones `_. -.. note:: - It is indeed necessary to first import or create new keys and - change the PINs afterwards. Otherwise changing User PIN will fail! - Furthermore overriding keys results in PIN reset (default values), - please keep this in mind! + .. note:: + It is indeed necessary to first import or create new keys and + change the PINs afterwards. Otherwise changing User PIN will fail! + Furthermore overriding keys results in PIN reset (default values), + please keep this in mind! 4. Change the Admin PIN (default: ``12345678``) and then the User PIN (default: ``123456``) to your own choices. diff --git a/start/linux/product_platform_heading.rst b/start/linux/product_platform_heading.rst deleted file mode 100644 index 0cf7deeaa2..0000000000 --- a/start/linux/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey Start - Linux) diff --git a/start/mac/index.rst b/start/mac/index.rst index 7216177e2d..04e1917cea 100644 --- a/start/mac/index.rst +++ b/start/mac/index.rst 
@@ -17,11 +17,11 @@ Nitrokey Start, Mac 3. Use GnuPG to `generate new keys or import existing ones `_. -.. note:: - It is indeed necessary to first import or create new keys and - change the PINs afterwards. Otherwise changing User PIN will fail! - Furthermore overriding keys results in PIN reset (default values), - please keep this in mind! + .. note:: + It is indeed necessary to first import or create new keys and + change the PINs afterwards. Otherwise changing User PIN will fail! + Furthermore overriding keys results in PIN reset (default values), + please keep this in mind! 4. Change the Admin PIN (default: ``12345678``) and then the User PIN (default: ``123456``) to your own choices. diff --git a/start/mac/product_platform_heading.rst b/start/mac/product_platform_heading.rst deleted file mode 100644 index 48b665c351..0000000000 --- a/start/mac/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey Start - macOS) diff --git a/start/multiple-identities.rst.inc b/start/multiple-identities.rst.inc index 5ac4eec638..de88bce6b0 100644 --- a/start/multiple-identities.rst.inc +++ b/start/multiple-identities.rst.inc @@ -1,8 +1,6 @@ Multiple Identities =================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: The multiple identites feature allows to use 3 virtual smart cards in place of one, giving bigger flexibility in the every day use, as well as separation between user identities (business, personal etc.) or even allowing usage of it for more than one user (PINs are separate). diff --git a/start/setting-kdf-do.rst.inc b/start/setting-kdf-do.rst.inc index a9451cdc42..4f9135d16e 100644 --- a/start/setting-kdf-do.rst.inc +++ b/start/setting-kdf-do.rst.inc @@ -1,8 +1,6 @@ Setting KDF-DO =================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: Introduction 
diff --git a/start/windows/index.rst b/start/windows/index.rst index f58c33e2ff..9333e86a0d 100644 --- a/start/windows/index.rst +++ b/start/windows/index.rst @@ -15,13 +15,13 @@ Nitrokey Start, Windows that the USB smart card device driver gets installed almost automatically. -.. note:: - Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning. + .. note:: + Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning. 3. Use GnuPG to `generate new keys or import existing ones `_. -.. note:: - It is indeed necessary to first import or create new keys and change the PINs afterwards. Otherwise changing User PIN will fail! Furthermore overriding keys results in PIN reset (default values), please keep this in mind! + .. note:: + It is indeed necessary to first import or create new keys and change the PINs afterwards. Otherwise changing User PIN will fail! Furthermore overriding keys results in PIN reset (default values), please keep this in mind! 4. Change the Admin PIN (default: ``12345678``) and then the User PIN (default: ``123456``) to your own choices. diff --git a/start/windows/product_platform_heading.rst b/start/windows/product_platform_heading.rst deleted file mode 100644 index ca805400bf..0000000000 --- a/start/windows/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey Start - Windows) diff --git a/storage/firmware-update-manually.rst b/storage/firmware-update-manually.rst index 1f5c3d4cbc..10cfd13c81 100644 --- a/storage/firmware-update-manually.rst +++ b/storage/firmware-update-manually.rst 
@@ -2,7 +2,7 @@ .. note:: - The following steps are only necessary if you are using Windows 10 Build 1809 (or higher) and Nitrokey Storage with firmware 0.52 or older. In all other cases, or if you have access to another system, the regular update as described `here `_ is sufficient and easier. + The following steps are only necessary if you are using Windows 10 Build 1809 (or higher) and Nitrokey Storage with firmware 0.52 or older. In all other cases, or if you have access to another system, the regular update as described `here `__ is sufficient and easier. What is needed -------------- @@ -92,7 +92,7 @@ The Firmware Update Mode will be started automatically if the standard password :alt: img12 -After the system has activated the firmware update on the Nitrokey Storage, a restart is issued after 60 seconds. Please remove the USB Stick. Afterwards you can use the Nitrokey Update Tool in Windows as described `here `_. +After the system has activated the firmware update on the Nitrokey Storage, a restart is issued after 60 seconds. Please remove the USB Stick. Afterwards you can use the Nitrokey Update Tool in Windows as described `here `__. Restoring the USB Stick ----------------------- diff --git a/storage/hidden.rst b/storage/hidden.rst index b9a9d79372..11d2b103aa 100644 --- a/storage/hidden.rst +++ b/storage/hidden.rst 
@@ -32,12 +32,11 @@ Configuring hidden volumes 1. Unlock the encrypted volume using the Nitrokey App. 2. In the menu, select "setup hidden volume". -.. figure:: /storage/images/setup_hidden_volume.png - :alt: menu containing the hidden volume setup utility. + .. figure:: /storage/images/setup_hidden_volume.png + :alt: menu containing the hidden volume setup utility. 3. Enter a strong passphrase twice. Unlike the encrypted volume PIN, there are no limit to the number of attempts at opening hidden volumes, so the strength of the passphrase is extremely important. 4. Define the storage area to be used. Hidden volumes are stored in the free areas of the encrypted volume. When creating multiple hidden volume, you need to allocate a part of the free area for each volume, making sure they do not overlap. -.. figure:: /storage/images/hidden-storage-passphrase.png - :alt: Hidden volume dialog box - + .. figure:: /storage/images/hidden-storage-passphrase.png + :alt: Hidden volume dialog box diff --git a/storage/linux/factory-reset.rst b/storage/linux/factory-reset.rst index 455dfe6c4a..1fadfcfeee 100644 --- a/storage/linux/factory-reset.rst +++ b/storage/linux/factory-reset.rst @@ -1,6 +1,4 @@ Factory Reset ============= -.. include:: ../linux/product_platform_heading.rst - .. include:: ../factory-reset.rst diff --git a/storage/linux/firmware-update-manually.rst b/storage/linux/firmware-update-manually.rst index 856f72d18b..1f0848f0f0 100644 --- a/storage/linux/firmware-update-manually.rst +++ b/storage/linux/firmware-update-manually.rst @@ -1,6 +1,4 @@ Activate Update Mode Manually ============================= -.. include:: ../linux/product_platform_heading.rst - .. include:: ../firmware-update-manually.rst diff --git a/storage/linux/firmware-update.rst b/storage/linux/firmware-update.rst index f10f2dc332..138d94ede7 100644 --- a/storage/linux/firmware-update.rst +++ b/storage/linux/firmware-update.rst 
@@ -1,8 +1,6 @@ Firmware Update =============== -.. include:: ./product_platform_heading.rst - .. contents:: :local: .. warning:: @@ -22,23 +20,23 @@ Firmware Update 3. Right click on the icon of the Nitrokey App and go to “Configure” -> “Enable Firmware Update”. The default firmware password is ‘12345678’. -.. figure:: /storage/images/enable-firmware-update.png - :alt: Enable firmware update + .. figure:: /storage/images/enable-firmware-update.png + :alt: Enable firmware update -.. note:: + .. note:: - The Nitrokey Storage is not detected by Nitrokey App anymore once update mode got - activated. You have to proceed with the instructions described below - to make it work again. + The Nitrokey Storage is not detected by Nitrokey App anymore once update mode got + activated. You have to proceed with the instructions described below + to make it work again. 4. Open a terminal and execute: -.. code-block:: bash + .. code-block:: bash - sudo dfu-programmer at32uc3a3256s erase - sudo dfu-programmer at32uc3a3256s flash --suppress-bootloader-mem firmware.hex - sudo dfu-programmer at32uc3a3256s launch - # versions <0.7 of dfu-programmer use "start" instead of "launch" + sudo dfu-programmer at32uc3a3256s erase + sudo dfu-programmer at32uc3a3256s flash --suppress-bootloader-mem firmware.hex + sudo dfu-programmer at32uc3a3256s launch + # versions <0.7 of dfu-programmer use "start" instead of "launch" -whereas “firmware.hex” needs to be the path and file name of the firmware which you downloaded in step 2. + whereas “firmware.hex” needs to be the path and file name of the firmware which you downloaded in step 2. diff --git a/storage/linux/openvpn-easyrsa.rst b/storage/linux/openvpn-easyrsa.rst index 1ab6f66338..f8412c4186 100644 --- a/storage/linux/openvpn-easyrsa.rst +++ b/storage/linux/openvpn-easyrsa.rst @@ -1,8 +1,6 @@ OpenVPN Configuration with Easy-RSA =================================== -.. include:: ./product_platform_heading.rst - .. contents:: :local: :depth: 2 
@@ -55,91 +53,90 @@ As a reminder, to build a Certificate Authority on Nitrokey HSM 2, you may follo Alternatively you may set up your own CA on a `on a separate machine `__, or use the OpenVPN tutorial which also relies on `Easy-RSA `__. The last 2 options rely on software solutions for key management. --------------- - Server side ----------- -1. Install OpenVPN -^^^^^^^^^^^^^^^^^^ +Install OpenVPN +^^^^^^^^^^^^^^^ 1. First we need to enable IP Forwarding by editing ``/etc/sysctl.conf`` file -.. code-block:: bash + .. code-block:: bash - $ editor /etc/sysctl.conf + $ editor /etc/sysctl.conf 2. Uncomment or edit accordingly the following line -.. code-block:: bash + .. code-block:: bash - net.ipv4.ip_forward=1 + net.ipv4.ip_forward=1 3. Close after saving it, and enter this command -.. code-block:: bash + .. code-block:: bash - $ sysctl -p + $ sysctl -p -Once IP forwarding is done, we will need to download the latest release of OpenvPN for our Debian 10 server, according to `these instructions `__: + Once IP forwarding is done, we will need to download the latest release of OpenvPN for our Debian 10 server, according to `these instructions `__: 4. Change to root and download the GPG key that signed the package -.. code-block:: bash + .. code-block:: bash - $ sudo -s - # wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add - + $ sudo -s + # wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add - 5. Add the URL of the adequate OpenVPN packages to the ``sources.list`` file -.. code-block:: bash + .. code-block:: bash - # echo "deb http://build.openvpn.net/debian/openvpn/release/2.5 buster main" > /etc/apt/sources.list.d/openvpn-aptrepo.list - # exit + # echo "deb http://build.openvpn.net/debian/openvpn/release/2.5 buster main" > /etc/apt/sources.list.d/openvpn-aptrepo.list + # exit -We downloaded OpenVPN 2.5 as “password prompt” requires at least OpenVPN `version -2.4.8 `__ to login. 
+ We downloaded OpenVPN 2.5 as “password prompt” requires at least OpenVPN `version + 2.4.8 `__ to login. 6. Next we download OpenVPN -.. code-block:: bash + .. code-block:: bash - $ sudo apt install openvpn + $ sudo apt install openvpn -If you want to check the version, it possible by calling ``--version`` -and print the following: + If you want to check the version, it possible by calling ``--version`` + and print the following: -.. code-block:: bash + .. rstcheck: ignore-next-code-block + .. code-block:: bash - $ sudo openvpn --version - OpenVPN 2.5_beta3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 1 2020 - library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10 - Originally developed by James Yonan - Copyright (C) 2002-2018 OpenVPN Inc - Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no \ enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes \ enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no \ enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no \ enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no \ enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes \ with_mem_check=no with_sysroot=no + $ sudo openvpn --version + OpenVPN 2.5_beta3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 1 2020 + library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10 + Originally 
developed by James Yonan + Copyright (C) 2002-2018 OpenVPN Inc + Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no \ enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes \ enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no \ enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no \ enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no \ enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes \ with_mem_check=no with_sysroot=no -2. Install Easy-RSA -^^^^^^^^^^^^^^^^^^^ +Install Easy-RSA +^^^^^^^^^^^^^^^^ To build the PKI, we will download the latest version of Easy-RSA on the server and client machines. To get the latest release, go to the `Releases page on the official EasyRSA GitHub project `__, copy the download link for the file ending in ``.tgz``, and then paste it into the following command: 1. Download the latest release -.. code-block:: bash + .. code-block:: bash - $ cd ~ - wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz + $ cd ~ + wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz 2. Extract the tarball -.. code-block:: bash + .. code-block:: bash - $ cd ~ - $ tar xvf EasyRSA-3.0.7.tgz - $ mv EasyRSA-3.0.7/ easyrsa/ # rename folder + $ cd ~ + $ tar xvf EasyRSA-3.0.7.tgz + $ mv EasyRSA-3.0.7/ easyrsa/ # rename folder -3. 
Create a PKI for OpenVPN server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Create a PKI for OpenVPN server +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Before you can create your OpenVPN server’s private key and certificate, you need to create a local Public Key Infrastructure directory on your OpenVPN server. You will use this directory to manage the server and clients’ certificate requests, instead of making them directly on your CA server. 
@@ -147,35 +144,37 @@ To build a PKI directory on your OpenVPN server, you’ll need to populate a fil 1. Create a ``vars`` file -.. code-block:: bash + .. code-block:: bash - $ touch ~/easyrsa/vars - $ cd easyrsa/ - $ editor vars + $ touch ~/easyrsa/vars + $ cd easyrsa/ + $ editor vars 2. Once the file is opened, paste in the following two lines -.. code-block:: bash + .. code-block:: bash - set_var EASYRSA_ALGO "ec" - set_var EASYRSA_DIGEST "sha512" + set_var EASYRSA_ALGO "ec" + set_var EASYRSA_DIGEST "sha512" -These are the only two lines that you need in this ``vars`` file on your OpenVPN server since it will not be used as a Certificate Authority. They will ensure that your private keys and certificate requests are configured to use Elliptic Curve Cryptography (ECC) to generate keys, and secure signatures for your clients and OpenVPN server. + These are the only two lines that you need in this ``vars`` file on your OpenVPN server since it will not be used as a Certificate Authority. + They will ensure that your private keys and certificate requests are configured to use Elliptic Curve Cryptography (ECC) to generate keys, and secure signatures for your clients and OpenVPN server. -In regards to the choice of the cryptographic algorithms, I follow the model in `this tutorial `__, and you can customize these according to your specific needs. + In regards to the choice of the cryptographic algorithms, I follow the model in `this tutorial `__, and you can customize these according to your specific needs. 3. Initialize the PKI -Once you have populated the ``vars`` file you can proceed with creating the PKI directory. To do so, run the easyrsa script with the init-pki option: + Once you have populated the ``vars`` file you can proceed with creating the PKI directory. + To do so, run the easyrsa script with the init-pki option: -.. code-block:: bash + .. 
code-block:: bash - $ ./easyrsa init-pki + $ ./easyrsa init-pki After you’ve initialized your PKI on the OpenVPN server, you are ready to move on to the next step, which is creating an OpenVPN server certificate request and private key. -4. Create ``server.req`` and ``server.key`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Create ``server.req`` and ``server.key`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Now that your OpenVPN server has all the prerequisites installed, the next step is to generate a key pair composed of a private key (to keep secret), and a Certificate Signing Request (``.csr``) on your OpenVPN server. 
@@ -195,41 +194,41 @@ In general terms, on systems where we generate a key and request, these files ar 1. Create the signing request for the server -Navigate to the ``~/easyrsa`` directory on your OpenVPN Server as your non-root user, and enter the following commands: + Navigate to the ``~/easyrsa`` directory on your OpenVPN Server as your non-root user, and enter the following commands: -.. code-block:: bash + .. code-block:: bash - $ cd easyrsa/ - $ ./easyrsa gen-req server nopass + $ cd easyrsa/ + $ ./easyrsa gen-req server nopass -This will create a private key for the server and a certificate request file called ``server.req``. + This will create a private key for the server and a certificate request file called ``server.req``. -Once you have a signed certificate, you’ll transfer it back to the OpenVPN server. + Once you have a signed certificate, you’ll transfer it back to the OpenVPN server. 2. Copy the key to the OpenVPN server directory -.. code-block:: bash + .. code-block:: bash - $ sudo cp /home/admin/EasyRSA/pki/private/server.key /etc/openvpn/server/ + $ sudo cp /home/admin/EasyRSA/pki/private/server.key /etc/openvpn/server/ -After completing these steps, you have successfully created a private key for your OpenVPN server. You have also generated a Certificate Signing Request for the OpenVPN server. + After completing these steps, you have successfully created a private key for your OpenVPN server. You have also generated a Certificate Signing Request for the OpenVPN server. -.. tip:: + .. tip:: - File extensions for certificate signing requests + File extensions for certificate signing requests - The file extension that is adopted by the CA and HSM tutorial - indicates the creation of a ``.csr`` file, however Easy-RSA creates - certificate signing requests with a ``.req`` extension. 
+ The file extension that is adopted by the CA and HSM tutorial + indicates the creation of a ``.csr`` file, however Easy-RSA creates + certificate signing requests with a ``.req`` extension. - We will use interchangeably both extensions, while making sure that - we transfer the right files to the Certificate Authority, and - generate a final certificate with a ``.crt`` extension. + We will use interchangeably both extensions, while making sure that + we transfer the right files to the Certificate Authority, and + generate a final certificate with a ``.crt`` extension. In the next section of this guide, we will sign a ``.req`` file with our CA on deployed on the HSM 2 device. For this purpose, I will use a dedicated machine to sign the requests. -5. Sign and retrieve ``server.crt`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Sign and retrieve ``server.crt`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The following instructions require the transfer of the ``server.req`` (or ``server.csr``) file to the CA system. @@ -238,8 +237,8 @@ The transfer itself is not security sensitive, though it is wise to verify if th In order to go through these steps, I will extensively rely on `these instructions `_, to sign the certificate signing requests, once we generated them with Easy-RSA. -5.1. Sign the ``server.req`` file -''''''''''''''''''''''''''''''''' +Sign the ``server.req`` file +'''''''''''''''''''''''''''' On the local machine dedicated to access the HSM, we will use the tools provided by Opensc 0.20 in order to sign the ``.req`` file, and send it back to the OpenVPN server. We assume we have transferred the file from the server machine to the CA machine. 
@@ -247,75 +246,71 @@ First we start by plugging the HSM Nitrokey, and enter this instruction for list 1. Query the list of available devices -.. code-block:: bash + .. code-block:: bash - $ p11tool --list-all + $ p11tool --list-all - **(Required step)** If this is the first time you sign a certificate with the CA, you might want to retrieve the URI of the CA’s private key from the HSM, and include it in the config file. + **(Required step)** If this is the first time you sign a certificate with the CA, you might want to retrieve the URI of the CA’s private key from the HSM, and include it in the config file. -- The key’s URI should be in this format: + - The key’s URI should be in this format: -.. code-block:: bash + .. code-block:: bash - pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private + pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private 2. Create ``openvpn/`` directory under ``certificate-authority/`` -.. code-block:: bash + .. code-block:: bash - $ mkdir/opt/certificate-authority/ - $ cd /opt/certificate-authority/ + $ mkdir/opt/certificate-authority/ + $ cd /opt/certificate-authority/ 3. Sign the ``server.req`` -.. code-block:: bash + .. code-block:: bash - $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in server.req -out /home/user/pki/issued/server.crt + $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in server.req -out /home/user/pki/issued/server.crt -5.2. 
Retrieve the ``server.crt`` file to the server machine -''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' +Retrieve the ``server.crt`` file to the server machine +'''''''''''''''''''''''''''''''''''''''''''''''''''''' 1. Transfer the signed certificates to the server -From the CA machine, copy the files ``server.crt`` and ``chain.crt`` to the OpenVPN server. In this example we will use the ``scp`` command as following: + From the CA machine, copy the files ``server.crt`` and ``chain.crt`` to the OpenVPN server. In this example we will use the ``scp`` command as following: -.. code-block:: bash + .. code-block:: bash - $ scp openvpn/{server.crt,chain.crt} admin@your_openvpnserver_ip:/tmp + $ scp openvpn/{server.crt,chain.crt} admin@your_openvpnserver_ip:/tmp 2. Place the certificates on the server’s directory -.. code-block:: bash + .. code-block:: bash - $ mv /tmp/{server.crt,chain.crt} /etc/openvpn/server + $ mv /tmp/{server.crt,chain.crt} /etc/openvpn/server -.. warning:: + .. warning:: - CA Certificate and ``chain.crt`` + CA Certificate and ``chain.crt`` - In the above, the CA returns the signed sever certificate, and - includes the CA certificate ``CA.crt`` which is the ``chain.crt`` - file. This can be done over an insecure channel, though the client is - encouraged to confirm if the received ``chain.crt`` is valid, if the - transport is untrusted. + In the above, the CA returns the signed sever certificate, and + includes the CA certificate ``CA.crt`` which is the ``chain.crt`` + file. This can be done over an insecure channel, though the client is + encouraged to confirm if the received ``chain.crt`` is valid, if the + transport is untrusted. - It is possible to rename the file ``chain.crt`` file to ``CA.crt`` on - the target machine, however we will use ``chain.crt`` in the next - instructions. + It is possible to rename the file ``chain.crt`` file to ``CA.crt`` on + the target machine, however we will use ``chain.crt`` in the next + instructions. 
-6. Configure the OpenVPN server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configure the OpenVPN server +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ A connection that uses TLS requires multiple `certificates and keys for authentication `__. Now that we issued and signed those, we can place them in the right directories. The breakdown of the certificates and keys that must be located at the root directory are the following: -.. code-block:: bash - - OpenVPN server - - - The root certificate file (CA.crt or chain.crt in our setup) - - Server certificate - - Server key - - Diffie Hellman Parameters (optional) +- The root certificate file (CA.crt or chain.crt in our setup) +- Server certificate +- Server key +- Diffie Hellman Parameters (optional) On your OpenVPN server, now you can create the configuration file ``server.conf`` with your favorite text editor. The file can be configured according to your needs, while we make sure to change the server certificate and key sections according the names you chose for the your the files we signed: @@ -362,8 +357,8 @@ To test if the configuration functions properly, we can use this command: $ sudo openvpn --server --config server.conf -7. Start the OpenVPN service on the server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Start the OpenVPN service on the server +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enable the OpenVPN service by adding it to systemctl, and start it using these commands: 
@@ -380,47 +375,45 @@ To Double check if the OpenVPN service is active use this command: The OpenVPN should be running at this point. --------------- - Client side configuration ------------------------- -1. Install OpenVPN and Easy-RSA +Install OpenVPN and Easy-RSA ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1. Install the software -We can use directly ``dnf install`` to install OpenVPN 2.4.9 and Easy-RSA 3.0.7 + We can use directly ``dnf install`` to install OpenVPN 2.4.9 and Easy-RSA 3.0.7 -.. code-block:: bash + .. code-block:: bash $ sudo dnf install openvpn easy-rsa 2. Then we create as non-root a directory for Easy RSA called ``Easy-RSA`` -.. code-block:: bash + .. code-block:: bash - $ mkdir ~/easyrsa + $ mkdir ~/easyrsa 3. And link it to the Easy RSA package we just installed -.. code-block:: bash + .. code-block:: bash - $ ln -s /usr/share/easy-rsa/3/* ~/easyrsa/ + $ ln -s /usr/share/easy-rsa/3/* ~/easyrsa/ -2. Create a PKI for the OpenVPN client -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Create a PKI for the OpenVPN client +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ In the same manner we created a PKI on the OpenVPN server, we will create a PKI using Easy-RSA on the client side. -3. Create a ``client.req`` and ``client.key`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Create a ``client.req`` and ``client.key`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ In the same manner we issued the key pair on the sever, we generate a key pair for the client which will be composed of the ``client.req`` file and the ``client.key`` file. The latter must be kept secret on the client machine. -4. Sign ``client.req`` and issue the ``client.crt`` file -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Sign ``client.req`` and issue the ``client.crt`` file +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ To transfer the ``client.req`` file to the CA machine, we will use the same method as we did for the ``server.req`` file. 
@@ -430,8 +423,8 @@ Once transferred, on the CA machine we sign the certificate signing request file $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in client.req -out /home/user/pki/issued/client.crt -5. Import ``client.crt`` on the Nitrokey from the CA machine -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Import ``client.crt`` on the Nitrokey from the CA machine +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ After creating the ``client.crt`` file, we plug the Nitrokey Pro 2 device in the CA machine, and import the ``.crt`` to the Pro 2 device using this command: @@ -453,22 +446,19 @@ Or alternatively Fore more commands you can refer to the `OpenSC wiki `__. -6. Retrieve the ``chain.crt`` file from the CA machine -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Retrieve the ``chain.crt`` file from the CA machine +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ While we keep the ``client.crt``\ stored on the nitrokey Pro 2 device, we must retrieve the ``chain.crt`` file on the client machine, and store it in the adequate directory. We may use ``scp`` as in the method explained in the server section of this guide. -7. Configure the client to interact with the Nitrokey -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configure the client to interact with the Nitrokey +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Now back on the client machine, we will plug the Nitrokey Pro and use it to establish the VPN connection with the server. In general terms, a connection that uses TLS requires multiple certificates and keys for authentication: -.. code-block:: bash - - OpenVPN client - - The root certificate file (`chain.crt`) - - Client certificate - - Client key +- The root certificate file (`chain.crt`) +- Client certificate +- Client key For this guide we can the following ``client.conf`` file, and add the required options to it accordingly: 
@@ -494,47 +484,101 @@ For this guide we can the following ``client.conf`` file, and add the required o 1. Determine the correct object -Each PKCS#11 provider can support multiple devices. In order to view the available object list you can use the following command: + Each PKCS#11 provider can support multiple devices. In order to view the available object list you can use the following command: -.. code-block:: bash + .. code-block:: bash - $ openvpn --show-pkcs11-ids /usr/lib64/pkcs11/opensc-pkcs11.so + $ openvpn --show-pkcs11-ids /usr/lib64/pkcs11/opensc-pkcs11.so - The following objects are available for use. - Each object shown below may be used as parameter to + The following objects are available for use. + Each object shown below may be used as parameter to - --pkcs11-id option please remember to use single quote mark. + --pkcs11-id option please remember to use single quote mark. - Certificate - DN: CN=client - Serial: E53DA75C5B8F1518F520BCEF0128C09F - Serialized id: pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03 + Certificate + DN: CN=client + Serial: E53DA75C5B8F1518F520BCEF0128C09F + Serialized id: pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03 -Each certificate/private key pair have unique ``Serialized id`` string. The serialized id string of the requested certificate should be specified, in the configuration file. We can do this by adding the ``pkcs11-id`` option using single quote marks. + Each certificate/private key pair have unique ``Serialized id`` string. The serialized id string of the requested certificate should be specified, in the configuration file. We can do this by adding the ``pkcs11-id`` option using single quote marks. -.. code-block:: bash + .. 
code-block:: bash - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' 2. Add retrieved Serialized ID to the configuration file -Using your favorite text editor, open the server.conf file, and add the following lines, while taking care to insert your own ``Serialized id``: + Using your favorite text editor, open the server.conf file, and add the following lines, while taking care to insert your own ``Serialized id``: -.. code-block:: bash + .. code-block:: bash + + pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + For additional `settings related to OpenVPN `__ authentication, you may also add few lines to handle key maganagement, although it is optional. -For additional `settings related to OpenVPN `__ authentication, you may also add few lines to handle key maganagement, although it is optional. + .. note:: -.. note:: + Click to view the code + + .. 
code-block:: bash + + # nitrokey config + + pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + # pkcs11-pin-cache 300 + # daemon + # auth-retry nointeract + # management-hold + # management-signal + # management 127.0.0.1 8888 + # management-query-passwords + pkcs11-cert-private 1 # Prompt for PIN + + Optional step + + + If you need to test the configuration, with and without the token on the Nitrokey, you may add lines to the same ``client.conf`` and comment/uncomment the relevant lines according to your needs: + + .. note:: - Click to view the code + Click to view the code + + .. code-block:: bash + + # non_nitrokey login + + # cert client.crt + # key client.key + # tls-auth ta.key 1 + +3. Configure the OpenVPN client + + The final configuration file ``client.conf`` should look like this one: .. code-block:: bash - # nitrokey config - + client + dev tun + proto udp + remote 1194 + resolv-retry infinite + nobind + user nobody + group nobody + persist-key + persist-tun + ca ca.crt + remote-cert-tls server + cipher AES-256-CBC + verb 3 + redirect-gateway def1 + tls-version-min 1.2 # Lower boundary for TLS version + tls-version-max 1.2 # Higher boundary for TLS version + + # nitrokey login + pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' # pkcs11-pin-cache 300 
@@ -545,141 +589,90 @@ For additional `settings related to OpenVPN 1194 - resolv-retry infinite - nobind - user nobody - group nobody - persist-key - persist-tun - ca ca.crt - remote-cert-tls server - cipher AES-256-CBC - verb 3 - redirect-gateway def1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - - # nitrokey login - - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - # pkcs11-pin-cache 300 - # daemon - # auth-retry nointeract - # management-hold - # management-signal - # management 127.0.0.1 8888 - # management-query-passwords - pkcs11-cert-private 1 # Prompt for PIN - - # OR - - # non_nitrokey login - - # cert client.crt - # key client.key - # tls-auth ta.key 1 - 4. Known issues -There are some known issues related to OpenVPN login with OpenSC. Please consult these issues `here `__. + There are some known issues related to OpenVPN login with OpenSC. Please consult these issues `here `__. -8. Start the OpenVPN client -^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Start the OpenVPN client +^^^^^^^^^^^^^^^^^^^^^^^^ 1. Start the OpenVPN service on the client -Enable the OpenVPN service, and start it using these commands: + Enable the OpenVPN service, and start it using these commands: -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl -f enable openvpn-server@server.service - $ sudo systemctl start openvpn-server@server.service + $ sudo systemctl -f enable openvpn-server@server.service + $ sudo systemctl start openvpn-server@server.service -To double check if the OpenVPN service is active use this command: + To double check if the OpenVPN service is active use this command: -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl status openvpn-server@server.service + $ sudo systemctl status openvpn-server@server.service 2. 
Enter your User PIN -When executing OpenVPN client, Nitrokey’s PIN needs to be entered: + When executing OpenVPN client, Nitrokey’s PIN needs to be entered: -.. code-block:: bash + .. rstcheck: ignore-next-code-block + .. code-block:: bash - $ sudo openvpn --client --config client.conf - Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 - Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 - Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' - Enter User PIN (OpenPGP card) token Password: ****** + $ sudo openvpn --client --config client.conf + Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 + Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 + Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' + Enter User PIN (OpenPGP card) token Password: ****** -.. warning:: - - Unfortunately OpenVPN doesn’t seem to be able to establish a handshake and stops at an error as reported `here `__, `here `__ and `here `__ + .. warning:: -.. 
code-block:: bash - - This is what the error output looks like: - - $ sudo openvpn --client --config client.conf - Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 - Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 - Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' - Enter User PIN (OpenPGP card) token Password: ******`` - Fri Sep 11 17:42:12 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]18.157.180.240:1194`` - Fri Sep 11 17:42:12 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]`` - Fri Sep 11 17:42:12 2020 UDP link local: (not bound) - Fri Sep 11 17:42:12 2020 UDP link remote: [AF_INET]18.157.180.240:1194 - Fri Sep 11 17:42:12 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay - Fri Sep 11 17:42:12 2020 TLS: Initial packet from [AF_INET]18.157.180.240:1194, sid=d79690cf 9e38ce89 - Fri Sep 11 17:42:12 2020 VERIFY OK: depth=1, CN=server_CA - Fri Sep 11 17:42:12 2020 VERIFY KU OK - Fri Sep 11 17:42:12 2020 Validating certificate extended key usage - Fri Sep 11 17:42:12 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication - Fri Sep 11 17:42:12 2020 VERIFY EKU OK - Fri Sep 11 17:42:12 2020 VERIFY OK: depth=0, CN=server - Fri Sep 11 17:42:12 2020 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib - Fri Sep 11 17:42:12 2020 TLS_ERROR: BIO read tls_read_plaintext error - Fri Sep 11 17:42:12 2020 TLS Error: TLS object -> incoming plaintext read error - Fri Sep 11 17:42:12 2020 TLS Error: TLS handshake failed - Fri Sep 11 17:42:12 2020 SIGUSR1[soft,tls-error] received, process restarting - Fri Sep 11 17:42:12 2020 Restart pause, 5 second(s) - -In some reported cases it does not prompt for a PIN on the terminal. 
One workaround would be to use to use this command to login with the PIN: + Unfortunately OpenVPN doesn’t seem to be able to establish a handshake and stops at an error as reported `here `__, `here `__ and `here `__ -.. code-block:: bash + .. rstcheck: ignore-next-code-block + .. code-block:: bash + + This is what the error output looks like: + + $ sudo openvpn --client --config client.conf + Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 + Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 + Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' + Enter User PIN (OpenPGP card) token Password: ******`` + Fri Sep 11 17:42:12 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]18.157.180.240:1194`` + Fri Sep 11 17:42:12 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]`` + Fri Sep 11 17:42:12 2020 UDP link local: (not bound) + Fri Sep 11 17:42:12 2020 UDP link remote: [AF_INET]18.157.180.240:1194 + Fri Sep 11 17:42:12 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay + Fri Sep 11 17:42:12 2020 TLS: Initial packet from [AF_INET]18.157.180.240:1194, sid=d79690cf 9e38ce89 + Fri Sep 11 17:42:12 2020 VERIFY OK: depth=1, CN=server_CA + Fri Sep 11 17:42:12 2020 VERIFY KU OK + Fri Sep 11 17:42:12 2020 Validating certificate extended key usage + Fri Sep 11 17:42:12 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication + Fri Sep 11 17:42:12 2020 VERIFY EKU OK + Fri Sep 11 17:42:12 2020 VERIFY OK: depth=0, CN=server + Fri Sep 11 17:42:12 2020 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib + Fri Sep 11 17:42:12 2020 TLS_ERROR: BIO read tls_read_plaintext error + Fri Sep 11 17:42:12 2020 TLS Error: TLS object -> incoming plaintext read error + Fri Sep 11 17:42:12 2020 TLS 
Error: TLS handshake failed + Fri Sep 11 17:42:12 2020 SIGUSR1[soft,tls-error] received, process restarting + Fri Sep 11 17:42:12 2020 Restart pause, 5 second(s) + + In some reported cases it does not prompt for a PIN on the terminal. One workaround would be to use to use this command to login with the PIN: + + .. rstcheck: ignore-next-code-block + .. code-block:: bash - $ telnet 8888 password 'User PIN (OpenPGP card) token' + $ telnet 8888 password 'User PIN (OpenPGP card) token' -Alternatively, you could `recompile OpenVPN `__ client with systemd support disabled, and it will prompt you for the PIN as expected. + Alternatively, you could `recompile OpenVPN `__ client with systemd support disabled, and it will prompt you for the PIN as expected. -Another option, would be to login to your OpenVPN instance with the Viscosity client which provides a better user experience especially for entering the PIN. + Another option, would be to login to your OpenVPN instance with the Viscosity client which provides a better user experience especially for entering the PIN. diff --git a/storage/linux/product_platform_heading.rst b/storage/linux/product_platform_heading.rst deleted file mode 100644 index 0556a5df76..0000000000 --- a/storage/linux/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey Storage 2 - Linux) diff --git a/storage/mac/factory-reset.rst b/storage/mac/factory-reset.rst index efebeb7171..1fadfcfeee 100644 --- a/storage/mac/factory-reset.rst +++ b/storage/mac/factory-reset.rst @@ -1,6 +1,4 @@ Factory Reset ============= -.. include:: ../mac/product_platform_heading.rst - .. include:: ../factory-reset.rst diff --git a/storage/mac/firmware-update-manually.rst b/storage/mac/firmware-update-manually.rst index 269252fe60..1f0848f0f0 100644 --- a/storage/mac/firmware-update-manually.rst +++ b/storage/mac/firmware-update-manually.rst 
@@ -1,6 +1,4 @@ Activate Update Mode Manually ============================= -.. include:: ../mac/product_platform_heading.rst - .. include:: ../firmware-update-manually.rst diff --git a/storage/mac/product_platform_heading.rst b/storage/mac/product_platform_heading.rst deleted file mode 100644 index 43bad4365f..0000000000 --- a/storage/mac/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey Storage 2 - macOS) diff --git a/storage/windows/factory-reset.rst b/storage/windows/factory-reset.rst index 5f29acd638..1fadfcfeee 100644 --- a/storage/windows/factory-reset.rst +++ b/storage/windows/factory-reset.rst @@ -1,6 +1,4 @@ Factory Reset ============= -.. include:: ../windows/product_platform_heading.rst - .. include:: ../factory-reset.rst diff --git a/storage/windows/firmware-update-manually.rst b/storage/windows/firmware-update-manually.rst index 762e2fc05b..1f0848f0f0 100644 --- a/storage/windows/firmware-update-manually.rst +++ b/storage/windows/firmware-update-manually.rst @@ -1,6 +1,4 @@ Activate Update Mode Manually ============================= -.. include:: ../windows/product_platform_heading.rst - .. include:: ../firmware-update-manually.rst diff --git a/storage/windows/firmware-update.rst b/storage/windows/firmware-update.rst index 99748af577..825826699d 100644 --- a/storage/windows/firmware-update.rst +++ b/storage/windows/firmware-update.rst @@ -1,8 +1,6 @@ Firmware Update =============== -.. include:: ./product_platform_heading.rst - .. contents:: :local: .. warning:: 
@@ -22,25 +20,25 @@ Firmware Update 3. Right click on the icon of the Nitrokey App and go to “Configure” -> “Enable Firmware Update”. The default firmware password is ‘12345678’. -.. figure:: /storage/images/enable-firmware-update.png - :alt: Enable firmware update + .. figure:: /storage/images/enable-firmware-update.png + :alt: Enable firmware update -.. note:: + .. note:: - The Nitrokey Storage is not detected by Nitrokey App anymore once update mode got - activated. You have to proceed with the instructions described below - to make it work again. + The Nitrokey Storage is not detected by Nitrokey App anymore once update mode got + activated. You have to proceed with the instructions described below + to make it work again. -.. note:: + .. note:: - If you are using Microsoft Windows Build 1809 and Nitrokey Storage - Firmware 0.52 or lower, you need to use another system or if this is not - feasible use `these - instructions `_ to - enable the Firmware Update mode. + If you are using Microsoft Windows Build 1809 and Nitrokey Storage + Firmware 0.52 or lower, you need to use another system or if this is not + feasible use `these + instructions `_ to + enable the Firmware Update mode. 4. Start the Nitrokey Update Tool and click “Select firmware file”. Select the previously downloaded firmware ".hex" file. Click on “Update firmware” to start the update process. Your device should get detected by the Nitrokey App again as soon as the update is finished. -.. figure:: /storage/windows/images/nitrokey-update-tool.png - :alt: Nitrokey Update Tool + .. figure:: /storage/windows/images/nitrokey-update-tool.png + :alt: Nitrokey Update Tool diff --git a/storage/windows/index.rst b/storage/windows/index.rst index 359ad9c43b..4e973c3959 100644 --- a/storage/windows/index.rst +++ b/storage/windows/index.rst 
@@ -12,14 +12,14 @@ Nitrokey Storage, Windows 1. Connect your Nitrokey to your computer and confirm all dialogs so that the USB smart card device driver gets installed almost automatically. -.. note:: + .. note:: - Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning. + Windows may fail to install an additional device driver for the smart card. Its safe to ignore this warning. 2. Download and start the `Nitrokey App `__. Perhaps you want to store it on the unencrypted partition of your Nitrokey Storage. There won’t open a window, but an icon appears in the system tray (see screenshot below). Please right-click on this icon to use all the options of the App. -.. figure:: ./images/Windows10-Systemtray.png - :alt: img1 + .. figure:: ./images/Windows10-Systemtray.png + :alt: img1 3. Open the About window from Nitrokey App’s menu and check if you have the `latest firmware `__ installed. If it’s not the latest, please diff --git a/storage/windows/product_platform_heading.rst b/storage/windows/product_platform_heading.rst deleted file mode 100644 index 85e7d5eb97..0000000000 --- a/storage/windows/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey Storage 2 - Windows) diff --git a/syntax.rst b/syntax.rst index 4530a56b3e..3b6dad7838 100644 --- a/syntax.rst +++ b/syntax.rst @@ -2,9 +2,6 @@ Nitrokey Documentation - Syntax =============================== -.. container:: product_platform_heading - - (Nitrokey Product - Platform) .. contents:: :local: diff --git a/u2f/linux/product_platform_heading.rst b/u2f/linux/product_platform_heading.rst deleted file mode 100644 index 583c8d867c..0000000000 --- a/u2f/linux/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey FIDO U2F - Linux) 
diff --git a/u2f/mac/product_platform_heading.rst b/u2f/mac/product_platform_heading.rst deleted file mode 100644 index 0085e62998..0000000000 --- a/u2f/mac/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey FIDO U2F - macOS) diff --git a/u2f/windows/product_platform_heading.rst b/u2f/windows/product_platform_heading.rst deleted file mode 100644 index 645cd17769..0000000000 --- a/u2f/windows/product_platform_heading.rst +++ /dev/null @@ -1,3 +0,0 @@ -.. container:: product_platform_heading - - (Nitrokey FIDO U2F - Windows)
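Review bot: the copy step in the server-key hunk uses `/home/admin/EasyRSA/pki/private/server.key`, but the step right before it runs `cd easyrsa/` inside `~/easyrsa`, so the directory name and its casing do not match and the `cp` fails for a reader who followed step 1 literally (Linux paths are case-sensitive). Suggest `$ sudo cp ~/easyrsa/pki/private/server.key /etc/openvpn/server/`. In the same hunk the sentence "Once you have a signed certificate, you'll transfer it back to the OpenVPN server" appears before anything has been sent to the CA; it belongs at the start of the signing section.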
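Review bot: in the "Sign and retrieve server.crt" hunk the lead sentence reads "with our CA on deployed on the HSM 2 device"; drop the stray "on". The tip in the same region says "We will use interchangeably both extensions", which reads better as "We will use both extensions interchangeably", and the surrounding paragraphs switch between "we" and "I" within two sentences; pick one voice for the re-indented text.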
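Review bot: in the CA-machine hunk, `$ mkdir/opt/certificate-authority/` is missing the space after `mkdir` and will be rejected by the shell. The step title also promises an `openvpn/` directory under `certificate-authority/`, which the two commands never create, yet the later `scp openvpn/{server.crt,chain.crt} ...` relies on it, and the `openssl ca ... -out /home/user/pki/issued/server.crt` writes the certificate somewhere else entirely. Suggest `$ mkdir -p /opt/certificate-authority/openvpn` followed by `$ cd /opt/certificate-authority/`, and point `-out` at `openvpn/server.crt` so the `scp` source actually exists.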
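Review bot: `$ mv /tmp/{server.crt,chain.crt} /etc/openvpn/server` in the "Retrieve the server.crt file" hunk lacks `sudo`, unlike the `cp` into the same directory earlier in the patch; `/etc/openvpn/server` is not writable by the unprivileged admin account the `scp` step uses, so the move fails as written. In the warning text below it, "signed sever certificate" should read "server", and "rename the file ``chain.crt`` file" repeats "file". The context paragraph in the following hunk, "according the names you chose for the your the files we signed", is garbled and worth fixing while the block is being touched.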
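Review bot: in the client "Install the software" step, the `.. code-block:: bash` directive was re-indented by three spaces but its body `$ sudo dnf install openvpn easy-rsa` appears as unchanged context, whereas the sibling blocks (`$ mkdir ~/easyrsa`, `$ ln -s /usr/share/easy-rsa/3/* ~/easyrsa/`) had both directive and body moved. Confirm the body still sits deeper than the directive; if it is now level with it, Sphinx renders the command as a paragraph, not a code block. The renamed heading "Install OpenVPN and Easy-RSA" also keeps the 31-caret underline from the old numbered title; it is valid RST, but every other renamed heading in this patch was trimmed to the title length.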
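Review bot: step 2 of the client configuration says "open the server.conf file", but the options that follow (`pkcs11-providers`, `pkcs11-id`) are client-side settings, and the next paragraph and step 3 both refer to `client.conf`; a reader working on the client machine has no server.conf. Typos in the same hunk: "maganagement" should be "management" and "add few lines" should be "add a few lines".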
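Review bot: the consolidated `client.conf` in step 3 uses `ca ca.crt`, but the "Retrieve the chain.crt file from the CA machine" section earlier in the patch tells the reader to keep the CA certificate as `chain.crt`; the names must agree or the client fails certificate verification at startup. `tls-version-max 1.2` caps negotiation at TLS 1.2 and so rules out TLS 1.3 even where both peers support it; unless the server requires the cap, keeping only `tls-version-min 1.2` is the safer default. The serialized id carries a doubled prefix, `pkcs11:model=pkcs11:model=...`, in every place it is quoted, including the `--show-pkcs11-ids` output; worth confirming this is really what the tool prints before the redacted placeholders (`%NNNN`, `000NNNNNN`) are filled in. "Optional step" is a bare paragraph inside the numbered item rather than a sub-heading; either use a rubric or fold it into the sentence that follows.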
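Review bot: the "Start the OpenVPN service on the client" step enables, starts and queries `openvpn-server@server.service`, which is the server-side unit and the same three commands already given in the server section. On the client the matching systemd template is `openvpn-client@.service`, which reads `/etc/openvpn/client/<name>.conf`, so the commands should target `openvpn-client@client.service` and the `client.conf` assembled in step 3 should be placed under `/etc/openvpn/client/`.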
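Review bot: in the error-output block inside the warning, three lines end with a stray pair of backticks (`token Password: ******`, the `Preserving recently used remote address ...:1194` line and the `Socket Buffers` line) that were carried over unchanged; they are not part of the OpenVPN output and should be dropped while the block is being re-indented anyway. The sentence "This is what the error output looks like:" sits inside the `.. code-block:: bash` body and renders as terminal output; move it above the directive. In the workaround paragraph, "to use to use" is duplicated.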
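Review bot: in the storage/windows/index.rst hunk, "Its safe to ignore this warning" should read "It's safe"; cheap to fix while the note is being re-indented. The deletions of the `product_platform_heading.rst` files under storage/* and u2f/* match the removal of the `.. include::` lines in this patch, but the `syntax.rst` hunk only removes the `.. container:: product_platform_heading` example without replacing the guidance it illustrated; if contributors are no longer meant to add that container, a one-line note in syntax.rst saying so would avoid the pattern creeping back in.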