, , ,

privacyIDEA Enrollment Station for Yubikey and Nitrokey


The Raspberry PI can act as a great enrollment station for Yubikey and Nitrokey.

Using the Yubikey and the Nitrokey with privacyIDEA is great. With the privacyIDEA admin client you can initialize the secret seeeds on both devices and thus achieving the highest trust with privacyIDEA. The vendor does not generate the seeds anymore – you do.

But to initializes these devices you need some drivers on your system. This is why it can be a good idea to set up a dedicated enrollment station. This integration guide takes you through the steps of setting up a Raspberry PI 3B as enrollment station. Thanks to the form factor this enrollment station looks like a simple smartcard reader on your desk. You connect it the LAN and power and you are done.

You connect with SSH (e.g. via putty or any other SSH client) to the enrollment station and issue a single command to initialize the tokens.

Putting Ubuntu 16.04 on the Raspberry PI

We are choosing Ubuntu 16.04 since it comes with the correct versions of all necessary drivers. Ubuntu Mate is available as 16.04 for the Raspberry PI 3.

You need to download the image and write it to the SD card. Please see the notes on the Ubuntu Mate page on how to do this on either Linux oder Windows.

After writing the SD card, insert the SD card in the Raspberry PI, connect power, monitor, keyboard and mouse and boot into the system.

Preparing for Yubikey

Install the follogin packages to be able to enroll the Yubikey.

apt-get install yubikey-personalization python-sqlite python-requests \
python-usb python-cffi python-enum python-yubico libykpers-1-1

Preparing for Nitrokey

The Nitrokey driver is not contained in the Ubuntu repositories. But you need to install the following prerequisites:

apt-get install libhidapi-dev git

You need to use the Nitrokey library available at github:

git clone
git checkout v1.0
make CXX=g++

After the successfull build, simple copy the nitrokey library to a system directory.

cp build/ /usr/lib

Install privacyIDEA admin client

You need the privacyIDEA admin client to enroll the Yubikey and Nitrokey.

add-apt-repository ppa:privacyidea/privacyidea
apt-get update
apt-get install privacyideaadm

Enrolling Tokens

To enroll Yubikeys you can now issue the command

privacyidea -U https://your.privacyidea.server --admin super token yubikey_mass_enroll

while “super” being the name of your administrator. If you do not have a trusted certificate during your tests, you might use the option “–nosslcheck”.

This command will enroll the connected Yubikey and ask you to insert the next Yubikey. It will initialize Yubikeys and create new token objects in privacyIDEA until you hit Ctrl-C to exit the program.

To enroll Nitrokeys you can run the command

privacyidea -U https://your.privacyidea.server --admin super token nitrokey_mass_enroll

Ease your life

You will login to the enrollment station via SSH when you mass enroll tokens. You may find it tedious to enter all the parameters. Thus you can use a configuration file for the admin client. Create a file “yubikey” with all the parameters as content:


and now you can easily enroll tokens with the command

privacyidea @yubikey

The “@yubikey” will read the parameters from the file “yubikey”. In the same way you can create a file for enrolling Nitrokeys.