TL;DR: The Foundation/Nitrokey partnership is sending Nitrokey Pro units that are not the same as the Nitrokey Start units vulnerable to hands-on key extraction attack. As a few people have asked about it: There was a production batch of "Nitrokey Start" units that did not have a read-protection bit configured, and thus were vulnerable to a key extraction attack: https://github.com/rot42/gnuk-extractor The issue was specific to a batch of hardware that was mis-programmed, and the issue is not present on newer Nitrokey Start units. https://github.com/Nitrokey/nitrokey-start-firmware/issues/14 The Foundation/Nitrokey partnership is providing Nitrokey Pro 2 units, which are supposedly not vulnerable to this issue (but I'd be happy for a hardware hacker to confirm this, I understand that the Pro2 has a seperate smartcard internally) If you already had an older Nitrokey Start unit, reviewing/updating the firmware is advised. -- Robin Hugh Johnson Gentoo Linux: Dev, Infra Lead, Foundation Treasurer E-Mail : robbat2@gentoo.org GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136