Published on: February 18, 2025 Updated 2 times since publishing
Hardware security is a critical component in protecting digital assets, and Nitrokey has been at the forefront of developing open-source security hardware for over a decade. Founded in 2015, Nitrokey has grown from a single USB security key into a comprehensive portfolio that includes notebooks, PCs, hardware security modules (HSMs), network firewalls, and secure smartphones—all designed with transparency and security in mind.
In this SafetyDetectives interview, Jan Suhr, CEO and co-founder of Nitrokey, shares the journey of building a fully open-source security company, the challenges of hardware-based authentication, and how Nitrokey is preparing for the future of cybersecurity, including post-quantum cryptography and passwordless authentication.
Can you tell us about your journey in founding Nitrokey and what inspired you to focus on hardware-based security solutions?
Our roots trace back to 2008 when two friends and I, while traveling, found ourselves encrypting emails in internet cafés whose computers we normally would not want to share our private cryptographic keys with. At that moment, the idea of a USB key for securely using email encryption was born. We started developing such a device and established the non-profit open-source project Crypto Stick. A year later, in 2009, we released version 1.0 of the Crypto Stick, which was a predecessor of the Nitrokey USB key. Over the following years, our project grew, and we found that many more people wanted transparent, open-source security hardware. Eventually, I founded the company in 2015, focusing on protecting people’s and organizations’ digital lives through open-source security hardware.
How has Nitrokey evolved since its inception, and what sets it apart from other cybersecurity companies in the hardware security space?
Ten years ago, Nitrokey started as a self-financed enterprise with a single product, a USB key. Since then, the company has grown massively. Today, our portfolio includes notebooks, PCs, hardware security modules (HSMs), network firewalls, smartphones, and many more products. We have an engaged team of almost 20 people and count tens of thousands of customers from more than 120 countries, including numerous well-known international enterprises across various industries.
In an increasingly digitalized world with increasingly sophisticated attacks, securing the IT foundation, which is the hardware, is crucial. In recent years, Snowden and other revelations have proven that security must be transparent (open-source) because otherwise, it is prone to backdoors and other vulnerabilities. This is why Nitrokey focuses on developing and delivering open-source IT security hardware. Nitrokey is a sustainable, 10-year-old, manager-owned company, financially independent of external parties that could potentially conflict with our mission to protect organizations’ and people’s digital lives.
With the increasing adoption of passwordless authentication, how do you see Nitrokey’s FIDO2 products shaping the future of secure access?
It is great to see FIDO2, or passkeys, becoming more widely adopted as a convenient and secure successor to passwords. This aligns with the increasing demand for our Nitrokey USB keys, which people can use as their digital latchkey—a scenario we have long promoted and is now finally becoming a reality.
Open-source transparency is a key principle at Nitrokey. How do you ensure that this approach meets both user expectations and enterprise-level security needs?
Every serious development project requires sufficient funding and resources. Unlike many open-source software projects, as a hardware vendor, we have had a revenue stream from day one. To this day, we reinvest 100% of our revenue into the company and further developments. Our track record proves that our products satisfy both consumer and enterprise requirements.
What challenges do you think organizations face when implementing hardware-based security, and how does Nitrokey address these issues?
All organizations already have some form of hardware, and hardware-based security is not much different in general. However, its implementation depends on the specific product being deployed. Additionally, usability and user acceptance can be a challenge for security in general. For Nitrokey USB keys, asset management, logistics, and integration could be challenging. With WebAuthn and passkeys, a versatile standard is now available that allows native integration into all types of applications while providing a superior user experience. On top of that, we offer services to ship Nitrokeys directly to employees’ homes, which organizations can subscribe to as a flat-rate service. For other products, such as smartphones, we offer a mobile device management (MDM) solution, which is essential for any large-scale deployment. Our laptops and PCs come with similar options as well.
As cyber threats evolve, what innovative solutions or advancements is Nitrokey focusing on to stay ahead in the cybersecurity industry?
I believe that internally, having a skilled and engaged team and selectively collaborating externally is essential to act most effectively and avoid becoming an overextended and inefficient organization. For example, we collaborate with research institutions to bring post-quantum cryptography to WebAuthn and Nitrokeys, as well as to NetHSM.
Regarding our products, having the right technical foundation is critical. This is why, a few years ago, we started developing Nitrokey 3 from scratch. Now, we have a perfectly engineered solution in Rust, which we can easily maintain and improve. In security, often “less is more.” While most competitors still build IoT or embedded products with ordinary, large operating systems such as Linux, with NetHSM, we use an innovative stack of technologies, including a formally verified microkernel and a clean, secure unikernel framework. This serves as a great foundation for developing new and improving existing products over the next 10 years.