Nitrokey 3 Alpha Firmware

We have now released a new alpha version 20221130 of the firmware for now all Nitrokey 3 models. Future alpha versions will be available centrally in the Nitrokey 3 firmware repository.

One major difference is the availability for all Nitrokey 3 models, which is also an important step for the codebase. The firmware for the Nitrokey 3A NFC, 3C NFC and 3A Mini will now be built from one codebase, so all models will have the same functionality in the future.

One-time passwords (OTP)

The firmware includes an initial implementation for HOTP and TOTP as a second factor. The current version of the command line tool pynitrokey can be used to use these one-time passwords. A new Nitrokey App 2 is already in development to be able to use one-time passwords conveniently via a graphical user interface (GUI) in the future. Currently you can manage OTPs with the alpha firmware using pynitrokey as follows:

# Register a one-time password with the name 'test':
$ nitropy nk3 otp register --experimental test ABCDEFGHIJKLMNOP
# Display all registered OTP entries:
$ nitropy nk3 otp show
# Get the one-time password for the name 'test':
$ nitropy nk3 otp get --experimental test# Show help:
$ nitropy nk3 otp --help
$ nitropy nk3 otp register --help# --clear-password & --set-password do not work at the moment

OpenPGP Card

The first alpha version of the OpenPGP Card has been further improved and the current version now supports RSA. In summary, RSA 2048, NIST P256 as well as Ed25519 keys can now be generated and RSA 4096 keys can be imported but not generated. In addition, we have improved the compatibility with OpenSC, as well as fixed numerous minor bugs. Please note, if you update from an earlier alpha firmware you need to factory reset the OpenPGP Card with a specific command, otherwise it won't work properly.


Currently, the above functions are only implemented in software and the one-time passwords (or secrets) and cryptographic keys are still stored unencrypted in the microprocessor. Our goal is to integrate the Secure Element (SE050) first with one-time passwords and then with the OpenPGP Card in the next few months. Subscribe to this blog to stay informed about developments.

Short Nitrokey 3 Status Update

Essentially, there is nothing new to report. As mentioned before, we still plan to ship the Nitrokey 3C NFC with new cases starting at the end of this year.

Stay Secure
Your Nitrokey Team



I've been using the alpha software on my NK3A for the last two days. OpenPGP works as expected. I have a question, though. You write "cryptographic keys are still stored unencrypted in the microprocessor". So let me ask you: when this is resolved in a new firmware release (in the months to come), will keys be somehow transferred to the secure element or will I lose them when updating firmware? Kind regards, Mateusz
Currently the plan that there will be no migration path. It is also very likely that (some of) the alpha releases on the way will also delete your keys as the underlying storage architecture will undergo various changes - that's one of the reasons we state that the alpha shall not be used for production. We will clearly communicate once we expect the key storage to be stable (this might even be before the OpenPGP Card feature itself will move into stable).
OK, I get it. Thank you for your answer.
This sounds like really great progress, keep up the good work! :)
Hey. Since the Nitrokey 3 is CC EAL 6+ certified, has there been any consideration of getting an official Authenticator Certification Level from the FIDO alliance? They rate various FIDO2 authenticators on their ability to protect the secrets they're holding. This is useful for adoption in governments and perhaps even enterprises. The new generation of keys are supposedly utilizing the SE050 so I think this might play in your favor.
Yes, we are currently looking at the options to go for a fido-alliance certification, but no ETA yet
Hey. How many key pairs and passwords exactly can be stored in the NK3 is still unknown, right?
Initially there will only be one identity for OpenPGP Card, later likely more. But you are right, we cannot give numbers yet - we are currently working on the details of the storage concept especially on how the 2MB external flash can be incorporated together with the 50kb available on the SE050.
For alpha testers, is there a special procedure to report bugs/issues or should we just dump things into GitHub issues?
Please report on Github, thanks
Can you please clarify how fido resident keys are stored/protected? Is the security chip used? Will a firmware update erase them?
Currently they are stored exclusively inside the MCU's internal non-volatile memory. The MCUs are sealed and firmwares need to be signed, means there is no way to extract these w/o the signing keys. In the future there will be the option to save them onto the SE050 secure element for a even higher security, but this will come with the drawback that fido2 will not work through NFC (as there is not enough power to bring up the secure element during NFC operation). A firmware update will not delete the RKs.
Is there an ETA for the new app? Or a little peek on how the GUI would look like?
Currently we plan for beginning of 2023, there won't be too much functionality at the beginning - we planning for smaller, faster release cycles with this application to be able to do small (release) steps with constant improvements.
please add a hint to the realease notes / readme that libccid version 1.5 is required source: / ccid / shouldwork.html otherwise the reset command using opensc-tool will not work
thanks for the hint, will do

Add new comment

Fill in the blank.

Nitrokey - Made in Germany