KeePassXC 2.7.6 Supports Nitrokey 3

KeePassXC is the most popular open source password manager for Windows, macOS and Linux. The new version 2.7.6 allows to protect password stores not only with a master password, but to encrypt and unlock password stores with a Nitrokey 3 instead. This not only increases security but also makes KeePassXC easier to use. KeePassXC can be downloaded for free here.

17.8.2023

Comments

Submitted by jack on 17. August 2023 - 11:18
I tried to use add-challenge-response command on windows but i get this error: "base32)' is not recognized as an internal or external command"
Submitted by Szczepan on 18. August 2023 - 16:09
Hi Jack! I assume this is about pynitrokey? Please create a topic at support dot nitrokey dot com, where we help with problems like this.
Submitted by jack on 21. August 2023 - 15:59
Any help please ?
Submitted by Turbinchen on 21. August 2023 - 21:08
This example works for me in powershell (using nitropy 0.4.39 and nk3 firmware v1.5.0, writing to slot 2): nitropy.exe nk3 secrets add-challenge-response 2 ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 Of course you want to use a good random secret in practice. The example secret shown is just to reflect all base32 symbols.
Submitted by Nobody on 17. August 2023 - 11:56
Das sind ja tolle Neuigkeiten. Herzlichen Glückwunsch!
Submitted by Anonymous on 19. August 2023 - 9:34
Findet meinen Nitrokey 3A Mini immer noch nicht. Muss man vorher was am Nitrokey aktivieren?
Submitted by Anonymous on 19. August 2023 - 21:01
Doesn't work. Nitrokey is not recognized by KeepassXC on Linux Mint.
Submitted by Anonymous on 22. August 2023 - 20:48
It works you need a recent version of pynitro e.g. (v0.4.39). 1. Encode a secret using base32 e.g. using `echo "" | base32`. The resulting b32-secret-string needs to be exactly 20 bytes in length 2. ./nitropy-v0.4.39-x64-linux-binary nk3 secrets add-challenge-response {1,2} # There are two slots available 1 and 2 you need to choose one Afterwards you probably need to reboot the nitrokey e.g. by removing and reattaching it.
Submitted by Anonymous on 21. August 2023 - 17:38
Super! Jetzt fehlt nur noch, dass KeePassDX für Android das auch kann.
Submitted by Anonymous on 21. August 2023 - 22:41
Is there any documentation available? I could not manage to use KeepassXC with my NK3 on MXLinux (Firmware and KeepassXC are up to date)
Submitted by Anonymous on 22. August 2023 - 19:16

Here is what I did on Arch Linux with nitropy and base32 installed in case anyone else needed a bit of extra help figuring this out.

Install and enable the smartcard daemon (PCSCD) using your package manager/init system. On Arch, that would be:

sudo pacman -S ccid opensc

sudo systemctl start pcscd.socket

sudo systemctl enable pcscd.socket

Confirm it is running with:

systemctl status pcscd.socket

Generate a 20-byte random string with:

dd if=/dev/urandom of=/tmp/nk bs=20 count=1

Encode this and add to your nitrokey in a slot (slot 2 here):

nitropy nk3 secrets add-challenge-response 2 $(base32 /tmp/nk)

Repeat this last step on your backup nitrokey if you have one. Copy your KeePass database so you have a backup. Add the challenge-response authentication to KeePassXC under database -> database security -> challenge-response Test opening it with both nitrokeys. Be sure to add "Hardware Key" on the unlock screen the first time (I had to open KeePassXC after plugging it in then click refresh to get it to appear the first time). If it does not appear, there may be an issue with pcscd not running.

This also worked on NixOS after adding services.pcscd.enable = true;

If you are using the KeePassXC FlatPak, make sure to enable socket=pcsc (e.g. with FlatSeal).

I don't think the feature is implemented on KeePassDX yet for anyone using that on mobile.

Submitted by Anonymous on 30. August 2023 - 12:11
Thanks for the pointers on this subject! But when I run nitropy nk3 secrets add-challenge-response 2 $(base32 /tmp/nk) i get this error: Critical error: An unhandled exception occurred Exception encountered: AttributeError("module 'semver' has no attribute 'Version'") I'm also on Arch Linux running nitropy 0.4.39 Any idea what I'm missing here?
Submitted by meissner on 30. August 2023 - 13:30
looks like `Version` was renamed to `VersionInfo` in `semver`. Created an issue - we'll fix that asap and release a new pynitrokey version
Submitted by Anonymous on 30. August 2023 - 14:24
awesome! thanks
Submitted by meissner on 4. September 2023 - 13:11
Small correction, it is the other way around. Version is the correct/new name, which shall be used. The python-semver package in ArchLinux is currently outdated. Please use `pipx` to install pynitrokey until the package is updated.
Submitted by Ben on 13. September 2023 - 15:45
Does this work on the nitrokey 2 pro, too?
Submitted by meissner on 15. September 2023 - 11:34
Nope, this will only work with the Nitrokey 3
Submitted by Michael on 14. September 2023 - 11:56
Kann man sagen wann es ohne zu tun funktionieren wird? Alaso wie wenn ich einen Yubikey nutzen will?
Submitted by x on 19. September 2023 - 10:26
On debian bookworm with yubikey everything is working fine, but nitrokey 3 doesn´t gets recognized. pcscd.socket is running, a base 32 20-digit challenge-response is set, pynitrokey is up to date via pipx,KeepassXC 2.76. Any hints?
Submitted by meissner on 19. September 2023 - 17:26
Hey, hey - for technical questions the forums might be the better place to ask - simply due to the wider audience.

Add new comment

Fill in the blank.