KeePassXC 2.7.6 Supports Nitrokey 3

KeePassXC is the most popular open source password manager for Windows, macOS and Linux. Version 2.7.6 makes it possible not only to protect password stores with a master password, but to encrypt and unlock them with a Nitrokey 3 instead. This not only increases security but also makes KeePassXC easier to use. KeePassXC can be downloaded for free here.

17.8.2023

Comments

I tried to use the add-challenge-response command on Windows but I get this error: "base32)' is not recognized as an internal or external command"
Hi Jack! I assume this is about pynitrokey? Please create a topic at support dot nitrokey dot com, where we help with problems like this.
Any help please?
This example works for me in PowerShell (using nitropy 0.4.39 and nk3 firmware v1.5.0, writing to slot 2): `nitropy.exe nk3 secrets add-challenge-response 2 ABCDEFGHIJKLMNOPQRSTUVWXYZ234567` Of course you want to use a good random secret in practice. The example secret shown is just to reflect all base32 symbols.
That's great news. Congratulations!
It still doesn't find my Nitrokey 3A Mini. Do you have to enable something on the Nitrokey first?
Doesn't work. Nitrokey is not recognized by KeepassXC on Linux Mint.
It works, you need a recent version of pynitro, e.g. v0.4.39.
1. Encode a secret using base32, e.g. using `echo "" | base32`. The resulting b32-secret-string needs to be exactly 20 bytes in length.
2. `./nitropy-v0.4.39-x64-linux-binary nk3 secrets add-challenge-response {1,2}` # There are two slots available, 1 and 2; you need to choose one.
Afterwards you probably need to reboot the Nitrokey, e.g. by removing and reattaching it.
Great! Now all that's missing is for KeePassDX for Android to support this too.
Is there any documentation available? I could not manage to use KeepassXC with my NK3 on MXLinux (Firmware and KeepassXC are up to date)

Here is what I did on Arch Linux with nitropy and base32 installed in case anyone else needed a bit of extra help figuring this out.

Install and enable the smartcard daemon (PCSCD) using your package manager/init system. On Arch, that would be:

sudo pacman -S ccid opensc

sudo systemctl start pcscd.socket

sudo systemctl enable pcscd.socket

Confirm it is running with:

systemctl status pcscd.socket

Generate a 20-byte random string with:

dd if=/dev/urandom of=/tmp/nk bs=20 count=1

Encode this and add to your nitrokey in a slot (slot 2 here):

nitropy nk3 secrets add-challenge-response 2 $(base32 /tmp/nk)

Repeat this last step on your backup nitrokey if you have one. Copy your KeePass database so you have a backup. Add the challenge-response authentication to KeePassXC under database -> database security -> challenge-response. Test opening it with both nitrokeys. Be sure to add "Hardware Key" on the unlock screen the first time (I had to open KeePassXC after plugging it in then click refresh to get it to appear the first time). If it does not appear, there may be an issue with pcscd not running.

This also worked on NixOS after adding services.pcscd.enable = true;

If you are using the KeePassXC FlatPak, make sure to enable socket=pcsc (e.g. with FlatSeal).

I don't think the feature is implemented on KeePassDX yet for anyone using that on mobile.
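The comments above give the slot secret as 20 random bytes in base32, and one commenter hit an error on Windows, where no `base32` command exists. The following added example (not from the original comments or the pynitrokey project) generates and checks such a secret using only the Python standard library, without writing it to a file. The function names are made up for this illustration, and the 20-byte length is taken from the comments.

```python
import base64
import binascii
import secrets
import sys

SECRET_LEN = 20  # bytes; the length stated in the comments on this page


def new_secret_b32() -> str:
    """Return a fresh random 20-byte secret as 32 base32 characters."""
    return base64.b32encode(secrets.token_bytes(SECRET_LEN)).decode("ascii")


def normalize_secret_b32(text: str) -> str:
    """Return text as canonical base32, or raise ValueError saying why not.

    Accepts lowercase, embedded whitespace and missing '=' padding.
    """
    cleaned = "".join(text.split()).upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty secret")
    # b32decode requires the input length to be a multiple of 8.
    padded = cleaned + "=" * (-len(cleaned) % 8)
    try:
        raw = base64.b32decode(padded)
    except binascii.Error as exc:
        raise ValueError(f"not valid base32: {exc}") from None
    if len(raw) != SECRET_LEN:
        raise ValueError(f"decodes to {len(raw)} bytes, expected {SECRET_LEN}")
    return base64.b32encode(raw).decode("ascii")


if __name__ == "__main__":
    # No argument: print a new secret. One argument: validate that string.
    if len(sys.argv) == 1:
        print(new_secret_b32())
    else:
        try:
            print(normalize_secret_b32(sys.argv[1]))
        except ValueError as err:
            sys.exit(f"rejected: {err}")
```

A 20-character base32 string is rejected because it decodes to only 12 bytes, and a secret piped through `echo` is rejected because the trailing newline makes it 21 bytes.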

Thanks for the pointers on this subject! But when I run `nitropy nk3 secrets add-challenge-response 2 $(base32 /tmp/nk)` I get this error:
Critical error: An unhandled exception occurred
Exception encountered: AttributeError("module 'semver' has no attribute 'Version'")
I'm also on Arch Linux running nitropy 0.4.39. Any idea what I'm missing here?
Looks like `Version` was renamed to `VersionInfo` in `semver`. Created an issue - we'll fix that asap and release a new pynitrokey version.
Awesome! Thanks
Small correction, it is the other way around. Version is the correct/new name, which shall be used. The python-semver package in ArchLinux is currently outdated. Please use `pipx` to install pynitrokey until the package is updated.
Does this work on the nitrokey 2 pro, too?
Nope, this will only work with the Nitrokey 3
Can you say when it will work without having to do anything? So, like when I want to use a YubiKey?
On Debian bookworm with YubiKey everything is working fine, but the Nitrokey 3 doesn't get recognized. pcscd.socket is running, a base 32 20-digit challenge-response is set, pynitrokey is up to date via pipx, KeepassXC 2.76. Any hints?
Hey, hey - for technical questions the forums might be the better place to ask - simply due to the wider audience.
