KeePassXC 2.7.6 Supports Nitrokey 3

KeePassXC is the most popular open source password manager for Windows, macOS and Linux. The new version 2.7.6 allows to protect password stores not only with a master password, but to encrypt and unlock password stores with a Nitrokey 3 instead. This not only increases security but also makes KeePassXC easier to use. KeePassXC can be downloaded for free here.



I tried to use add-challenge-response command on windows but i get this error: "base32)' is not recognized as an internal or external command"
Hi Jack! I assume this is about pynitrokey? Please create a topic at support dot nitrokey dot com, where we help with problems like this.
Any help please ?
This example works for me in powershell (using nitropy 0.4.39 and nk3 firmware v1.5.0, writing to slot 2): nitropy.exe nk3 secrets add-challenge-response 2 ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 Of course you want to use a good random secret in practice. The example secret shown is just to reflect all base32 symbols.
Das sind ja tolle Neuigkeiten. Herzlichen Glückwunsch!
Findet meinen Nitrokey 3A Mini immer noch nicht. Muss man vorher was am Nitrokey aktivieren?
Doesn't work. Nitrokey is not recognized by KeepassXC on Linux Mint.
It works you need a recent version of pynitro e.g. (v0.4.39). 1. Encode a secret using base32 e.g. using `echo "" | base32`. The resulting b32-secret-string needs to be exactly 20 bytes in length 2. ./nitropy-v0.4.39-x64-linux-binary nk3 secrets add-challenge-response {1,2} # There are two slots available 1 and 2 you need to choose one Afterwards you probably need to reboot the nitrokey e.g. by removing and reattaching it.
I had the same Problem on Manjaro, pynitro and GPG worked, KeepassXC didn't found it. The available udev rules was correctly installed. The solution for me was installing the package "ccid", then it worked without any further configuration. On Mint, maybe it's called "libccid", I don't know.
Super! Jetzt fehlt nur noch, dass KeePassDX für Android das auch kann.
Is there any documentation available? I could not manage to use KeepassXC with my NK3 on MXLinux (Firmware and KeepassXC are up to date)

Here is what I did on Arch Linux with nitropy and base32 installed in case anyone else needed a bit of extra help figuring this out.

Install and enable the smartcard daemon (PCSCD) using your package manager/init system. On Arch, that would be:

sudo pacman -S ccid opensc

sudo systemctl start pcscd.socket

sudo systemctl enable pcscd.socket

Confirm it is running with:

systemctl status pcscd.socket

Generate a 20-byte random string with:

dd if=/dev/urandom of=/tmp/nk bs=20 count=1

Encode this and add to your nitrokey in a slot (slot 2 here):

nitropy nk3 secrets add-challenge-response 2 $(base32 /tmp/nk)

Repeat this last step on your backup nitrokey if you have one. Copy your KeePass database so you have a backup. Add the challenge-response authentication to KeePassXC under database -> database security -> challenge-response Test opening it with both nitrokeys. Be sure to add "Hardware Key" on the unlock screen the first time (I had to open KeePassXC after plugging it in then click refresh to get it to appear the first time). If it does not appear, there may be an issue with pcscd not running.

This also worked on NixOS after adding services.pcscd.enable = true;

If you are using the KeePassXC FlatPak, make sure to enable socket=pcsc (e.g. with FlatSeal).

I don't think the feature is implemented on KeePassDX yet for anyone using that on mobile.

Thanks for the pointers on this subject! But when I run nitropy nk3 secrets add-challenge-response 2 $(base32 /tmp/nk) i get this error: Critical error: An unhandled exception occurred Exception encountered: AttributeError("module 'semver' has no attribute 'Version'") I'm also on Arch Linux running nitropy 0.4.39 Any idea what I'm missing here?
looks like `Version` was renamed to `VersionInfo` in `semver`. Created an issue - we'll fix that asap and release a new pynitrokey version
awesome! thanks
Small correction, it is the other way around. Version is the correct/new name, which shall be used. The python-semver package in ArchLinux is currently outdated. Please use `pipx` to install pynitrokey until the package is updated.
Does this work on the nitrokey 2 pro, too?
Nope, this will only work with the Nitrokey 3
Kann man sagen wann es ohne zu tun funktionieren wird? Alaso wie wenn ich einen Yubikey nutzen will?
On debian bookworm with yubikey everything is working fine, but nitrokey 3 doesn´t gets recognized. pcscd.socket is running, a base 32 20-digit challenge-response is set, pynitrokey is up to date via pipx,KeepassXC 2.76. Any hints?
Hey, hey - for technical questions the forums might be the better place to ask - simply due to the wider audience.
Is there an option to require user touch when using hmac-sha1 challenge response ?
currently not, although from firmware side it might be possible already, added a github issue to track this. Looking closer: this might be already possible with updating the secrets-credential like this: `nitropy nk3 secrets update HmacSlot1 --touch-button true` (you might want to use HmacSlot2 depending on your setup)
I tried "--touch-button true" but it doesn't work...
ok, thx for the feedback, updated the github issue with this info
It's been almost 5 months by now and still nothing about this bug...
Hallo, wie bekomme ich es als einfacher Endanwender auf win10 zum laufen? KeePassXC zeigt mir den Nitrokey im Auswahlfeld leider nicht an.
Hey Hans, aktuell haben wir noch keine Windows Dokumentation für KeepassXC, du könntest einmal im Forum fragen oder auch suchen, da gibt es viele Threads dazu. Dann gibt es noch dieses Tutorial hier, das ist zwar Linux ist aber im wesentlichen sehr ähnlich. Der Teil bei dem man pynitrokey benötigt (also das Terminal) wird in Zukunft auch nicht mehr nötigt sein, da die NitrokeyApp2 das abbilden wird - das wird aber noch ein paar Wochen brauchen, bis das in einen Release einfließt.
Ok, besten Dank!
Great, but... documentation, as usual ! Always the same scheme : Feature XYZ is now available, it's up to you, poor user who bought our device, to figure out how to use it. But trust us, we'll publish documentation, some day around april 2073
Hi, mit Win10 und Ubuntu hab ichs zum laufen gebracht, aber macOS will nicht. Hat jemand einen Tip, wie KeepassXC den Nitrokey erkennen kann?
how did you get it work on ubuntu can you tell me ? i was trying on linux mint but keepassxc won't recognise it. have put a forum post on it. Any help would be appreciated.

Add new comment

Fill in the blank.