KeePassXC 2.7.6 Supports Nitrokey 3

KeePassXC is the most popular open source password manager for Windows, macOS and Linux. The new version 2.7.6 allows to protect password stores not only with a master password, but to encrypt and unlock password stores with a Nitrokey 3 instead. This not only increases security but also makes KeePassXC easier to use. KeePassXC can be downloaded for free here.

17.8.2023

Comments

Submitted by jack on 17. August 2023 - 11:18
I tried to use add-challenge-response command on windows but i get this error: "base32)' is not recognized as an internal or external command"
Submitted by Szczepan on 18. August 2023 - 16:09
Hi Jack! I assume this is about pynitrokey? Please create a topic at support dot nitrokey dot com, where we help with problems like this.
Submitted by jack on 21. August 2023 - 15:59
Any help please ?
Submitted by Turbinchen on 21. August 2023 - 21:08
This example works for me in powershell (using nitropy 0.4.39 and nk3 firmware v1.5.0, writing to slot 2): nitropy.exe nk3 secrets add-challenge-response 2 ABCDEFGHIJKLMNOPQRSTUVWXYZ234567 Of course you want to use a good random secret in practice. The example secret shown is just to reflect all base32 symbols.
Submitted by Nobody on 17. August 2023 - 11:56
Das sind ja tolle Neuigkeiten. Herzlichen Glückwunsch!
Submitted by Anonymous on 19. August 2023 - 9:34
Findet meinen Nitrokey 3A Mini immer noch nicht. Muss man vorher was am Nitrokey aktivieren?
Submitted by Anonymous on 19. August 2023 - 21:01
Doesn't work. Nitrokey is not recognized by KeepassXC on Linux Mint.
Submitted by Anonymous on 22. August 2023 - 20:48
It works you need a recent version of pynitro e.g. (v0.4.39). 1. Encode a secret using base32 e.g. using `echo "" | base32`. The resulting b32-secret-string needs to be exactly 20 bytes in length 2. ./nitropy-v0.4.39-x64-linux-binary nk3 secrets add-challenge-response {1,2} # There are two slots available 1 and 2 you need to choose one Afterwards you probably need to reboot the nitrokey e.g. by removing and reattaching it.
Submitted by Anonymous on 28. September 2023 - 10:42
I had the same Problem on Manjaro, pynitro and GPG worked, KeepassXC didn't found it. The available udev rules was correctly installed. The solution for me was installing the package "ccid", then it worked without any further configuration. On Mint, maybe it's called "libccid", I don't know.
Submitted by Anonymous on 21. August 2023 - 17:38
Super! Jetzt fehlt nur noch, dass KeePassDX für Android das auch kann.
Submitted by Anonymous on 21. August 2023 - 22:41
Is there any documentation available? I could not manage to use KeepassXC with my NK3 on MXLinux (Firmware and KeepassXC are up to date)
Submitted by Anonymous on 22. August 2023 - 19:16

Here is what I did on Arch Linux with nitropy and base32 installed in case anyone else needed a bit of extra help figuring this out.

Install and enable the smartcard daemon (PCSCD) using your package manager/init system. On Arch, that would be:

sudo pacman -S ccid opensc

sudo systemctl start pcscd.socket

sudo systemctl enable pcscd.socket

Confirm it is running with:

systemctl status pcscd.socket

Generate a 20-byte random string with:

dd if=/dev/urandom of=/tmp/nk bs=20 count=1

Encode this and add to your nitrokey in a slot (slot 2 here):

nitropy nk3 secrets add-challenge-response 2 $(base32 /tmp/nk)

Repeat this last step on your backup nitrokey if you have one. Copy your KeePass database so you have a backup. Add the challenge-response authentication to KeePassXC under database -> database security -> challenge-response Test opening it with both nitrokeys. Be sure to add "Hardware Key" on the unlock screen the first time (I had to open KeePassXC after plugging it in then click refresh to get it to appear the first time). If it does not appear, there may be an issue with pcscd not running.

This also worked on NixOS after adding services.pcscd.enable = true;

If you are using the KeePassXC FlatPak, make sure to enable socket=pcsc (e.g. with FlatSeal).

I don't think the feature is implemented on KeePassDX yet for anyone using that on mobile.

Submitted by Anonymous on 30. August 2023 - 12:11
Thanks for the pointers on this subject! But when I run nitropy nk3 secrets add-challenge-response 2 $(base32 /tmp/nk) i get this error: Critical error: An unhandled exception occurred Exception encountered: AttributeError("module 'semver' has no attribute 'Version'") I'm also on Arch Linux running nitropy 0.4.39 Any idea what I'm missing here?
Submitted by meissner on 30. August 2023 - 13:30
looks like `Version` was renamed to `VersionInfo` in `semver`. Created an issue - we'll fix that asap and release a new pynitrokey version
Submitted by Anonymous on 30. August 2023 - 14:24
awesome! thanks
Submitted by meissner on 4. September 2023 - 13:11
Small correction, it is the other way around. Version is the correct/new name, which shall be used. The python-semver package in ArchLinux is currently outdated. Please use `pipx` to install pynitrokey until the package is updated.
Submitted by Ben on 13. September 2023 - 15:45
Does this work on the nitrokey 2 pro, too?
Submitted by meissner on 15. September 2023 - 11:34
Nope, this will only work with the Nitrokey 3
Submitted by Michael on 14. September 2023 - 11:56
Kann man sagen wann es ohne zu tun funktionieren wird? Alaso wie wenn ich einen Yubikey nutzen will?
Submitted by x on 19. September 2023 - 10:26
On debian bookworm with yubikey everything is working fine, but nitrokey 3 doesn´t gets recognized. pcscd.socket is running, a base 32 20-digit challenge-response is set, pynitrokey is up to date via pipx,KeepassXC 2.76. Any hints?
Submitted by meissner on 19. September 2023 - 17:26
Hey, hey - for technical questions the forums might be the better place to ask - simply due to the wider audience.
Submitted by Anonymous on 16. December 2023 - 17:24
Is there an option to require user touch when using hmac-sha1 challenge response ?
Submitted by meissner on 18. December 2023 - 13:56
currently not, although from firmware side it might be possible already, added a github issue to track this. Looking closer: this might be already possible with updating the secrets-credential like this: `nitropy nk3 secrets update HmacSlot1 --touch-button true` (you might want to use HmacSlot2 depending on your setup)
Submitted by Anonymous on 27. December 2023 - 13:31
I tried "--touch-button true" but it doesn't work...
Submitted by meissner on 2. January 2024 - 13:18
ok, thx for the feedback, updated the github issue with this info
Submitted by Anonymous on 29. May 2024 - 16:46
It's been almost 5 months by now and still nothing about this bug...
Submitted by Hans on 7. February 2024 - 10:50
Hallo, wie bekomme ich es als einfacher Endanwender auf win10 zum laufen? KeePassXC zeigt mir den Nitrokey im Auswahlfeld leider nicht an.
Submitted by meissner on 8. February 2024 - 12:18
Hey Hans, aktuell haben wir noch keine Windows Dokumentation für KeepassXC, du könntest einmal im Forum fragen oder auch suchen, da gibt es viele Threads dazu. Dann gibt es noch dieses Tutorial hier, das ist zwar Linux ist aber im wesentlichen sehr ähnlich. Der Teil bei dem man pynitrokey benötigt (also das Terminal) wird in Zukunft auch nicht mehr nötigt sein, da die NitrokeyApp2 das abbilden wird - das wird aber noch ein paar Wochen brauchen, bis das in einen Release einfließt.
Submitted by Hans on 8. February 2024 - 19:04
Ok, besten Dank!
Submitted by Juuk on 26. March 2024 - 16:26
Great, but... ...no documentation, as usual ! Always the same scheme : Feature XYZ is now available, it's up to you, poor user who bought our device, to figure out how to use it. But trust us, we'll publish documentation, some day around april 2073
Submitted by yepo on 22. October 2024 - 7:09
Exactly that! What good are thousands of new things if the documentation is missing or hardly available to promote the open source development of your own project? And they still haven't managed to make it foolproof for customers or buyers of nitrokey who use KeepassXC.
Submitted by meissner on 22. October 2024 - 14:08
Hey, yes - we also see that and have started a major re-work of the documentation - hope this will improve soon though...
Submitted by tom on 27. February 2025 - 0:37
...any update on this?
Submitted by meissner on 3. March 2025 - 13:13
since october the documentation has undergone a major overhaul: the docs are now structured based on features instead of devices. This especially reduces redundant content and improves searchability - on top the refactoring reduced efforts and added previewing to changes go through faster and create less work. Feel free to be specific about what you are missing and we try to improve/add it.
Submitted by sam on 1. May 2024 - 20:38
Hi, mit Win10 und Ubuntu hab ichs zum laufen gebracht, aber macOS will nicht. Hat jemand einen Tip, wie KeepassXC den Nitrokey erkennen kann?
Submitted by kevin on 6. June 2024 - 15:49
how did you get it work on ubuntu can you tell me ? i was trying on linux mint but keepassxc won't recognise it. have put a forum post on it. Any help would be appreciated. support.nitrokey.com/t/nitrokey-3-keepass-xc-can-not-find-nitrokey/5612/9

Add new comment

Fill in the blank.