Nitrokey 3 Status Update

OpenPGP Card

Next week we will publish an alpha release of our brand-new OpenPGP Card implementation. We will publish more information in this blog.

Nitrokey 3A NFC

The production and shipment of pre-orders are in process. So far we shipped about half of all pre-orders and will need October to ship all remaining orders. Afterwards we will have stock to ship upcoming orders immediately.

Nitrokey 3C NFC

We are busy working on the next production batch of Nitrokey 3C NFC and stick to the plan to ship it within this year.

7.10.2022

Comments

Is there anything that non-technical people can do to help with the alpha (like test), or should we wait for an RC?
Hard to say, we will provide some guidelines on how to install the alpha firmware, but also how to revert it. Any feedback is highly appreciated...
What is the roadmap for hwsecurity.dev support (if any)? Right now, the NFC just directs to nitrokey.com. Presumably it's supposed to provide Fido or GPG information?
Via NFC, FIDO2 is working. The website you visit while using NFC is the so-called "ndef" app; this will start if there is no other request pending from your NFC reader (smartphone). Please try to test NFC & FIDO2 through a website like: webauthn.io ... If it's not working, please write to support (at) nitrokey (dot) com, because your Nitrokey might not be fully functional.
I'm really looking forward to it. Will it then be possible to unlock the LUKS disk encryption at boot? :-)
Yes, that should be possible then. As soon as it is ready, we will extend the corresponding documentation.
I can already enroll fido2 nk3 on my luks encrypted system
Do you use systemd-cryptenroll for this?
I do use systemd-enroll yeah and it's working like a charm with the nk3
Now that I got a 3a mini - I tried to enroll it with systemd-cryptenroll and unfortunately none of my two 3a mini were able to be enrolled - it just hangs during enrollment - it works just fine with 3a NFC tho - any difference between the two?
Not in terms of the fido2 implementation, have you tried `nitropy nk3 test`? Anyways, for support/help related topics, please use support.nitrokey.com for a wider audience...
I’ve actually gone ahead and reported the bug and reproducer on GitHub Nitrokey/nitrokey-3-firmware/issues/94 - the mini do work correctly, it’s just this scenario that doesn’t work and it might just be a firmware issue since the nfc just works too (also the reproducer is just with libfido2)
When will there be an app for the Nitrokey 3?
That will still take a while, but a first version, which will be severely limited in its functionality (probably only updating), will be available soon (~a few weeks).
I don't have an NK3x yet, but is it correct that when I hold the NK3x close to a smartphone with Bluetooth, the Nitrokey website opens? Is it possible to change the website at a later date? For example, to my own?
Looks like there is a misconception. This functionality does not depend on Bluetooth, but on NFC, which also means that the Nitrokey 3 has to be very close, i.e., touching the smartphone. The function triggered is called NDEF, which your smartphone will understand and send you to an advertised website, and no, currently there are no plans to make this website changeable as this feature is meant to identify the device, thus the nitrokey.com website.
What's state of Android support for NK3? Google's FIDO2 security key implementation doesn't seem to prompt for the PIN, which results in authentication failure. Other security keys (like Yubico's) seem to have the PIN as little more than a paper wall, because I was told the FIDO2 on them can work without entering the PIN.
The FIDO2 functionality of the NK3 is compatible with Android, whether a PIN is required during an NFC operation is to be defined by the Webauthn Server itself (the website). As far as I know the FIDO2 Specification defines a "user presence" as the required confirmation for the NFC operation (in contrast to entering the PIN), which is the fact that one has to place the NK3 near the NFC sensor of a smartphone and not necessarily the PIN entry.
(original commenter) I'm using GrapheneOS which to my knowledge has support for this, the problem is that every attempt to authenticate fails due to user presence not being confirmed. When I first tried using the NK3 for FIDO2 with Windows it prompted me to create a PIN, which I did, any further attempts to use FIDO2 require me to enter this PIN. This works fine on Windows (The Hello API or whatever they're using), but not so much on Linux (Firefox doesn't support CTAP2 yet, so I'm not prompted for the PIN at all and the authentication freezes then fails, Chromium works though) and on Android I get the same story of being able to use the key but not being able to enter a PIN. Is this something I could've messed up?

Yes, you are right GrapheneOS generally should work. But in detail as far as I understand this depends on the chosen Webauthn-verification-type. So for instance webauthn.io requires a pin to be entered for (NFC) registration as it will create a RK, which requires a PIN (e.g., this won't work for me). On the other side webauthn.coffee.bin works perfectly fine with (NFC) (create credential, get assertion) as both do not require a PIN, just user presence.

Generally speaking I have to admit that I do not know if PIN entry during NFC usage is a thing anyways. From a usability perspective this would be extremely painful to hold your Nitrokey3 at the right spot, then input the PIN (while not moving the Nitrokey). So I would suspect that PIN entry is either way not supported via NFC/Webauthn, frankly I personally have never seen this and I am using NFC for logins regularly.

Anyways, this is getting very technical. Maybe the forums would be a better place to discuss this, together with the experience of other users, would you like to move it there?

(original commenter) Yes, that'd be great, I'd like to have a more organized discussion to figure out if this is something I messed up or an issue affecting others.
GrapheneOS doesn't come with play services so that might be part of the issue. MicroG (the FOSS reimplementation of the play services) just implemented FIDO2 support but PIN support seems to be generally lacking on Android. (I can't link to it but my source would be issue #849 in the "GsmCore"-Project on GitHub.)
Well, yes, I was assuming the play services are installed, like described here or within our docs. Please be aware that MicroG is (from what we know) not working together with GrapheneOS.
(original commenter) I've gone ahead and reset the key entirely and re-enrolled Bitwarden. It appears the issue isn't with the PIN per-se, as I get pretty much the exact same thing without it. Any third-party implementation of Webauthn or FIDO2 works (For example the "FIDO / WebAuthn test" app on Play Store), however, authentication for apps and services most often revolves around Google's FIDO library (Firefox, Vanadium/Chromium use it), which fails to authenticate with various errors, also causing Google play services to crash. If you have a Pixel with GrapheneOS available, could you give it a try?
I am very interested in purchasing a NK3, because I like that with Nitrokey everything is open source and a German company. But I miss a roadmap on the missing features. When do you plan to have the key finished, meaning every feature implemented that is advertised on the comparison table and product description? TBH I am not very eager that this will ever be the case. I have read some forum posts that are now almost a year old complaining that there is basically only FIDO2 support. Sadly, there doesn't seem to be much progress since then. Please address my concerns.
Hey, generally we see the Nitrokey 3 as a platform, so development on it will very likely only end, when there is a successor available - thus I do expect a continuous development. Nevertheless, I understand your point and can also report progress. As you might know there already is an alpha firmware available with OpenPGPCard, which is widely (despite RSA support) functionally complete and a next version is already in the pipeline. *OTP and Password Safe features are being actively worked on. Generally, we are fully committed to deliver what was promised - although this is still a security product so our focus is always quality, in contrast to pushing out features as fast as possible, for hopefully understandable reasons.
I have seen the alpha firmware but of course that is not ready for production yet and I am more interested in the OTP feature anyway. I also understand your point that security should be the main focus and that you don't want to rush features. However, the thing is, if you would provide a roadmap, anyone could assess if the NK3 is worth the wait. Speaking for me, I would be willing to wait up to 6 months, otherwise I would sadly buy something else now and revisit the NK3 maybe a year later.
Ah ok, I see. Well, OTP will be one of the next things to arrive, I would even say that this should be realistic within the next 6 months, but frankly I cannot promise that, hope you understand.
Hello, is there any news on the delivery of the Nitrokey 3C NFC? I ordered over a year ago and haven't heard anything from you since. Best regards
Unfortunately, the Nitrokey 3C NFC is currently the only variant that we have not yet been able to ship in full. Next week there will be another status update like this one. We will hopefully be able to give more precise details then; I can't say more at the moment, sorry.
Thanks! :)
