Nitrokey 3A is Available; OpenPGP Card and One-Time Passwords as Test Versions

Nitrokey 3A NFC, Nitrokey 3A Mini

Due to the global electronics shortage, the Nitrokey 3 was unfortunately only available in limited quantities. This has finally come to an end! In the last few months we have been able to ship all pre-orders of the Nitrokey 3A NFC and Nitrokey 3A Mini and have built up a stock of these models. So these Nitrokeys can be ordered here and will be shipped immediately from stock.

Nitrokey 3C NFC

We have significantly improved the case of the Nitrokey 3C NFC, the one with the USB-C connector, compared to the first batch shipped. Therefore, its production has been further delayed compared to the other models. Now, production of the Nitrokey 3C NFC has started and we plan to begin shipping it at the end of the year. It is expected that the Nitrokey 3C NFC will be in stock in early 2023.

OpenPGP Card

Many users are eagerly awaiting the OpenPGP Card feature for the Nitrokey 3, and its development has progressed well in recent months. We have now published a test firmware version for the Nitrokey 3 that includes the OpenPGP Card. The OpenPGP Card implementation was developed in the memory-safe programming language Rust.

What is an OpenPGP Card?

OpenPGP is an open standard for encrypting, decrypting and signing documents, files and emails, mainly used with GnuPG. Storing cryptographic keys on a smart card such as the OpenPGP Card allows the same key to be used securely and conveniently on multiple devices. If the device is lost, the cryptographic keys remain securely stored in the Nitrokey and cannot be extracted. The OpenPGP Card can be used for email encryption, SSH authentication and many other cryptographic use cases.

One-Time Passwords (OTP)

One-time passwords (OTP) belong to the first generation of two-factor authentication and are very common. Our test firmware supports the two popular methods HOTP (HMAC-Based One-Time Password, RFC 4226) and TOTP (Time-Based One-Time Password, RFC 6238). Currently, several dozen OTP entries can be stored and used. In a later version more than one thousand entries should be possible. Currently, only the command-line software pynitrokey is available for use. In the future, we will support one-time passwords in the graphical Nitrokey App 2.


All essential features of the OpenPGP Card and one-time passwords are already implemented. We are still missing support for the Secure Element and some internal improvements and refactorings. We plan to implement this in the first half of 2023 and then release it as a stable firmware version.


We recently started running a blog in which we report on our development progress and technical topics in more detail. In the blog we cover topics that are too technical or too marginal for the readers of the general news section. If the news section is not enough for you and you want to read more from us, feel free to follow our blog.



Maybe it's time to update the product overview?
Nearly, will do once the features make it into the stable firmware
Excuse German... I have 2 questions: (1) Will the new case be waterproof? Because I am sometimes out on my bike in the rain... (2) Is it possible to use the Nitrokey for SSH *without* OpenPGP? The YKs can apparently do that under the name "PIV", but unfortunately only with the NIST algorithms...
Re (1): there will be no IP certification, so technically speaking the NK3 is not waterproof. (2) Yes, this already works today using FIDO2 with resident keys and ssh. See here, for example (this is for the Nitrokey FIDO2, but it is identical for the NK3):
Thanks for the answer. Unfortunately that requires a fairly modern OpenSSH 8.1 :( I would wish that the NK could do RSA for antediluvian systems and ED25519 for post-diluvian systems :)
I wouldn't really call 8.1 "modern", but as so often that is surely relative. In general, RKs are not specified for RSA (as I see it, because of the comparatively large private keys) - so unfortunately there is nothing to be done except updating openssh.
Hi, once requirements are met, are you considering applying for a FIDO Certified Authenticator Level? For now Nitrokey is unusable to access my state's e-gov facilities because of missing L1 certification.
Yes, this is the plan. Already looking into the options there.
Is the stable firmware going to give support for Heads hardware verification? Is there an ETA on this feature?
The current alpha OTP implementation already comes equipped with the needed feature (reverse HOTP), but the HEADS firmware will also need an update to properly talk to the Nitrokey 3. Hard to predict an ETA; the first step is to have the functionality inside the stable firmware, then we'll directly approach HEADS functionality.

