Nitrokey 3A is Available; OpenPGP Card and One-Time Passwords as Test Versions

Nitrokey 3A NFC, Nitrokey 3A Mini

Due to the global electronics shortage, the Nitrokey 3 was unfortunately only available in limited quantities. This has finally come to an end! In the last few months we have been able to ship all pre-orders of the Nitrokey 3A NFC and Nitrokey 3A Mini and have built up a stock of these models. So these Nitrokeys can be ordered here and will be shipped immediately from stock.

Nitrokey 3C NFC

We have significantly improved the case of the Nitrokey 3C NFC, the one with the USB-C connector, compared to the first batch shipped. Therefore, its production has been further delayed compared to the other models. Now, production of the Nitrokey 3C NFC has started and we plan to begin shipping it at the end of the year. It is expected that the Nitrokey 3C NFC will be in stock in early 2023.

OpenPGP Card

Many users are eagerly awaiting the OpenPGP Card feature for the Nitrokey 3, and its development has progressed well in recent months. We have now published a test version of the OpenPGP Card for the Nitrokey 3. The OpenPGP Card was developed in the memory-safe programming language Rust and is available in a test firmware version for the Nitrokey 3.

What is an OpenPGP Card?

OpenPGP is an open standard for encrypting, decrypting and signing documents, files and emails, mainly used with GnuPG. Storing cryptographic keys on a smart card such as the OpenPGP Card allows the same key to be used securely and conveniently on multiple devices. If the device is lost, the cryptographic keys remain securely stored in the Nitrokey and cannot be extracted. The OpenPGP Card can be used for email encryption, SSH authentication and many other cryptographic use cases.

One-Time Passwords (OTP)

One-time passwords (OTP) belong to the first generation of two-factor authentication and are very common. Our test firmware supports the two popular methods HOTP (HMAC-Based One-Time Password, RFC4226) and TOTP (Time-Based One-Time Password, RFC6238). Currently, several dozen OTP entries can be stored and used. In a later version more than one thousand entries should be possible. Currently, only the command line software pynitrokey is available for use. In the future, we will support one-time passwords in the graphical Nitrokey App 2.


All essential features of the OpenPGP Card and one-time passwords are already implemented. We are still missing support for the Secure Element and some internal improvements and refactorings. We plan to implement this in the first half of 2023 and then release it as a stable firmware version.


We recently started running a blog in which we report on our development progress and technical topics in more detail. In the blog we cover topics that are too technical or too marginal for the readers of the general news section. If the news section is not enough for you and you want to read more from us, feel free to follow our blog.



Maybe it's time to update the product overview?
Nearly, will do once the features make it into the stable firmware
Excuse german... Ich habe 2 Fragen: (1) Wird das neue Gehäuse wasserdicht sein? Weil ich bin manchmal mit dem Fahrrad im Regen unterwegs... (2) Ist es möglich den Nitrokey für SSH *ohne* OpenPGP zu verwenden? Die YKs sollen das wohl unter dem Namen "PIV" können, aber leider nur mit den NIST-Algorithmen...
zu (1) es wird keine IP Zertifizierung geben, also technisch gesehen ist der NK3 nicht wasserdicht. (2) Ja, das geht bereits heute mit Hilfe von FIDO2 mit Resident Keys und ssh. Siehe hier zB (das ist für den Nitrokey FIDO2, ist aber identisch für den NK3):
Danke für die Antwort. Leider erfordert das ein recht modernes OpenSSH 8.1 :( Ich würde mir wünschen, wenn der NK für vorsintflutliche Systeme RSA beherrschen würde, und für nachsintflutliche Systeme ED25519 :)
Ich würde 8.1 nicht so wirklich als "modern" bezeichnen, aber wie so oft ist das bestimmt relativ. Generell sind RKs nicht für RSA spezifiziert (so wie ich das sehe wegen der vergleichsweise großen private keys) - da kann man also leider nichts machen, außer openssh updaten.
Hi, once requirements are met, are you considering applying for a FIDO Certified Authenticator Level? For now Nitrokey is unusable to access my state's e-gov facilities because of missing L1 certification.
Yes, this is the plan. Already looking into the options there.
Is the stable firmware going to give support for Heads hardware verification? Is there an ETA on this feature?
The current alpha OTP implementation already comes equipped with the needed feature (reverse hotp), but the HEADS firmware will also need an update to properly talk to the Nitrokey 3. Hard to predict a ETA, first step is to have the functionality inside the stable firmware, then we'll directly approach HEADS functionality.
Hi! Wann kommen die neuen Modelle der Nitropads zum Verkauf?
Hey Kai, dazu können wir leider noch nicht offizielles sagen. Aber es könnte gut sein, dass es dazu bald eine Ankündigung gibt...
wann kommt ungefähr die Ankündigung?
Guter Versuch :D Kann ich leider nicht sagen, sonst hätte ich das schon gemacht. Ein wenig Geduld bitte noch
Hallo, welche Güteklasse hat der RNG in den Nitrokey 3-Modellen? Danke
Hey, also der Mini enthält einen nrf52840, dessen RNG basiert auf thermal noise. Die NFC Varianten laufen auf einem LPC55s, der enthält ein TRNG Hardware Modul (siehe Datasheet 7.31.4 ). Darüber hinaus enthalten alle Modelle einen SE050, dieses Secure Element kommt mit einem TRNG nach NIST SP800-90B, welcher aber noch nicht in die Firmware integriert ist. Das wird im Zuge der SE050 integration passieren und die MCU (T)RNGs ersetzen, ausser für NFC, weil NFC nicht genügend Energie liefert um den SE050 zu benutzen.
On the plus-side, at least there seems to be some updates. However, it's sporadic and confusing - either update on the blog or News section, not on the blog one month and 3 months later post it in the News section. On the negative-side, and not counting CoVID-related issues, there seems to be a lack of a contingency plan. At a most basic business level, there should have been a plan at every stage of development - what if manufacturer can't meet demand (find another manufacturer, or add more machinery), what if there is a problem with the initial chip (what other chip will meet posted specs), what if shipping out exceeds 6 months (refund everyone and try again at a point that's manageable, or have faith of understanding customers), etc. This should have been a Kickstarter project - there are people selling small electronic devices out of their home that are able to meet demand within 1-3 months. Showing "Planned" on the product page seems like a company giving itself a "way out" should something fail. Who would buy a car if it showed "Planned" on the transmission or steering? Either it will or it won't. From the delays to manufacturing to minimal transparency/infrequent updates, there seems to be a lack of direction/focus and I'm surprised people aren't more upset.
Can you use Nitrokey 3A over NFC for FIDO2 authentication? I'm not sure what does it mean that SE050 isn't supported over NFC? Will keys for FIDO2 be stored securely?
From functionality point of view: yes, you can use the NK3 via NFC for FIDO2 (and U2F). The former has at least no proper support on Android, while U2F should work on all platforms. For more details you can check this blog post. Any FIDO2 (U2F) keys are stored securely on the MCU internal flash, which is to our best knowledge secure. The SE050 is a secure element (another microchip), which needs too much energy so that it can be started during an NFC operation, this is why the FIDO2 secrets have to stay inside the internal flash to be available through NFC.

Add new comment

Fill in the blank.