Debian 13 "trixie" issues with Nitrokey 3 A Mini

niklas · August 11, 2025, 5:45am

Hi,
just after the distribution update to Debian 13 the Nitrokey stopped working:
“gpg2 --card-status
gpg: selecting card failed: Kein passendes Gerät gefunden
gpg: OpenPGP Karte ist nicht vorhanden: Kein passendes Gerät gefunden”

This workaround here: “Nitrokey 3A Mini: GPG, firmware v1.4.0, Nitrokey App 3, Kein passendes Gerät gefunden - #6 by bguser” with
“sudo systemctl restart pcscd pcscd.socket”
fixes the situation temporarily but the HMACSLOTS don’t work.

Is it pcscd 2.3.3.1, libccid 1.6.2.1 again?
Any ideas?
Niklas

robin-nitrokey · August 12, 2025, 1:35pm

Please have a look at this FAQ section: GnuPG: OpenPGP Card Not Available.

Probably the update changed the order in which services are started and pcscd gets exclusive access to the device. By restarting pcscd, the lock is released and GnuPG can access it.

niklas · August 12, 2025, 2:17pm

Hi Robin,
thanks, I tried that.
Neither the " gpg-connect-agent "SCD KILLSCD" /bye"-option nor the deletion of pcscd do the trick for me.
But the “pcsc_scan -r” command gives me: “0: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00”
with libccid (1.6.2-1) so at least pcscd works here. And with “sudo systemctl restart pcscd pcscd.socket” it can run a gpg-card-command on trixie.
The HMACSLOTS for KeepassXC do not work with any configuration above (Flatpak or DEB), maybe the error lies within Keepass.

Niklas

robin-nitrokey · August 12, 2025, 2:46pm

Did you try the disable-ccid option?

niklas · August 13, 2025, 12:12pm

Hi,
yes, that didn’t work.
But today (after fiddeling around with all those options, restarting …) it works.
Don’t know why.
So: I can confirm Nitrokey 3 A Mini works with Debian 13 “trixie” including gpg-card-commands and the (deb-package) of Keepassxc (with HMAC).
Thanks.

ben · August 22, 2025, 9:23pm

For me it helped to enable pcsc-shared, too.

cat <<EOF > ~/.gnupg/scdaemon.conf
disable-ccid
pcsc-shared
EOF

mad.behaviorus · March 25, 2026, 4:02pm

I can confirm that it works great.

One addition:
If you would like to enable the configs directly without an reboot:

gpg-connect-agent "SCD KILLSCD" /bye

also was needed.

If you use xfce also, it can run into problems with pam login issues.
Use xfce4-screenlocker instead default lightlocker:

  apt install xfce4-screenlocker
  apt purge light-locker

and reboot now.

In conclusion:

# scdaemon.conf
    cat <<EOF > ~/.gnupg/scdaemon.conf
    disable-ccid
    pcsc-shared
    loglevel basic
    log-file ~/.gnupg/scdaemon.log
    EOF
# restart gpg
    gpg-connect-agent "SCD KILLSCD" /bye
# using xfce4 => need also:
    apt install xfce4-screenlocker
    apt purge light-locker