Does NitroKey Storage support HMAC-SHA1 Challenge Response

Out of my depth here but I am trying to understand if I can use Nitrokey Storage device in same manner as YubiKey as described in KeePassXC Documentation and FAQ to secure my KeePassXC database?

Advice from KeePassXC is: “Yes I read the spec sheet, it does not support HMAC challenge response, therefore not capable of doing what we use a yubikey for.”

Is this correct?

Hi!

We have discussed it here: nitrokey-pro-firmware#51. Briefly, even though the Nitrokey Storage already contains the implementation for HMAC-SHA1 (which is internal to HOTP/TOTP), we decided not to support it, so as not to give users a false sense of security. Instead we opted for leveraging the smart cards through PKCS#11, which would give real protection: keepassxc#255.

Hi and many thanks for the reply. I am not sufficiently familiar with this subject to comment further but support NitroKey in principle so will go along with your advice. My problems are with the user experience rather than underlying workings. You refer to “smart cards,” does this mean the NitroKey device and which or all?

If I use NitroKey Storage for holding files securely, can it also be used as a key for KeePassXC?

Can I use the NitroKey Storage as a key for opening the KeePassXC database now instead of a passphrase, and if so how can I set this up?

Just briefly:

  • by this I meant all devices supporting PKCS#11, e.g. OpenPGP and HSM smart cards - this includes all Nitrokey products, besides Nitrokey FIDO U2F.
  • indeed you can use Nitrokey Storage for keeping either the whole password database, or a key file;
  • you can use Password Safe to store the Keepass password as well.

AFAIR it turned out the challenge-response asks for a static response, without ever changing the challenge, which actually makes it a static secret, like an additional password or a key file.
Ideally the encryption would be done by the smart card.
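An added example in Python (not from this thread, and not Nitrokey's or KeePassXC's code) modelling the point above: with a fixed challenge, an HMAC-SHA1 token's response never changes, so it contributes exactly what a key file holding that response would; only a challenge that changes per save makes the response change. The token secret and the composite-key construction are constructed, simplified assumptions, not KeePassXC's actual algorithm.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the HMAC-SHA1 slot key programmed into a token
# (assumption: a 20-byte key, as HMAC-SHA1 slots typically use).
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f000112233")


def token_response(challenge: bytes, secret: bytes = TOKEN_SECRET) -> bytes:
    """Model of a token's HMAC-SHA1 challenge-response slot."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, key_file: Optional[bytes],
                  response: Optional[bytes]) -> bytes:
    """Simplified KeePass-style composite key: hash each component that is
    present, then hash the concatenation. Illustrative model only."""
    parts = hashlib.sha256(password.encode()).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    if response is not None:
        parts += hashlib.sha256(response).digest()
    return hashlib.sha256(parts).digest()


def static_challenge_equals_key_file(password: str, challenge: bytes) -> bool:
    """With a fixed challenge the response is constant, so unlocking with the
    token yields the same key as unlocking with a key file holding the response."""
    response = token_response(challenge)
    assert response == token_response(challenge)  # deterministic: same challenge, same answer
    via_token = composite_key(password, None, response)
    via_key_file = composite_key(password, response, None)  # response captured once, stored as a file
    return via_token == via_key_file


def rotating_challenge_changes_key(password: str) -> bool:
    """If the challenge is a fresh random value stored with the database on each
    save, a response captured for an old challenge no longer unlocks the new key."""
    old_chal, new_chal = os.urandom(32), os.urandom(32)
    old_resp, new_resp = token_response(old_chal), token_response(new_chal)
    key_old = composite_key(password, None, old_resp)
    key_new = composite_key(password, None, new_resp)
    return old_resp != new_resp and key_old != key_new
```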

Hi and many thanks for your reply. I have now read a substantial thread which is above my pay grade but it is clear that the KeePassXC and NitroKey folk are at least discussing the issue.

What I seek is to be able to use NitroKey device to open securely my KeePassXC database by plugging it in. From what I have read KeePassXC does not yet implement PKCS#11 but it is being worked on. There were other issues about NitroKey performing two functions at once which again were above my head but I shall wait for a solution eagerly. Many thanks again.

Budgie2, in the meanwhile you can use a simpler feature from KeePass, which is (in addition to the normal password) requiring a specific file to be available before allowing the database to open: just place that file on the Nitrokey Storage, and without it being plugged in Keepass will refuse to unlock the database.
Incidentally, you also can store the Keepass database entirely on the key (but then, don’t lose it :wink: )
H.


Hi and many thanks for the reply.

If I may please stray from my OP I am starting first by trying to use the NitroKey Storage key to log into my computer. Unfortunately the application notes refer to libpam-poldi but this is not obtainable on Tumbleweed.

I do have pam_p11 installed but have no idea what to do next as this is not mentioned in the instructions. For example, how do I generate keys on the NitroKey? Do I have to log into the NitroKey using the App, or do I just work on the device in the terminal? Where can I find some more complete instructions which give me the whole process please?

Did you see our documentation? This is where all our instructions are collected.

Hi Jan,
The link you sent gave me the following:

The requested page “/en/taxonomy/term/43” could not be found.

I am aware of the instructions and installation notes and I have followed these where I can. I ran into difficulties recently with computer login. My OS does not offer poldi but pam_p11, and there is no detailed help for this. If there are instructions elsewhere, please could you show me.
Regards,
Budge

The link is corrected now to: documentation.

The manual for pam_p11 seems very capable: pam_pkcs11/doc. I got the link from the main project’s page - OpenSC/pam_pkcs11.

@Budgie2 In case this would not answer your question, could you create a new topic please? It seems we are wandering too far from the original problem.

I have it now. Many thanks. Will study and start a new thread if necessary. Many thanks for your help.
Regards,
Budge


Thank you for correcting the link you provided. It was unfortunately only partly helpful because the application instructions given on the NitroKey site refer to pam_p11, but the link suggested gives instructions for pam_pkcs11, which concentrate on CS certificates.

Your installation instructions also suggest that the NitroKey App is at version 1.4, but when I go to the openSUSE link on your site it advises me to use the openSUSE repo site. Unfortunately this only offers nitrokey-app version 1.3.2-1.61.

I mention this because I have had problems when logging into my computer when, even with no key in the machine, I get two NitroKey App windows opening and a log warning from a watching application.

I am willing to try and build the up-to-date version of NitroKey App if you could give me the link, although I may have some problems. It would be better if you arranged for OBS to update their module. Would this be possible please?

Hi @Budgie2

As the initial question is solved, to keep the forum tidy please create new topics for each new issue. Thank you!