GREAT NEWS: Nitrokey Pro is supported by OpenKeyChain on Android now!


I have just successfully tested my Nitrokey Pro stick with

  • a OnePlus 3T mobile phone
  • using an USB OTG adapter cable
  • running LineageOS14.1 (Android 7.1.x)
  • K-9 Mail 5.203
  • OpenKeychain 4.2.4.

I can decrypt emails received with the K-9 email client.

The key problem to solve was to import a reference to the private key into OpenKeychain:

Solution: Export the “secret key” (that contains only a reference to the Nitrokey but
does not contain the private key) from a desktop computer where I have already installed
the NitrokeyPro and import that “secret key” file after plugging the Nitrokey Pro into the mobile phone.

Use “Manage my keys > Use security token > Import key file” to do this once.

A port of the Nitrokey App to Android is therefore not required - at least not for email decryption (as indicated in the wiki
“OpenKeychain is an GPG-like Android app which works with Yubikey NFC already. It should be relatively easy to extend it to work with the Nitrokey via USB.”).


Indeed that is great news. Thank you for the feedback.

Thank you, this nearly worked for me, I have Motorola Moto G3 - Nitrokey Storage - USB OTG Cable. Unfortionally the Power Supply of the phone does not seem to be enough to power the Nitrokey Storage, so this setup only works for me with a powered USB hub. I opened a new Thread at Nitrokey Storage and Open Keychain => Lack of power supply? to see if someone has an Idea to fix that.


I now added the instructions to the website. Thank you very much again.

Kind regards

Hello again,

I realized with version 4.5 it is not necessary anymore to extract the keys from another keychain. It is sufficient to have the public key at hand or uploaded on a keyserver. This make thinks much more easy. Please have a look at the instructions on our website.

Kind regards

I confirm that Nitrokey does work with an up-to-date OpenKeychain by only importing the public key into OpenKeychain.

For more background see this comment:

The most important precondition is to have the encryption and signature sub key on the Nitrokey!

You can check this by connecting the Nitrokey to your computer and entering into a terminal/console:

gpg --card-status

The output must looks like this:

Signature key ....: A0FE 12BB 3F9A D1F9 ...
      created ....: 2017-01-01 10:04:22
Encryption key....: FFEE AABB 0001 CCDD ...
      created ....: 2017-01-01 10:04:22
Authentication key: [none]

If the output for the signature key looks like this

Signature key ....: [none]

You can only decrypt but not encrypt or sign (note that encryption requires also signing in K9 - encryption without signing is no longer supported).

1 Like

Hey @jaltfeld,

thanks a lot for retesting! I am happy that this works for you as well now. So this workflow should generally work.

I think about putting a note about the signature key on the website, but as the signature subkey should be included anyway (e.g. for using NK for E-Mail and other use cases), it may would be more confusing than helpful? We’ll see.

But thank you for your detailed analysis, as this could surely help other users!

Kind regards