Hi there,
I have successfully coupled the Nitrokey 3 together with Keepass XC.
For unlocking the database, password is required, but no touch is required (just plugged-in Nitrokey is necessary).
Double check: unplugged Nitrokey leads to error in opening password database.
I am not able to enable the touch (for Keepass XC unlocking) using the Nitrokey App 2 nor the command line pynitrokey tool. I am using the latest Firmware 1.7.2.
The HMAC status is passive, I think this means without touching the button. Does anyone know how to activate this?
You can toggle touch with something like nitropy nk3 secrets update --touch-button 1 HmacSlot2
but I tried it with KeepassXC and it did not change behaviour. It does toggle touch when you access the slot with nitropy directly. I’m not sure if it’s a bug (besides the NK I used is still on an old firmware, try with yours).
I may be wrong, but I think the “passive” mode refers to how the HMAC is used by KeepassXC. Basically, it enhances the database master password, so it does not salt an individual password entry and as long as the database is open (decrypted), all entries are transparent. The HMAC challenge changes every time you save the database only and in the meantime the passive/static challenge-response can theoretically be sniffed and fed to KeepassXC again later. So, if the notion is to require a presence (touch) instead of an additional password, this is not very safe for a master password (e.g. also compared to a fido2 resident key requiring touch). An alternative is to use a lower database closing timeout and keep the HMAC as second-factor.
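A simplified model of the mechanism described in the reply above, added here as an illustration and not KeepassXC's or Nitrokey's own code: the HMAC slot only answers a challenge stored with the database, the challenge is renewed only on save, so the same response unlocks the database until the next save. The key-mixing steps, class and function names are assumptions.

```python
import hashlib
import hmac
import os


def token_response(slot_secret: bytes, challenge: bytes) -> bytes:
    """Models the HMAC slot: the secret stays on the device, only the
    HMAC-SHA1 of the challenge is handed back to the host."""
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, response: bytes) -> bytes:
    """Mixes password and token response into the database key.
    Assumed shape only: SHA-256 over the hashed password and hashed response."""
    h = hashlib.sha256()
    h.update(hashlib.sha256(password.encode()).digest())
    h.update(hashlib.sha256(response).digest())
    return h.digest()


class Database:
    """Keeps the challenge that is stored next to the database; a fresh
    challenge is drawn only when the database is saved."""

    def __init__(self) -> None:
        self.challenge = os.urandom(32)

    def save(self) -> None:
        self.challenge = os.urandom(32)


def stale_response_still_unlocks(slot_secret: bytes, password: str) -> tuple[bool, bool]:
    """Returns (stale response valid before save, stale response valid after save).
    'Stale' is a response computed in an earlier session for the same challenge,
    i.e. what a passive observer of the host/token exchange would have seen."""
    db = Database()
    stale = token_response(slot_secret, db.challenge)
    genuine_key = composite_key(password, token_response(slot_secret, db.challenge))
    before_save = composite_key(password, stale) == genuine_key
    db.save()  # new challenge written with the database
    fresh_key = composite_key(password, token_response(slot_secret, db.challenge))
    after_save = composite_key(password, stale) == fresh_key
    return before_save, after_save


if __name__ == "__main__":
    # Constructed sample values; expected: (True, False)
    print(stale_response_still_unlocks(b"constructed-slot-secret", "correct horse"))
```

The point is not the cryptography but the lifetime of the response: without a touch requirement and with a challenge that only rotates on save, the token contributes a static second factor rather than a per-unlock presence check.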