Hi there,
I have successfully coupled the Nitrokey 3 together with Keepass XC.
For unlocking the database, password is required, but no touch is required (just plugged-in Nitrokey is necessary).
Double check: unplugged Nitrokey leads to error in opening password database.
I am not able to enable the touch (for Keepass XC unlocking) using either the Nitrokey App 2 or the command line pynitrokey tool. I am using the latest Firmware 1.7.2.
The HMAC status is passive, I think this means without touching the button. Does anyone know how to activate this?
You can toggle touch with something like nitropy nk3 secrets update --touch-button 1 HmacSlot2
but I tried it with KeepassXC and it did not change behaviour. It does toggle touch when you access the slot with nitropy directly. I’m not sure if it’s a bug (besides the NK I used is still on an old firmware, try with yours).
I may be wrong, but I think the “passive” mode refers to how the HMAC is used by KeepassXC. Basically, it enhances the database master password, so it does not salt an individual password entry and as long as the database is open (decrypted), all entries are transparent. The HMAC challenge changes every time you save the database only and in the meantime the passive/static challenge-response can theoretically be sniffed and fed to KeePassXC again later. So, if the notion is to require a presence (touch) instead of an additional password, this is not very safe for a master password (e.g. also compared to a fido2 resident key requiring touch). An alternative is to use a lower database closing timeout and keep the HMAC as second-factor.
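As an added illustration of the point made in the reply above (this is example code written for this page, not code from KeePassXC, Nitrokey or any of the posters), the following Python model shows why a static HMAC challenge-response behaves as a "passive" factor: the response for a given challenge is always the same, the challenge only rotates when the database is saved, and a "touch required" flag on the slot gates whether the device answers but does not change the answer. The token, the database header and the composite-key function are all simplified, constructed stand-ins; in particular `derive_key` is an assumed SHA-256 mix and not the real KDBX KDF.

```python
"""Constructed model of HMAC challenge-response key enhancement.

Added example, not KeePassXC's or Nitrokey's code. The KDF is a
simplified SHA-256 mix (assumption); the point is the challenge
lifecycle, not the real KDBX Argon2/AES-KDF pipeline.
"""
import hashlib
import hmac
import os
from typing import Callable


class SimulatedHmacToken:
    """Models one HMAC-SHA1 challenge-response slot (YubiKey/Nitrokey style).

    The response depends only on the slot secret and the challenge, so the
    same challenge always yields the same response. 'touch required' only
    decides whether the device answers at all; it never changes the answer.
    """

    def __init__(self, slot_secret: bytes, touch_required: bool = False) -> None:
        self.slot_secret = slot_secret
        self.touch_required = touch_required

    def respond(self, challenge: bytes, touched: bool = False) -> bytes:
        if self.touch_required and not touched:
            raise PermissionError("slot requires a button touch")
        return hmac.new(self.slot_secret, challenge, hashlib.sha1).digest()


def derive_key(password: str, response: bytes) -> bytes:
    """Assumed simplified composite key: H(H(password) || H(response))."""
    pw = hashlib.sha256(password.encode()).digest()
    return hashlib.sha256(pw + hashlib.sha256(response).digest()).digest()


class SimulatedDatabase:
    """Keeps a cleartext challenge in its header plus a verifier of the key."""

    def __init__(self, password: str, respond: Callable[[bytes], bytes]) -> None:
        self.challenge = os.urandom(32)  # constructed; stored unencrypted in the header
        self.verifier = self._verifier(password, respond)

    def _verifier(self, password: str, respond: Callable[[bytes], bytes]) -> bytes:
        return hashlib.sha256(derive_key(password, respond(self.challenge))).digest()

    def unlock(self, password: str, respond: Callable[[bytes], bytes]) -> bool:
        key = derive_key(password, respond(self.challenge))
        return hmac.compare_digest(hashlib.sha256(key).digest(), self.verifier)

    def save(self, password: str, respond: Callable[[bytes], bytes]) -> None:
        # Saving rotates the challenge, so any response obtained for the old
        # challenge no longer matches. This is the only point of rotation.
        self.challenge = os.urandom(32)
        self.verifier = self._verifier(password, respond)


def demo() -> dict:
    """Walks through the lifecycle and returns the outcome of each step."""
    token = SimulatedHmacToken(os.urandom(20), touch_required=False)
    db = SimulatedDatabase("correct horse", token.respond)

    # 1. Normal unlock with the token present.
    with_token = db.unlock("correct horse", token.respond)

    # 2. A response obtained during an earlier unlock stands in for the token
    #    as long as the challenge is unchanged: this is the 'passive' exposure.
    earlier_response = token.respond(db.challenge)
    without_token = db.unlock("correct horse", lambda _c: earlier_response)

    # 3. Saving rotates the challenge; the earlier response is now stale.
    db.save("correct horse", token.respond)
    stale_after_save = db.unlock("correct horse", lambda _c: earlier_response)

    # 4. A touch-required slot refuses to answer when the button is not pressed;
    #    the client must actually pass the touch through for this to matter.
    touch_token = SimulatedHmacToken(os.urandom(20), touch_required=True)
    try:
        touch_token.respond(db.challenge)
        touch_refused = False
    except PermissionError:
        touch_refused = True

    return {
        "with_token": with_token,
        "without_token": without_token,
        "stale_after_save": stale_after_save,
        "touch_refused": touch_refused,
    }


if __name__ == "__main__":
    print(demo())
```

Step 2 is what makes the factor "passive" between saves, and step 3 is why saving (or a shorter lock timeout, as the reply suggests) bounds that window; step 4 shows that a touch requirement on the slot only helps if the client drives the touch, which is the behaviour the thread is asking about.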
nitropy nk3 secrets list
Command line tool to interact with Nitrokey devices 0.7.3
Please provide PIN to show PIN-protected entries (if any), or press ENTER to skip
Please touch the device if it blinks
Current PIN (8 attempts left):
Please touch the device if it blinks
01. HmacSlot2 Hmac/Sha1 touch required
Still, the Nitrokey is shown as “passive” device in KeePassXC and I am able to unlock the database without touching the button. I also tend to consider this a bug as “touch required” should require it to be touched before delivering the HMAC response, shouldn’t it?
I restarted pcscd and KeePassXC after turning touch on. Firmware version is 1.8.1.
Yes, after more reading I agree keepassxc would not use the touch event, afaik since it relies on the old yubikey challenge-response so far. This keepassxc issue seeks to implement fido2 hmac-secret, which would then bring options for touch/pin.
Reading the issue I see someone contributed a python script, filevault, to work around missing support meanwhile - including a nifty option to add an important backup key. That should work with Nitrokeys, if someone wants to venture trying it.
Hi @ion , @kevin , yes, it looks like you are right. The nitropy CLI pretends that touch is required, but Nitrokey App 2 does not show PIN or touch for HMAC, so probably it is not supported. If so, I guess KeePassXC behaves correctly in consequence, showing the Nitrokey as “passive”.
It requires touch for my Yubikey with HMAC challenge/response.
Let’s hope that the FIDO2 authentication for KeePassXC solves this issue soon and let’s see what the future brings. Thanks for contributing!