How to set up Nitrokey 3 with KeePassXC on (K)Ubuntu

Hi all,

Where can I find instructions to set up the challenge response from KeePassXC together with the Nitrokey? Can someone tell me exactly what steps I need to do?

Many thanks in advance!

KeePassXC doesn't use FIDO. YK chalresp equivalent and HMAC aren't available on 3C as far as I can tell.

You can put a keyfile in a USB (or Nitro storage) and have a security key dongle that way. Or buy a different key for chalresp (standard Yubikey for instance).

---->Ok, I see you have already tried this. NK 3C can HMAC? Were you successful with this yet?

Command line tool to interact with Nitrokey devices 0.4.39
Usage: nitropy nk3 secrets add-challenge-response [OPTIONS] {1|2} SECRET

hexinput.txt requires (which?) Yubikey. Can you generate a new hex just for a Nitrokey?

In certain circumstances my Nitrokey is recognized by KeePassXC on Manjaro Linux; details of the problem can be found in another topic. The whole thing is not stable yet. On two devices with Manjaro Linux I have the same behavior as in the linked topic. So I want to test my luck on a Kubuntu system to understand what the problem is with Manjaro/Arch.

What are the minimum required software versions for the Nitrokey to be recognized by KeePassXC?

Currently I have installed / am using:

  • Nitrokey Firmware: v1.5.0
  • gpg 2.2.27
  • pcscd 1.9.5
  • libccid 1.5.0

With the previously mentioned versions, the Nitrokey is recognized by KeePassXC.

It’s important that the Nitrokey is plugged into the computer before starting KeePassXC (as reported here).

Additional customizations/comments:

  • The scdaemon.conf file in the ~/.gnupg directory is not required.
  • udev-rules are set up

It’s not a solution for Qubes.

Is there a command needed to mount the Nitrokey, because I started KeePassXC after I had the USB key attached to the VM (vault) and “Hardware Key” says “No Hardware Keys Detected”?

But Nitro LED flashes when refresh button is pushed so there is software/hardware interaction.

Nitrokey 3 is not a storage device; lsblk will only show block devices that are passed through to the domU.
What does lsusb or dmesg show?

qubes-usb-proxy should work fine for attaching Nitrokey devices to domU.

The vault VM is also intended to be “air-gapped” and would not be used with devices except USB storage to transfer files into the domU.

Also keep in mind the HMAC setup for slot 2 needs to be complete. Without it, KeePassXC will prompt “no hw key detected” regardless.

I think your question should be moved to a separate topic, because the headline of this topic is for (K)Ubuntu. In my opinion topics should not be mixed up; linking to other similar problems is ok.

Ok, maybe I will move the discussion here as per @mepii0011's wishes. I wouldn’t think security keys would be infectious because, as you said, it's not storage, so no data transfer vector. Vault still doesn’t have internet access, so it is a semipermeable vault.