Nitrokey 3 / Keepass XC can not find Nitrokey

Hey there,
I am new to 2FA keys and recently bought a few Nitrokey 3.

I am currently using PopOS and tried the AppImage and Flatpak versions of KeepassXC for the challenge response but it did not work.
I checked out several forum topics here but could not find a clear path to get it working.

  • I installed nitropy
  • I set the udev rules
  • Firmware update was not necessary. The key already has 1.5.0
  • I did “nitropy nk3 test” and everything looks fine.
  • KeepassXC has version 2.7.6
  • The Key also works for my E-mail clients

I then followed this instruction:

I got a confirmation that the secret is stored correctly with that command: “nitropy nk3 secrets list”.

I also started the pcscd service with this command:
“sudo systemctl start pcscd.service”

I also did the following command “pcsc_scan -r” and the key is visible in the output.

I restarted the device, closed the tools, plugged the stick in before opening keepassxc, etc.

I can not get it working. Any idea why?
Do I need to change some settings in KeepassXC?

I read something about the “gpg --card-status”, not sure if that's necessary?

Thx.

A “gpg --card-status” is not related.

We figured in the forum that Keepassxc has a number of issues regarding a stable recognition of hardware keys, both the flatpak and other/regular installs.

Try the following:

  1. start/enable the pcscd.service
  2. Plug in the key with started and wait a few seconds after the LED turns off
  3. Only then start keepassxc and navigate to what you want to do (either create a new database or open the existing one)
  4. Is the Nitrokey key listed in the field to select a hardware key? If not, press the refresh button. If it is not listed, try again with patience between 2 and 3 after a reboot.
    What happens?

Hey,

thank you for the reply and the suggestion.

I tried the recommended process a few times but KeepassXC does not detect the key. I tried the AppImage and the Flathub version.

Any other idea?

Another point with the KeepassXC mechanism is, that it will only list the hardware key, if it finds a suitable HMAC secret. Does nitropy show yours in slot2?

I used the following command:

  • nitropy nk3 secrets list

Got this output:

  • “Command line tool to interact with Nitrokey devices 0.4.41”
    “01. HmacSlot2 Hmac/Sha1”

Should be correct, right?

Yes, that output looks just right.
I’ve also tried it with Keepassxc 2.7.6, same as yours, in the past and another user tested it on Ubuntu 22.04 (which may be the base of your PopOS), but as a regular apt install.

I wonder if problems come from USB. Perhaps you can test like this:

  1. open the keepassxc wizard to create a new database

  2. plug-in any regular USB storage device

  3. In keepassxc advanced settings, select “add key file” and see if you can browse to the USB storage device

  4. cancel
    If you can browse to the USB key, my guess would be your Nitrokey should be recognised too.

  5. Double-check USB enumeration: start a sudo dmesg --follow terminal and plug in the Nitrokey. It should be recognised as a “USB HID v1.11 Device [Nitrokey Nitrokey 3] on usb-0 …” device

Not sure what to try next though.

I tried the first recommended option with a new database and I could enter a normal USB stick and see its content with the key-file option.

I also tried the command you mentioned and got the following output: (I added “x’s” in some outputs, was not sure if I can share the data public on here).

[xxx] usb 1-4: New USB device found, idVendor=xxxx, idProduct=xxxx, bcdDevice= 1.05
[xxx] usb 1-4: New USB device strings: Mfr=xx, Product=xx, SerialNumber=xx
[xxx] usb 1-4: Product: Nitrokey 3
[xxx] usb 1-4: Manufacturer: Nitrokey
[xxx] hid-generic xxx: hiddev3,hidraw5: USB HID v1.11 Device [Nitrokey Nitrokey 3] on usb-xxx/input1
[xxx] cdc_acm xx:xx: ttyACM0: USB ACM device

So it seems that everything is correct. Not sure where the issue is.

Yes, that looks perfectly fine.
Perhaps you create a new user in the system and try if that changes anything.

Other than that I see that keepassxc closed an issue because the PopOS flatpak is not maintained by them.

The beginning of each line is the system timestamp. It will start from zero at the next boot. idVendor/idProduct are the public numbers in the worldwide USB database. What’s sensitive is the Serialnumber of your key. Just so you know.

Hey, following on with this thread. I am facing the same problem. The nk3A is detected by keepassxc on windows system but it does not detect on the linux OS like debian or fedora.

I have tried things mentioned in this thread and other posts but still no success yet. (On linux mint lmde)
The steps I have tried so far

  • set hmac secret through nitrokey App 2.
  • set the pcscd.service running
  • set the udev rules as mentioned in troubleshooting
  • restarted pcscd.service.
  • disconnected and reconnected nk3
  • started keepassxc standalone v2.7.8
    Result - keepassxc does not detect nk3.

Not sure what else needs to be done, followed some other threads but no luck yet. Any input is appreciated.

Provided that the udev rules have been set as described here and the pcscd service has been started with “sudo systemctl start pcscd.service”.
Install the latest version of KeePassXC (2.7.8) with flatpak “flatpak install flathub org.keepassxc.KeePassXC” and it should work on Linux like Debian-based systems and Fedora.


wooh! that just worked. Thanks for the suggestion.
I had tried the flatpak version earlier (maybe didn’t try other things like udev rules, pcscd service) but uninstalled it as many issues in keepassxc github seemed to indicate the flatpak version had the problems itself. So had been relying on the appimage since then for testing.

Also to make a note for anybody in the future, setting the udev rules may not be necessary if your OS is already having udev version 244 or above as stated in this guide.
Though the pcscd service would be important to its functioning along with some other dependencies relating to smart card.

On newer debian you might need to use keepassxc-full package as all network related code has been removed from the keepassxc package.
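
The checks suggested across this thread (HMAC secret in slot 2, USB HID enumeration, pcscd state, udev version), collected as an added example that is not part of any post above or of Nitrokey's or KeePassXC's tooling. The function names are made up for illustration, and the sample output is constructed (vendor/product IDs zeroed, serial invented); it also shows masking the serial number before posting dmesg output.

```shell
#!/usr/bin/env bash
# Added example. The checks run on captured text, so the script works offline.
# SAMPLE_* values are constructed, not taken from a real device.

SAMPLE_SECRETS='Command line tool to interact with Nitrokey devices 0.4.41
01. HmacSlot2 Hmac/Sha1'
SAMPLE_DMESG='[  100.1] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  100.1] usb 1-4: Product: Nitrokey 3
[  100.1] usb 1-4: SerialNumber: CONSTRUCTED0123456789
[  100.2] hid-generic 0003:0000:0000.0007: hiddev3,hidraw5: USB HID v1.11 Device [Nitrokey Nitrokey 3] on usb-0000:00:14.0-4/input1'

# KeePassXC lists the key only if an HMAC secret exists in slot 2.
has_hmac_slot2() { printf '%s\n' "$1" | grep -Eq 'HmacSlot2[[:space:]]+Hmac/Sha1'; }

# The kernel must have bound the key as a USB HID device.
hid_enumerated() { printf '%s\n' "$1" | grep -Eq 'USB HID v[0-9.]+ Device \[Nitrokey Nitrokey 3\]'; }

# udev 244 or newer: per the thread, manual udev rules may then be unnecessary.
udev_ge_244() { v=${1%%[!0-9]*}; [ -n "$v" ] && [ "$v" -ge 244 ]; }

# Mask the serial value before sharing dmesg output. "SerialNumber=3" in the
# "device strings" line is only a string index and is left untouched.
redact_serial() { printf '%s\n' "$1" | sed -E 's/(SerialNumber: ).*/\1[redacted]/'; }

# preflight SECRETS DMESG PCSCD_STATE UDEV_VERSION
# Prints one line per failed check; prints nothing when all four pass.
preflight() {
    has_hmac_slot2 "$1" || echo "no HmacSlot2 Hmac/Sha1 secret on the key"
    hid_enumerated "$2" || echo "key not enumerated as USB HID"
    [ "$3" = "active" ] || echo "pcscd.service not active"
    udev_ge_244 "$4"    || echo "udev older than 244: install the udev rules"
    return 0
}

# Live use, with the commands mentioned in the thread:
#   preflight "$(nitropy nk3 secrets list)" "$(sudo dmesg)" \
#             "$(systemctl is-active pcscd.service)" "$(udevadm --version)"
#   redact_serial "$(sudo dmesg)"
```

An empty result from preflight only rules out the prerequisites discussed above; as the thread shows, the KeePassXC packaging (AppImage, Flatpak, distribution package) can still be the deciding factor.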