Nitrokey 3 / Keepass XC can not find Nitrokey

Hey there,
I am new to 2FA keys and recently bought a few Nitrokey 3.

I am currently using PopOS and tried the AppImage and Flatpak versions of KeepassXC for the challenge response but it did not work.
I checked out several forum topics here but could not find a clear path to get it working.

  • I installed nitropy
  • I set the udev rules
  • Firmware update was not necessary. The key already has 1.5.0
  • I did “nitropy nk3 test” and everything looks fine.
  • KeepassXC has version 2.7.6
  • The Key also works for my E-mail clients

I then followed this instruction:

I got a confirmation that the secret is stored correctly with that command: “nitropy nk3 secrets list”.

I also started the pcscd service with this command:
“sudo systemctl start pcscd.service”

I also did the following command “pcsc_scan -r” and the key is visible in the output.

I restarted the device, closed the tools, plugged the stick in before opening keepassxc, etc.

I can not get it working. Any idea why?
Do I need to change some settings in KeepassXC?

I read something about the “gpg --card-status”, not sure if that's necessary?

Thx.

A “gpg --card-status” is not related.

We figured in the forum that Keepassxc has a number of issues regarding a stable recognition of hardware keys, both the flatpak and other/regular installs.

Try the following:

  1. start/enable the pcscd.service
  2. Plug in the key with started and wait a few seconds after the LED turns off
  3. Only then start keepassxc and navigate to what you want to do (either create a new database or open the existing one)
  4. Is the Nitrokey key listed in the field to select a hardware key? If not, press the refresh button. If it is not listed, try again with patience between 2 and 3 after a reboot.
    What happens?

Hey,

thank you for the reply and the suggestion.

I tried the recommended process a few times but KeepassXC does not detect the key. I tried the AppImage and the Flathub version.

Any other idea?

Another point with the KeepassXC mechanism is that it will only list the hardware key if it finds a suitable HMAC secret. Does nitropy show yours in slot2?

I used the following command:

  • nitropy nk3 secrets list

Got this output:

  • “Command line tool to interact with Nitrokey devices 0.4.41”
    “01. HmacSlot2 Hmac/Sha1”

Should be correct, right?

Yes, that output looks just right.
I’ve also tried it with Keepassxc 2.7.6, same as yours, in the past and another user tested it on Ubuntu 22.04 (which may be the base of your PopOS), but as a regular apt install.

I wonder if problems come from USB. Perhaps you can test like this:

  1. open the keepassxc wizard to create a new database

  2. plug-in any regular USB storage device

  3. In keepassxc advanced settings, select “add key file” and see if you can browse to the USB storage device

  4. cancel
    If you can browse to the USB key, my guess would be your Nitrokey should be recognised too.

  5. Double-check USB enumeration: start a sudo dmesg --follow terminal and plug in the Nitrokey. It should be recognised as a “USB HID v1.11 Device [Nitrokey Nitrokey 3] on usb-0 …” device

Not sure what to try next though.

I tried the first recommended option with a new database and I could enter a normal USB stick and see its content with the key-file option.

I also tried the command you mentioned and got the following output: (I added “x’s” in some outputs, was not sure if I can share the data publicly on here).

[xxx] usb 1-4: New USB device found, idVendor=xxxx, idProduct=xxxx, bcdDevice= 1.05
[xxx] usb 1-4: New USB device strings: Mfr=xx, Product=xx, SerialNumber=xx
[xxx] usb 1-4: Product: Nitrokey 3
[xxx] usb 1-4: Manufacturer: Nitrokey
[xxx] hid-generic xxx: hiddev3,hidraw5: USB HID v1.11 Device [Nitrokey Nitrokey 3] on usb-xxx/input1
[xxx] cdc_acm xx:xx: ttyACM0: USB ACM device

So it seems that everything is correct. Not sure where the issue is.

Yes, that looks perfectly fine.
Perhaps you could create a new user in the system and see if that changes anything.

Other than that I see that keepassxc closed an issue because the PopOS flatpak is not maintained by them.

The beginning of each line is the system timestamp. It will start from zero at the next boot. idVendor/idProduct are the public numbers in the worldwide USB database. What’s sensitive is the serial number of your key. Just so you know.
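
The checks from this thread collected into one script, as an added example that is not part of any post above and not code from Nitrokey or KeePassXC. It verifies the pcscd service, the reader listing and the HmacSlot2 secret before KeePassXC is started, and masks the key's serial number in dmesg text before it is shared. The function names are hypothetical; it assumes the reader name printed by `pcsc_scan -r` contains "Nitrokey" and that the kernel logs the serial on a `SerialNumber: <value>` line.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the KeePassXC + Nitrokey 3 steps in this thread.

# Reads `nitropy nk3 secrets list` output on stdin. Succeeds only if it lists
# the HmacSlot2 credential of kind Hmac/Sha1 that the thread says KeePassXC needs.
has_hmac_slot2() {
    grep -Eq '^[[:space:]]*[0-9]+\.[[:space:]]+HmacSlot2[[:space:]]+Hmac/Sha1[[:space:]]*$'
}

# Reads dmesg text on stdin and masks the device serial before public posting.
# Timestamps, idVendor/idProduct and the "SerialNumber=<index>" string-table
# line are left alone; only the "SerialNumber: <value>" line is changed.
redact_serial() {
    sed -E 's/(SerialNumber: ).*/\1[redacted]/'
}

# Runs the live checks in the order the thread recommends; returns 1 on any failure.
preflight() {
    pf_rc=0
    if systemctl is-active --quiet pcscd.service; then
        echo "ok    pcscd.service is running"
    else
        echo "FAIL  pcscd.service is not running (sudo systemctl start pcscd.service)"
        pf_rc=1
    fi
    # Assumption: the reader name contains "Nitrokey".
    if pcsc_scan -r 2>/dev/null | grep -qi 'nitrokey'; then
        echo "ok    pcsc_scan -r lists the key"
    else
        echo "FAIL  pcsc_scan -r does not list the key"
        pf_rc=1
    fi
    if nitropy nk3 secrets list 2>/dev/null | has_hmac_slot2; then
        echo "ok    HmacSlot2 Hmac/Sha1 secret present"
    else
        echo "FAIL  no HmacSlot2 Hmac/Sha1 secret found"
        pf_rc=1
    fi
    return "$pf_rc"
}

# Live checks run only on request, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it with `--run` while the key is plugged in, and pipe `sudo dmesg` through `redact_serial` before pasting the output into a forum post.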