Nitrokey 3 RSA4096 private keys are not recognized by gpg on Windows

Dear all,

After generating the RSA4096 key pair and importing it onto my Nitrokey 3, I’m unable to decrypt files on Windows.
I get an error, something like “invalid ID”. This is probably because gpg recognizes only the public key, which is still on the computer, but does not try to use the keys from the Nitrokey 3, even though Kleopatra states that the keys are stored on a security card.
It worked on Android with OpenKeyChain. I just needed to import the public key separately, but it worked all fine then.

I’ve tried with RSA2048 keys generated on the key itself, and these work. Both RSA3072 and RSA4096 are unable to be generated on device.
I have yet to try if imported RSA2048 works.

Can someone help me please with this?
If it turns out that even imported RSA2048 isn’t working, is there a way to export private keys? Or at least to clone them onto another Nitrokey?

Thank you all for help.
Best wishes.
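One way to check the hypothesis in the post above (gpg sees the public key but has no link to the card) is to compare the card's key slots with the local secret-key listing. This is an added example, not code from the thread or from Nitrokey; the sample outputs, fingerprints and card serial are constructed, and field positions follow GnuPG's colon-format documentation (doc/DETAILS).

```python
# Added example. The two sample outputs are constructed, not taken from the thread.
SLOTS = ("sign", "encrypt", "auth")
AID = "D276000124010304000F000000010000"            # constructed card serial (AID)
F_SIG, F_ENC, F_AUT = "A" * 40, "B" * 40, "C" * 40  # constructed fingerprints

# Shape of `gpg --card-status --with-colons` (only the lines used here)
CARD_STATUS = f"""keyattr:1:1:4096:
keyattr:2:1:4096:
keyattr:3:1:4096:
fpr:{F_SIG}:{F_ENC}:{F_AUT}:
"""
# Shape of `gpg --list-secret-keys --with-colons`; field 15 is the token field
SECRET_KEYS = f"""sec:u:4096:1:{F_SIG[-16:]}:1700000000:::u:::scSC:::{AID}:
fpr:::::::::{F_SIG}:
ssb:u:4096:1:{F_AUT[-16:]}:1700000000::::::a:::+:
fpr:::::::::{F_AUT}:
"""

def parse_card(colons):
    """Return {slot: (rsa_bits, fingerprint)} for the three OpenPGP card slots."""
    bits, fprs = {}, {}
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "keyattr" and len(f) > 3 and f[2] == "1":  # algo 1 = RSA
            bits[SLOTS[int(f[1]) - 1]] = int(f[3])
        elif f[0] == "fpr":
            fprs = dict(zip(SLOTS, f[1:4]))
    return {s: (bits.get(s), fprs.get(s, "")) for s in SLOTS}

def parse_secret_keys(colons):
    """Return {fingerprint: token_field} for every sec/ssb record."""
    keys, token = {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            token = f[14] if len(f) > 14 else ""
        elif f[0] == "fpr" and token is not None:
            keys[f[9]] = token   # the fpr record follows its sec/ssb record
            token = None
    return keys

def diagnose(card, secret):
    """Per card slot: (RSA bits, what the local keyring holds for that key)."""
    labels = {None: "no secret-key entry", "+": "secret key on disk",
              "#": "stub without token", "": "entry without token field"}
    report = {}
    for slot, (bits, fpr) in card.items():
        token = secret.get(fpr) if fpr else None
        state = "empty slot" if not fpr else labels.get(token, f"card stub {token}")
        report[slot] = (bits, state)
    return report
```

On a real system, pass the text printed by `gpg --card-status --with-colons` and `gpg --list-secret-keys --with-colons` to the two parsers. A slot reported as "no secret-key entry" means the keyring has nothing that points gpg at the card for that key.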

opcard-rs is under development, and larger RSA key sizes have been added, but they might need compile flags (which might not be enabled in the currently provided firmware) or might allow import and not key generation on the card.

Elliptic curve support is still better implemented.

You can see the features here:

@sosthene-nitrokey should the keygen for RSA 4096 already work on the firmware in the field?

> It worked on Android with OpenKeyChain. I just needed to import the public key separately, but it worked all fine then.

How were you able to make the Nitrokey 3 work with OpenKeyChain? There is ongoing work to add support to it, but it’s still not released.

> Both RSA3072 and RSA4096 are unable to be generated on device.

Only key import is supported for RSA 3072 bits and higher.
We are working on lifting this restriction.

I did this first by generating a key pair (it worked even with RSA4096) on my computer with gpg. Then, when transferred to a Nitrokey 3 (firmware version 1.6.0), both the private key and the authentication key are not present on the device anymore. Still, the public key remains.

I took the public key (for the one on the Nitrokey 3) and transferred it to my phone. In OpenKeyChain, choose “Import from file”, then find the public key and import it. This should work with no issues for anyone. After this, I added the private key from the Nitrokey 3 through the option “Manage my keys → Use Security Token”. The trick was, I didn’t do it via NFC, but through the USB port (it asks for an OpenPGP PIN). Mine was USB-A type and it still worked with a USB-C to USB-A adapter. I retried it a few times, and it worked. Please look at finding No. 3 below.

With NFC it had some initialization error. But this could be due to my phone. I use microG as a Google Framework spoof and it’s not able to utilize FIDO2 from security keys either through NFC or the USB port. On classic Google Android it works, but only through the USB port, for both OpenPGP and FIDO2.

I tinkered with it a lot and came to the following conclusions:

  1. My older Google Android phone (Android 9) always shows some NFC read error. On my newer degoogled phone though (Android 14) it opens when no challenges are there. Currently I have no working example of NFC in any form on Android. I doubt that laptops have NFC capabilities.
  2. If I try to use FIDO2 through NFC, on the older phone I get “NFC read error”; on the newer one it just vibrates and nothing happens. No error message or similar. If I do it through the USB port, on the older one it just works and on the newer one I get prompted “Allow microG Services to access Nitrokey 3?”. When I press “OK” it blinks and lands basically in the same position as with NFC, just with no vibration. It’s probably because of some incompatibility with microG Services, which you cannot address.
  3. When decrypting a file with OpenKeyChain, the key has to already be plugged in to a USB port in order for it to work. If I start decryption and insert it later, OpenKeyChain still looks for the key through NFC. And every other action involving OpenPGP keys from the Nitrokey 3 has to be done so, otherwise it won’t work. So I think this and the presence of an already imported public key are crucial to reproduce my findings.
  4. And as I said, OpenPGP through NFC throws me an “initialization error”. Unfortunately, I cannot provide you more information on that. Maybe there’s a way; please tell me how, if any.
  5. If I try to import keys from the Nitrokey 3 without prior existence of the public key, it doesn’t find it somehow. Probably an app issue. It tries to fetch the (public) key from the Public Key Server URL (which was nonexistent in my case). Maybe it would work the same way as mine did with manual import. But still, you’d have to import your public key online.
  6. Now I added new IDs to the key with Kleopatra, but I cannot revoke them or change the primary ID (from the last generated one). Kleopatra just remains unresponsive when doing any of these two things.

By the way:

Actually decryption with RSA2048 generated on a computer and then imported to Nitrokey 3 works perfectly. I was able to use two different Nitrokeys 3 and both could decrypt the same data (it also worked under conditions from 3.)

Hopefully you find my findings helpful in improving Nitrokeys. Sorry for posting all of them in a single topic, but I think it’s better to share what I found out than to keep it to myself.

If you have any further questions or would like for me to test something, please ask me. I’d be glad to help.

You’re doing an amazing job by making such a range of features within one Security Key. Nitrokey 3 is basically “The Swiss Army Knife of Security keys” and is additionally open-source and open hardware.

I wish you all the best in improving the Nitrokeys.
Best regards.

OpenPGP over NFC is not supported at all, and is not planned.

open-keychain over USB has some compatibility issues and is being worked on.

Have you been able to resolve the initial issue you had with RSA 4096 bits on Windows?


Unfortunately not. It seems that the key types that Nitrokey 3 cannot generate natively also cannot be used for OpenPGP encryption. At least this happens for me on Windows. I also have RSA4096 keys on device and they work perfectly.

Good to know that NFC isn’t supposed to be working with OpenPGP. Still, OpenKeyChain thinks this is the default way. As for Android, I cannot remember if I used RSA4096 from Nitrokey there.

If I can help anymore, please let me know. I wish you all the best and a lot of success in the future.