My Nitrokey 3C NFC stopped being detected by KeepassXC after upgrading to the latest flatpak (commit 3f6ba9832930f879ff7f80521b8d122e60dd933a9bd00098154c844c0fb6b138); I’m running ubuntu 2024.04. The release notes say Update pcsc-lite to 2.3.3, so I wondered whether this is an issue on the KeepassXC (the KeepassXC version didn’t change) side or with the pcsc libraries.
Anyone else experiencing this issue? Any suggestion where I could look to track down the cause of this issue is greatly appreciated!
For now the issue could be solved for me by downgrading to the previous flatpak (commit e201537efbbeace519534bf535c83dc51dba4392a44042dcee0b4599106cd31e). But long term I’d like to use the latest flatpak.
Same here with a Nitrokey 3A Mini under Linux Mint 22.1 and KeepassXC(up to date version via Flatpak as recommended).
The key works with other programs like firefox and is displayed correctly in the Nitrokey App. So I suspect it’s an issue with the latest KeepassXC update. Have you checked their forum yet?
Please let me know when it works for you again.
I’ve had a look at the keepassXC github page. Couldn’t find any reported issues there. So it seems that other hardware keys under Linux are not affected.
Under Windows 10 no issues. The key is detected. Same keepassXC version 2.7.10 on both OS.
Screenshot Linux attached.
Run flatpak remote-info --log flathub org.keepassxc.KeePassXC to see the available version. The final version that is causing the issues for me seems to not be a KeepassXC update but just an update of libraries bundled in the flatpak.
The newest flatpak that works for me is e201537efbbeace519534bf535c83dc51dba4392a44042dcee0b4599106cd31e, which is the update to 2.7.10. Run flatpak update --commit=e201537efbbeace519534bf535c83dc51dba4392a44042dcee0b4599106cd31e org.keepassxc.KeePassXC to downgrade. So you need to sudo or log in as root.
But this isn’t a long-term fix; but at least I can access my password database again for now.
I’ve opened a github issue; let’s see if we get some further ideas over there.
I went back to Windows, removed the challenge-response and added a key file. So this has to work until the issue is resolved.
Would be really unlucky if we couldn’t use the Nitrokey with keepassXC anymore. That was the only reason I bought it. Actually I bought two 3A Minis, one as a backup.
Ich habe jetzt mal den Nirokey-Support direkt per Email angeschrieben, da hier ja offensichtlich nicht so viel “los ist”.
Ich melde mich, sobald die antworten.
Sorry, forgot to use English:
“I’ve now contacted Nirokey support directly via email, as there’s obviously not much going on here.
I’ll get back to you as soon as they respond.”
Indeed. I definitely need a key that works with KeepassXC for both, Linux and Windows. So I might have to switch to a key that is directly supported by KeepassXC, if this issue can’t be resolved.
For others who might follow this, here ist the latest response from KeepassXC. They speculate that the Nitrokeys are emulated as an NFC-Device, as there ist no special hardware support from them. See attached screenshot.
@geoW Thanks! True, KeePassXC ist distributed in many other formats (snaps, AppImage as well as disto-specific packages). I’ve tried the former two and finally settled with flatpak as best (for me at least) solution. Trying a different format is certainly much better than buying new hardware keys or going back to keyfiles… @Marco1 Have you considered that? I’ll continue looking for a solution using flatpak … at least for now.
Both, KeePassXC and Nitrokey recommend flatpak as the most reliable way to run their apps with automatic updates.
I could use the system package as well, but in the repository the KeepassXC version is 2.7.6. On Flatpak/Windows/Mac it’s 2.7.10.
I need it up to date and cross-platform for Linux, Windows and probably soon for Mac as well. And I have to make it as safe as possible, as I have to store customer passwords temporarily sometimes.
So if all goes wrong, I might have to talk to the guys from KeePassXC to recommend a hardware key that works best with their app.
So you are complaining about nitrokey, do you have another working key say yubikey working with your setup?
As I understand this discussion it is the changing flatpak which does the trouble.
Yes, we need the version 2.7.10, so we have the choice running a rolling release of our desktop distro, do try some vm’s or containerizations.
The promised solution of flatpak, snap and appimage works differently on various distros.
After reading yours comments I would say the flatpak maintainer should be the first address to complain.
I’m not complaining at all. I just think about my options. But I need KeepassXC. So if there is no other software option, I’ve to look for other hardware.
And yes, we opened an issue report at keepassXC github as well. Now both parties are discussing a solution. I would love to continue using my Nitrokeys. I paid a lot of money for them. I wanted a safe product - I like the philosophy of Nitrokey. And they are from my home country. I want to support that!
When I bought the keys there was a Tutorial how to use it with keepassXC. I’m confident the software developers will solve this issue, as KeepassXC is the most common Cross-platform password manager. I think there is only one, to be precise.
I don’t want containerization or VM’s for this use case. The plan is to enroll the keys to my customers as well. I need a solution that works out of the box cross platform.
And if that means, that I have to test other Hardware, I will of course do that. That’s how it works. Can’t see your issue here.
georg@ostw:~> LANG=C
georg@ostw:~> zypper info pcsc-lite
Loading repository data...
Reading installed packages...
Information for package pcsc-lite:
----------------------------------
Repository : Haupt-Repository (OSS)
Name : pcsc-lite
Version : 2.3.3-1.1
Arch : x86_64
Vendor : openSUSE
Installed Size : 139.6 KiB
Installed : Yes (automatically)
Status : up-to-date
Source package : pcsc-lite-2.3.3-1.1.src
Upstream URL : https://pcsclite.apdu.fr/
Summary : PC/SC Smart Cards Library
Description :
PC/SC Lite provides a Windows SCard interface in a small form factor
for communication with smart cards and readers.
Security aware people should read the SECURITY file for possible
vulnerabilities of pcsclite and how to fix them. For information on how
to install drivers please read the DRIVERS file.
Memory cards will be supported through the MCT specification, which is
an APDU like manner sent normally through the SCardTransmit() function.
This functionality is exercised in the driver.
georg@ostw:~> cat /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20250916"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20250916"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
# CPE 2.3 format, boo#1217921
CPE_NAME="cpe:2.3:o:opensuse:tumbleweed:20250916:*:*:*:*:*:*:*"
#CPE 2.2 format
#CPE_NAME="cpe:/o:opensuse:tumbleweed:20250916"
BUG_REPORT_URL="https://bugzilla.opensuse.org"
SUPPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed"
@christian I have. And I personaly could live with that.
But: I’m actually looking for an easy to use, well integrated, up to date, cross platform, out of the box, cloud-free, open source password manager. And I’d like to secure it with a low profile hardware key with touch function like the Nitrokey 3A Mini.
The thought behind this is, that it has to be bullet proof for the average customer. I can find ways around these issues. My customers can’t. And I don’t want to support these issues. It’s hard enough to convince small businesses and private customers to use a decent password management that’s not the usual big players with their proprietary software and corporate cloud. Or try to convice people to try Ubunt/Mint instead of Win11(plus new Hardware) That’s what I’m competing with. If I go this way I have to make sure that things work out.
Thank you for all your effort so far! I think there will be a solution. I mean, both, Nirokey and KeePassXC advocate flatpak as their favorite update solution for their own apps. So would be kinda sad, if they won’t find a way
