There are some posts in this forum about problems using Nitrokey 3 as additional protection for KeePassXC because the key is not recognised.
I have the same problem on openSUSE Linux Leap 15.6. It looks like this:
I created an HMAC secret:
$ nitropy nk3 secrets list
Command line tool to interact with Nitrokey devices 0.7.3
01. HmacSlot2 Hmac/Sha1
Status of Nitrokey 3 looks good:
$ nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.7.3
UUID: ....
Firmware version: v1.8.1
Init status: ok
Free blocks (int): 235
Free blocks (ext): 464
Variant: NRF52
udev rules are in place, NK3 shows up as /dev/hidraw1:
$ nitropy nk3 test
Command line tool to interact with Nitrokey devices 0.7.3
Found 1 NK3 device(s):
- Nitrokey 3 at /dev/hidraw1
Running tests for Nitrokey 3 at /dev/hidraw1
[1/5] uuid UUID query SUCCESS ....
[2/5] version Firmware version query SUCCESS v1.8.1
[3/5] status Device status SUCCESS Status(init_status=<InitStatus: 0>, ifs_blocks=235, efs_blocks=464, variant=<Variant.NRF52: 2>)
Running SE050 test: |
[4/5] se050 SE050 SUCCESS SE050 firmware version: 3.1.1 - 1.11, (persistent: (28512,), transient_deselect: (607,), transient_reset: (592,))
Please press the touch button on the device ...
Please press the touch button on the device ...
[5/5] fido2 FIDO2 SUCCESS
5 tests, 5 successful, 0 skipped, 0 failed
pcscd is running:
$ systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; preset: disabled)
Active: active (running) since Thu 2025-02-27 17:42:30 CET; 22min ago
TriggeredBy: ● pcscd.socket
Docs: man:pcscd(8)
Main PID: 5897 (pcscd)
Tasks: 9 (limit: 4915)
CPU: 636ms
CGroup: /system.slice/pcscd.service
└─5897 /usr/sbin/pcscd --foreground
Feb 27 17:42:30 Astaldo systemd[1]: Started PC/SC Smart Card Daemon.
Feb 27 17:42:30 Astaldo pcscd[5897]: CYBERJACK: Started
There is no ccid package for openSUSE, but a package called pcscd-ccid, which is installed.
KeePassXC version is 2.7.9 and it makes no difference whether I use the flatpak version or one installed from system packages.
Still, KeePassXC keeps saying “No hardware keys detected”. The NK3 has been plugged in before starting KeePassXC. Yubikey works fine.
Hi @ion, thanks for this hint. In fact, the HMAC secret has been created in base32 format following these instructions from the Nitrokey docs. I used the Nitrokey App 2 for this.
I have the same use case as in the post you pointed me to, using the Nitrokey as a backup for a Yubikey as hardware secret for KeePassXC (or vice versa, it doesn’t matter).
Do you think it would help to delete the secret and generate it again?
I am not at the point where I try to open my Yubikey-secured Keepass-Database with my Nitrokey. Trying to use the Nitrokey as a hardware secret for a new database still fails: “No hardware key detected”.
I had the same experience setting up a laptop with Tumbleweed a few weeks ago. If I remember right, I had to install some packages, and I wanted to use my Reiner card reader.
After that KeePassXC worked as expected: first put the key in, then start KeePassXC. I have not installed nitropy, but NitrokeyApp2 from Flathub; there I did some firmware upgrades.
georg@ostw:~> zypper search pcsc*
Repository-Daten werden geladen...
Installierte Pakete werden gelesen...
S | Name | Summary | Type
---+--------------------------+----------------------------------------------------------------------------+------
| pcsc-acr38 | PC/SC IFD Handler for the ACR38 Smart Card Reader | Paket
| pcsc-acr38-devel | PC/SC IFD Handler for the ACR38 Smart Card Reader | Paket
| pcsc-acsccid | PCSC Driver for ACS CCID Based Smart Card Readers | Paket
| pcsc-asedriveiiie-serial | ASEDrive IIIe Serial Smartcard Reader Driver | Paket
| pcsc-asedriveiiie-usb | ASEDrive IIIe USB Smart Card Reader Driver | Paket
| pcsc-asekey | ASEKey USB Token Driver | Paket
i+ | pcsc-ccid | PCSC Driver for CCID Based Smart Card Readers and GemPC Twin Serial Reader | Paket
i+ | pcsc-cyberjack | PC/SC IFD Handler for the Reiner SCT Cyberjack USB-SmartCard Readers | Paket
| pcsc-eco5000 | PC/SC IFD Handler for the ECO 5000 Serial Smart Card Reader | Paket
| pcsc-eco5000-devel | PC/SC IFD Handler for the ECO 5000 Serial Smart Card Reader | Paket
i | pcsc-lite | PC/SC Smart Cards Library | Paket
| pcsc-lite-devel | Development package for the MUSCLE project SmartCards library | Paket
| pcsc-lite-devel-32bit | Development package for the MUSCLE project SmartCards library | Paket
| pcsc-reflex60 | PCSC-Treiber für Schlumberger Reflex 60 Smartcard-Lesegeräte | Paket
i+ | pcsc-tools | Smart card tools | Paket
| pcsc-towitoko | PCSC driver for Towitoko Smart Card Readers | Paket
| pcsc-towitoko-devel | PCSC driver for Towitoko Smart Card Readers | Paket
georg@ostw:~>
This is guesswork, but your log shows a card reader. Try removing that and kill a running pcscd pid before inserting the Nitrokey. Perhaps it is an exclusivity problem, there are options for pcscd shared-access and maybe another package (see geoW’s case) installs them.
Thanks @geoW, but I think udev rules are not the issue, because the device seems to be set up properly and all tests and status from nitropy look good. The udev rules I use were installed by a distro package (libnitrokey-udev).
You need to use the flatpak version of keepassxc for the nitrokey to be detected by keepassxc.
I ran into a similar issue some months ago and tried everything including udev rules but couldn’t exactly figure out the problem.
Turned out using the flatpak version of keepassxc just worked for me. (Tried on Mint)
Because I’m using LMDE 6, I only had an earlier, non-compatible version of KPXC available through my package manager, and for various reasons I really dislike using flat versions of things, which initially left me a bit stuck.
I ended up just downloading the latest tar and following the .md to build the 2.7.10 from source, then tested by running it from the terminal.
I’m using the 3c and it worked fine for me taking this route (obviously with a downside being the manual updates in future), so if all else fails maybe try the build from source, then reset the hmac as you suggested and see if that helps?
Time to change the distro? It could probably be a udev rules issue.
Also when using flatpak version check with flatseal if keepassxc has appropriate permissions to usb devices.
The key challenge here is that the hmac-sha is passed through by ccid and pcscd into KeePassXC. For smartcards this is already often painfully unreliable. We are taking this opportunity to improve the docs you are linking. In the meantime the “typical” troubleshooting methods are (trying to be distro-agnostic):
make sure your nk3 is plugged in
remove scdaemon package
make sure no gpg-* is running (means gpg or gpg-agent or whatever might bring them up “on-demand”)
restart pcscd (systemctl restart pcscd) right before starting KeePassXC
You could also observe pcscd by starting it “by hand” in debug mode -d and see if it shows something interesting.
Can you tell which yubikey you are using - which you report as working…
Now this is getting us somewhere. The solution is not directly in your post, but it pointed me in the right direction. The debug output from pcscd made me think and search, so I found that there is a support article on the Nitrokey website I have not been aware of.
The solution is readily there: “Support for the Nitrokey 3 was added in libccid 1.5.0.” I have ccid 1.4.36. And further: “If you cannot update libccid to a supported version, you have to manually update the device database.” In fact, it is sufficient to add two lines with a mapping from ifdProductID (0x42B2) to ifdFriendlyName (Nitrokey Nitrokey 3).
After that, my Nitrokey shows up with pcsc_scan -r and is available as HMAC secret in KeePassXC. Perfect! Thanks a lot!
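A quick check for the fix described in the last post, added here as an example and not part of the thread or of any Nitrokey or ccid tooling: it parses a libccid Info.plist device database and reports whether the Nitrokey 3 is listed. The product ID 0x42B2 and the friendly name come from the post; the USB vendor ID 0x20A0, the function name and the sample database are assumptions made for the example.

```python
import plistlib
import sys

# 0x42B2 and the friendly name are the values quoted in the thread; the USB
# vendor ID 0x20A0 (Nitrokey) is an assumption, it is not stated in the thread.
NK3_VENDOR, NK3_PRODUCT = 0x20A0, 0x42B2


def find_reader(plist_bytes, vendor=NK3_VENDOR, product=NK3_PRODUCT):
    """Return the friendly name mapped to vendor:product, or None if absent.

    The device database is three parallel arrays: entry i of ifdVendorID,
    ifdProductID and ifdFriendlyName together describe one reader, so a
    hand edit has to keep all three aligned.
    """
    info = plistlib.loads(plist_bytes)
    vids = info.get("ifdVendorID", [])
    pids = info.get("ifdProductID", [])
    names = info.get("ifdFriendlyName", [])
    if not (len(vids) == len(pids) == len(names)):
        raise ValueError(
            f"arrays out of sync: {len(vids)} vendor, "
            f"{len(pids)} product, {len(names)} name entries")
    for vid, pid, name in zip(vids, pids, names):
        # IDs are stored as hex strings such as "0x42B2"
        if int(vid, 16) == vendor and int(pid, 16) == product:
            return name
    return None


# Constructed sample in the Info.plist layout; 0x1234/0x5678 are made-up IDs.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>ifdVendorID</key><array><string>0x1234</string>{v}</array>
<key>ifdProductID</key><array><string>0x5678</string>{p}</array>
<key>ifdFriendlyName</key><array><string>Example Reader</string>{n}</array>
</dict></plist>"""
OLD_DB = TEMPLATE.format(v="", p="", n="").encode()
PATCHED_DB = TEMPLATE.format(
    v="<string>0x20A0</string>", p="<string>0x42B2</string>",
    n="<string>Nitrokey Nitrokey 3</string>").encode()

if __name__ == "__main__":
    # Pass the path of the installed Info.plist (its location varies by distro).
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PATCHED_DB
    print(find_reader(data) or "Nitrokey 3 not in CCID device database")
```

Run it against the installed Info.plist before and after editing; a result of None on a pre-1.5.0 libccid matches the "No hardware keys detected" symptom described in the thread.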