There are some posts in this forum about problems using Nitrokey 3 as additional protection for KeePassXC because the key is not recognised.
I have the same problem on openSUSE Linux Leap 15.6. It looks like this:
I created an HMAC secret:
$ nitropy nk3 secrets list
Command line tool to interact with Nitrokey devices 0.7.3
01. HmacSlot2 Hmac/Sha1
Status of Nitrokey 3 looks good:
$ nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.7.3
UUID: ....
Firmware version: v1.8.1
Init status: ok
Free blocks (int): 235
Free blocks (ext): 464
Variant: NRF52
udev rules are in place, NK3 shows up as /dev/hidraw1:
$ nitropy nk3 test
Command line tool to interact with Nitrokey devices 0.7.3
Found 1 NK3 device(s):
- Nitrokey 3 at /dev/hidraw1
Running tests for Nitrokey 3 at /dev/hidraw1
[1/5] uuid UUID query SUCCESS ....
[2/5] version Firmware version query SUCCESS v1.8.1
[3/5] status Device status SUCCESS Status(init_status=<InitStatus: 0>, ifs_blocks=235, efs_blocks=464, variant=<Variant.NRF52: 2>)
Running SE050 test: |
[4/5] se050 SE050 SUCCESS SE050 firmware version: 3.1.1 - 1.11, (persistent: (28512,), transient_deselect: (607,), transient_reset: (592,))
Please press the touch button on the device ...
Please press the touch button on the device ...
[5/5] fido2 FIDO2 SUCCESS
5 tests, 5 successful, 0 skipped, 0 failed
pcscd is running:
$ systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; preset: disabled)
Active: active (running) since Thu 2025-02-27 17:42:30 CET; 22min ago
TriggeredBy: ● pcscd.socket
Docs: man:pcscd(8)
Main PID: 5897 (pcscd)
Tasks: 9 (limit: 4915)
CPU: 636ms
CGroup: /system.slice/pcscd.service
└─5897 /usr/sbin/pcscd --foreground
Feb 27 17:42:30 Astaldo systemd[1]: Started PC/SC Smart Card Daemon.
Feb 27 17:42:30 Astaldo pcscd[5897]: CYBERJACK: Started
There is no ccid package for openSUSE, but there is a package called pcscd-ccid, which is installed.
KeePassXC version is 2.7.9 and it makes no difference whether I use the flatpak version or one installed from system packages.
Still, KeePassXC keeps saying “No hardware keys detected”. The NK3 has been plugged in before starting KeePassXC. Yubikey works fine.
Hi @ion, thanks for this hint. In fact, the HMAC secret has been created in base32 format following these instructions from the Nitrokey docs. I used the Nitrokey App 2 for this.
I have the same use case as in the post you pointed me to, using the Nitrokey as a backup for a Yubikey as hardware secret for KeePassXC (or vice versa, it doesn’t matter).
Do you think it would help to delete the secret and generate it again?
I am not at the point where I try to open my Yubikey-secured Keepass-Database with my Nitrokey. Trying to use the Nitrokey as a hardware secret for a new database still fails: “No hardware key detected”.
I had the same experience setting up a laptop with Tumbleweed a few weeks ago. If I remember right, I had to install some packages, and I wanted to use my Reiner card reader.
After that KeePassXC worked as expected: first put the key in, then start KeePassXC. I have not installed nitropy, but NitrokeyApp2 from Flathub; there I did some firmware upgrades.
georg@ostw:~> zypper search pcsc*
Repository-Daten werden geladen...
Installierte Pakete werden gelesen...
S | Name | Summary | Type
---+--------------------------+----------------------------------------------------------------------------+------
| pcsc-acr38 | PC/SC IFD Handler for the ACR38 Smart Card Reader | Paket
| pcsc-acr38-devel | PC/SC IFD Handler for the ACR38 Smart Card Reader | Paket
| pcsc-acsccid | PCSC Driver for ACS CCID Based Smart Card Readers | Paket
| pcsc-asedriveiiie-serial | ASEDrive IIIe Serial Smartcard Reader Driver | Paket
| pcsc-asedriveiiie-usb | ASEDrive IIIe USB Smart Card Reader Driver | Paket
| pcsc-asekey | ASEKey USB Token Driver | Paket
i+ | pcsc-ccid | PCSC Driver for CCID Based Smart Card Readers and GemPC Twin Serial Reader | Paket
i+ | pcsc-cyberjack | PC/SC IFD Handler for the Reiner SCT Cyberjack USB-SmartCard Readers | Paket
| pcsc-eco5000 | PC/SC IFD Handler for the ECO 5000 Serial Smart Card Reader | Paket
| pcsc-eco5000-devel | PC/SC IFD Handler for the ECO 5000 Serial Smart Card Reader | Paket
i | pcsc-lite | PC/SC Smart Cards Library | Paket
| pcsc-lite-devel | Development package for the MUSCLE project SmartCards library | Paket
| pcsc-lite-devel-32bit | Development package for the MUSCLE project SmartCards library | Paket
| pcsc-reflex60 | PCSC-Treiber für Schlumberger Reflex 60 Smartcard-Lesegeräte | Paket
i+ | pcsc-tools | Smart card tools | Paket
| pcsc-towitoko | PCSC driver for Towitoko Smart Card Readers | Paket
| pcsc-towitoko-devel | PCSC driver for Towitoko Smart Card Readers | Paket
georg@ostw:~>
This is guesswork, but your log shows a card reader. Try removing that and kill a running pcscd pid before inserting the Nitrokey. Perhaps it is an exclusivity problem; there are options for pcscd shared access, and maybe another package (see geoW’s case) installs them.
Thanks @geoW, but I think udev rules are not the issue, because the device seems to be set up properly and all tests and status from nitropy look good. The udev rules I use were installed by a distro package (libnitrokey-udev).
You need to use the flatpak version of KeePassXC for the Nitrokey to be detected by KeePassXC.
I ran into a similar issue some months ago and tried everything, including udev rules, but couldn’t exactly figure out the problem.
It turned out that using the flatpak version of KeePassXC just worked for me. (Tried on Mint.)
Because I’m using LMDE 6, I only had an earlier, non-compatible version of KPXC available through my package manager, and for various reasons I really dislike using flat versions of things, which initially left me a bit stuck.
I ended up just downloading the latest tar and following the .md to build the 2.7.10 from source, then tested by running it from the terminal.
I’m using the 3c and it worked fine for me taking this route (obviously with a downside being the manual updates in future), so if all else fails maybe try the build from source, then reset the HMAC as you suggested and see if that helps?