Nitrokey (Start|3A mini) and Android

OK, yes, I’ve already seen a few discussion threads here via the search function, but I don’t think anyone has really got any further yet.

So, what is it all about? I have several Nitrokeys running here. I generally use the Nitrokey Start and the Nitrokey 3A mini for email encryption, SSH access and Ansible Vault. So far so good, under different Linux distributions (CentOS, Fedora, LinuxMint, SUSE, Ubuntu) it’s no big deal.

But of course it would also be very nice if I could use the Nitrokeys together with my Android pad (Samsung Galaxy Tab S7+ 5G) with the latest software version (Android13).

I have installed TermBot, SSH Example and OpenKeychain on the pad for this purpose. In each case, of course, in the latest version currently available from the PlayStore.

So far so good, now to my findings so far:

Under Openkeychain I can select USEING SECURITY-TOKEN from the menu, but this is not successful with either the Nitrokey Start or the Nitrokey 3A mini. The app always shows “Collectiong Informations On Security Token…”, but it always says NO KEY FOUND!

Under TermBot itself, I cannot directly select or activate the Nitrokeys. Via the menu item “Managing Pubkeys” I am only offered “Get the Hardware Security SDK” at the bottom of the display and that’s it.

There are two different behaviors with the SSH Example app. I connect the Nitrokey 3A mini with an adapter cable to the USB-C port of the pad and enter the user name and host address in the SSH tab (SSHJ), then I can enter the user PIN but then I get a big fat red exclamation mark with the message "Internal error: Response Error UNKNOWN 80xa3f) and that’s it.

O.K. If I do the same now with the Nitrokey Start, it looks 1,000 times better. I am also asked for the user PIN and then asked to connect the stick to the pad. And lo and behold, I see the success message SSH connection successful! followed by the greeting banner and the system prompt. Hooray! Unfortunately not quite, because then I can’t enter anything else, and that’s it

I now conclude that the communication would basically work, but how do I get an “operable SSH connection”? If I follow the app’s advertising link to Get the SDK | Hardware Security SDK, I only find something like 30 Days Trial for developer, an Evaluation kit for 2.999 € or a Full License. But I don’t want to develop anything, I just want to use it …

Now I have the following questions:

  1. Have I done something wrong?
  2. Do I have to install anything else?
  3. or am I just stupid or
  4. just too old for the whole <-redacted->?

I am grateful for every tip, no matter how small! … and if the final result is “forget it, it won’t work” then at least I know that 3) and 4) don’t apply! :wink:

Hey @Django

the painful truth currently is: Nitrokey 3 OpenPGPCard + Android together with the Apps you tried will not work, it’s not your fault.

The state as of now is roughly this:

OpenKeychain seems to be in Maintainance-only mode, which means the developer is not planning to update it anytime soon. We have been working on a PR to add Nitrokey 3 support, but it essentially ended with: Without the main developers we can’t really do anything but forking OpenKeychain - which is simply something we cannot afford right now.

The same essentially is true for the other apps you mentioned, quick-checking them revealed that most don’t have any new commits since ~2-3years. Also K-9 seems to only work with open-keychain, which is also bad for Nitrokey 3 usage. As of today the state for OpenPGP Card (from Nitrokey 3) usage on Android is pretty bad.

I had some hopes with Mozilla jumping on K-9 as Thunderbird for Android, there seems to be a comment about native OpenPGP support, but the roadmap does not contain this item.

Obviously, we are also not happy with the current state and trying to solve this mid-term, but as of now I cannot give specific promises or dates.


Just tested: On GrapheneOS, OpenKeychain + OkcAgent + Termux (all from F-Droid store) works with a YK.

When I try to use my Nitrokey 3, the following message appears:

This Security Token is not yet supported by OpenKeychain