NK3 secrets PIN not requested

While trying to get KeePassXC to encrypt a database with Challenge-Response Credentials from my Nitrokey3, I noticed that the database will automatically be unlocked without requesting the “secrets” PIN I set before I added the Challenge-Response Credentials.

When I run “nitropy nk3 secrets list” and I do not enter the PIN but just continue, it will still list the secret slot:

Please touch the device if it blinks
Current PIN (8 attempts left):
No PIN provided

  1. HmacSlot1 Hmac/Sha1

How do I actually protect this slot with the PIN and make sure it is stored securely on the Nitrokey smartcard and protected by the PIN?

My use case here is to use the Nitrokey challenge-response secret to encrypt the KeePassXC database, without using any additional passwords, so that I only ever need to enter the Nitrokey PIN.
