Securing external password managers with Nitrokeys?

KeePass (2/XC/X) only works with the OTP feature, which I didn’t manage to use (on several accounts). The Nitrokey Start doesn’t have that feature at all (but the ECC ;-)), so I was looking for a way to use the Nitrokey to secure a password manager:

KeePass (2/XC/X) doesn’t work with the GPG smartcard, at least I didn’t find any usable way, for example to use the Nitrokey to decrypt the password in a ciphertext and pipe it into KeePass via shell.

Other password managers? PWSafe is secure but doesn’t have this feature either (only YubiKeys).

That leaves me with “Pass”, the simple and standard Linux password manager. It encrypts every login as a gpg file and IS THE ONLY?! password manager which can be used with a gpg smartcard. But it lacks a timeout feature, which means you have to kill the gpg-agent every time to lock the database … so they developed “pass tomb” which adds this feature to pass … and with two other addons you can even use it with Firefox … but is this secure in the end?

The only way I see right now for a usable password manager to use with ALL Nitrokeys is a GPG addon for KeePass (XC?) or at least a workaround via the command line, please, please?


What do you need the timeout for? It sounds to me like everything is already there, besides this feature.

I often realize that people don’t like the Nitrokey (or any other smartcard) to stay unlocked. But I mostly don’t see why this is an issue at all. Either you trust the system or you should unplug the device after usage (as the PIN could get locked, so a timeout is of no use here). I want my password manager and screen locked when leaving the computer. In this case I will take the Nitrokey with me anyway…

Kind regards


For CLI functionality please follow issue libnitrokey#64.

It depends on the threat model, but as long as the passwords are not saved anywhere in cleartext (or sent via the addon to some other server) and your environment is not compromised, it should be safe.