Which password managers work with the nitrokey, that supports HOTP?

Yeah, which password managers has nitrokey support, or which are going to soon?
I’m using keepass2, but got locked out. I have the recovery seed so i can log in that way right now. Can i export the passwords and import them in a more stable password manager perhaps? I do not know why i can’t log in with the password and HOTP even… But the recovery seed do work in keepass right now. Does anyone got better solutions for me? It’s important that i get this to work stable in my life… An easier solution maybe… That just works.
Thank you very much!
edit: i can’t use hotp with this one right?

Why don’t keepassXC work and with HOTP, and what are my alternatives?
If i should try to restore keepass, do i export the passwords and import them again? All of the settings just seems to much in the guide with the nitrokey to me. It should be easier solutions out there, and less complicated. More stable if i get locked out also when i do have the right password and HOTP keys from the nitrokey.

Hi. You did not state which Nitrokey you use. I just tested with Nitrokey Storage v0.57 and Keepass2 v2.50 using OtpKeyProv. Works fine.

You need to configure a new Keepass2 database:

  1. Master Password
  2. Keyfile provider One-Time Passwords (OATH HOTP) base32
    2.1 Generate Secret as base32
    2.2 Set counter to 0
    2.3 Set Number of OTPs required to minimum of 4

In the Nitrokey App v1.4.0:

  1. Click OTP Slot configuration
  2. Select HOTP
  3. Select HOTP Slot 1
  4. Copy and paste your Base32 secret
  5. Set HOTP Length to 6 digits
  6. Sync Moving factor seed to 0 - This must match 2.2
1 Like

Hello. Thanks. Do i just export the database and import it again?
But the thing is… Why did it get scrambled and not working? Might happen again… Why can’t i just log in?
I will keep the recovery if it happens again, but still. Thank you.

Most likely it stops working when the counter on both sides get out of sync. After every OTP request, the counter gets incremented on the Nitrokey. On the password manager side you have to save it successfully.

Yes, import & export should be all thats needed to get your passwords in.

Out of curiosity, I also tested this with Qubes in a Fedora 35 VM.

  1. Install Nitrokey App and mono
    dnf install -y nitrokey-app mono-core
  2. Install udev rule
    sudo bash -c "cd /etc/udev/rules.d && wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules && udevadm control --reload-rules && udevadm trigger"
  3. Plug in your Nitrokey Storage and attach it to your VM
  4. Download Keepass and OptKeyProv plugin
  5. Start Keepass (mono keepass.exe) and Nitrokey App and follow above steps.

You best do this using an external monitor as the gui elements often have buttons outside the visible screen. As said before take extra care about all the settings (4 vs. 6 digits tokens, htop counter) so that the generated tokens are in sync and match the expected values.


I’m using 1Password and I like it. Your question just reminded me to check if 1Password supports 2FA (I admit I neglected to check that out when I signed up m( ). And it does. You seem to need to first add Google Authenticator-style 2FA and then reload the page to see the button to add a key. After that it’s easy.

1Password has a Linux client in development, and I just found a bug where it constantly opens new login windows in the browser. Quite annoying. Apart from that the Linux client works fine.

1 Like

Good you mentioned 1Password. Indeed a nice service with lots of options included even in the free plan!

We did a comparison of various password managers at work and I was quite puzzled to learn that some vendors like Lastpass offer 2FA/MFA and “Advanced MFA Options”. So if you would like to use FIDO2, you might need a more costly subscription. If not, you are stuck with an authentication app and are typing TOTP codes…

Yes… this again. Thank you! I will try this again see if it works now…

Did you install nitrokey-app mono-core in the fedora template and also the rules, or just in an appvm… don’t programs go away after you reboot in appvms?
It’s better for me to install the apps in the fedora template. But where do i put the rules?

I keep the templates pristine (as they are also updated over time) and have a configuration script to set them up when needed.

There are three types of VMs:

  1. Disposeable VMs will be cloned again from the template at each run and the state will be reset.
  2. In AppVMs the state is preserved across boots. So the setup only needs to be done once when data resides in your home directory or /usr/local.
  3. Template VMs. Everything is being persisted. Meant to be the base for future AppVMs

It makes sense to just have a dedicated AppVM with security focus. You could base this VM on a custom template that you prepare for your password manager. Or you use a script that prepares the VM when you restart it.

You could also use the vault VM for that. However this VM is meant to be for highest security related tasks and is supposed to be “air-gapped”. So it should not use Internet at all and all installed packages should be copied across from a Disposable VM. It is your system, though and you could use it as you wish. However, that was the original intention of that VM.

When you attach an USB device to a VM, it gets treated as if you insert it in a regular Linux system. Thus udev rules are being executed as usual. The config is done the same way and you should copy it to /etc/udev/rules.d as in the description above.

1 Like

Thanks. I’m gonna try to set it up…better to use one without internet i do agree!

THANKS!!! I GOT IT TO WORK NOW! :slight_smile: managed to import and restore it. I used zero on most and that worked. Thanks. Good to know in the future. But it’s weak encryption. Could be easily cracked i bet.

This counter is to synchronize your token with the software and to make sure that each code is indeed used only one-time. You can set it also to another integer on both sides so that you do not reuse the codes. But it should not matter when you change the secret instead.

The counter helps to detect whether codes have been intercepted, replayed or there are clones of the HTOP generator.

1 Like