
NK3A doesn't connect in OpenKeychain on latest firmware

Open proninyaroslav opened this issue 1 year ago • 41 comments

NK3A worked with OpenKeychain over NFC on alpha versions 1.3.0 when I tested it in March. I decided to try the same on 1.4.0, and it doesn't connect during encryption; it says that I removed the token too early, although this is not the case. At the same time, a red light is on on the token.

proninyaroslav avatar May 18 '23 10:05 proninyaroslav

Connected: https://github.com/Nitrokey/opcard-rs/issues/157

szszszsz avatar May 18 '23 10:05 szszszsz

OpenPGP is not supported over NFC. Does this happen with FIDO or is it limited to OpenPGP?

sosthene-nitrokey avatar May 22 '23 07:05 sosthene-nitrokey

I have this issue too. I created three subkeys (for auth, signing, and encryption) from my primary key in the NK3 NFC, and now I'm trying to import these keys in OpenKeychain, but it says "token removed too early". No blinking light on my side.

I'm clicking "USE TOKEN" in the OpenKeychain user interface.

ciropom avatar May 23 '23 15:05 ciropom

Are you using it by plugging it into your phone or over NFC?

sosthene-nitrokey avatar May 24 '23 15:05 sosthene-nitrokey

I'm using NFC. If I click "use token" and then plug the device nothing happens.

ciropom avatar May 26 '23 12:05 ciropom

I'm using /e/ OS on Fairphone 4.

ciropom avatar May 26 '23 12:05 ciropom

I don't have the hardware to actually test it from a phone, but I was able to test it from Waydroid. It doesn't appear that OpenKeychain even tries to connect to the device, as no logs are shown on the Nitrokey side.

It looks like OpenKeychain has an allowlist for accepted devices (see here and here), so it looks like the Nitrokey 3 cannot be supported without patching it, and I don't know whether it will be merged since the project is in maintenance only.

I was not able to get it to recognise my device on Waydroid, but this may be caused by USB issues with Waydroid and not the app itself?

sosthene-nitrokey avatar May 26 '23 15:05 sosthene-nitrokey

@sosthene-nitrokey I was unable to initially connect it via USB, but I successfully used it via NFC until version 1.4.0.

proninyaroslav avatar May 26 '23 15:05 proninyaroslav

@proninyaroslav Since the Nitrokey 3 v1.4.0 firmware, the user data are mostly moved to the external flash chip, which is not activated in NFC mode, thus this will not work anymore, unfortunately.

@sosthene-nitrokey I believe in the settings you can allow all devices. Can you check again? I could not make Waydroid work either, even with other USB devices (some gamepads are reportedly somehow supported?).

szszszsz avatar May 29 '23 08:05 szszszsz

@szszszsz And there is no technical possibility to implement it?

proninyaroslav avatar May 30 '23 07:05 proninyaroslav

Not by the current design. It was decided against it, to instead invest in the secure element-based storage security. The NFC chip does not give enough power for the additional storage and secure element use.

Perhaps in the distant future some user-selected data would be available in lower-security storage at the user's choice, giving back the ability of NFC use.

szszszsz avatar May 30 '23 10:05 szszszsz

believe in the settings you can allow all devices. Can you check again?

Which settings? The OpenKeychain (OKC) settings? I confirm that I can't add my Nitrokey to OKC, not even by plugging it into the phone's USB-C. I enabled "Settings -> Experimental -> Allow untested USB devices", but nothing changes. If I plug in the Nitrokey, the LED doesn't blink, and if I tap "USE TOKEN" it is not recognized.

ciropom avatar May 30 '23 10:05 ciropom

I don't quite understand what NFC will be useful for, if no user data is available in NFC mode...

ciropom avatar Jun 01 '23 15:06 ciropom

FIDO2 functionality is available over NFC.

sosthene-nitrokey avatar Jun 01 '23 15:06 sosthene-nitrokey

Not by the current design. It was decided against it, to instead invest in the secure element-based storage security. The NFC chip does not give enough power for the additional storage and secure element use.

Perhaps in the distant future some user-selected data would be available in lower-security storage at the user's choice, giving back the ability of NFC use.

Hmmm... this breaks my workflows again. I bought the NK3 to use it with OpenKeychain on my smartphone... and now it does not work via NFC nor via USB-C...

This is NOT good.

xundeenergie avatar Jun 06 '23 22:06 xundeenergie

I completely agree with xundeenergie.

ciropom avatar Jun 07 '23 05:06 ciropom

And I agree with both of them :-D

shaohme avatar Jun 09 '23 08:06 shaohme

@sosthene-nitrokey First of all, thank you very much for working on this fantastic project. Nitrokey has been working really well for me so far. From what I gather, OpenKeychain doesn't work right now, but it worked before recent firmware updates. Are you still planning to add this functionality back at some point?

It would be really useful. Copying a GPG private key into the OpenKeychain app really doesn't work for a lot of security-conscious users.

danielkrajnik avatar Jul 17 '23 17:07 danielkrajnik

Just to confirm: I tried now Nitrokey 3A NFC and 3A Mini over a USB-C adapter, and both said:

This Security Key is not yet supported by OpenKeychain

NFC didn't react at all.

Firmware version is v1.5.0.

@sosthene-nitrokey What do you think?

danielkrajnik avatar Jul 17 '23 18:07 danielkrajnik

We currently do not have plans to support OpenPGP over NFC due to power limitations. However, we do want to support OpenKeychain over USB. There is currently an open PR that should add support for it in OpenKeychain: https://github.com/open-keychain/open-keychain/pull/2842

sosthene-nitrokey avatar Jul 18 '23 07:07 sosthene-nitrokey

Thank you very much for the fast response, explaining the status and linking to the pull request. Glad to see this work on USB support. I will keep my fingers crossed that NFC support will arrive at some point in the future (maybe Nitrokey 4).

danielkrajnik avatar Jul 18 '23 12:07 danielkrajnik

We currently do not have plans to support OpenPGP over NFC due to power limitations.

Small addition --- I would like to emphasize that "currently" this is not the plan. We see and hear that OpenPGP Card via NFC is something that people want; we simply did not expect this. Generally this is possible on the Nitrokey 3 hardware, but this will come with trade-offs in terms of functionality and added complexity on the development side. Especially, there will be some foundation work needed to make this possible. Feel free to 👍 this comment if this is an important functionality for you...

daringer avatar Jul 18 '23 12:07 daringer

I think that if this comes through NFC it would be best, but via USB-C is also OK! I bought this token mainly for this reason. I was thinking of importing my GPG subkeys into the OpenKeychain app through USB-C.

For now, I'm taking advantage of the "nk3 secrets" subcommand of nitropy, which I find very useful for TOTP and passwords too.

ciropom avatar Jul 19 '23 18:07 ciropom

@ciropom By the way, would you use the nk3 secrets equivalent on a mobile too?

szszszsz avatar Jul 19 '23 18:07 szszszsz

For sure. My biggest concern about OTP stuff is that everything is on the phone: the secured app, the OTP app... You have the phone, you have everything. With an external secure storage for OTP or passwords I will have a true second factor.

ciropom avatar Jul 19 '23 20:07 ciropom

By the way, on desktop, OTP passwords can be autofilled with browserpass. I haven't tried it on Android yet (because I can't access it without the Nitrokey), but it may work. The idea is that even though the OTP still resides on your phone, it's always encrypted and only decrypted for a brief moment when you log in with a key that resides on the Nitrokey.

danielkrajnik avatar Jul 20 '23 11:07 danielkrajnik

We currently do not have plans to support OpenPGP over NFC due to power limitations.

Small addition --- I would like to emphasize that "currently" this is not the plan. We see and hear that OpenPGP Card via NFC is something that people want; we simply did not expect this. Generally this is possible on the Nitrokey 3 hardware, but this will come with trade-offs in terms of functionality and added complexity on the development side. Especially, there will be some foundation work needed to make this possible. Feel free to 👍 this comment if this is an important functionality for you...

I bought my Nitrokey to use it for GPG/OpenKeychain to have my password store secured on my phone with an extra hardware token (I use pass, which encrypts passwords with GPG keys), and I wanted to secure my SSH connections using a hardware token for the SSH keys...

Both are not working. Both were promised when I ordered the key... especially for exactly THIS...

Just for having a FIDO key, there are cheaper tokens...

xundeenergie avatar Aug 30 '23 07:08 xundeenergie

I bought my Nitrokey to use it for GPG/OpenKeychain to have my password store secured on my phone with an extra hardware token (I use pass, which encrypts passwords with GPG keys), and I wanted to secure my SSH connections using a hardware token for the SSH keys...

Both are not working. Both were promised when I ordered the key... especially for exactly THIS...

Were you trying to access the Nitrokey via NFC or USB? I can't test NFC personally, as I have the Nitrokey 3A Mini, which lacks NFC, but I have USB working with OpenKeychain.

USB access requires some patches. You can either build OpenKeychain yourself (see https://github.com/open-keychain/open-keychain/pull/2842) or, if you trust me, I provided a binary: https://github.com/open-keychain/open-keychain/files/12206299/openkeychain-nitrokey3-v5.8.2-7-g3404cd2f6.zip -- you'll need to uninstall any existing version first, otherwise Android will squawk because it wasn't signed with the same private key as the F-Droid or Google Play store versions.

I'd appreciate feedback on those changes, both from users accessing the key via USB and from those using Nitrokeys for PGP via NFC (for keys that support this) -- if I accidentally broke NFC support for other keys, that probably needs fixing. Sadly, I don't have any NFC tokens for testing. (I did have a YubiKey 5 NFC, but it met an unfortunate demise -- I learned they do not bend!)

sjlongland avatar Aug 30 '23 09:08 sjlongland

feedback on those changes

@sjlongland I don't suppose that there is any release on F-Droid to test this? I've been watching this feature progress for the past month, but I was hoping that it would be made available via some package (to be kept up to date with future updates).

danielkrajnik avatar Aug 30 '23 12:08 danielkrajnik

feedback on those changes

@sjlongland I don't suppose that there is any release on F-Droid to test this?

Sadly no. I think the pull request would need to be merged first and a beta release cut by the upstream project before we see anything in F-Droid. I don't have any control over this.

sjlongland avatar Aug 30 '23 19:08 sjlongland