KeePassXC#
These instructions describe how to protect and encrypt a KeePassXC password database with Nitrokey 3.
Nota
KeePassXC version 2.7.6 or newer is required.
Nitrokey App 2 version 2.2.2 or newer is required.
First Step: Generate a HMAC Secret With the Nitrokey App 2#
Open Nitrokey App 2
Select the Nitrokey 3
Select the
PASSWORDStabClick on
ADDto create a new credentialSelect
HMACfrom the algorithm drop-down menuNota
The credential is automatically named in
HmacSlot2.No extra attributes can be saved for the HMAC credential.
The HMAC secret must be exactly 20 bytes long and in Base32 format. That is exactly 32 characters.
It is possible to save exactly one HMAC secret on a Nitrokey 3.
To generate a secret, there is a button in the field on the right-hand. It is also possible to enter your own secret, as long as it is compliant.
Aviso
The database can no longer be unlocked if the Nitrokey 3 is lost or unavailable! Thus, you may want to set up a second Nitrokey 3 with the same HMAC secret as a backup device.
Importante
The secret can only be seen before saving. If the KeePassXC database is to be used with another Nitrokey 3, the HMAC secret must be copied which is only possible before saving the credential.
Click on
SAVEto save the credential
First Option: Protect an Existing KeePassXC Database With a Nitrokey 3#
Open KeePassXC
Open the existing KeePassXC database that is to be protected with a Nitrokey 3.
Select
Database->Database Security...from the menu barSelect
Securityon the left sideClick on the
Add additional protection...button in theDatabase CredentialstabScroll down to
Challenge-Responseand click onAdd Challenge-ResponseNow if the Nitrokey 3 is plugged in and a HMAC was generated before, Nitrokey 3 should be displayed in the field.
Click on
OKto add the Nitrokey 3 to the existing KeePassXC database
Nota
By default the Nitrokey 3 is used as a second factor in addition to the passphrase. To protect the database by the Nitrokey 3 exclusively, delete the passphrase by clicking the button Remove Password.
Dica
If the Nirokey 3 is not recognized, close KeePassXC completely. Then connect the Nitrokey 3 to your computer before restarting KeePassXC.
Second Option: Creating a KeePassXC Database, Protected by Nitrokey 3#
Open KeePassXC
Select
Database->New Database...from the menu bar to create a new KeePassXC database.Fill in the display name and an optional description for your new database and click on
ContinueFurther database encryption settings can now be configured here or the default settings can be retained. The settings can also be changed later in the database settings.
Click on
Continueto confirm the settingsDatabase Credential
Here you can enter a password as a second factor to unlock the database. To connect the Nitrokey 3 (on which the HMAC secret was generated) to the new KeePassXC database, click on
Add additional protection...Scroll down to
Challenge-Responseand click onAdd Challenge-ResponseNow if the Nitrokey 3 is plugged in and a HMAC was generated before, Nitrokey 3 should be displayed in the field. Click on
Continueto complete the creation of the new KeePassXC database.
Nota
If the passphrase is left empty, the database will be protected by the Nitrokey 3 exclusively. If a passphrase is entered, the database will be protected by the passphrase and the Nitrokey 3.
Dica
If the Nitrokey 3 is not recognized, close KeePassXC completely. Then connect the Nitrokey 3 to your computer before restarting KeePassXC.
Troubleshooting for Linux#
If the Nirokey 3 device is not recognised by KeePassXC on a Linux system:
Provided that the udev rules have been set as described here.
Provided that the
pcscd serviceare has been started with:
sudo systemctl start pcscd.service
Install the latest version of KeePassXC with flatpak:
flatpak install flathub org.keepassxc.KeePassXC
Install
ccidon Arch Linux based systems. See also: Arch wiki: Nitrokey.