Open proninyaroslav opened 1 year ago
OpenPGP is not supported over NFC. Does this happen with FIDO or is it limited to OpenPGP?
I have this issue too. I created three subkeys (for auth, signing, and encryption) from my primary key on the NK3 NFC; now I'm trying to import these keys in OpenKeychain, but it says "token removed too early", with no blinking light on my side.
I'm clicking "USE TOKEN" from the openkeychain user interface
Are you using it by plugging it into your phone or over NFC?
I'm using NFC. If I click "use token" and then plug in the device, nothing happens.
I'm using /e/ OS on Fairphone 4.
I don't have the hardware to actually test it from a phone, but I was able to test it from Waydroid. It doesn't appear that OpenKeychain even tries to connect to the device, as no logs are shown on the Nitrokey side.
It looks like OpenKeychain has an allowlist for accepted devices (see here and here), so it looks like the Nitrokey 3 cannot be supported without patching it, and I don't know whether it will be merged since the project is in maintenance only.
I was not able to get it to recognise my device on Waydroid, but this may be caused by USB issues with Waydroid and not the app itself?
@sosthene-nitrokey I was unable to initially connect it via USB, but I successfully used it via NFC until version 1.4.0.
@proninyaroslav Since the Nitrokey 3 v1.4.0 firmware, most user data has been moved to the external flash chip, which is not activated in NFC mode, so unfortunately this will no longer work.
@sosthene-nitrokey I believe in the settings you can allow all devices. Can you check again? I could not make Waydroid work either, even with other USB devices (some gamepads are reportedly somehow supported?).
@szszszsz And there is no technical possibility to implement it?
Not by the current design. It was decided against it, to instead invest in the secure element-based storage security. The NFC chip does not supply enough power for the additional storage and secure element use.
Perhaps in the distant future some user-selected data would be available in lower-security storage at the user's choice, giving back the ability of NFC use.
believe in the settings you can allow all devices. Can you check again?
Which settings? The OpenKeyChain (OKC) settings? I confirm that I can't add my Nitrokey to OKC either by plugging it into the phone's USB-C. I enabled "Settings -> Experimental -> Allow untested USB devices", but nothing changes. If I plug in the Nitrokey, the LED doesn't blink, and if I tap "USE TOKEN" it is not recognized.
I don't quite understand what NFC will be useful for, if no user data is available in NFC mode.
FIDO2 functionality is available over NFC
Not by the current design. It was decided against it, to instead invest in the secure element-based storage security. The NFC chip does not supply enough power for the additional storage and secure element use.
Perhaps in the distant future some user-selected data would be available in lower-security storage at the user's choice, giving back the ability of NFC use.
Hmmm... this breaks my workflows again. I bought the NK3 to use it with OpenKeychain on my smartphone... and now it does not work via NFC nor via USB-C...
This is NOT good.
I completely agree with xundeenergie
And I agree with both of them :-D
@sosthene-nitrokey first of all, thank you very much for working on this fantastic project. Nitrokey has been working really well for me so far. From what I gather OpenKeyChain doesn't work right now, but it worked before recent firmware updates. Are you still planning to add this functionality back at some point?
It would be really useful. Copying gpg private key into OpenKeyChain app really doesn't work for a lot of security-conscious users.
Just to confirm: I tried now the Nitrokey 3A NFC and 3A Mini over a USB-C adapter, and both said:
This Security Key is not yet supported by OpenKeychain
NFC didn't react at all.
Firmware version is v1.5.0.
@sosthene-nitrokey What do you think?
We currently do not have plans to support OpenPGP over NFC due to power limitations. However, we do want to support OpenKeychain over USB. There is currently an open PR that should add support for it in OpenKeychain: https://github.com/open-keychain/open-keychain/pull/2842
Thank you very much for the fast response, explaining the status and link to the pull request. Glad to see this work on USB support. I will keep fingers crossed that NFC support will arrive at some point in the future (maybe Nitrokey 4).
We currently do not have plans to support OpenPGP over NFC due to power limitations.
Small addition --- I would like to emphasize that "currently" this is not the plan. We see and hear that OpenPGP Card via NFC is something that people want; we simply did not expect this. Generally this is possible on the Nitrokey 3 hardware, but this will come with trade-offs in terms of functionality and added complexity on the development side. Especially, there will be some foundation work needed to make this possible. Feel free to :+1: this comment if this is an important functionality for you...
I think that if this comes through NFC, it would be best, but via USB-C is OK too! I bought this token mainly for this reason. I was thinking of importing my GPG subkeys into the OpenKeychain app through USB-C.
For now, I'm taking advantage of the "nk3 secrets" subcommand of nitropy, which I find very useful too for TOTP and passwords.
@ciropom
By the way, would you use the nk3 secrets equivalent on a mobile too?
For sure. My biggest concern about OTP stuff is that everything is on the phone: the secured app, the OTP app... You have the phone, you have everything. With an external secure storage for OTP or passwords I will have a true second factor.
By the way, on desktop OTP passwords can be autofilled with browserpass - I haven't tried it on Android yet (because I can't access it without Nitrokey), but it may work. The idea is that even though OTP still resides on your phone it's always encrypted and only decrypted for a brief moment when you login with a key that resides on Nitrokey.
We currently do not have plans to support OpenPGP over NFC due to power limitations.
Small addition --- I would like to emphasize that "currently" this is not the plan. We see and hear that OpenPGP Card via NFC is something that people want; we simply did not expect this. Generally this is possible on the Nitrokey 3 hardware, but this will come with trade-offs in terms of functionality and added complexity on the development side. Especially, there will be some foundation work needed to make this possible. Feel free to 👍 this comment if this is an important functionality for you...
I bought my Nitrokey to use it for GPG/OpenKeychain, to have my password store secured on my phone with an extra hardware token (I use pass, which encrypts passwords with GPG keys), and I wanted to secure my SSH connections using a hardware token for the SSH keys...
Neither is working. Both were promised when I ordered the key... especially for exactly THIS...
For just having a FIDO key, there are cheaper tokens...
I bought my Nitrokey to use it for GPG/OpenKeychain, to have my password store secured on my phone with an extra hardware token (I use pass, which encrypts passwords with GPG keys), and I wanted to secure my SSH connections using a hardware token for the SSH keys...
Neither is working. Both were promised when I ordered the key... especially for exactly THIS...
Were you trying to access the NitroKey via NFC or USB? I can't test NFC personally as I have the NitroKey 3A Mini which lacks NFC, but have USB working with OpenKeyChain.
USB access requires some patches, you can either build OpenKeyChain yourself (see https://github.com/open-keychain/open-keychain/pull/2842) or if you trust me, I provided a binary: https://github.com/open-keychain/open-keychain/files/12206299/openkeychain-nitrokey3-v5.8.2-7-g3404cd2f6.zip -- you'll need to uninstall any existing version first otherwise Android will squawk because it wasn't signed with the same private key as the F-Droid or Google Play store versions.
I'd appreciate feedback on those changes… both from users accessing the key via USB, and using NitroKeys for PGP via NFC (for keys that support this) -- if I accidentally broke NFC support for other keys, that probably needs fixing. Sadly, I don't have any NFC tokens for testing. (I did have a YubiKey 5 NFC, but it met an unfortunate demise -- I learned they do not bend!)
feedback on those changes
@sjlongland I don't suppose that there is any release on F-Droid to test this? I've been watching this feature progress for the past month, but I was hoping that it will be made available via some package (to be kept up to date with future updates).
feedback on those changes
@sjlongland I don't suppose that there is any release on F-Droid to test this?
Sadly no, I think the pull request would need to be merged first and a beta release cut by the upstream project before we saw anything in F-Droid. I don't have any control over this.
No worries, fingers crossed then that it will be merged soon.
Something changed since my last comment. I upgraded to firmware 1.6.0, and now OpenKeychain recognizes my key (if I insert it in the mini-USB slot), but I get this error now.
Yes, the most recent open-keychain release should now work with the NK3... The output I see should be good news, e.g., that open-keychain can use the token; I do not know exactly if this is enough... Are you able to use the key on your NK3 with open-keychain and K-9 or something?
The key is somehow recognized in OpenKeychain, but then it fails to do everything except "search on keyservers" and doesn't show my GPG keys, even if they are there:
Reader ...........: 20A0:42B2:X:0
Application ID ...: D276000124010304000F9B79DABF0000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: unknown
Serial number ....: 9B79DABF
Name of cardholder: Danilo Tomasoni
Language prefs ...: it
Salutation .......:
URL of public key : keyserver.ubuntu.com
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 1
KDF setting ......: off
Signature key ....: ..................................
      created ....: 2024-04-02 21:19:13
Encryption key....: ..................................
      created ....: 2024-04-02 21:21:44
Authentication key: ..................................
      created ....: 2024-04-02 21:22:14
General key info..: sub  ed25519/.................................. 2024-04-02 Danilo Tomasoni (unitn) <danilo.tomasoni@studenti.unitn.it>
sec#  rsa2048/.................................. created: 2010-11-16  expires: never
ssb>  ed25519/.................................. created: 2024-04-02  expires: never
                                card-no: 000F 9B79DABF
ssb>  cv25519/.................................. created: 2024-04-02  expires: never
                                card-no: 000F 9B79DABF
ssb>  ed25519/.................................. created: 2024-04-02  expires: never
                                card-no: 000F 9B79DABF
ssb#  ed25519/.................................. created: 2023-08-29  expires: never
ssb#  cv25519/.................................. created: 2023-08-29  expires: never
ssb#  ed25519/.................................. created: 2023-08-29  expires: never
ssb#  rsa2048/.................................. created: 2023-05-23  expires: never
ssb#  rsa2048/.................................. created: 2023-05-23  expires: never
ssb#  rsa2048/.................................. created: 2023-05-23  expires: never
ssb#  rsa2048/.................................. created: 2010-12-23  expires: never
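As an added example (not code from this thread, OpenKeychain, Nitrokey or GnuPG), here is a small parser for the `gpg --card-status` format posted above. It shows how to read the three key slots, tell card-resident subkeys (`ssb>`) apart from stubs (`ssb#`, `sec#`), check that each card-marked subkey actually corresponds to a slot fingerprint, and interpret the `PIN retry counter` and `KDF setting` lines. The `SAMPLE` text is constructed from the output above with placeholder fingerprints, key IDs and user ID.

```python
"""Parse `gpg --card-status` output and summarise what the card holds.

Added example for this thread; it is not code from OpenKeychain, Nitrokey
or GnuPG. It reads the text format shown above and reports which key slots
are filled, which subkeys of the local keyring live on the card ('ssb>')
versus being stubs ('ssb#', 'sec#'), the PIN retry counters, and the USB
vendor:product ID of the reader.
"""
import re

# Constructed sample, modelled on the output posted above; fingerprints,
# key IDs and the user ID are placeholders, not real values.
SAMPLE = """\
Reader ...........: 20A0:42B2:X:0
Application ID ...: D276000124010304000F9B79DABF0000
Application type .: OpenPGP
Version ..........: 3.4
Serial number ....: 9B79DABF
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
PIN retry counter : 3 0 3
Signature counter : 1
KDF setting ......: off
Signature key ....: 0000000000000000000000000000000000000000
      created ....: 2024-04-02 21:19:13
Encryption key....: 1111111111111111111111111111111111111111
      created ....: 2024-04-02 21:21:44
Authentication key: 2222222222222222222222222222222222222222
      created ....: 2024-04-02 21:22:14
General key info..: sub  ed25519/0000000000000000 2024-04-02 Example User <user@example.org>
sec#  rsa2048/3333333333333333  created: 2010-11-16  expires: never
ssb>  ed25519/0000000000000000  created: 2024-04-02  expires: never
                                card-no: 000F 9B79DABF
ssb>  cv25519/1111111111111111  created: 2024-04-02  expires: never
                                card-no: 000F 9B79DABF
ssb>  ed25519/2222222222222222  created: 2024-04-02  expires: never
                                card-no: 000F 9B79DABF
ssb#  rsa2048/4444444444444444  created: 2023-05-23  expires: never
"""

# "Label ....: value" lines (the dots are gpg's padding, not data).
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z .]*?)\s*\.*\s*:\s*(.*)$")
# "sec#/ssb>/ssb#  algo/keyid  created: date ..." lines of the key listing.
KEY_RE = re.compile(r"^(sec|ssb)([#>]?)\s+([a-z0-9]+)/([0-9A-Fa-f]+)\s+created:\s*(\S+)")
KEY_SLOTS = ("Signature key", "Encryption key", "Authentication key")
# gpg's marker after sec/ssb: '>' = private part lives on a card,
# '#' = stub only (private part is elsewhere), none = in the local keyring.
LOCATION = {">": "card", "#": "stub", "": "local"}


def parse_fields(text):
    """Map the labelled lines to a dict; the indented 'created' lines are
    attached to the key slot they follow ("Signature key created", ...)."""
    fields, last_slot = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        label, value = m.group(1).strip(), m.group(2).strip()
        if label == "created" and last_slot:
            fields[last_slot + " created"] = value
            continue
        fields[label] = value
        if label in KEY_SLOTS:
            last_slot = label
    return fields


def parse_keys(text):
    """Return one dict per sec/ssb line with its location decoded."""
    keys = []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            kind, marker, algo, keyid, created = m.groups()
            keys.append({"kind": kind, "location": LOCATION[marker],
                         "algo": algo, "keyid": keyid, "created": created})
    return keys


def pin_retries(fields):
    """'PIN retry counter : 3 0 3' -> user PIN, reset code, admin PIN.
    0 in the first or third position means that PIN is blocked; 0 in the
    middle means no reset code has been set on the card."""
    user, reset, admin = (int(x) for x in fields.get("PIN retry counter", "0 0 0").split())
    return {"user": user, "reset_code": reset, "admin": admin}


def reader_usb_id(fields):
    """'20A0:42B2:X:0' -> ('20A0', '42B2'); None if the reader is not USB."""
    parts = fields.get("Reader", "").split(":")
    if len(parts) >= 2 and all(re.fullmatch(r"[0-9A-Fa-f]{4}", p) for p in parts[:2]):
        return parts[0].upper(), parts[1].upper()
    return None


def summarize(text):
    fields, keys = parse_fields(text), parse_keys(text)
    slots = {slot: fields.get(slot, "") for slot in KEY_SLOTS}
    # gpg prints "[none]" for an empty slot; anything else is a fingerprint.
    filled = [s for s, fpr in slots.items() if fpr and not fpr.startswith("[")]
    on_card = [k for k in keys if k["location"] == "card"]
    stubs = [k for k in keys if k["location"] == "stub"]
    # A '>' subkey must match one of the slots: its 16-hex-digit key ID is
    # the tail of that slot's fingerprint. Anything else points at another card.
    unmatched = [k["keyid"] for k in on_card
                 if not any(f.upper().endswith(k["keyid"].upper()) for f in slots.values())]
    pins, findings = pin_retries(fields), []
    if pins["user"] == 0:
        findings.append("user PIN is blocked")
    if pins["reset_code"] == 0:
        findings.append("no reset code set: only the admin PIN can unblock the user PIN")
    if fields.get("KDF setting", "off") == "off":
        findings.append("KDF off: the host sends the raw PIN to the card, not a derived hash")
    if unmatched:
        findings.append("card-marked subkeys not in any slot: " + ", ".join(unmatched))
    return {"usb_id": reader_usb_id(fields), "slots_filled": filled,
            "keys_on_card": [k["keyid"] for k in on_card],
            "stubs": [k["keyid"] for k in stubs], "pins": pins,
            "unmatched": unmatched, "findings": findings}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

To run it against a real token, pipe `gpg --card-status` output into `summarize()` instead of `SAMPLE`. The `unmatched` list is the check that matters when OpenKeychain shows the card but refuses to sign or decrypt: the subkeys it needs must both be marked `ssb>` for this card and have their public key imported locally, which is exactly what the later comments in this thread found missing.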
OpenPGP is not supported over NFC. Does this happen with FIDO or is it limited to OpenPGP?
@sosthene-nitrokey are there plans to add support for GPG over NFC for "Nitrokey 4"? As mentioned on the OpenKeyChain wiki page this is only available right now from the closed source products (yubikey and fidesmo).
I understand it isn't working through NFC, but OpenKeychain is not supporting it either when inserting the Nitrokey 3 into the phone's USB-C. I'm using /e/OS with microG as Google Play Services replacement; I don't know if this is related.
@ciropom hmm have you tried importing public gpg key as file?
No, I thought it would search for the public key on the keyservers. I will try.
Oh gosh, that was the issue: the public key was not loaded from keyservers. Once I imported it from file, it suddenly loaded. I will try K-9 Mail and other stuff to confirm now.
I confirm that it works both with OpenKeychain and with K-9 Mail through OpenKeychain.
Yep, I've done the exact same thing today as well (after having put OKC on hold for half a year, confused why it didn't read the key from the Nitrokey). Better late than never, I guess. Now if only there was some NFC to top it up :)
The NK3A worked with OpenKeychain over NFC on alpha version 1.3.0 when I tested it in March. I decided to try the same on 1.4.0, and it doesn't connect during encryption; it says that I removed the token too early, although this is not the case. At the same time, a red light is on on the token.