Librem Key with Nitrokey App

Jt0 · October 23, 2020, 1:45am

How can I use my Librem Key with the Nitrokey app? I’d like to generate one time passwords and it looks like the app is the most convenient way to do that.

According to this Arch Linux bug report, libnitrokey 3.6 should add support for the Librem Key. I downloaded and built the source for Nitrokey App 1.4.2, which also builds libnitrokey 3.6, but the Librem Key still isn’t recognized.

It looks like there’s a pull request on the libnitrokey repository that added support for the Librem Key in June:

About two weeks ago there was an issue opened on that repository saying the Librem Key’s udev rule was missing:

However, even with that udev rule added, the Librem Key isn’t recognized for me. Should it be working with the most recent versions of libnitrokey and the Nitrokey App?

Edit: I get this output when I run nitrokey-app: [DEBUG_L1] Throw: Device not initialized. It looks like a similar issue on the Nitrokey forum was caused by the key needing its firmware updated:

Could this be a similar issue with the Librem Key?

Jt0 · October 23, 2020, 2:23am

Fixed. I’ll mark this post as the solution:

The libnitrokey submodule in the Nitrokey App git repo is outdated and needs to be updated to 3.6.
Here’s the full setup process:

Clone and Initialize Nitrokey App Repository

git clone https://github.com/Nitrokey/nitrokey-app.git --branch=v1.4.2 --depth=1
cd nitrokey-app
git submodule init
git submodule update --recursive
cd libnitrokey
git checkout tags/v3.6
cd ..

Build Nitrokey App

Ensure hidapi-devel (or hidapi-dev, depending on your distribution) is installed
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release ..
make -j$(nproc) -l$(nproc)
sudo make install

This may be enough. I also created a symlink to /usr/local/lib/udev/rules.d/41-nitrokey.rules in /etc/udev/rules.d and added this line to /usr/local/lib/udev/rules.d/41-nitrokey.rules:

ATTR{idVendor}=="316d", ATTR{idProduct}=="4c4b", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="plugdev", TAG+="uaccess"

Now when I run nitrokey-app, it recognizes the Librem Key. Hopefully this is helpful to someone else if they need it before libnitrokey 3.6 makes it into their distro’s repositories.

joao.azevedo · October 23, 2020, 11:56am

Thanks for this nice howto. libnitrokey 3.6 has not yet entered the debian repos. Once it does this issue will be solved.

reC · October 23, 2020, 5:25pm

i open the terminal (Tilix) on my PureOS 9 (stable) on my Librem Mini and type

man apg
then after i am done reading i type (as an example)
apg -s -a 1 -m 63 -n 4
it generates a highly secure random password that anybody can use to secure their WiFi for example …
how is generating a password with the NitroKey App on the Librem Key any easier/secure ?
i hope you don’t mind me asking. i have a Librem Key but i’m not quite proficient at using it yet …

Jt0 · October 23, 2020, 6:06pm

Good question. More specifically, by “one time password” I mean a HOTP/TOTP password, not just a password that I need once. Since these algorithms have predictable passwords if an initial secret is shared between a server and your Librem Key, HOTP/TOTP passwords can be used for 2 factor authentication.

jeremiah · June 30, 2021, 9:09pm

Hello!

I have an update regarding the libnitrokey submodule in PureOS. I’ve updated the module to 3.6 and pushed it into PureOS 10. Byzantium is the PureOS 10 codename (with Amber being the codename for PureOS 9 which is our current release.) This means that if you’re running either version you should have a working Nitrokey app and libnitrokey available to you.

hmk · July 26, 2021, 10:37am

Great! This is probably obvious:
sudo apt install nitrokey-app