Nitrokey 3c cannot generate HOTP inside PureBoot

Long story short: my PureBoot cannot generate new HOTP codes, even after I factory-reset / re-take ownership of both PureBoot and the Nitrokey.

When I plug in the Nitrokey 3c, PureBoot says "device has no listeners, quitting". However, the key still functions properly (mostly).

If I choose "refresh HOTP/TOTP", it properly generates a QR code and prompts me to enter my admin PIN and then touch. However, it then returns an error saying:

cat: can’t open ‘/boot/kexec_hotp_counter’: no such file or directory


If I attempt to regenerate the HOTP/TOTP secret, it says something strange:

DEBUG: Signature key was created at Wed Jan 1 xx:xx:xx UTC 2070
DEBUG: Admin PIN retry counter is 0

We are not in 2070 (this is a hwclock issue, I guess; not sure if it impacts anything), and I just reset the GPG smartcard. Its Admin PIN retry counter can't be 0.

I then get asked for the Admin passphrase. It proceeds even if I don't input the correct code, and the key blinks. Touching the key first says "touch received", but then:

Error occurred, status code 32: touch was not recognized, or there was other problems with the authentication
ERROR: setting HOTP secret on Librem Key failed!

I don't know if the detection mechanism is problematic, or my key is malfunctioning, or something else. This has been troubling me for months, and I have tried everything to fix it. Thanks in advance; I'll provide as much info as I can.

The error messages are typed by hand; if there are minor typos or mismatches, that's normal.

I regularly use a 3C with my Librem 14 with PureBoot.

Could you tell us what operating system you are running? PureBoot requires an unencrypted boot partition to function.

Please do the following to set the hardware clock:

  1. From the PureBoot Boot Menu, select Options > Exit to recovery shell
  2. Type each of the following commands and press Enter:
    • date -s "2026-03-12 00:00:00"
      • This sets an approximate date (the OS will set it exactly from network time later)
    • hwclock -w
      • This updates the hardware clock (there is no output if successful)
  3. Plug in the Nitrokey if it's not already plugged in.
  4. Reboot by running the following command: reboot

I’ve found success following these steps after installing a new OS (I might be missing some parts as it’s been a while since I’ve done this):

  1. In the PureBoot menu, navigate to Options > TPM/TOTP/HOTP Options > Reset the TPM
  2. Re-sign the boot files.
  3. In the PureBoot menu, choose the Refresh TOTP/HOTP option.

I'm running PureOS. I do use LUKS, but only as set up through Calamares (the PureOS live image's installation program). I don't think it encrypted the /boot partition, but that is only my assumption.

I will resign the boot files and try again.

PureOS does provide an unencrypted boot partition so you’re good there.

If you have used up your Nitrokey’s retry counter limit, then you will need to unblock the PIN or perform a factory reset (not from PureBoot but from the smartcard with gpg --card-edit I think).

I will also note that PureBoot 30 (it may be supported on earlier versions) supports the Nitrokey’s touch confirmation (UIF) feature: https://docs.nitrokey.com/nitrokeys/features/openpgp-card/uif. It’s optional but I thought you’d like to know.
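The two card states discussed above (an exhausted Admin PIN retry counter, and a signature key whose creation date lies after the system clock because the hardware clock was wrong) are both visible in `gpg --card-status` output before you ask PureBoot to set an HOTP secret. The script below is an added example, not part of this thread or of PureBoot; it parses a constructed sample of that output (the line layout `PIN retry counter : <PIN> <Reset Code> <Admin PIN>` and the indented `created ....:` line under `Signature key` are assumed from GnuPG's usual format) and refuses to proceed if either check fails. To run it against a real card, replace the sample with `$(gpg --card-status 2>/dev/null)`.

```shell
#!/bin/sh
# Added example: pre-flight check of an OpenPGP smartcard (Librem Key / Nitrokey 3C)
# before (re)generating HOTP secrets from PureBoot.
#   1. Admin PIN retry counter must not be 0 (otherwise unblock or factory-reset first).
#   2. Signature key creation date must not be later than the system clock
#      (a wrong hwclock makes the key look "created in the future" and GnuPG rejects it).

# Constructed sample of `gpg --card-status` output, trimmed to the lines we parse.
# This is assumed/sample data, not output from the poster's card.
SAMPLE_STATUS='Reader ...........: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Application ID ...: D276000124010304000F000000000000
Version ..........: 3.4
PIN retry counter : 3 0 0
Signature key ....: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0000
      created ....: 2070-01-01 00:00:00
Encryption key....: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0000
      created ....: 2070-01-01 00:00:00'

# Print the Admin PIN retry counter (third value after "PIN retry counter :").
admin_pin_retries() {
    printf '%s\n' "$1" | awk -F': ' '/^PIN retry counter/ { split($2, n, " "); print n[3]; exit }'
}

# Print the creation timestamp of the signature key ("YYYY-MM-DD HH:MM:SS").
sig_key_created() {
    printf '%s\n' "$1" | awk '
        /^Signature key/ { want = 1; next }
        want && /created/ { sub(/^.*created \.*: /, ""); print; exit }'
}

# check_card STATUS_TEXT NOW_TIMESTAMP  -> returns 0 if the card is usable, 1 otherwise.
# NOW_TIMESTAMP must be in the same "YYYY-MM-DD HH:MM:SS" form so a string compare orders dates.
check_card() {
    status="$1"; now="$2"; rc=0
    admin=$(admin_pin_retries "$status")
    created=$(sig_key_created "$status")

    if [ -z "$admin" ] || [ "$admin" -eq 0 ]; then
        echo "FAIL: Admin PIN retry counter is ${admin:-unknown}; unblock the PIN or factory-reset the card before setting an HOTP secret" >&2
        rc=1
    fi
    if [ -n "$created" ] && [ "$created" \> "$now" ]; then
        echo "FAIL: signature key created at $created but the system clock says $now; fix the hardware clock (date -s / hwclock -w) first" >&2
        rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed sample, using the current UTC time.
if check_card "$SAMPLE_STATUS" "$(date -u '+%Y-%m-%d %H:%M:%S')"; then
    echo "card looks usable for HOTP provisioning"
else
    echo "card is not ready; see the messages above"
fi
```

The string comparison on timestamps works only because GnuPG prints them in a fixed ISO-like layout; if you pull the date from elsewhere, normalise it to that layout first.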

Bad news, guys. I changed the hwclock time without considering the GPG authentication issues. Now PureBoot locks me out because the pubkey inside it does not match the system time, and my Nitrokey cannot be accepted because the key on it was created in the "future".

For some reason, this "use your smartcard to confirm you are the owner" prompt was not showing up properly in my previous tampering attempts. I thought PureBoot only detects tampering, but now it seems that it also prevents tampering in a sophisticated way.

It was midnight when I was doing this and my mind wasn't very clear; how dumb I am. I'm going to try to fully reset PureBoot, as well as pretend I'm a thief and try PureBoot's defence.

Very interesting. I was going to try and test the Nitrokey Pro 2 and 3c with PureBoot 30, but had not experimented yet when I saw your message. So you confirm being able to use the NK3c on a Librem in the same way as a Librem Key? And even better if UIF touch confirmation indeed works!
Did you have to change a UDEV rule for the device to be recognized? And also, have you tried the smartcard-key-luks script with the 3c?

Yes.

To clarify, when re-signing the boot files, after entering the PIN, it will blink and wait for the touch confirmation. It does not wait for a touch confirmation when verifying the integrity of the files.

I did not need to add an entry for the 3C for the PureBoot boot file integrity checks.

Edit: I don’t use the smartcard-key-luks script so I don’t know if it works. I presume it does because it is just another smartcard.


BTW: playing with the Nitrokey 3c on my Librem currently running PureOS 10 (Byzantium), I saw that the Nitrokey App2 (for managing NK3-family dongles) was not up to date. I downloaded the latest version, 2.6.0, but when trying to install it, apt complained about a missing python3.10 library.
Looking a bit further into the problem, it appears the OS only supports python3.9; there is no way to install 3.10!
Yet another annoyance due to the extremely old Debian (11.7) that Byzantium is based on. It would be about time we had something newer that is not "veryveryoldstable"...
Luckily my other laptop, running Qubes, has Debian 12 and Debian 13 templates and I can manage the NK3 fine there.

You can get the testing release of PureOS 11 (Crimson) by modifying Byzantium's download link, if you want.

Just delete everything after "byzantium", leaving only https://downloads.puri.sm/

Then click "wip", then "crimson", and you will see a list of available flavours to download. Click here for express access. These are the newest builds, but they are not quite the same as mature releases.

also, check this:

You should be able to install python3.10 in a python virtual environment.

I would recommend using the nitropy CLI app to manage your Nitrokeys instead. Python 3.9 is one of the supported Python versions.

I think you could use uv to install the nitrokey-app package (instead of using their recommendation of pipx).

Yes, I know I could make the move to Crimson.
But sound OPSEC mandates never using beta software in a production stack.
So... stuck with what is now stable, and eagerly waiting for Crimson to have a stable release.

…and how would you do that?

Thank you for the advice. I have used their CLI app and don't like it; it's so much easier to have a GUI app for managing dongles.

I am not a Python person, but once or twice every year or three I have to do it (on a desktop or server) because of needs very like yours.

I have to look it up every time. (It's just as well that I've never got around to keeping records of what I did, since Python keeps changing "the only one way to do something" more often than I need to redo the same thing.)

I suggest doing a search on python venv and another on python virtualenv and trying to figure out which of those is currently in favor. Beware of content farms with out-of-date and possibly faulty instructions. python.org and pypi.org should be the most authoritative and up to date.
