1% enc-storage for hidden volume

Hi!
Setup: macOS with virtualization software, USB automount disabled.
Nitrokey Storage 2 64GB, App(Image) 1.4, FW 0.54, checksums firmware match. Not flashed. AppImage 1.3.2 doesn't work, AppImage 1.4 checksum matches.

I played around with that stick and configured it. I wanted to initiate the hidden volume.

  1. Created GPT partition table inside the encrypted area after unlocking
  2. Created unformatted partition with gparted
  3. Used LUKS and ext2 (FAT doesn't change the problem anymore).
  4. Tried some reformats and repartitioning.

AppImage 1.4 under Debian Linux VM now says that I can configure a hidden volume between 49 and 50% (600MB only). There was no data written to the encrypted disk(s) except the file system/LUKS information.

Steps I tried to solve the problem:
AppImage Admin or normal mode
- reset to factory defaults
- reinit drive
- destroyed encrypted data (new AES key generation)
- filled drive multiple times with random data by AppImage function (special)
- gpg card erase like your website lists

Unencrypted Storage doesn't get clean (not even if I choose factory defaults?!)
AppImage always says encrypted storage is full. Setting proper values not possible anymore (maybe wasn't possible anytime).
Stick is new, except filling with data/deletion not used the storage.

Any ideas what I can do? I want to use LUKS encrypted hidden volume in encrypted LUKS volume inside encrypted Nitrokey storage. I am not paranoid. Definitely not. I am not. Believe me.

Thank you for your support.

Best regards
NitrokeyTester

Hi @NitrokeyTester!

The reported range of available space for hidden volume creation comes from analyzing the EV write access data and is only collected for the given power-cycle - the device reinsertion will allow you to create it whenever you want. The only problem here will be that you might overwrite the Encrypted Volume (EV) data while writing to the Hidden Volume (HV).
As for why the reported range is so small, this is probably caused by the file system used (or perhaps rather LUKS full volume initialization). Some make backups of the data in strategic places, like the 50th percentage mark (NTFS), or even more frequently.
In case you have written the whole EV space, the available HV space which will destroy existing data does not exist by the calculation method of the device, hence this weird value of 1% or even less.
The information about statistics being only per power-cycle should be on this screen, sorry for missing that.

As for Unencrypted Volume, it is not key-managed, and the write goes raw to the underlying storage memory. This feature is on our roadmap though.

Regarding LUKS in LUKS, I assume you have initialized the whole EV with random data using LUKS, thus polluting the statistics. Device reinsertion will clear that. Please write the usable data first to the EV, to maintain plausible deniability for HV.

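The reply above says the offered hidden-volume range is derived from the writes the device has seen on the Encrypted Volume since power-on. A toy model of that behaviour follows, added here as an example and not Nitrokey firmware or app code; the "largest untouched gap" rule, the `WriteTracker` class and the block counts are assumptions made for illustration.

```python
# Toy model (an assumption, not Nitrokey firmware): the device remembers which
# parts of the Encrypted Volume (EV) were written since power-on and offers the
# largest untouched gap, in percent, as the hidden-volume (HV) range.

class WriteTracker:
    def __init__(self, total_blocks):
        self.total = total_blocks
        self.written = []  # (first_block, last_block), inclusive

    def write(self, first, count):
        """Record a write of `count` blocks starting at block `first`."""
        self.written.append((first, first + count - 1))

    def power_cycle(self):
        """Reinsertion: statistics are per power-cycle, so they are dropped."""
        self.written = []

    def largest_free_range(self):
        """Return (start_pct, end_pct) of the largest gap with no recorded write."""
        best = (0, 0)
        cursor = 0  # first block not yet known to be written
        # A sentinel interval at the end closes the final gap.
        for first, last in sorted(self.written) + [(self.total, self.total)]:
            if first - cursor > best[1] - best[0]:
                best = (cursor, first)
            cursor = max(cursor, last + 1)
        # Round inward so the reported range never touches a written block.
        start_pct = -(-best[0] * 100 // self.total)  # ceiling division
        end_pct = best[1] * 100 // self.total        # floor division
        return (start_pct, end_pct) if end_pct > start_pct else (0, 0)


def scenarios(total=1_000_000):
    """Constructed sample writes; block numbers are illustrative only."""
    t = WriteTracker(total)
    results = {"fresh": t.largest_free_range()}
    # File-system metadata at the start, a backup copy at the 50% mark, and the end.
    t.write(0, 2048)
    t.write(total // 2, 2048)
    t.write(total - 2048, 2048)
    results["metadata_only"] = t.largest_free_range()
    # Full-volume random fill (e.g. LUKS initialization): no gap is left.
    t.write(0, total)
    results["full_fill"] = t.largest_free_range()
    # Reinserting the device clears the statistics, not the data on the EV.
    t.power_cycle()
    results["after_reinsert"] = t.largest_free_range()
    return results
```

In this model the full range reappears after reinsertion only because the statistics are gone; the EV data written earlier is still there and can be overwritten by the hidden volume.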