(beginner) NK Storage, understanding the LEDs?

Sorry for such a simple question : I just got my first Nitrokey (Storage 32) and can’t find a comprehensive explanation of the blinking LEDs. I see the green one continuously on when a large write is performed, I have seen a red one blinking now and then, but indeed is there an explanation on these status LEDs? (is red a fault…?)

On the same line, I’d appreciate advice on the best typical sequence for, say, insert, write and unplug : is it correct and in the right order to plug, start the app, sign in to unlock the encrypted volume, use it, unmount (or at least try to? seems to refuse to disappear on Linux and windows?), eject?
Do I need to relock before ejecting, unmount before relocking…?
Similarly, a typical sequence for the hidden volumes or the key creation, as naive as it is, would be very welcome :wink:

(I had various difficulties on Linux, Ubuntu Mate 16.04, where I found myself in various states with e. g. two NK menus (none of which did detect the key), restarts needed…)

Last thing : it would be useful to indicate that the Windows app does not require admin passwords to run : that will be the case for almost all ‘company-provided-PC’ users…


Hey Hervé,

thanks for your questions!

Yes, this should indeed be explained in the docu. We will do that soon :smile:

The green LED indicates (as you already mentioned) disk usage. So it is blinking/on when you read/write data on the storage.

The red LED on the other hand indicates access to the internal smart card. You can interpret it as a general usage indication (to keep it low-level). In every case it is not a fault message :wink:

At first: it doesn’t matter so much, until you actually opened the encrypted volume (EV) or hidden volume (HV). So just plug in the Nitrokey whenever you like and wait for the App to detect it. After unlocking the EV or mounting it in your OS you should eject/lock it before actual physical unplugging as a precaution to prevent data loss. So the workflow would be to firstly unmount in the OS and then may lock within the App. Actually, locking the EV is not necessarily required if you plan to unplug the device anyway.

For the HV it would go like: 1) unlocking EV 2) unlocking HV and 3) mounting on system. After this again the most important thing is to unmount in OS. You then can either unplug or just lock the device via App.

Can you elaborate a bit more what happend exactly? Did you open the App multiple times? @szszszsz any idea?

Where would you like to have such an indication?

Kind regards

Doubled App menu might come from Window Manager features, like saving the opened applications on close and / or autostarting applications. Nitrokey App is not detecting, is it opened already, but hopefully this function will be implemented in the next version (registered as NitrokeyApp#367). Perhaps another App is opened, but without the Tray menu icon added. Only one App can access the device at given moment. In such case one can safely call killall nitrokey-app and open the App once again.

Another reason, where Storage is not detected by any of the Apps, is improved smart card handling in recent firmwares. However, when the smart card is accessed by the any other application, the MCU on Storage cannot access to it (and the App receives BUSY status from the device during that period), until the host-requested operation completes. Some applications do not release the smart card at the end of usage. Current timeout for smart card operation is set to 60 seconds to allow to generate 4096 bit RSA key. Effect of this setup is sometimes a need to wait 60 seconds for device to be free to work with the Nitrokey App. Issue is registered as Storage#66.

Thank you for this quick answer!
On Ubuntu I now better understand what happens :

  • indeed yesterday in my rather uncompetent search I did reboot the system, which in my settings does relaunch the previously running apps, of which the Nitrokey app -and most probably I tried to launch it a second time myself. So this solves the point on ‘two icons in the tray menu’. I didn’t get this since then.

  • Today, launching the app and pluging the key, the app reacts normally, and I can unlock the EV for instance. I also can see the two volumes appearing in the basic exploration windows, aside my two internal disks, but what happens is I cannot mount them from there (maybe a normal behavior), and they don’t automount elsewhere. I think that is similar to yesterday behavior, and that was when I tried to reboot :slight_smile: -I am not at ease with commands like sudo mount xxx…
    This issue is still open for me, while I do understand I am definitely not an expert!
    One last thing : it seems I cannot turn the small read-only volume to read/write but at the same time the number of remaining attempts for the user pass stays at 3 forever -I don’t know it this can help…
    Screenshot below : of the two NK volumes I correctly see one that is not mountable (because I didn’t unlock the EV) and the other one is mountable apparently, but when I select ‘mount’ (like in the picture) I get an error. I am a bit surprised that both volumes have the same name (in this view)…

    (the system is localized in french)

  • for what concerns mentioning the fact that windows app doesn’t require admin password, I think it should appear relatively early when a candidate user explores the main features.
    This may be on the front page in the panel that appears when one clicks on ‘Encrypted mobile storage’/‘Read more’ , at the end of the third § (the one that reads ‘Encrypted Storage - The Nitrokey Storage contains an encrypted mass storage space with a capacity of up to 64 GB. To unlock the drive, simply enter your PIN…’)
    In my case what I did was to try the app on my work PC, which appeared allowed, but knowing it from the website would be cooler for the user wannabee :wink:

yet some other info :

  • My kernel was initially 4.17.12 but then I upgraded to 4.18.5, no behavior change
  • after a reboot indeed the volumes do appear, both of them and the EV mounts when unlocked
  • same for the HV
  • even with this I still cannot switch the read-only small unencrypted one to RW (I wanted to add a small file with my name in it), this on the Linux machine, while it works on my work windows computer (which is quite frustrating!)

I’d say aside the rather erratic behavior of the Linux app relative to the PC one, the lack of possibly unlock the locked volume on Linux is the most frustrating point. But I’ll manage to counteract with the PC…


as described in the other post, please try to use the newest App first. The easiest way to do this, is to start the AppImage on the unencrypted volume iteself.

I am not sure about the other issue you described. Being honest, I didn’t understand all of them. But it sounds to me like the OS is showing disks which are not accessible anymore or something alike. I am not sure.

Did you change the Nitrokey in any way, something like factory-reset or alike?

Kind regards

Alex, thank you for your support!

Being at work now I can say

  • I didn’t change the key in any way, no reset etc.
  • contrary to the linux one the windows version of the app does allow me to unlock the read-only small volume, I just did it
  • the win version of the app correctly states that for doing this I need to input the admin password, while IIRC the Linux app asks for the “user PIN” only, too vaguely IMHO
  • I did try the admin pass on the Linux (but among others, and in this curious state where while refused I still keep 3 tries, all the time -just for this not the other changes)
  • On Linux I did not install the Appimage, not having the associated resources on my U. Mate (supplied as is by Tuxedo, but thoroughly updated by me)
  • instead, I did exactly as suggested in NK ‘start’ page, installing by hand the latest app you show on the site from your ppa for Ubuntu (and not the Ubuntu repo)
  • I’ll double-check the app version number when back home tonight anyway, but I definitely thing it’s the latest
  • all in all, I think it is clear the issue is on my Linux app not the key; if nothing else I’ll uninstall then reinstall it tonight…

The AppImage is an executable which does not need to be installed. This is probably newest version of the App while the ones coming with the several Linux distributions tend to be a bit outdated. So please try the AppImage (you may need to right-click on it, go to “Propriétés” and allow executing it).

Kind regards

Alex, you are right, I was confident because I added the nitro ppa instead of just using the Ubuntu one, but indeed inside the nitro ppa the app is also very old!
So, I’m down to using the appimage, which is a bit sad for me (among others I won’t benefit from the auto-updates allowed by apt)
So, you can consider my issue closed here. Thank you for your efficient support!

Just as a non urgent clarification : when depicting the various Nitrokey versions to a colleague, we noticed that the NK Storage factsheet mentions “Activity indicator: three-colored LED” while for instance the NK Pro factsheet only announces two (everything else seemingly indentical, safe storage obviously)
Just for discussing with candidate colleagues, is there a significant difference between these 3 LEDs here and the two in the pro? (fastest interested colleague is interested by the pro)

Hey Hervé,

we are using a two-colored LED in the Storage. As it is possible to use both functions at the same time (e.g. transferring data and accessing the internal smart card), there will be a color which is neither green nor red when both LED are on.

But there is no actual three-colored LED. Therefore, we are changing the factsheet, to make it more clear.

That is to say, the above statement about colour meaning is still valid for the Storage :smile:

Kind regards

1 Like