Keep a Secure Operating System With you at all Times. How?

Is there any guide on how to create and boot OS from Nitrokey Storage with encryption? How is that even possible to boot if it’s encrypted?

Keep a Secure Operating System With you at all

Securely boot Windows or Linux directly from Nitrokey
Storage. Nitrokey Storage encrypts and protects
the system against manipulation, such as the installation
of surveillance software via „Evil Maid“.

1 Like

Hi Rod,

please have a look here first.

I am afraid, that there is no ready-to-go instruction for this. There are different possibilities though. Especially on GNU/Linux I could explain some. But you may let me know first, what your use-case looks like. This would make it much more easy for me.

Kind regards


I think the idea is to have a modified bootloader (e.g. GRUB), which would unlock the device with the supplied user PIN. At the moment it is not implemented yet AFAIK.
However it is possible to make it by hand and unlock the device’s Encrypted Volume on any OS currently installed on given host (macOS, Windows, Linux; e.g. with using portable Nitrokey App from Unencrypted Volume), and reboot the host to boot from it (Encrypted Volume will be available until device is locked or removed from USB port).

Since the encrypted volume requires unlocking and mounting and not all computers keep USB power to the ports during a reboot this is very unlikely to work in any consistent fashion. Especially because to unlock a volume it usually requires keeping the keys in memory while it is unlocked, so rebooting will essentially lock the encrypted volume regardless.

One way this could be accomplished to at least have a chain of trust is using the read-only attribute of the unencrypted storage and storing a small LiveCD/LiveUSB image there behind a password protected grub entry (also stored in the read-only section) and then once booted you can unlock the encrypted portion to access your sensitive files.

1 Like