Nitrokey Stuck in read-only only in Linux

Hello, I currently Bought a Nitrokey and I am having an issue Opening the APPIMAGE on the unencrypted Partition. I am running this in Qubes OS using a fresh Debian 10 Template. I am running NitroKey APP version 1.4.0 using Firmware version 0.54. So to get this to open you have to go to properties on that APPIMAGE and click “allow executing file as program” But as soon as I do that it says it is read-only.

Reading up I have found that to fix this you have to type your admin password in to change it from read-only. So I downloaded the Nitrokey-APP from Github and checked signatures. I changing the properties on that APPIMAGE “allow executing file as program”. I opened the App and typed my admin password in and changed the unencrypted partition so its read-write.

Now when I try and eather copy that file I downloaded off Github onto the unencrypted partition or just change the original APPIMAGE that was on the Nitrokey to “allow executing file as program”, It simply changes itself back to read-only with no error or warning.

When I go to “About NitroKey” to check the status it says "Unencrypted Volume: READ/WRITE. But I still cant Edit anything or move a file in this partition. All this works fine using Windows 10 so I am not sure what is going on exactly.

Any Ideas on how to fix this?

er… From what you say I understand you have turned the unencrypted partition from read-only (normal status at delivery IIRC) to read-write with the windows app, and verified this is OK by e. g. copying an extra file from the windows machine on the unencrypted partition. Right?
Then, if this is so, I suggest you copy the app from the NK partition to your main Linux disk. When left on the key I did get the ‘allow executing file as a program’ issue exactly as you got, and my understanding is that this may be due to the program being located on the USB key. At least, here it works, once copied from the key to the main disk.
FWIW, I use app v1.2 on Debian, which works properly on the disk

As far as I remember this has something to do with FAT32 and executable rights on Linux, but I am not sure anymore and could not find any hint on that issue. I am quite confident that @szszszsz can tell you more about it, but not anytime soon (may end of next week), because he is not available right now. I am sorry.

Yes I have it running fine From my Linux Disk with executing permissions but as soon as I copy it over to the Nitrokey Disk It changes it back to read-only with no warning and cant run it.

I even tryed changing the permissions with version 1.3.1 instead of 1.4 with the same effect. I will try and do some more research on fat32 and executable rights on linux. Maybe its not meant to be run on Nitrokey USB just on there as storage/backup.

I would suggest to check your mount options ( noexec ) for the NK USB under LINUX.


AppImage does not need a writeable volume to run, only to have an executable attribute. The problem is with the FAT32, which on nowadays Linux is mounted with noexec option enabled by default to block the execution (which is good).

The idea for Linux support here is to copy the binary to local disk, and run it from there. FAT32 is handled on all OSes, hence it was chosen to keep the application. I agree it does not have great user experience because of that, but alternative would be to provide a separate partition for Linux binary, which could confuse users further.

You can fix the original problem by reformatting the partition to Linux supported, like ext4/ext3 etc., but it will stop working on Windows or macOS, unless they would support it (e.g. by installing additional drivers or software). Or by shrinking the FAT32 partition by 100 MB, and adding another with ext4, to just store Linux binary with proper attributes - best of two worlds.

That should not be the case. Each change of the Unencrypted Volume RW mode is confirmed with the Admin PIN, and if it does this on its own, we would have to check that. Are you sure you are not confusing ‘executable’ attribute with ‘writeable’ attribute (provided description suits it)?

szszszsz, I think the issue is more that this, is not documented enough within the key itself.
For new users it would be very welcome to have a readme line saying almost exactly the above ('for security purposes Linux prevents any Appimage to be run straight from this USB key : please copy the appimage on a disk, switch it to executable and run it from there’)…
Just my 2 cents…

1 Like

I agree. We actually do have a readme file distributed (start.txt/start.html), which redirects to online documentation, but perhaps adding a quick run description would be nice for offline users.

@nitroalex Can you compile such description from our documentation?

What do you mean exactly? I do not understand, being honest.

@nitroalex, for me the idea was just to add somewhere in the readme the sentence in italics above, or something alike, so that the new user on Linux won’t try launching the Appimage in vain from the key…

1 Like

Exactly as @Herve5 mentioned in Nitrokey Stuck in read-only only in Linux, optionally perhaps some from Nitrokey Stuck in read-only only in Linux.