I would like to create a bootable USB stick (so loaded with a given OS), that is read-only and BadUSB-proof (i.e. the stick has to verify if the firmware is signed). Is that possible with a Nitrokey, and if so, which one(s)? (so basically something equivalent to the Kanguru SS3 stick)
The goal is to have a key I can plug into any machine and have my OS run on it, without risking having malware on the USB stick afterwards.
Exporting the firmware for verification won’t help, because if it is infected, the malicious firmware could just “replay” the good firmware. Also, the moment I plug it in somewhere, that risks getting infected too.
However, would the password protection of the firmware be robust to an attack and just as safe as using signed firmware?
Also, is it possible to make the memory of the stick “read-only” too? If so, I take it that would be software-based - is that as safe as sticks with hardware read-only switches?
On the NK Storage you have a (small!) part that is read-only by default while you can change it with the master password (I for instance added my photo in it to prove the key is mine, then turned it back to read-only).
Other than that, I’d recommend to analyze the potential use of a USG physical barrier. I own two (the small versions) and am perfectly happy with them…