Storage 2 - Encrypted volume corrupted after viewing on Mac

Hi there.
So I have just purchased a new Nitrokey Storage 2 directly from nitrokey.com.
I'm using it mostly on Windows 10 and 11. I updated to the latest official firmware. I first installed my own private PGP key and set up an encrypted volume.
Firmware: 0.57

That volume I tested with exFAT and FAT32.

I unlock the volume and add a few TXT files to it.
I lock it and then remove the stick. Then I attach the stick to a MacBook, open the Nitrokey app and unlock the encrypted volume. I can access the stored data and interact with it.
I lock the volume again, remove the stick and attach it back to my Windows machine.

Now I unlock the volume again, and everything is gone.
The encrypted volume is inaccessible. Looking at the Windows partitioning utility, it shows the volume is RAW. All data on that volume is lost.

I was able to repeat this a few times. Sometimes with Windows formatting the volume as exFAT, and I also tried FAT32. Always the same result: after accessing the data via the MacBook, the volume is corrupted.

Is this expected? I hope not.
Is there a way I can analyse/verify anything on the stick at a deeper level? Is the stick just faulty?
Shall I request a replacement?
Am I doing anything wrong here?
I'm working in IT, so I do believe I have some skills; however, with encryption and such secure sticks it's my first experience.

Please let me know what your thoughts are.

No one has any suggestions?
Is this expected behavior when using the Nitrokey Storage 2 on Windows and Mac?

Hey @Jens79

I believe this is a good indication that this combination (NK Storage, Win + Mac) has a very limited user base. Of course this is clearly not expected - we also know that it should generally work on MacBooks - but we do not test all updates/releases, or not extensively.

No, you don't. But could you try whether this also occurs if you don't switch the OS, as you report it's reproducible?

I think you already wrote to support (at) nitrokey (dot) com - please try the hints passed there, so: firmware update, reset AES key, factory reset. If all this doesn't help we would replace it and see if that helps…

Hi, thanks for the feedback.
I had filed a ticket with support already, but never got any response after 4 days, which is why I had just this morning filed a revocation of sale.

Anyway;

I was really looking to get a secure storage stick and chose Nitrokey as one of the leading producers. However, seeing that it completely corrupts the entire storage just by accessing it from a different OS (which is officially supported) makes me very afraid of how secure my secured data is.

And yes, I was able to reproduce it in multiple ways on different MacBooks with recent to latest OS versions. Always with the official Nitrokey App.

Yes, I did already update the firmware; I had also performed the key reset and factory reset. Nothing solved the issue, sadly.

My hope at this point: it's faulty hardware and a replacement could help.

QQ: Assuming you are familiar with the Nitrokey products; is there maybe a better choice of hardware for our use case?
We must be able to securely store data on an encrypted device which we can safely put into a physical vault and allow management to access when needed.
As we have a hybrid environment, I myself but also my management use Windows as well as Mac. So access from Mac as well as frequent access from Windows must be possible.

In case an OS is not supported for access, it would be acceptable if the app states it and prevents access, but for sure not making all data lost/corrupted.

Speed-wise the Nitrokey Storage is not on par with other encrypted storages. It has always been the feature combination that made it attractive to me. Especially the open source hardware and software (besides the smartcard).

I did not test the Nitrokey with ARM Macs (not allowed), but it was always helpful to just be able to compile the unlock app when something changes (like a new macOS release before - worked like a charm). That is the Achilles' heel with all IronKeys or DataTravelers. Most only work with Windows or Linux now and older versions do not receive an update.

For hardware encryption without the possibility to make mistakes across multiple OSes, you would require one with PIN pad code entry. They might introduce issues with passing the unlock key to the device (YouTube has some videos where this was defeated in the past) and some users might therefore prefer Nitrokey Storages.

Does this mean the issue also occurs without switching from one OS to another - so macOS-only usage will break it?

Yes, please try that and report back if this helps.

If you would like to keep arbitrary data, not just keys, this is not trivial to answer. On a professional level I would likely suggest an approach that utilizes encryption (like LUKS) in combination with hardware-secured (NK3/NK Pro) decryption keys (actually it then would be a hybrid approach: asymmetric keys on the tokens secure the symmetric key used for actually encrypting the actual data). This way you can safely keep the (encrypted) data blob where you want and replicate it easily; the same then applies for the security tokens. Nevertheless, the NK Storage is a good solution in between which reduces complexity for the end user and has served well for many similar use cases.

No discussion here, this should clearly not happen - I will also take with me that we will try to reproduce your issue and investigate what's happening there…
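The hybrid scheme sketched in the reply above (a symmetric data key encrypting the blob, that key wrapped by the token's asymmetric key), written out as an added example; this is not Nitrokey's or the forum's code. A locally generated RSA key pair stands in for the token: in a real deployment the private key lives on the NK3/NK Pro and `Open`'s unwrap step would run inside it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Blob is the replicable artefact: data under a one-time AES-256-GCM key, plus that key wrapped (RSA-OAEP) to the token's public key.
type Blob struct{ WrappedKey, Nonce, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { // wrong key length, e.g. from a tampered wrapped key
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal needs only the token's public key: the device never sees the data.
func Seal(tokenPub *rsa.PublicKey, plaintext []byte) (*Blob, error) {
	buf := make([]byte, 32+12) // fresh 256-bit data key + 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dataKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, tokenPub, dataKey, nil) // only the token can unwrap
	if err != nil {
		return nil, err
	}
	return &Blob{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open unwraps the data key (on real hardware inside the token, so the private key never leaves it) and decrypts.
func Open(tokenPriv *rsa.PrivateKey, b *Blob) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, tokenPriv, b.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil) // fails if the blob was altered
}
```

Because the data key is wrapped rather than derived from the token, the encrypted blob can be copied to as many places as you like, and losing a copy reveals nothing without the token.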

I have not yet tried macOS <=> macOS. Will try possibly on Monday.

I am fully new to such encrypted storage utils and honestly didn't understand half of this.
That's the main reason we were looking for an end-user-ready solution like the Nitrokey Storage.

Our use case involves end users on management level being able to access encrypted data on that storage in case of "disaster".

Another second-level goal would be, if it works "easy for the end user", that we are planning to introduce such hardware for all upper-level users for their daily secure credential and data storage. As an addition to 2FA.

Thanks for your reply.
I understand this specific product might not be intended to directly serve our use case. We will see how we can make compromises. Meanwhile, I also got feedback from shop support.

In case I get news on the actual topic here, I will update - until then, I guess there is not much more to do now.

Update:
I have now gotten a replacement device "Nitrokey Storage 2" and performed all the same initial basic steps. I was not able to reproduce my issue anymore.
Using the NK Storage 2 on 2 different Windows 10/11 desktops as well as on 2 different MacBooks was all successful and as expected so far.
It seems, at this point, it was a faulty stick device (hardware).

I will perform a few more end-user tests with that key, switching the devices etc., and hope it stays intact before starting to use it productively.

Hey @Jens79

This is honestly good to hear :sweat: thanks for going the extra round and for your patience.
Anyway, please be sure to keep proper backups of your data - you never know which "cosmic ray" hits you next …

best

Yeah, the backup strategy is a thing I'm still very uncertain about - as I'm just starting to touch base with encrypted storage etc.
Can you recommend a good common end-user backup strategy?

In the best scenario, I can have a backup automatically performed once the stick is connected and data has changed. But the backup must obviously be encrypted as well, and then where to store it?!

Hey @Jens79

In the best scenario, I can have a backup automatically performed once the stick is connected and data has changed. But the backup must obviously be encrypted as well, and then where to store it?!

Although this sounds like a good idea initially, I wouldn't suggest such an approach. There are many corner cases which could lead to issues:

  • What if you would like to use your USB stick directly after inserting it? Who takes preference, and even worse: what happens if you change the contents? What should be backed up then?
  • What if you pull out your USB stick before the backup finished? This might leave the USB stick in a bad state.
  • Most importantly: how do you save the backed-up data? And where? Is it encrypted?

Overall, as far as I know, there is no solves-all-your-backup-dreams tool out there. Especially if we are talking about security-sensitive data. The easiest way to go is maybe replication: have as many copies as possible with the same security. To increase reliability and decrease risks you might also want to use another device or even another method (like described above).