When I want to remove the Nitrokey Storage on Windows 10 while the encrypted volume in unlocked is it sufficient to just chose Savely remove Hardware and Eject Media > Eject Nitrokey Storage? Will the encrypted volume automatically be locked? Or do I risk any security breach by not locking the Nitrokey before ejecting it?
the manual locking feature is mainly a way to prevent data loss. This means that the data is always encrypted on the device no matter if locked or unlocked. But you may want to lock the Nitrokey to make sure that the data is not accessible on the current session anymore while the Nitrokey is still inserted. And you should lock to make sure no data encryption process is still in progress (afaik, @szszszsz anything to add?).
Nitrokey Storage shares similar advantages and disadvantages with other USB devices. Let me explain this with usual USB disk analogy: locking the device (that is
Password Safe and the
Hidden volume) is as the same as disconnecting the usual pen-drive disk from the USB port (device hides its removable media), which means that all transfers in progress will be interrupted ‘physically’ (without waiting for OS confirmation). Ejecting / unmounting the drive serves as a protection from transfer interruption (by activating OS check for current files use from given drive) and from potentially inconsistent data.
From my experience with Windows 8.1 I had not needed it (transfer finish was in sync with shown progress window), but this is how you do it by the book with all USB drives and devices to make sure all data transfers have finished.
Device always starts when powered on in locked mode, whether or not it was locked in earlier session. It is better to do it though before disconnection to allow internal memory erase (especially cached AES key used to encrypt the volume). Whether it is possible to reclaim data from it in other case (not locked before disconnecting) depends on whether adversary has a physical access to the device to memory chip, how well he is equipped and how much time left since last device’s use (still rather unlikely in ‘usual’ case).
As Alex mentioned, ejecting the encrypted volume in Windows still leaves it unlocked in current use session, until it will be locked in the
To summarize, when finished please use both:
- Ejecting the drive, and
- Locking the whole device before disconnection
to prevent potential data transfer and security issues.