Hardware-enhanced security

Key to Security

Live DVDs and Sensitive Secrets

Modern operating systems are quite messy when it comes to handling secret files. When you open a file with a program, there is always the chance that the program will leave pieces of it in caches, temporary folders, or even the swap partition, which is a problem when the file is meant to stay secret.

If you mount an encrypted volume in a directory and open one of its files (e.g., with LibreOffice), pieces of the file might end up in unencrypted places on the hard drive. At the very least, the path of the file would be added to the Recent Documents list, which can be retrieved easily and therefore leaks the file's existence and location.

Live DVDs are thus a great tool for working with sensitive files: You can load the Live operating system and mount the encrypted volume within it. Once you are finished working with the encrypted files, turning the computer off erases any trace of activity from the machine. Should the computer be stolen, the thief would not be able to retrieve the information.
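The Recent Documents leak mentioned above is easy to check for. The following script is an added example (not code from the article or from Nitrokey): it parses a recently-used.xbel file in the freedesktop.org desktop-bookmarks format that GTK applications such as LibreOffice write under ~/.local/share/, and reports every entry whose path lies under a given mount point, such as the directory where an encrypted volume was mounted. The sample file content, the user name alice and the mount point /media/secret are constructed for the demonstration.

```python
"""Audit a recently-used.xbel file for entries that point into a directory
(for example, the mount point of an encrypted volume).

Added example for this article; not code from the article or from Nitrokey.
The XBEL layout follows the freedesktop.org desktop-bookmarks format used by
GTK applications (LibreOffice among them). SAMPLE_XBEL is constructed data.
"""
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, unquote

# Constructed sample: what recently-used.xbel looks like after opening two
# files, one of them inside an encrypted volume mounted at /media/secret.
SAMPLE_XBEL = """<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
      xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info">
  <bookmark href="file:///home/alice/Documents/report.odt"
            added="2024-01-02T10:00:00Z" modified="2024-01-02T10:00:00Z"
            visited="2024-01-02T10:00:00Z">
    <info><metadata owner="http://freedesktop.org">
      <mime:mime-type type="application/vnd.oasis.opendocument.text"/>
      <bookmark:applications>
        <bookmark:application name="LibreOffice" exec="&apos;libreoffice %u&apos;"
                              modified="2024-01-02T10:00:00Z" count="1"/>
      </bookmark:applications>
    </metadata></info>
  </bookmark>
  <bookmark href="file:///media/secret/client%20list.ods"
            added="2024-01-02T10:05:00Z" modified="2024-01-02T10:05:00Z"
            visited="2024-01-02T10:05:00Z">
    <info><metadata owner="http://freedesktop.org">
      <mime:mime-type type="application/vnd.oasis.opendocument.spreadsheet"/>
    </metadata></info>
  </bookmark>
</xbel>
"""


def recent_file_paths(xbel_text):
    """Return the local filesystem paths recorded in an XBEL document."""
    root = ET.fromstring(xbel_text)
    paths = []
    # <bookmark> elements carry no namespace; only their metadata children do.
    for bookmark in root.iter("bookmark"):
        url = urlparse(bookmark.get("href", ""))
        if url.scheme != "file":
            continue  # remote URIs (sftp://, smb://) are not local traces
        paths.append(unquote(url.path))  # "%20" -> " " etc.
    return paths


def leaked_entries(xbel_text, mount_point):
    """Return recent-document paths that lie under mount_point."""
    mount = os.path.normpath(mount_point)
    leaked = []
    for path in recent_file_paths(xbel_text):
        norm = os.path.normpath(path)
        # Prefix check with a separator so /media/secret does not match /media/secretive.
        if norm == mount or norm.startswith(mount + os.sep):
            leaked.append(norm)
    return leaked


def audit_recent_documents(mount_point, xbel_path=None):
    """Read the user's recently-used.xbel (or a given file) and report leaks."""
    if xbel_path is None:
        xbel_path = os.path.expanduser("~/.local/share/recently-used.xbel")
    if not os.path.exists(xbel_path):
        return []  # no GTK recent-files history on this account
    with open(xbel_path, encoding="utf-8") as fh:
        return leaked_entries(fh.read(), mount_point)


if __name__ == "__main__":
    for path in leaked_entries(SAMPLE_XBEL, "/media/secret"):
        print("Recent Documents entry points into the encrypted volume:", path)
```

Running `audit_recent_documents("/media/secret")` on a real account after a work session shows whether the desktop recorded paths into the mounted volume; on a Live DVD the file itself disappears at shutdown, which is the point the sidebar makes. The check covers only this one trace; caches, temporary folders and swap are separate channels.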


Although encrypted storage worked well in the tests, it is arguably the most expensive feature the Nitrokey has to offer. The price difference between the Nitrokey Storage 2 and the Nitrokey Pro 2 is EUR60 (VAT excluded), and the only meaningful feature the latter lacks in comparison is encrypted storage. Software implementations that offer similar features, including hidden volumes, cost nothing.

The main advantage the Nitrokey Storage 2 has over software implementations is that the number of times an attacker can try a password is limited by the hardware chip, so in theory the Nitrokey is much safer because it cannot be brute-forced. However, the equivalent software implementations are considered unbreakable in practice, as long as good passphrases are used. The increase in security brought by the Nitrokey is significant, but whether a home user can justify the expense is a different question.

The Nitrokey Storage 2 works as advertised for the most part. Keeping a set of OpenPGP keys within a Nitrokey is just safer than storing them on your hard drive, as is the usual practice. The hardware-enhanced encrypted storage is a good upgrade from common software encryption tools, as long as the files to be protected are important enough to justify the expense.

Its password management capabilities, alongside its ability to function with 2FA, are quite handy, but they don't add much security when compared with software solutions.

The Nitrokey is a portable solution that might help you move files between a heterogeneous group of computers. A cool feature of the Nitrokey Storage 2 is that it includes a nonencrypted partition that can be set as read-only. Out of the factory, it comes with a version of the Nitrokey App for Windows, Linux, and macOS, which is convenient for using the Nitrokey on computers without an Internet connection or that don't make it easy to install third-party software.

Finally, the Nitrokey is partially supported under Android. The only feature that works on such a platform through the OpenKeyChain application is the smartcard functionality for managing OpenPGP keys, which means no encrypted data storage or password management on Android. However, email signing and encryption-decryption are available.

The list of functions Nitrokeys [8] can address is amazing. In addition to the features described in this article, the Nitrokey Storage 2 can be used as an SSH authentication token, perform certificate-based authentication with websites, or authenticate into virtual private networks (VPNs). The documentation is barely sufficient, though, and although hobbyists might benefit from using the Nitrokey, leveraging the full power of this device is only within the reach of power users and professionals.

The Author

Rubén Llorente is a mechanical engineer whose job is to ensure that the security measures of the IT infrastructure of a small clinic are both legally compliant and safe. He is also an OpenBSD enthusiast and a weapons collector.

Buy ADMIN Magazine