Hidden volumes allow hiding data inside of the encrypted volume. This data is protected by an additional passphrase. Without the passphrase, it is impossible to know whether hidden volumes are present. They are not configured with a default password so that their existence can be denied plausibly. The concept is similar to VeraCrypt’s/TrueCrypt’s hidden volume but with Nitrokey Storage the entire functionality of hidden volumes is implemented in hardware.
You can configure up to four hidden volumes. Once unlocked, hidden volumes behave like ordinary storage where you can create various partitions, filesystems and store files as you like.
If you chose to use hidden volumes, you must not write any data to the encrypted volume, or you risk loosing data in the hidden volume.
Hidden volumes are hidden within the free space of the encrypted volume, which will be overwritten when writing data to the encrypted volume. There are no mechanisms to prevent accidental overwritting of hidden data, as they would reveal the existence of hidden volumes. Data written to the encrypted volume before the creation of the hidden volume can still be read.
Configuring hidden volumes¶
Copy some files to the encrypted volume prior to creating the hidden volume.
Using a journaling filesystem may risk overwriting the hidden data. The encrypted filesystem is formated to FAT32 by default, and it is recommended to leave it that way when using hidden volumes.
Unlock the encrypted volume using the Nitrokey App.
In the menu, select “setup hidden volume”.
Enter a strong passphrase twice. Unlike the encrypted volume PIN, there are no limit to the number of attempts at opening hidden volumes, so the strength of the passphrase is extremely important.
Define the storage area to be used. Hidden volumes are stored in the free areas of the encrypted volume. When creating multiple hidden volume, you need to allocate a part of the free area for each volume, making sure they do not overlap.
Using hidden volumes¶
Unlock the encrypted volume.
Select “unlock hidden volume” and enter any of the hidden volume’s passwords.
If this is the first time you unlock the hidden volume, you may need to create a partition on the hidden volume. You will need to use Disk Utility. Make sure to create the partitions on the device that appeared when unlocking the hidden volume.
Make sure to unmount/eject all partitions on the hidden volumes before locking or disconnecting the Nitrokey.