I was looking into buying a NitroKey. To my surprise I found the following statement in the [brochure][1]:

Keep a Secure Operating System With you at all  Times

Securely boot Windows or Linux directly from Nitro

• key Storage. Nitrokey Storage encrypts and protects the system against manipulation, such as the installation of surveillance software via „Evil Maid“.

I am familiar with keeping a bootloader, kernel and initramfs with encryption keys on a USB stick to prevent tampering. But such a storage by itself is unencrypted, otherwise the bootloader + kernel cannot be loaded by the system.

But in this case I'm a bit confused how it works. Most sources I found regarding its encryption mechanism, is that an application on the host should ask you the device PIN to decrypt files on the storage. So unless it ships with some internal boot-loader logic, how is it bringing up a system in a state to can ask the PIN? Is the NitroKey really boot a system in a revolutionary new way?

I've tried looking for secondary sources to this claim, but no avail:

- [Nitrokey FAQ][2], does not say anything related to booting - [Firmware upgrade guide][3] tells to --suppress-bootloader-mem, which gives me the sensation there is a bootloader. (Google found me this link based on the word boot probably) - [Installation guide][4], nothing there. - Some [forum posts][5] from people who imagine that booting from a stick means running a complete OS from it, instead of offloading the OS to encrypted hard drive. No clear answer there either. - [More mentions][6] about a bootloader, but not what it does.

[1]: https://www.nitrokey.com/files/doc/Nitrokey_Storage_factsheet.pdf [2]: https://www.nitrokey.com/documentation/frequently-asked-questions [3]: https://www.nitrokey.com/en/documentation/firmware-update-storage [4]: https://www.nitrokey.com/documentation/installation [5]: https://support.nitrokey.com/t/is-it-possible-to-boot-from-nk-storage/475 [6]: https://support.nitrokey.com/t/nitrokey-storage-build-hex-file-firmware-from-source/366

I was looking into buying a NitroKey. To my surprise I found the following statement in the brochure:

Keep a Secure Operating System With you at all  Times

Securely boot Windows or Linux directly from Nitrokey Storage. Nitrokey Storage encrypts and protects the system against manipulation, such as the installation of surveillance software via „Evil Maid“.

I am familiar with keeping a bootloader, kernel and initramfs with encryption keys on a USB stick to prevent tampering. But such a storage by itself is unencrypted, otherwise the bootloader + kernel cannot be loaded by the system.

But in this case I'm a bit confused how it works. Most sources I found regarding its encryption mechanism, is that an application on the host should ask you the device PIN to decrypt files on the storage. So unless it ships with some internal boot-loader logic, how is it bringing up a system in a state to can ask the PIN? Is the NitroKey really boot a system in a revolutionary new way?

I've tried looking for secondary sources to this claim, but no avail:

• Nitrokey FAQ, does not say anything related to booting
• Firmware update guide tells to --suppress-bootloader-mem, which gives me the sensation there is a bootloader. (Google found me this link based on the word boot probably)
• Installation guide, nothing there.
• A forum thread from people who imagine that booting from a stick means running a complete OS from it, instead of offloading the OS to encrypted hard drive. No clear answer there either.
• More mentions about a bootloader, but not what it does.