Create Encrypted CD’s and DVD’s in Linux

Posted by admin on November 26, 2008 under Tech Tips | 7 Comments to Read

When backing up data to a CD or DVD, you may find it useful to encrypt the entire disc just in case the media falls into the wrong hands. Some people may advise compressing your files within tar/gzip archive and use PGP to encrypt the data, burning the resulting data to disc. The challenge, however, is how easy it is to work with the data after the burn process. You are typically required to decrypt and extract the archive to your hard disk if you wish to access the files within.

A much more flexible method for Linux users is to encrypt the entire CD or DVD with an AES symmetric key, and work with the data by simply mounting the disc. This means you don’t have to copy the files, they are simply presented to you as you would expect with an unencrypted disc.

Prerequisites

Prerequisites include loading the Cryptoloop kernel module and the installation of the Loop-AES toolset. Installing these packages in Ubuntu/Debian and loading the cryptoloop module is a snap.

sudo apt-get install aespipe loop-aes-utils
sudo modprobe cryptoloop

Verify that cryptoloop and AES kernel modules are loaded with lsmod.

lsmod | grep cryptoloop
cryptoloop             10880  0 
loop                   23180  1 cryptoloop

lsmod | grep aes
aes_i586               15744  2 
aes_generic            35880  1 aes_i586

If you had to load these modules by hand, make sure to add them to /etc/modules so that they are loaded on boot up.

Create, burn and mount encrypted images

To create a standard CD image, use genisofs (formally known as mkisofs), pipe the output to aespipe, and redirect the final output to an ISO file. Notice that we have specified that aespipe will use AES256 encryption, and it will has you to enter a password twice. Don’t lose it! 😉

genisoimage -quiet -r Documents/ | aespipe -T -e aes256 > documents.iso
Password: (enter password)
Retype password: (enter password)

Mount the image using the encryption option. The mounting process will ask you for the passphrase.

sudo mount -o loop,encryption=aes256 documents.iso /mnt
Password: (enter password)

Burn the disc image, replacing /dev/dvdrw with the appropriate value for your system. wodim was formerly known as cdrecord, so feel free to replace it with any command you are familiar with.

wodim dev=/dev/dvdrw documents.iso

Mount the CD/DVD using the same mount options as previously demonstrated.

sudo mount -o loop,encryption=aes256 /dev/dvdrw /mnt
Password: (enter password)

Work with your files as you would with any normal CD or DVD.

ls -l /mnt/
total 0
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile1.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile2.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile3.txt
-r--r--r-- 1 root root 0 2008-11-26 17:09 secretfile4.txt
Be Sociable, Share!

Comments

  • GDad said,

    You are, as they say in the old country, da man. Thank you for the well-written and easy-to-follow instructions.

  • gmendoza said,

    Cool! You’re welcome! :-)

  • chetanM said,

    Perfect !!

    Nice n simple blog-design too !!

  • chetanM said,

    Can i boot encrypted ISO from cd just asking passwd at boot time ?

  • gmendoza said,

    Thanks, glad to hear you enjoyed it. The contents of the disk are encrypted, therefore I do not know of a way to boot from it. But I’m sure where there’s a will, there’s a way.

  • Scifer said,

    How to auto-mount a disk like this? Does auto-mount detect its encryption type? How to mount this disk in Window$?

  • Leandro said,

    This article is a bit outdated as loop-aes-utils is not available in Debian any longer (loop-aes has been deprecated in favor of dm-crypt). I’ve put up some scripts that allow K3b to make encrypted CD/DVD/BD (Bluray) at https://gist.github.com/ladamson/6451510

Add A Comment