HowTo setup encrypted CDs and DVDs with LUKS

LUKS has some great features for encrypting ISO images.
For example, it stores details about the encryption on the device itself.
Unfortunately, there is currently no LUKS-enabled mkisofs, nor a special tool that converts a plain ISO image (or any other filesystem) in place to a LUKS-encrypted one.
This is how to set up a LUKS-encrypted iso9660 filesystem if you do not want to store and copy the ISO twice (especially for DVD images). This procedure should work for every other filesystem as well, and might help to convert unencrypted partitions to encrypted ones.
Create an empty container large enough for the iso image:
dd if=/dev/urandom of=image.iso bs=512 count=2048
dd if=/dev/urandom of=image.iso bs=512 count=1 seek=1M
(for CD images (or if your filesystem has problems with sparse files) use 1440k instead of 1M for seek)
Take a free loop device (check with losetup /dev/loop2) and create a block device from our image file:
losetup /dev/loop2 image.iso
Now format the loop device as a LUKS container:
cryptsetup luksFormat /dev/loop2
(luksFormat is known as luksInit in versions prior to 1.0)
Create a new mapping for the encrypted loop device:
cryptsetup luksOpen /dev/loop2 volume1
(This creates /dev/mapper/volume1)
Now create your ISO filesystem using mkisofs and write it to the mapped device:
mkisofs -lots-of-options /my/data/ | dd of=/dev/mapper/volume1 bs=512
(The number dd reports is important for further calculations!)
Now calculate the overhead of the LUKS container:
echo $(( `blockdev --getsize /dev/loop2` - `blockdev --getsize /dev/mapper/volume1` ))
Now add the size dd reported and you know where to truncate (used as $SIZE later).
For safety reasons, remove the mapping and the loop device:
dmsetup remove volume1 ; losetup -d /dev/loop2
Replace $SIZE with the sum of the size dd reported and the LUKS overhead:
dd if=image.iso of=image.iso bs=512 count=0 skip=$SIZE seek=$SIZE
Now you can map the ISO image again to see if it really works (read-only this time):
losetup /dev/loop2 image.iso
cryptsetup -r luksOpen /dev/loop2 volume1
Now unmap again and burn the image with cdrecord or any other tool you use to burn your ISOs.
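The $SIZE calculation and the truncation step from the procedure above, as an added shell example that is not the script this page refers to. The function names, the sample dd summary and the 4096-sector overhead are constructed assumptions, and the alignment check assumes an iso9660 payload behind a LUKS header with default alignment.

```shell
#!/bin/sh
# Added example, not the page's script. Function names are hypothetical.

# Sectors written, read from dd's summary on stdin (assumes LC_ALL=C output).
# Prefers the byte count: on a pipe dd can log partial records
# ("N+M records out", M > 0), and then N is not the number of 512-byte sectors.
sectors_written() {
    awk '
        / bytes/ && bytes == "" { bytes = $1 }
        / records out/          { split($1, r, "+"); full = r[1]; part = r[2] }
        END {
            if (bytes != "") { printf "%d\n", int((bytes + 511) / 512); exit 0 }
            if (full != "" && part + 0 == 0) { printf "%d\n", full; exit 0 }
            exit 1   # partial records and no byte count: size is ambiguous
        }'
}

# $SIZE = LUKS overhead + data sectors. Assumption: both are whole 2048-byte
# ISO sectors (4 x 512), so any other sum points to a wrong input value.
truncate_point() {   # $1 = overhead sectors, $2 = data sectors
    size=$(( $1 + $2 ))
    [ $(( size % 4 )) -eq 0 ] || return 1
    echo "$size"
}

# The page's truncation call: count=0 copies nothing, seek makes dd cut the
# output file at that offset.
truncate_image() {   # $1 = image file, $2 = size in 512-byte sectors
    dd if="$1" of="$1" bs=512 count=0 skip="$2" seek="$2" 2>/dev/null
}

# Constructed sample input: a dd summary as GNU dd prints it, and an overhead
# of 4096 sectors standing in for the result of the blockdev subtraction.
SAMPLE_DD='5000+0 records in
5000+0 records out
2560000 bytes (2.6 MB, 2.4 MiB) copied, 0.05 s, 51.2 MB/s'

data=$(printf '%s\n' "$SAMPLE_DD" | sectors_written)
echo "SIZE=$(truncate_point 4096 "$data")"
```

In real use, capture dd's stderr from the mkisofs pipe into a file and feed that file to sectors_written instead of the sample.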
Access the encrypted CDROM or encrypted DVD
With the latest cryptsetup it is possible to access your CDROM or DVD without using a loop device:
cryptsetup -r luksOpen /dev/cdrom cryptcd
Make sure that -r is given.
The machine you try this on has to support the selected encryption algorithms.
This script supports this procedure; make sure you change the variables.