ruben Guru
Joined: 04 Jul 2003 Posts: 462
Posted: Fri Jul 14, 2006 8:11 pm Post subject: Creating an encrypted cd/dvd with cryptsetup |
This howto describes how to create encrypted cds/dvds using cryptsetup and
device mapper. (there is a thread in this forum on creating encrypted
cdroms using cryptoloop)
Kernel
First of all, there are a number of things that need to be enabled in
the kernel. I put the names of the modules in there for as far as I
could find them. Personally, I have everything built-in in the kernel.
If you use modules, make sure you have all of them loaded.
Code: | Device drivers -> Block devices -> Loopback device support
Module is called "loop".
Creates /dev/loop0, /dev/loop1, ...
Device drivers -> Multi-device support (RAID and LVM)
-> Multiple devices driver support (RAID and LVM)
-> Device mapper support
-> Crypt target support
Module is called "dm-crypt".
Cryptographic options -> Cryptographic API
Select the ciphers you want.
e.g., AES cipher algorithms, module "cipher-aes" |
Scripts
I made a couple of small scripts to make it very straightforward
to encrypt existing isos.
encryptiso.sh
Script to do the encryption. Call it with the original iso as
argument. This script will encrypt the iso in place. The obvious
advantage is that you don't need extra disk space to do the
encryption; the obvious disadvantage is that if the process is
interrupted you won't be able to recover the original iso.
Code: | #!/bin/bash
# Encrypt the iso given as first argument in place (destructively).
MYISO=$1
echo "Encrypting $MYISO"
echo "Creating loop device for $MYISO"
losetup /dev/loop5 "$MYISO"
echo "Creating device mapper encryption target"
# -y asks for the passphrase twice. Plain mode has no header, so the same
# cipher, hash and key size must be given again when the disc is mounted.
cryptsetup -y -c aes -h ripemd160 -s 256 create encryptmyiso /dev/loop5
echo "Inplace, destructive encryption of $MYISO"
echo "Interruption of this process will destroy $MYISO"
echo "To continue, type YES"
read ENCRYPTISO
if [ "$ENCRYPTISO" = "YES" ]
then
    STAMP=$(date)
    echo "Encryption started at $STAMP"
    # cat reads the plaintext from the file while the mapping writes the
    # encrypted blocks back into the very same file through /dev/loop5
    cat "$MYISO" > /dev/mapper/encryptmyiso
    STAMP=$(date)
    echo "Encryption finished at $STAMP"
else
    echo "Aborting"
fi
echo "Cleanup"
dmsetup remove encryptmyiso
losetup -d /dev/loop5
if [ "$ENCRYPTISO" = "YES" ]
then
    echo "Done. $MYISO is now encrypted."
fi |
makedvd.sh
Script to mount the encrypted cd/dvd. Replace "/dev/cdrom"
with the iso if you merely want to test the encrypted iso.
Code: | #!/bin/bash
# Attach the disc (or an iso file, for testing) to a loop device and map it
# with exactly the cipher, hash and key size used by encryptiso.sh
losetup /dev/loop7 /dev/cdrom
cryptsetup -c aes -h ripemd160 -s 256 create dvd /dev/loop7
mount /dev/mapper/dvd /mnt/cdrom |
destroydvd.sh
Script to unmount the encrypted cd/dvd and do a cleanup.
Code: | #!/bin/bash
# Tear down in reverse order: file system, dm mapping, loop device
umount /mnt/cdrom
dmsetup remove dvd
losetup -d /dev/loop7 |
keepencryptiso.sh
Alternative script to make a separate encrypted iso (no in-place
encryption). First parameter is the original iso, second parameter is
the file name of the encrypted iso. I'd suggest placing the original
and encrypted isos on separate hard disks if possible. (this method
relies on the capability of the file system to create sparse files)
Code: | #!/bin/bash
# Encrypt $1 into a new, sparse file $2 of the same size.
SRCISO=$1
DSTISO=$2
echo "Encrypting $SRCISO as $DSTISO"
echo "Checking size of $SRCISO"
SIZE=$(stat -c %s "$SRCISO")    # size in bytes
echo "Creating $DSTISO with size $SIZE"
# Write a single zero byte at the last offset. The file system leaves the
# rest unallocated (sparse), so no space is used until cat fills it.
dd if=/dev/zero of="$DSTISO" bs=1 count=1 seek=$((SIZE - 1))
echo "Creating loop device for $DSTISO"
losetup /dev/loop5 "$DSTISO"
echo "Creating device mapper encryption target"
cryptsetup -y -c aes -h ripemd160 -s 256 create encryptmyiso /dev/loop5
STAMP=$(date)
echo "Encryption started at $STAMP"
cat "$SRCISO" > /dev/mapper/encryptmyiso
STAMP=$(date)
echo "Encryption finished at $STAMP"
echo "Cleanup"
dmsetup remove encryptmyiso
losetup -d /dev/loop5
echo "Done. $SRCISO is now encrypted as $DSTISO." |
Examples
Some small examples to illustrate usage. Probably not really
needed, but anyways. I assume an iso "test.iso" was created
earlier that now needs to be encrypted.
Inplace encryption
Code: | beast dvdrip # ls -l
total 141416
-rw-r--r-- 1 root root 144660480 2006-07-14 21:43 test.iso
beast dvdrip # encryptiso.sh test.iso
Encrypting test.iso
Creating loop device for test.iso
Creating device mapper encryption target
Enter passphrase:
Verify passphrase:
Inplace, destructive encryption of test.iso
Interruption of this process will destroy test.iso
To continue, type YES
YES
Encryption started at Fri Jul 14 21:47:32 CEST 2006
Encryption finished at Fri Jul 14 21:47:41 CEST 2006
Cleanup
Done. test.iso is now encrypted.
beast dvdrip # ls -l
total 141416
-rw-r--r-- 1 root root 144660480 2006-07-14 21:43 test.iso |
Encryption to other iso
Code: | beast dvdrip # ls -l
total 141416
-rw-r--r-- 1 root root 144660480 2006-07-14 21:43 test.iso
beast dvdrip # keepencryptdvd.sh test.iso crypt.iso
Encrypting test.iso as crypt.iso
Checking size of test.iso
Creating crypt.iso with size 144660480
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.001466 seconds, 0.7 kB/s
Creating loop device for crypt.iso
Creating device mapper encryption target
Enter passphrase:
Verify passphrase:
Encryption started at Fri Jul 14 21:49:43 CEST 2006
Encryption finished at Fri Jul 14 21:49:50 CEST 2006
Cleanup
Done. test.iso is now encrypted as crypt.iso.
beast dvdrip # ls -l
total 282832
-rw-r--r-- 1 root root 144660480 2006-07-14 21:49 crypt.iso
-rw-r--r-- 1 root root 144660480 2006-07-14 21:43 test.iso |
Mounting an encrypted dvd
Code: | beast dvdrip # makedvd.sh
Enter passphrase:
mount: block device /dev/mapper/dvd is write-protected, mounting read-only
beast dvdrip # mount | grep /mnt/cdrom
/dev/mapper/dvd on /mnt/cdrom type iso9660 (ro)
beast dvdrip # dmsetup ls
dvd (254, 0)
beast dvdrip # losetup -a
/dev/loop/7: [000c]:7736 (/dev/cdrom) |
Unmounting
Code: | beast dvdrip # destroydvd.sh
beast dvdrip # dmsetup ls
No devices found
beast dvdrip # losetup -a |
I share these scripts because I thought it might be useful
for someone. I didn't find much information on creating
encrypted cds/dvds, and the information I found was always
using cryptoloop. So, take the scripts and modify them to your
needs. Note that the scripts will probably break down when
you use file names that contain spaces.
ryo-san l33t
Joined: 17 Feb 2005 Posts: 729
Posted: Fri Jul 14, 2006 9:38 pm Post subject: |
nice one, many thx.
Philantrop Retired Dev
Joined: 21 Dec 2004 Posts: 1130 Location: Germany
Posted: Fri Jul 14, 2006 9:59 pm Post subject: |
In your opinion, what's the advantage of using cryptsetup/DM instead of cryptoloop?
ruben Guru
Joined: 04 Jul 2003 Posts: 462
Posted: Sat Jul 15, 2006 4:44 pm Post subject: |
At the time when I started using encrypted hard disk partitions, cryptoloop was deprecated in the Linux kernel and there was talk about removing it completely in the future (see this and this). I have no idea whether it is still considered deprecated. In any case, the Linux kernel (2.6.17) still contains a warning that cryptoloop is not safe for use with journaled file systems. So, it cannot be used for hard disk encryption with ext3/reiserfs partitions.
Device mapper was fairly new back then, but the crypt target (dm-crypt) is said to be better, with cleaner and faster code. In the meantime, the cryptsetup tool has been created, which makes it easier to set up encrypted block devices. The most important reasons I started to use cryptsetup/DM were the fact that cryptoloop was deprecated and might be removed from the kernel in the future, and that dm-crypt is included in the vanilla Linux kernel.
I mention the latter because there is in fact a third option for encryption, and that is loop-AES. loop-AES is a separate kernel module, which is not included in the vanilla kernel. However, it is said to be a bit faster than dm-crypt and a bit more secure. Well, at least that used to be the case; I don't know whether it still is (see the FAQ at the dm-crypt page). When the defaults are used, dm-crypt is more secure than cryptoloop. In this regard, the following links are also of interest: encryption on Debian and this.
So, there are 3 options: cryptoloop, dm-crypt and loop-AES.
But, in short, the advantages for me personally:
- included in the vanilla kernel
- actively maintained and supported, not deprecated
- fairly easy to set up and use with cryptsetup and some scripts
- usable for both hard disk partitions (journaled file system) and cd/dvd (the latter with a loopback device)
- faster and more secure by default than cryptoloop
Sadako Advocate
Joined: 05 Aug 2004 Posts: 3792 Location: sleeping in the bathtub
Posted: Fri Jul 28, 2006 5:25 pm Post subject: |
I've been using my own version of this for a while, just stumbled on yours now.
My scripts are not so user friendly, but that's easily fixed, and instead of encrypting an existing iso, it creates the iso from the arguments given (same file list you would pass to mkisofs). Also have a version that burns the iso, performs multiple md5sum checks, and cleans up properly, but that's kind of a mess.
Anyway, thought you'd like to see mine (more of a "scriptlet" really);
Code: | #! /bin/bash
LOOPFILE=loopfile.iso
LOOPNAME=loopfile
LOOPDEV=/dev/loop0
MKISOOPTS='-iso-level 2 -r'
# mkisofs -print-size reports the image size in 2048-byte sectors, so the
# loop file gets exactly the size the image will have
nice -n 3 dd if=/dev/zero of=$LOOPFILE bs=2k count=$(mkisofs -print-size -quiet $MKISOOPTS "$@")
losetup $LOOPDEV $LOOPFILE
cryptsetup -c aes-cbc-plain -s 256 -y create $LOOPNAME $LOOPDEV
# write the image straight through the encryption mapping
nice -n 3 mkisofs $MKISOOPTS "$@" > /dev/mapper/$LOOPNAME
cryptsetup remove $LOOPNAME
losetup -d $LOOPDEV
exit
|
The only real differences are the use of dd and mkisofs -print-size to set up the loopfile of the correct size, and then redirecting the mkisofs output instead of "cat"ing the iso.
Also, in your mount script, you don't actually need the loop device anymore, and adding --readonly to the cryptsetup options, and -r (or -o ro) to the mount opts suppresses the "mount: block device /dev/mapper/dvd is write-protected, mounting read-only" warning.
Here's mine;
Code: | #! /bin/bash
CDRDEV=/dev/hdc
DMAP=cdrom
MOUNTPOINT=/mnt/cdrom
# the drive is already a block device, so no loop device is needed;
# --readonly plus mount -r avoids the "write-protected" warning
cryptsetup -c aes-cbc-plain -s 256 --readonly create $DMAP $CDRDEV
mount -r -t iso9660 /dev/mapper/$DMAP $MOUNTPOINT
exit
|
Just thought maybe if we put yours and mine together, we could improve both. _________________ "You have to invite me in"
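As an added example (mine, not one of the scripts posted in this thread), here is a mount script that combines Sadako's suggestions (no loop device for a real drive, --readonly, mount -r) with a check that the decrypted mapping actually begins with an ISO 9660 volume descriptor before mounting, because plain-mode dm-crypt has no header and a mistyped passphrase otherwise just yields garbage and a confusing mount error. DMNAME, MOUNTPOINT, iso_magic_ok and mount_encrypted_dvd are names I chose; the cipher options are the ones encryptiso.sh uses.

```shell
#!/bin/bash
# Added example, not one of the scripts posted in this thread.
# Maps an encrypted disc (or iso file) read-only and checks for the
# ISO 9660 signature before mounting, so a mistyped passphrase is reported
# instead of silently producing an unmountable mapping.
# DMNAME, MOUNTPOINT, iso_magic_ok and mount_encrypted_dvd are my own names.
set -u
DMNAME=dvd
MOUNTPOINT=/mnt/cdrom

# The primary volume descriptor is in sector 16 (2048-byte sectors); bytes
# 1..5 of it, absolute offset 32769, read "CD001" on every ISO 9660 image.
# Plain-mode dm-crypt cannot detect a wrong key itself: it decrypts to noise.
iso_magic_ok() {
    [ "$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null)" = "CD001" ]
}

# Usage: mount_encrypted_dvd /dev/cdrom   or   mount_encrypted_dvd crypt.iso
mount_encrypted_dvd() {
    local src=$1 dev loopdev=""
    if [ -f "$src" ]; then
        # a regular file is attached to the first free loop device
        loopdev=$(losetup -f) || return 1
        losetup "$loopdev" "$src" || return 1
        dev=$loopdev
    else
        dev=$src                     # a block device is mapped directly
    fi
    # Plain (headerless) mode: cipher, hash and key size must match the
    # values used by encryptiso.sh exactly.
    if ! cryptsetup -c aes -h ripemd160 -s 256 --readonly create "$DMNAME" "$dev"; then
        [ -n "$loopdev" ] && losetup -d "$loopdev"
        return 1
    fi
    if ! iso_magic_ok "/dev/mapper/$DMNAME"; then
        echo "no ISO 9660 signature after decryption: wrong passphrase or options?" >&2
        cryptsetup remove "$DMNAME"
        [ -n "$loopdev" ] && losetup -d "$loopdev"
        return 1
    fi
    mount -r -t iso9660 "/dev/mapper/$DMNAME" "$MOUNTPOINT"
}

# Only mount when a device or iso is given; sourcing the file just defines
# the functions.
if [ "$#" -eq 1 ]; then
    mount_encrypted_dvd "$1"
fi
```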