Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Creating an encrypted cd/dvd with cryptsetup
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
ruben
Guru
Guru


Joined: 04 Jul 2003
Posts: 462

PostPosted: Fri Jul 14, 2006 8:11 pm    Post subject: Creating an encrypted cd/dvd with cryptsetup Reply with quote

This howto describes how to create encrypted cds/dvds using cryptsetup and
device mapper. (there is a thread in this forum on creating encrypted
cdroms using cryptoloop)

Kernel
First of all, there are a number of things that need to be enabled in
the kernel. I put the names of the modules in there for as far as I
could find them. Personally, I have everything built-in in the kernel.
If you use modules, make sure you have all of them loaded.
Code:
Device drivers -> Block devices -> Loopback device support
  Module is called "loop".
  Creates /dev/loop0, /dev/loop1, ...
Device drivers -> Multi-device support (RAID and LVM)
  -> Multiple devices driver support (RAID and LVM)
   -> Device mapper support
    -> Crypt target support
  Module is called "dm-crypt".
Cryptographics options -> Cryptographic API
  Select the ciphers you want.
  e.g., AES cipher algorithms, module "cipher-aes"


Scripts
I made a couple of small scripts to make it very straightforward
to encrypt existing isos.

encryptiso.sh
Script to do the encryption. Call it with the original iso as
argument. This script will encrypt the iso inplace. The obvious
advantage is that you don't need extra disk space to do the
encryption, the obvious disadvantage is that if the process is
interrupted you won't be able to recover the original iso.
Code:
#!/bin/bash
MYISO=$1
echo "Encrypting $MYISO"
echo "Creating loop device for $MYISO"
losetup /dev/loop5 $MYISO
echo "Creating device mapper encryption target"
cryptsetup -y -c aes -h ripemd160 -s 256 create encryptmyiso /dev/loop5
echo "Inplace, destructive encryption of $MYISO"
echo "Interruption of this process will destroy $MYISO"
echo "To continue, type YES"
read ENCRYPTISO
if [ $ENCRYPTISO == "YES" ]
then
   STAMP=`date`
   echo "Encryption started at $STAMP"
   cat $MYISO > /dev/mapper/encryptmyiso
   STAMP=`date`
   echo "Encryption finished at $STAMP"
else
   echo "Aborting"
fi
echo "Cleanup"
dmsetup remove encryptmyiso
losetup -d /dev/loop5
if [ $ENCRYPTISO == "YES" ]
then
   echo "Done. $MYISO is now encrypted."
fi

makedvd.sh
Script to mount the encrypted cd/dvd. Replace "/dev/cdrom"
with the iso if you merely want to test the encrypted iso.
Code:
#!/bin/bash
losetup /dev/loop7 /dev/cdrom
cryptsetup -c aes -h ripemd160 -s 256 create dvd /dev/loop7
mount /dev/mapper/dvd /mnt/cdrom

destroydvd.sh
Script to unmount the encrypted cd/dvd and do a cleanup.
Code:
#!/bin/bash
umount /mnt/cdrom
dmsetup remove dvd
losetup -d /dev/loop7

keepencryptiso.sh
Alternative script to make a separate encrypted iso (no inplace
encryption). First parameter is the original iso, second parameter is
the file name of the encrypted iso. I'd suggest placing the original
and encrypted isos on seperate harddisks if possible. (this method
relies on the capability of the file system to create sparse files)
Code:
#!/bin/bash
SRCISO=$1
DSTISO=$2
echo "Encrypting $SRCISO as $DSTISO"
echo "Checking size of $SRCISO"
SIZE=`du -b $SRCISO`
SIZE=`echo $SIZE | sed -r -e 's/^([0-9]+)[^0-9].*$/\1/'`
echo "Creating $DSTISO with size $SIZE"
touch $DSTISO
SIZE=$(($(($SIZE))-1))
dd if=/dev/zero of=$DSTISO bs=1 count=1 seek=$SIZE
echo "Creating loop device for $DSTISO"
losetup /dev/loop5 $DSTISO
echo "Creating device mapper encryption target"
cryptsetup -y -c aes -h ripemd160 -s 256 create encryptmyiso /dev/loop5
STAMP=`date`
echo "Encryption started at $STAMP"
cat $SRCISO > /dev/mapper/encryptmyiso
STAMP=`date`
echo "Encryption finished at $STAMP"
echo "Cleanup"
dmsetup remove encryptmyiso
losetup -d /dev/loop5
echo "Done. $SRCISO is now encrypted as $DSTISO."


Examples
Some small examples to illustrate usage. Probably not really
needed, but anyways. I assume an iso "test.iso" was created
earlier that now needs to be encrypted.

Inplace encryption
Code:
beast dvdrip # ls -l
   total 141416
   -rw-r--r-- 1 root root 144660480 2006-07-14 21:43 test.iso
beast dvdrip # encryptiso.sh test.iso
   Encrypting test.iso
   Creating loop device for test.iso
   Creating device mapper encryption target
   Enter passphrase:
   Verify passphrase:
   Inplace, destructive encryption of test.iso
   Interruption of this process will destroy test.iso
   To continue, type YES
   YES
   Encryption started at Fri Jul 14 21:47:32 CEST 2006
   Encryption finished at Fri Jul 14 21:47:41 CEST 2006
   Cleanup
   Done. test.iso is now encrypted.
beast dvdrip # ls -l
   total 141416
   -rw-r--r-- 1 root root 144660480 2006-07-14 21:43 test.iso

Encryption to other iso
Code:
beast dvdrip # ls -l
   total 141416
   -rw-r--r-- 1 root root 144660480 2006-07-14 21:43 test.iso
beast dvdrip # keepencryptdvd.sh test.iso crypt.iso
   Encrypting test.iso as crypt.iso
   Checking size of test.iso
   Creating crypt.iso with size 144660480
   1+0 records in
   1+0 records out
   1 byte (1 B) copied, 0.001466 seconds, 0.7 kB/s
   Creating loop device for crypt.iso
   Creating device mapper encryption target
   Enter passphrase:
   Verify passphrase:
   Encryption started at Fri Jul 14 21:49:43 CEST 2006
   Encryption finished at Fri Jul 14 21:49:50 CEST 2006
   Cleanup
   Done. test.iso is now encrypted as crypt.iso.
beast dvdrip # ls -l
   total 282832
   -rw-r--r-- 1 root root 144660480 2006-07-14 21:49 crypt.iso
   -rw-r--r-- 1 root root 144660480 2006-07-14 21:43 test.iso

Mounting an encrypted dvd
Code:
beast dvdrip # makedvd.sh
   Enter passphrase:
   mount: block device /dev/mapper/dvd is write-protected, mounting read-only
beast dvdrip # mount | grep /mnt/cdrom
   /dev/mapper/dvd on /mnt/cdrom type iso9660 (ro)
beast dvdrip # dmsetup ls
   dvd   (254, 0)
beast dvdrip # losetup -a
   /dev/loop/7: [000c]:7736 (/dev/cdrom)

Unmounting
Code:
beast dvdrip # destroydvd.sh
beast dvdrip # dmsetup ls
   No devices found
beast dvdrip # losetup -a


I share these scripts because I thought it might be useful
for someone. I didn't find much information on creating
encrypted cds/dvds and the information I found, was always
using cryptoloop. So, take the scripts and modify them to your
needs. Note that the scripts will probably break down when
you use file names that contain spaces.
Back to top
View user's profile Send private message
ryo-san
l33t
l33t


Joined: 17 Feb 2005
Posts: 725

PostPosted: Fri Jul 14, 2006 9:38 pm    Post subject: Reply with quote

nice one , many thx.
Back to top
View user's profile Send private message
Philantrop
Retired Dev
Retired Dev


Joined: 21 Dec 2004
Posts: 1129
Location: Germany

PostPosted: Fri Jul 14, 2006 9:59 pm    Post subject: Reply with quote

In your opinion, what's the advantage of using cryptsetup/DM instead of cryptoloop?
Back to top
View user's profile Send private message
ruben
Guru
Guru


Joined: 04 Jul 2003
Posts: 462

PostPosted: Sat Jul 15, 2006 4:44 pm    Post subject: Reply with quote

At the time when I started using encrypted hard disk partitions, cryptoloop was deprecated in the linux kernel and there was talk about removing it completely in the future (see this and this). I have no idea whether it is still considered deprecated. In any case, the linux kernel (2.6.17) still contains a warning that cryptoloop is not safe for use with journaled file systems. So, it cannot be used for harddisk encryption with ext3/reiserfs partitions.
Device mapper was fairly new back then, but the crypt target (dm-crypt) is said to be better with cleaner and faster code. In the mean time, the cryptsetup tool has been created, which makes it easier to set up encrypted block devices. The most important reason I started to use cryptsetup/DM was the fact that cryptoloop was deprecated and might be removed from the kernel in the future and that dm-crypt is included in the vanilla linux kernel.
I mention the latter because there is in fact a third option for encryption and that is loop-AES. loop-AES is a separate kernel module, which is not included in the vanilla kernel. However, it is said to be a bit faster than dmcrypt and a bit more secure. Well, at least that used to be the case, I don't know whether it still is the case (see the FAQ at the dmcrypt page). When the defaults are used, dm-crypt is more secure than cryptoloop. In this regard, the following links are also of interest: encryption on Debian and this.
So, there are 3 options: cryptoloop, dm-crypt and loop-AES.

But, in short, the advantages for me personally:
  • included in the vanilla kernel
  • actively maintained and supported, not deprecated
  • fairly easy to setup and use with cryptsetup and some scripts
  • usable for both hard disk partitions (journaled file system) and cd/dvd (the latter with a loopback device)
  • faster and more secure by default than cryptoloop
Back to top
View user's profile Send private message
Sadako
Advocate
Advocate


Joined: 05 Aug 2004
Posts: 3753
Location: sleeping in the bathtub

PostPosted: Fri Jul 28, 2006 5:25 pm    Post subject: Reply with quote

I've been using my own version of this for a while, just stumbled yours now.

My scripts are not so user friendly, but that's easily fixed, and instead of encrypting an existing iso, it creates the iso from the arguments given (same file list you would pass to mkisofs). Also have a version that burns the iso, performs multiple md5sum checks, and cleans up properly, but that's kind of a mess.

Anyway, thought you'd like to see mine (more of a "scriptlet" really);
Code:
#! /bin/bash

LOOPFILE=loopfile.iso
LOOPNAME=loopfile
LOOPDEV=/dev/loop0
MKISOOPTS='-iso-level 2 -r'

nice -n 3 dd if=/dev/zero of=$LOOPFILE bs=2k count=`mkisofs -print-size -quiet MKISOOPTS "$@"`
losetup $LOOPDEV $LOOPFILE
cryptsetup -c aes-cbc-plain -s 256 -y create $LOOPNAME $LOOPDEV
nice -n 3 mkisofs $MKISOOPTS "$@" > /dev/mapper/$LOOPNAME
cryptsetup remove $LOOPNAME
losetup -d $LOOPDEV

exit


The only real differences are the use of dd and mkisofs -print-size to set up the loopfile of the correct size, and then redirecting the mkisofs output instead of "cat"ing the iso.

Also, in your mount script, you don't actually need the loop device anymore, and adding --readonly to the cryptsetup options, and -r (or -o ro) to the mount opts suppresses the "mount: block device /dev/mapper/dvd is write-protected, mounting read-only" warning.

Here's mine;
Code:
#! /bin/bash

CDRDEV=/dev/hdc
DMAP=cdrom
MOUNTPOINT=/mnt/cdrom

cryptsetup -c aes-cbc-plain -s 256 --readonly create $DMAP $CDRDEV

mount -r -t iso9660 /dev/mapper/$DMAP $MOUNTPOINT

exit


Just thought maybe if we put yours and mine togerther, we could improve both.
_________________
"You have to invite me in"
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum