Gentoo Forums
HOWTO Burn Encrypted Optical Media With Luks

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 731
Location: Brooklyn, New York

Posted: Thu Feb 01, 2007 11:51 am    Post subject: HOWTO Burn Encrypted Optical Media With Luks

my latest wiki on how to burn encrypted CD/DVD media using device-mapper and cryptsetup-luks.

http://gentoo-wiki.com/HOWTO_Burn_Encrypted_Optical_Media_With_Luks

Enjoy it. Any questions, please post here; this will be the support thread.

d2_racing
Moderator

Joined: 25 Apr 2005
Posts: 13046
Location: Ste-Foy,Canada

Posted: Thu Feb 01, 2007 1:54 pm

Thanks :)
_________________
Sysadmin of GentooQuébec.org
Wiki
Signature
IRC on Freenode : #gentoo-quebec

batistuta
Veteran

Joined: 29 Jul 2005
Posts: 1384
Location: Aachen

Posted: Thu Feb 01, 2007 2:34 pm

looks very nice likewhoa, thanks a lot. I find encryption an increasingly important Linux topic, under constant development. It is cool to see people keep it up to date

RoundsToZero
Guru

Joined: 17 Nov 2003
Posts: 478
Location: New York, NY

Posted: Fri Feb 02, 2007 2:24 am

Could this be used with packet writing instead of creating an ISO image in advance?

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 731
Location: Brooklyn, New York

Posted: Fri Feb 02, 2007 3:05 pm

RoundsToZero wrote:
Could this be used with packet writing instead of creating an ISO image in advance?


I would have to look into packet writing as I've never done it before, but my guess is that it is possible.

Sadako
Advocate

Joined: 05 Aug 2004
Posts: 3753
Location: sleeping in the bathtub

Posted: Thu Feb 08, 2007 6:04 pm

Nice, but I have to question the point of using the luks extensions on read-only filesystems, which is what the howto appears to be dedicated to.

likewhoa wrote:
RoundsToZero wrote:
Could this be used with packet writing instead of creating an ISO image in advance?


I would have to look into packet writing as I've never done it before, but my guess is that it is possible.

It is, but not quite like this.

I used to do it with dvd+rw, using the following (to mount an existing encrypted filesystem on the media);
Code:
#! /bin/bash

CDRDEV=/dev/hdc
DMAP=dvdrw
MOUNTPOINT=/mnt/dvdrw

cryptsetup -c aes-cbc-plain -s 256 -y create ${DMAP} ${CDRDEV}

mount -t udf -o noatime,unhide,rw,user /dev/mapper/${DMAP} ${MOUNTPOINT}

chmod a+rw ${MOUNTPOINT}

exit

It's simple, and it worked, but writing to the disc was slow (although this was in the early days of packet writing, and I haven't tried it in over a year).

I can post more on this if anyone wants, but the info is on the forums already.

The biggest issue is the media could only be mounted writable ~1,000 times, but that's true of all dvd+rw, dvd-rw, and cdrw media anyway.

I just wish I had a dvd-ram drive, which would be perfect for this.
_________________
"You have to invite me in"

jip
n00b

Joined: 05 Mar 2007
Posts: 2
Location: Vladivostok

Posted: Mon Mar 05, 2007 1:19 am

Thank you, likewhoa.

By the way, second symbol '|' is interpreted by wiki engine in
Code:
{{commandline|mkisofs -lots-of-options /my/data/ | dd of=/dev/mapper/cryptocd bs=512}}
It leads to the line cut. I can't fix it since wiki markup is quite new to me.
_________________
Simplex sigillum veri

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 731
Location: Brooklyn, New York

Posted: Mon Mar 05, 2007 7:07 am

changes made, thanks.

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 731
Location: Brooklyn, New York

Posted: Mon Mar 05, 2007 7:09 am

Hopeless wrote:
Nice, but I have to question the point of using the luks extensions on read-only filesystems, which is what the howto appears to be dedicated to.

likewhoa wrote:
RoundsToZero wrote:
Could this be used with packet writing instead of creating an ISO image in advance?


I would have to look into packet writing as I've never done it before, but my guess is that it is possible.

It is, but not quite like this.

I used to do it with dvd+rw, using the following (to mount an existing encrypted filesystem on the media);
Code:
#! /bin/bash

CDRDEV=/dev/hdc
DMAP=dvdrw
MOUNTPOINT=/mnt/dvdrw

cryptsetup -c aes-cbc-plain -s 256 -y create ${DMAP} ${CDRDEV}

mount -t udf -o noatime,unhide,rw,user /dev/mapper/${DMAP} ${MOUNTPOINT}

chmod a+rw ${MOUNTPOINT}

exit

It's simple, and it worked, but writing to the disc was slow (although this was in the early days of packet writing, and I haven't tried it in over a year).

I can post more on this if anyone wants, but the info is on the forums already.

The biggest issue is the media could only be mounted writable ~1,000 times, but that's true of all dvd+rw, dvd-rw, and cdrw media anyway.

I just wish I had a dvd-ram drive, which would be perfect for this.


my guide does it the same way you're doing it, with the difference that cryptsetup is using luks instead.

jip
n00b

Joined: 05 Mar 2007
Posts: 2
Location: Vladivostok

Posted: Mon Apr 16, 2007 6:07 am

One more LUKS automation script, fsLuks: http://www.linuxquestions.org/questions/showthread.php?t=545715

It was inspired by likewhoa's cryptocd.sh
_________________
Simplex sigillum veri

metalfan
Apprentice

Joined: 09 Apr 2005
Posts: 260
Location: 127home0sweet0home1 .endofinternet.net

Posted: Tue May 29, 2007 7:36 pm

Hi,

below: Creating container


dd if=/dev/urandom of=cryptocd.iso bs=512 count=2048
dd if=/dev/urandom of=cryptocd.iso bs=512 count=1 seek=1m


1. Why does the first command create a 1mb container that's overwritten by the second command?
2. the m in seek=1m isn't working, it's maybe a capital M?
3. How do you store dvd video data in a container that's 513MB big? (second dd)?


greets
metalfan
_________________
please add [SOLVED] to the topic if you found the answer

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 731
Location: Brooklyn, New York

Posted: Wed May 30, 2007 11:47 pm

metalfan wrote:
Hi,

below: Creating container


dd if=/dev/urandom of=cryptocd.iso bs=512 count=2048
dd if=/dev/urandom of=cryptocd.iso bs=512 count=1 seek=1m


1. Why does the first command create a 1mb container that's overwritten by the second command?
to leave room for the luks header info
2. the m in seek=1m isn't working, it's maybe a capital M?
I corrected the seek line to show a capital M. :) thanks for catching that typo.
3. How do you store dvd video data in a container that's 513MB big? (second dd)?
the container will grow as data gets written into it, there is no size limit on it, the only limit is above the size of your recordable media.


greets
metalfan
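
The two dd steps discussed in this exchange, as an added example that is not part of the thread, the wiki or cryptocd.sh: it repeats them on a scratch file and checks that the data from the first command is still there after the second one, and that the file's apparent size is (seek + 1) x 512 bytes. The function names, the scratch path and the scaled-down default seek value are assumptions made for the example.

```shell
#!/bin/sh
# Added example; function names and the scratch path are illustrative.
BS=512

# Step 1 from the thread: random data over the start of the container.
write_header() { dd if=/dev/urandom of="$1" bs=$BS count="$2" 2>/dev/null; }

# Step 2 from the thread: one random block at block offset $2. With seek=
# and no conv=notrunc, dd cuts the file at the seek offset rather than at
# zero, so step 1's data stays and the gap becomes a hole (sparse file).
extend_to() { dd if=/dev/urandom of="$1" bs=$BS count=1 seek="$2" 2>/dev/null; }

# Apparent size in bytes (file length, holes included).
apparent_bytes() { wc -c < "$1" | tr -d ' '; }

# Space actually allocated by the filesystem, in KiB.
allocated_kib() { du -k "$1" | cut -f1; }

# Checksum of the first $2 blocks, to compare before and after step 2.
head_sum() { dd if="$1" bs=$BS count="$2" 2>/dev/null | cksum; }

# Size the container must have after step 2: (seek + 1) blocks.
expected_bytes() { echo $(( ($1 + 1) * BS )); }

# build_and_check FILE HEADER_BLOCKS SEEK_BLOCKS
# Runs both steps; succeeds only if step 1's data survived step 2 and the
# apparent size matches expected_bytes.
build_and_check() {
    img=$1; header_blocks=$2; seek_blocks=$3
    write_header "$img" "$header_blocks" || return 1
    before=$(head_sum "$img" "$header_blocks")
    extend_to "$img" "$seek_blocks" || return 1
    after=$(head_sum "$img" "$header_blocks")
    echo "apparent size: $(apparent_bytes "$img") bytes"
    echo "allocated:     $(allocated_kib "$img") KiB"
    [ "$before" = "$after" ] &&
        [ "$(apparent_bytes "$img")" -eq "$(expected_bytes "$seek_blocks")" ]
}

# The thread uses count=2048 and seek=1M (1048576 blocks, a 512 MiB offset).
# The default here is scaled down; set SEEK_BLOCKS=1048576 for full size.
scratch=$(mktemp -d) || exit 1
if build_and_check "$scratch/cryptocd.iso" 2048 "${SEEK_BLOCKS:-8192}"; then
    echo "header region preserved, size as expected"
else
    echo "unexpected result" >&2
fi
rm -rf "$scratch"
```

On a filesystem that supports sparse files, the allocated figure stays close to the 1 MiB written in step 1 while the apparent size is set by the seek offset.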

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 731
Location: Brooklyn, New York

Posted: Thu May 31, 2007 12:01 am

I updated the wiki with some additional scripts, cryptocd-{mount,umount}.sh, which will automate the mounting and umounting process.

ariel
n00b

Joined: 26 Jun 2007
Posts: 2

Posted: Tue Jun 26, 2007 6:16 am

Hi likewhoa,

I'm using your scripts and the whole thing works really fine. So thanks a bunch for posting this.

I can manually mount / umount the optical media using your helper scripts.

Now I'm using gnome 2.18.1. When I insert an encrypted CD, it gets detected (I think by gnome-mount), very much like the encrypted USB keys do. Then I get prompted for the password. After I type in the correct password, the gnome window gets frozen for about 4 minutes, then I get an error suggesting that the password was wrong. The CD won't get mounted by gnome, I have to do it manually. My encrypted USB HD partitions are mounted with no problems.

I was wondering if you ran into this problem and found the cause of this.

Thanks!
A

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 731
Location: Brooklyn, New York

Posted: Wed Jul 11, 2007 6:08 am

ariel wrote:
Hi likewhoa,

I'm using your scripts and the whole thing works really fine. So thanks a bunch for posting this.

I can manually mount / umount the optical media using your helper scripts.

Now I'm using gnome 2.18.1. When I insert an encrypted CD, it gets detected (I think by gnome-mount), very much like the encrypted USB keys do. Then I get prompted for the password. After I type in the correct password, the gnome window gets frozen for about 4 minutes, then I get an error suggesting that the password was wrong. The CD won't get mounted by gnome, I have to do it manually. My encrypted USB HD partitions are mounted with no problems.

I was wondering if you ran into this problem and found the cause of this.

Thanks!
A


gnome-mount uses gnome-keyring to retrieve and store the password phrases, and you're trying to mount an encrypted optical media disc which gnome-mount has no way of knowing is an encrypted medium. In other words, gnome-mount and others will need to mount the optical medium the same way my helper scripts do.

ariel
n00b

Joined: 26 Jun 2007
Posts: 2

Posted: Wed Jul 11, 2007 5:28 pm

likewhoa wrote:
ariel wrote:
Hi likewhoa,

I'm using your scripts and the whole thing works really fine. So thanks a bunch for posting this.

I can manually mount / umount the optical media using your helper scripts.

Now I'm using gnome 2.18.1. When I insert an encrypted CD, it gets detected (I think by gnome-mount), very much like the encrypted USB keys do. Then I get prompted for the password. After I type in the correct password, the gnome window gets frozen for about 4 minutes, then I get an error suggesting that the password was wrong. The CD won't get mounted by gnome, I have to do it manually. My encrypted USB HD partitions are mounted with no problems.

I was wondering if you ran into this problem and found the cause of this.

Thanks!
A


gnome-mount uses gnome-keyring to retrieve and store the password phrases, and you're trying to mount an encrypted optical media disc which gnome-mount has no way of knowing is an encrypted medium. In other words, gnome-mount and others will need to mount the optical medium the same way my helper scripts do.


Actually it does detect that it is a LUKS volume: when I insert the CD, I get the "Encrypted Disk" password prompt, same as when you insert a LUKS encrypted USB key. But for some reason, after you put in the password, it doesn't get mounted. Anyway, it's no big deal.

I run into a problem when burning DVDs though. After following exactly the same process as for CDs (save for lowering the burning speed to 4X), and getting no errors in the console during/after the burn process, I can't LUKS-open the DVD (ergo, I can't mount it either). It seems like the data has been burned (I see the mark in the DVD surface) but something went wrong, it can't be opened like the CD could.

Did you run into problems burning DVDs?

Also: are you aware of K3b plugins for on-the-fly encryption? (that would make life so much easier :)

Thanks!

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 731
Location: Brooklyn, New York

Posted: Wed Jul 11, 2007 8:08 pm

ariel wrote:
likewhoa wrote:
ariel wrote:
Hi likewhoa,

I'm using your scripts and the whole thing works really fine. So thanks a bunch for posting this.

I can manually mount / umount the optical media using your helper scripts.

Now I'm using gnome 2.18.1. When I insert an encrypted CD, it gets detected (I think by gnome-mount), very much like the encrypted USB keys do. Then I get prompted for the password. After I type in the correct password, the gnome window gets frozen for about 4 minutes, then I get an error suggesting that the password was wrong. The CD won't get mounted by gnome, I have to do it manually. My encrypted USB HD partitions are mounted with no problems.

I was wondering if you ran into this problem and found the cause of this.

Thanks!
A


gnome-mount uses gnome-keyring to retrieve and store the password phrases, and you're trying to mount an encrypted optical media disc which gnome-mount has no way of knowing is an encrypted medium. In other words, gnome-mount and others will need to mount the optical medium the same way my helper scripts do.


Actually it does detect that it is a LUKS volume: when I insert the CD, I get the "Encrypted Disk" password prompt, same as when you insert a LUKS encrypted USB key. But for some reason, after you put in the password, it doesn't get mounted. Anyway, it's no big deal.

I run into a problem when burning DVDs though. After following exactly the same process as for CDs (save for lowering the burning speed to 4X), and getting no errors in the console during/after the burn process, I can't LUKS-open the DVD (ergo, I can't mount it either). It seems like the data has been burned (I see the mark in the DVD surface) but something went wrong, it can't be opened like the CD could.

Did you run into problems burning DVDs?

Also: are you aware of K3b plugins for on-the-fly encryption? (that would make life so much easier :)

Thanks!


yes i'm aware that gnome-mount can mount luks encrypted devices but it's not aware of encrypted optical media. yea i know about the k3b on-the-fly encryption but i prefer to do it manually.

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 731
Location: Brooklyn, New York

Posted: Sun Sep 30, 2007 11:01 pm

cryptocd.sh has been updated to handle Dual Layer Media. Also, the scripts depend on app-cdr/dvd+rw-tools & app-cdr/cdrkit.
We need app-cdr/dvd+rw-tools's growisofs for burning the DVD Dual Layer media, since cdrecord from cdrtools and wodim from cdrkit can't.

miroR
Apprentice

Joined: 05 Mar 2008
Posts: 279

Posted: Tue Jul 22, 2008 3:02 am    Post subject: Luks optical disks to open on Windows with FreeOTFE

I searched on the following, but didn't find much:
burn encrypted optical media with Luks that, here it is, can be mounted and viewed in plain Windows M$ environment...
I can encrypt and view my disks on the few kind of Linuces that I use, but I need them to be viewed on these aforementioned ugly systems as well.
FreeOTFE for some reason can't see nor mount these Luks disks I made...
The author claims it can mount and read Luks-encrypted volumes or partitions, but the portable mode FreeOTFE doesn't show CD/DVD drives, not on an amd64 nor on an old Intel x86 based systems of mine.
I saw the Russian guy (the author of fsLuks) mentions FreeOTFE on his site as well (links are in the thread above).
Can FreeOTFE read optical disks encrypted with Luks? Did anyone get to read them in Windows?
I tried to open in Windows Luks-encrypted disks made in different ways on Linux (the fine fsLuks script included), but I can't get it to work.
The only other mention of a similar try I found here:
http://blog.ofkaiser.com/2006/11/
but the guy really shouldn't hurl such offences at the author of FreeOTFE...
On my part I thank the author just the same. He tried to help, and is certainly helping the true poor of computing: the Windows-only users just fine...
Any ideas (pls. refer to the beginning of my post (sorry for the long digression))?

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 731
Location: Brooklyn, New York

Posted: Sun Aug 03, 2008 8:23 pm    Post subject: Re: Luks optical disks to open on Windows with FreeOTFE

miroR wrote:
I searched on the following, but didn't find much:
burn encrypted optical media with Luks that, here it is, can be mounted and viewed in plain Windows M$ environment...
I can encrypt and view my disks on the few kind of Linuces that I use, but I need them to be viewed on these aforementioned ugly systems as well.
FreeOTFE for some reason can't see nor mount these Luks disks I made...
The author claims it can mount and read Luks-encrypted volumes or partitions, but the portable mode FreeOTFE doesn't show CD/DVD drives, not on an amd64 nor on an old Intel x86 based systems of mine.
I saw the Russian guy (the author of fsLuks) mentions FreeOTFE on his site as well (links are in the thread above).
Can FreeOTFE read optical disks encrypted with Luks? Did anyone get to read them in Windows?
I tried to open in Windows Luks-encrypted disks made in different ways on Linux (the fine fsLuks script included), but I can't get it to work.
The only other mention of a similar try I found here:
http://blog.ofkaiser.com/2006/11/
but the guy really shouldn't hurl such offences at the author of FreeOTFE...
On my part I thank the author just the same. He tried to help, and is certainly helping the true poor of computing: the Windows-only users just fine...
Any ideas (pls. refer to the beginning of my post (sorry for the long digression))?


I don't think FreeOTFE is aware of encrypted media on optical disc, what you can do is create an ISO of the encrypted dvd and see if FreeOTFE can see it.
I normally just nfs share my encrypted dvd/cds to other windows as I wouldn't want to enter my password phrase.

miroR
Apprentice

Joined: 05 Mar 2008
Posts: 279

Posted: Thu Aug 14, 2008 1:24 pm    Post subject: Luks optical disks to open on Windows with FreeOTFE

Thanks, Likewhoa, for the reply (and, sure, for the tutorial),
and, sorry for my replying late, been busy...
Nfs share ok. But my point is: I want that stuff on my optical disks shared by others who are Linux-handicapped...
I might find more time and look further myself into the matter and report back. That might take time though...
Anyone else knows more, pls. post replies!

All times are GMT