Making an encrypted DVD (lazy man’s version)

This post was written by eli on October 25, 2010
Posted Under: Linux

This is how to make an encrypted DVD, which is automatically mounted by Fedora 12 (and others, I suppose) when the DVD is inserted (prompting for the passphrase, of course). The truth is that I don’t use this automatic feature, because only seeing the suggestion to save my passphrase as an option makes me prefer going good old command line.

A word of caution: A lot of disk-related operations are done here as root. A slightest mistake, and you may very well trash your entire hard disk. If you don’t understand what the operations below mean, don’t do them. If you feel tired, do it later.

Looks like I’m going to make a script of this sooner or later.

Why lazy man? Mainly for two reasons: The real way to do with is to generate an ISO image, and then encrypt it, so it doesn’t get larger than necessary. The second reason is that having an almost-full sized ISO image anyhow, regardless of how much data I put in it, it’s pretty lazy not to fill it with random data before applying encrypted information. By using /dev/zero instead of /dev/urandom (or /dev/frandom if you want it faster) it’s possible to know how much of the DVD contains data. Also, the fact that it’s all random makes it impossible for an adversary to know for sure what region contains encrypted data, and where it’s just random. But frankly, all these extra safety measures are ridiculous given the fact that a human knows the passphrase, which is by far the weakest link.

Now to some action. First, generate an empty image file. I chose to make it slighly smaller than the maximum allowed. This should work with count=4480 as well, but I don’t want to push it (so I get 4.6 marketing-GB instead of the well-known 4.7).

$ dd if=/dev/zero of=disk.img bs=1M count=4400

As I said,  you may prefer /dev/frandom over /dev/zero. Now it’s time to become root, and go:

# losetup /dev/loop1 disk.img && cryptsetup luksFormat /dev/loop1 && cryptsetup luksOpen /dev/loop1 mybackupdisk && genisoimage -R -J -joliet-long -graft-points -V backup -o /dev/mapper/mybackupdisk directory-to-backup

You will be prompted to agree to erase /dev/loop1, and then for the passphrase three times: Twice for creating the encrypted device, and once for opening it.

I do this in a single line for one important reason: If losetup fails, the show must stop. One of the possible reasons is that /dev/loop1 (which could be any /dev/loopN, as long as it’s the same one along the line) is busy doing something completely different. If we ignore a failure to open a certain loop device, there is a good chance to erase something we didn’t intend to.

When that’s done, close the encrypted device and free /dev/loop1.

# cryptsetup luksClose /dev/mapper/mybackupdisk && losetup -d /dev/loop1

Now burn the image to a DVD. When inserting it, a GUI popup may appear and ask for the password. You can use that, or click Cancel in order to do this manually (and more safely, if you ask me). My DVD is at /dev/sr0, so I go:

# cryptsetup luksOpen /dev/sr0 mydvd
Enter passphrase for /dev/sr0:
# mount /dev/mapper/mydvd backmnt/
mount: block device /dev/mapper/mydvd is write-protected, mounting read-only

And finally, in order to eject the disk one can use the GUI option (if available) or do it manually:

# umount backmnt/
# cryptsetup luksClose /dev/mapper/mydvd

If you use the GUI eject, check /dev/mapper/ to verify that the encryption is indeed closed. On my system it was done properly, but I prefer to see that the door is locked.

Reader Comments

I am a bit confused. I’ve done everything up to where you say to burn the image to dvd. Are you referring to disk.img? I ask because I can’t seem to find an ISO anywhere and my burner programs do not support burning images from .img files.

Written By Trapper on July 25th, 2013 @ 14:43

In principle, the disk.img is the image to burn, so you can try renaming it to disk.iso for burning.

The thing is, that unlike almost all data images that are burned on DVDs, the data format of the image isn’t ISO, so a clever piece of burning software may warn you about it. Or refuse to burn the image altogether.

But the short answer is: Burn disk.img as if it was disk.iso.

Written By eli on July 25th, 2013 @ 16:37

Thanks, I used your tutorial to make encrypted udf blu-ray. Note that cryptsetup can now natively use files instead of devices for the container, replacing losetup and simplyfying things.

Written By timemaster on June 14th, 2015 @ 19:20

Add a Comment

required, use real name
required, will not be published
optional, your blog address