Help me burning encryped DVD with Luks
- Inicie sesión o regístrese para enviar comentarios
Hi
I'd like to do some encryped dvd back up and someone on the french trisquel forum suggested me this page :
http://www.niemueller.de/software/scripts/cryptodvd/
You can download the script here
http://www.niemueller.de/software/scripts/cryptodvd/gencryptodvd-0.2.sh.gz
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
But I'm wondering if this could work and how
It needs bash, sed, awk (we have original-awk), mkisofs (we have xorriso which is a ISO-9660 nanipulation tool) and wodim
Where should I put gencryptodvd-0.2.sh ?
Do I have to put it in /root/bin ?
The script has to be run as root.
What is the command to run it ?
If anyone have a easier solution, it would be nice as well, but Luks encryption can be found on any linux distro.
Thank you in advance for your help.
GNU Bash and GNU sed are in Trisquel by default. The version of AWK that comes by default should be OK. Unless the AWK program in the script uses GNU extensions. If so, the script would return an error that starts with "awk:", you would have to install 'gawk' (in Trisquel's repository) and choose it as the default AWK with 'update-alternatives' (or substitute every occurrence of "awk" by "gawk" in the script). Wodim should be installed by default in Trisquel (maybe not in Trisquel Mini). 'mkisofs' is not in Trisquel's repository but 'xorriso' (in Trisquel' repository) is supposed to emulate 'mkisofs'. Maybe you only need to substitute every occurrence of "mkisofs" by "xorriso". But I am not sure: xorriso's documentation should be read.
You can put the script wherever you want and call it with its (absolute or relative) path. Since it needs administrative privileges, 'sudo' must precede the command. For instance, opening a terminal in the folder where the script (I assume the script "gencryptodvd-0.2.sh" was renamed "gencryptodvd") you should write:
$ sudo ./gencryptodvd [options]
[options] should be replaced by the actual options you want to use.
If you want to run the script by simply writing 'sudo gencryptodvd [options]', then it must be put in one of the directories in the PATH variable ('echo $PATH' to display these directories). I suggest you to put it in /usr/local/bin, which is empty by default and precisely serves the purpose of installing your own programs (i.e., programs not installed with the package manager).
Whatever your choice (call by path or script in a directory in the PATH variable), the script must be executable. You can make it executable from the file manager (right click on the script, "Properties" and, in the "Permissions" tab, check the box that allow the execution) or from the terminal (I assume here the terminal was opened in the directory where the script is, or that you 'cd'ed to this directory):
$ chmod +x gencryptodvd
Hi,
(Sorry, i did not yet find out how to mark code with indentation in this forum.)
xorriso has its own command language but also offers an interpreter
for mkisofs options. It is either activated by command -as "mkisofs":
xorriso -as mkisofs ...mkisofs.options.and.pathspecs...
or by calling xorriso via its softlink name "xorrisofs":
xorrisofs ...mkisofs.options.and.pathspecs...
Not all options of mkisofs are supported. See "man xorrisofs" or
http://www.gnu.org/software/xorriso/man_1_xorrisofs.html
In case of the script gencryptodvd-0.2.sh.gz xorrisofs will not be able
to perform option -dvd-video, which seems to be used automatically if
a directory "VIDEO_TS" exists among the input files.
So i would propose the following changes in the script:
-------------------------------------------------------------------------
Introduce a new variable MKISOFS_PROG which holds the actual program
path, and a variable MKISOFS_EMUL_ARGS which holds the necessary emulation
commands. The following values would make sense:
MKISOFS_PROG=mkisofs
MKISOFS_EMUL_ARGS=
MKISOFS_PROG=genisoimage
MKISOFS_EMUL_ARGS=
MKISOFS_PROG=xorriso
MKISOFS_EMUL_ARGS=" -as mkisofs"
-------------------------------------------------------------------------
Replace the occurences of "mkisofs" by the new variables:
From
eval nice mkisofs $MKISOFS -o $TMPISO $GRAFTPOINTS
to
eval nice "$MKISOFS_PROG" $MKISOFS_EMUL_ARGS $MKISOFS -o $TMPISO $GRAFTPOINTS
(There is also an inactive code line
#SIZE=$(eval nice mkisofs ...
which should become
#SIZE=$(eval nice "$MKISOFS_PROG" $MKISOFS_EMUL_ARGS ...
I am in doubt what this line shall do. If it is about predicting the
size of the result, then mkisofs option -print-size would avoid the
full production run but rather end when normally writing would begin.
It the prints the number of blocks to stdout.)
-------------------------------------------------------------------------
Install a refusal in the case that directory "VIDEO_TS" is found:
From
echo "detected dvd-video data structure"
MKISOFS=$MKISOFS_ARGS_VIDEO
to
echo "detected dvd-video data structure"
if echo "$MKISOFS_PROG" | fgrep "xorriso" >/dev/null
then
echo "SORRY: xorriso does no UDF and thus no dvd-video"
exit
fi
MKISOFS=$MKISOFS_ARGS_VIDEO
(Actually i doubt that the automatic recognition of "VIDEO_TS" is
the right way. Such a directory may well be present in the input
data of a backup run.
I would rather introduce an option to the script which enables
production of UDF for DVD video.)
-------------------------------------------------------------------------
Have a nice day :)
Thomas
Why don't encrypt the files and after burn them ?
It's more easy. no ?
Thats a good point HKR ;-)
Substance check Tomb out
https://www.dyne.org/software/tomb/
&
the video is well worth visioning
+The key can also be hidden in an image, to be used as key later
Not to undermine scdbackup script or Magic Banana's explanations
Hi,
i could as well offer encryption on-the-fly by xorriso filters. :))
The directory tree would stay unencrypted and all data file content
would become encrypted by an external filter program of the user's
choice. (I advise to combine encryption with a compression program
and to leave the well-known compression header unencrypted.)
But i understood the original question more like "how can xorriso
substitute for mkisofs ?". Now i see that there is also a run of
cdrecord in the script. xorriso can interpret the used options:
xorriso -as cdrecord -v -dao dev=$CDRECORDER speed=$BURNSPEED $ISO
or
xorrecord -v -dao dev=$CDRECORDER speed=$BURNSPEED $ISO
Works with CD, DVD, and BD media. (wodim should get only CD media to burn.)
Have a nice day :)
Thomas
@scdbackup
> Sorry, i did not yet find out how to mark code with indentation in this forum.
Just simply use the tags <.code.> <./code.> between your commands (drop the . I have done in the tag to be displayed on the page).
Thank you all for your answers.
Of course HKR,
There is still the possibility of using GPG very easily to encrypt files and do a back up on a cd or dvd.
But when you have a whole folder filled with plenty of other folders or files, all you want to do is simply enter once a password and easily find the file you're looking for, or even open it from the software, just as you can do on a USB key or external HD encrypted with Luks.
GPG is ok for single files. But a folder needs to be zip compressed then encrypted with GPG.
That means you'll have to copy the zip file somewhere on you hard drive or wherever and decompress it .
You can't use it for a whole DVD-R or even a CD-R because it's just too long.
@MangyDog
Yes, I already knew Tomb.
But I'm surprised that Tomb is not in our repository. It sould be.
After reading the man pdf of Tomb wibsite, the « engrave » command makes an image, but an image of the key that can be printed on paper and phisically stored as backup.
I'm not sure Tomb could really read a optical disc written from an .iso file where a .tomb
This could be tested
I have tried to open the gencryptdvd script as described by Magic, but it doesn't want to open.
I've placed the .sh in /home and used the Root Terminal to check if nothing was wrong :
The ls command dispayed gencryptodvd-0.2.sh in green when I allowed the file in the propetities to be used as a program.
I haven't any « awk » warning,
I only have a « command not found »
adding a ./ before gencryptodvd makes an unexisting file warning.
I precise sudo package is already installed on my laptop.
I don't know if any of you succeed to make the script run.
There can be an alternative with this
http://ubuntuportal.blogspot.fr/2007/03/howto-encrypt-cddvds-in-ubuntu.html
there is an alternate version
http://www.upubuntu.com/2012/11/how-to-create-encrypted-cddvd-image.html
2 problems :
if you can find aespipe, you won't find loop-aes-utils, and mkisofs sould be remplaced by xorriso.
I tried this step :
As recommanded by scdbackup I did a
xorriso -as mkisofs
but only got this answer :
xorriso 1.3.2 : RockRidge filesystem manipulator, libburnia project.
I started a
$ xorriso -r backup | aespipe -e aes256 > backup.iso
an got :
xorriso 1.3.2 : RockRidge filesystem manipulator, libburnia project.
xorriso : FAILURE : Not a known command: '-r'
xorriso : FAILURE : Not a known command: 'backup'
xorriso : aborting : -abort_on 'FAILURE' encountered 'FAILURE'
Password:
Maybe the begining of an answer ?
Hi,
i updated my previous replies by "code" tags. Hopefully my proposals
for changing the encryption script are more readable now.
(I wonder how to avoid the double spacing between lines.)
> Maybe the begining of an answer ?
You are nearly there. Combine your two failed experiments:
xorriso -as mkisofs -r backup | aespipe -e aes256 > backup.iso
(I tested this with "cat" rather than "aespipe ...".)
Reasoning:
xorriso interprets commands. One of them is "-as". The first argument after
"-as" chooses the emulation mode. Either mode "mkisofs" or mode "cdrecord".
The further arguments up to the first "--" are then interpreted as
options of the emulated programs.
There is no xorriso command "-r". So without preceeding "-as" "mkisofs",
this yields the error message about "Not a known command".
Further, xorriso does not accept lonely words as input paths (unless
command -add_plainly enabled this). Such paths are rather submitted as
arguments of commands like -map or -add. So your path "backup" gets the
same complaint "Not a known command".
--------------------------------------------------------------------
If you run xorriso for backup purposes, consider to enable some extras
by -as mkisofs option --for_backup: MD5 checksums for superblock,
directory tree, overall ISO, and each data file in the ISO, recording
of ACL and xattr.
xorriso -as mkisofs --for_backup -r backup | aespipe -e aes256 > backup.iso
The checksums can be verified on the decrypted ISO (i guess
aespipe -d -e aes256 <backup.iso >backup_clear.iso
) by xorriso runs like:
xorriso -for_backup -indev backup_clear.iso -check_media --
(Note that the "-for_backup" used here is a xorriso command, not an
-as mkisofs option. To have an effect it must be executed before the
-indev command which loads the ISO tree and extra info.)
If verification errors or read errors are reported but the directory
tree is still ok, one can search for damaged data files by
xorriso -for_backup -indev backup_clear.iso -check_md5_r SORRY / --
Recorded ACL and xattr can be listed by xorriso in the input format
of programs setfacl(1) and setfattr(1). The can be restored together
with the file data by xorriso if enabled by command -osirrox "on".
Have a nice day :)
Thomas
With VeraCrypt (fork of TrueCrypt) you can create an encrypted partition in file. So you can create an file partition of 4.7 GB . (I think we can do the same thing with an ext4 encryted partition with LUKS)
And of course after burn it on cd/dvd
VeraCrypt's got the Apache License 2.0 but with portions subject to TrueCrypt License version 3.0 which are non-free
This license is nonfree for several reasons. It says that if you don't understand the license you may not use the program. It puts conditions on allowing others to run your copy. It puts conditions on separate programs that “depend on” Truecrypt. The trademark condition applies to “associated materials”.
There are other points in the license which seem perhaps unacceptable, and in our uncertainty about them we delayed in posting our evaluation. We have posted it now to explain why we do not mourn the demise of Truecrypt. There are free programs that do the same job.
https://www.gnu.org/licenses/license-list.en.html
name at domain, Xov 26 Mai 2016 22:45:07 CEST:
> VeraCrypt's got the Apache License 2.0 but with portions subject to
> TrueCrypt License version 3.0 which are non-free
>
> This license is nonfree for several reasons.
Ouch. Ouch. I love it when freedom and security go hand by
hand, which happens most of the time. I hate it when I have to choose
between one and the other.
------------------------------------------------------------------------
Ignacio Agulló · name at domain
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
I've been on Wikipedia to check it out without seeing that there was this link :
https://veracrypt.codeplex.com/license
Apache License 2.0 (Apache)...
So it is totally free software.
I was Microsoft Public License until June 29th of 2015. There is also a licence history.
My friend HKR was rigth, Wikipedia was wrong.
Sorry HKR !
The TrueCrypt's licence on wikipedia depends of page language. Sometime we have Apache 2, or Apache 2 and TrueCrypt Licence, or Apache 2 with some part under TrueCrypt Licence. Wikipedia is just not update.
CodePlex is Microsoft's free open source project hosting site. :-) (lol)
The TrueCrypt project was shut down supposedly because of security problems that could not be fixed, IIRC. Considering that, I see no reason to think that VeraCrypt is secure, let alone more secure than libre alternatives.
There is a french expression saying that you shouldn't put all the eggs in the same bag.
Of course, we'll advice to choose first a super strong passphrase for each one you have to use.
See this intresting discussion
https://trisquel.info/en/forum/what-are-your-favorite-encryption-programs-or-methods#comment-95716
The TrueCrypt story shouldn't let us forget that any encryption software can be hacked.
So, why not using this usb key encrypted with Tomb, this one with cryptkeeper, some of the files of your 2To with different methods like GPG...
This method can be ok if you're a journalist or an activist, but people first should be aware of what they are doing on the internet and the GAFA.
The NSA haven't got the exclusivity of what you want to hide.
Is it your family, your friends, your girlfriend, your wife... ???
Veracrypt exist for 3 years now, but no one proved (excepted the NSA that will keep it secret) that every TrueCrypt fork is hackable.
A doubt can be allowed upon those Truecrypt forks... You are right onpon4.
I simply notice by this question (how can i do an encrypted CD-R or DVD-R on Trisquel) that there is something missing we should answer.
Veracrypt is the first answer, and I'm hoping there will a second, then a third...
Certainely because we don't use CD-R, DVD or BR as a storage like we did before USB keys, bigger external HD and then the cloud to store our data, we have forgot this question.
This topic shouldn't be close.
name at domain, Ven 27 Mai 2016 00:59:41 CEST:
> The TrueCrypt project was shut down supposedly because of security
> problems that could not be fixed, IIRC. Considering that, I see no
> reason to think that VeraCrypt is secure.
I don't think so. As a matter of fact, an independent audit was
made and found TrueCrypt to be 100% clean.
You need to understand that when you're walking by the seaside,
and a seagull is running from you with a wing badly turned, the
seagull is in fact OK and will fly alright - it is simply luring the
predador away from its nest.
Now, the full truth about TrueCrypt is still unknown, but I
think the independent audit can be trusted.
As for VeraCrypt license, as pointed before by Substance2004, is
an Apache 2.0 license. I don't see any other license there.
------------------------------------------------------------------------
Ignacio Agulló · name at domain
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
Somehow my most recent post offers no "edit" link. So i use the "reply" link:
mkisofs option -r alters ownership and access permissions of the file copies in the ISO.
Although this is beneficial for publishing or data transport, it is not really what a
good backup needs. So i advise to omit option -r.
Ownership, permissions, symbolic links, and unixly timestamps are recorded by Rock Ridge.
mkisofs and genisoimage produce Rock Ridge only if option -R or -r is given.
xorriso -as mkisofs produces it by default but also accepts an explicit option -R.
This tutorial explain how create an encrypted filesytem in file with dm-crypt in LUKS format.
I tried it and it worked well.
Hummmmmmm....
Intresting link !
Thank you HKR !
I'll have a try.
I haven't got any doubt that his works
But I'm wondering what happens if you burn this .img, put it in the trash and if this disc can work with a device file in /dev/mapper and a mount point file in ~/ as those files depends of the .img
I don't think this can work on another computer.
I'm going to install Tomb (i haven't done it yet) to see how a CD-R behaves with a .tomb file.
I hope it will woks fine.
I still haven't got any real solution yet.
- You create your empty file system on a file on your home (for example)
- You mount it and you copy on it your files
- You unmount it and burn it on CD/DVD
- You mount your file System from the file on your CD/DVD
So if you erase your .img on your HDD it's not important because you want mount it from CD/DVD. You must adapt the command line to use you it from a CD/DVD
I succeed to create the file and mount it.
The tutorial have errors. It creates a files named my-container.img at the beginning and call it mycontainer which gives an error in the terminal.
But I still have a problem to drag and drop the files or even copy and paste my file in the container once it's mounted.
The real proprietary of "my-mouth-point" if you follow all the steps is not your computer, it is "root".
I came into /dev/mapper so see if there was any secret-device file, and there wasn't.
-
Create an empty file with the size of your container (10 MB here)
dd if=/dev/zero bs=512 count=19532 of=myFile
-
Here we make an encrypted LUKS partition on myFile
sudo cryptsetup luksFormat myFile
-
Now we mount the file on an vitual device named mydevice
sudo cryptsetup luksOpen myFile myDevice
-
We create an ext4 file system on this device
sudo mkfs -t ext4 /dev/mapper/myDevice
-
Now we mount myDevice on an folder named here myMountPoint
mkdir myMountPoint
sudo mount /dev/mapper/myDevice myMountPoint/ -
Change the proprietary
sudo chown 'here your sesion name' myMountPoint
-
Now you can drag and drop from nautilus
Well, bad news
Veracrypy doesn't allow to make encryped cd-r.
You need the Traveler Disk Setup option in the Tool menu.
It seems this option only exist on Veracrypt for Windows.
https://www.reddit.com/r/VeraCrypt/comments/3rl794/what_happened_to_the_traveler_disk_setup_option/
I'm continuing the post #22 by HKR
I've corrected some commands
dd if=/dev/zero bs=1M count=665 of=my-container.iso
On this command, you will notice the use of .iso rather than .img used in this tutorial http://elephly.net/posts/2013-10-01-dm-crypt.html
Using a .iso file is better for Brasero, because it is a recognized format.
sudo cryptsetup luksFormat my-container.iso
sudo cryptsetup luksOpen ~/my-container.iso secret-device
sudo mkfs -t ext4 /dev/mapper/secret-device
mkdir ~/my-mount-point
sudo mount /dev/mapper/secret-device ~/my-mount-point
sudo umount ~/my-mount-point
sudo cryptsetup luksClose secret-device
sudo cryptsetup luksOpen ~/my-container.iso secret-device
sudo mount /dev/mapper/secret-device ~/my-mount-point
sudo chown [your name session] my-mount-point
After a my-container.iso burning, the things I feared in post #19 happened.
When you insert the encrypted cd-r and you try to open it in Nautilus, the usual window you can find with your external HD or USB key works very well.
But after have entering your password there is this warning :
Impossible to access to « 695 MB Volume»
Error mounting /dev/dm-3 at /media/[your session]/d2848ff6-7b28-44d0-91f3-8a454c84fb23: Command-line `mount -t "ext4" -o "uhelper=udisks2,nodev,nosuid" "/dev/dm-3" "/media/[your session]/d2848ff6-7b28-44d0-91f3-8a454c84fb23"' exited with non-zero exit status 32: mount: block device /dev/mapper/luks-e8d99aff-7c20-445b-9b1a-88d350197868 is write-protected, mounting read-only
mount: wrong fs type, bad option, bad superblock on /dev/mapper/luks-e8d99aff-7c20-445b-9b1a-88d350197868,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
There is the problem of the mounting point named "my-mount-point" and you can't acces to your files. It is also impossible to eject the CD-R without restart the machine.
Does anyone understand what really says this warning ?
Thank you.
- Inicie sesión o regístrese para enviar comentarios