Gentoo Forums
[HOWTO] Easy ISO Image Encryption With LUKS


Joined: 03 Sep 2006
Posts: 11

Posted: Mon Apr 14, 2008 8:21 pm    Post subject: [HOWTO] Easy ISO Image Encryption With LUKS

HOWTO: Easy ISO Image Encryption With LUKS And Burning To Optical Media

1. Introduction

If you are looking for articles dealing with optical media encryption, you will rarely find useful ones, but one of them definitely is "HOWTO Burn Encrypted Optical Media With Luks" from Gentoo-Wiki. Nevertheless I found some points which could be bettered:
  • The shell script at the end is inflexible: if you use exotic options for generating the ISO image, you have to do this by changing the script; it also does not follow the UNIX philosophy :wink:
  • Currently there is no possibility for users of K3b, GnomeBaker or other GUI burners to use LUKS - these people have to stick to the shell.

The main purpose of this HOWTO is to present two bash scripts which solve the problems mentioned above.

2. Preparations

This section is nearly identical to the one in the Gentoo-Wiki. If you want to do encryption as a user, you additionally need to configure sudo, which is described in a section below.

2.1 Kernel Configuration

You need device mapper and crypt target support in your kernel:
cd /usr/src/linux && make menuconfig

Device Drivers  --->
        Multi-device support (RAID and LVM)  --->
               <*>   Device mapper support
               <*>     Crypt target support

Also choose the cryptographic algorithms you are going to use, for example the modules beneath for the popular cipher "aes-cbc-essiv:sha256":
Cryptographic options  --->
        <*>   SHA256 digest algorithm
        <*>   AES cipher algorithms

Note that it does not matter here whether you compile options as modules (do not forget to modprobe them) or as built-ins (do not forget to boot the newly built kernel).

2.2 Install And Configure Supplementary Programs

Second step is to emerge cryptsetup (do not emerge cryptsetup-luks as said in the wiki, this package is deprecated):
emerge -va sys-fs/cryptsetup

If you want to encrypt as a user, you need to emerge sudo (if you have not done this already):
emerge -va app-admin/sudo

2.3 Install The Isocrypt-Scripts

Download isocrypt here, unpack in a special directory and type:

Now you have got some new programs:
  • mkisofs/genisoimage, which both point to genisoimage.isocrypt, and
  • isocrypt

isocrypt does all the encryption related work, genisoimage.isocrypt is a simple wrapper script that makes it possible to use all the stuff in GUI programs (K3b, ...)

If you intend to use encryption as a user, you have to add these lines to your sudoers-file (type "visudo" to edit it):
User_Alias      ISOCRYPT_USERS = gnuke
Cmnd_Alias      ISOCRYPT_CMD   = /path/to/your/isocrypt


Make sure that the "Cmnd_Alias" line points to the isocrypt file you have extracted above.

2.4 OPTIONAL: Encrypt Swap

WARNING: Skip this section if you rely on hibernation - swap encryption will break it!

It is possible that keys, passwords or other crucial data will be swapped (so that this data is clearly visible) - therefore it is better to encrypt your swap-partition before doing the actual encryption:
cryptsetup -c aes -h sha256 -d /dev/urandom create crypt-swap /dev/your-hdd
mkswap /dev/mapper/crypt-swap
swapon /dev/mapper/crypt-swap

This will hold swap encrypted until you do a restart of your computer; permanent swap-encryption is done if you add the following lines to your /etc/conf.d/dmcrypt:
options='-s 384 -d /dev/urandom -c aes-cbc-essiv:sha256 -h sha256'

The above options will encrypt with "aes-cbc-essiv:sha256" and a randomly generated key from /dev/urandom.

3. Encryption Of ISO Images

WARNING: Never burn encrypted images to CDs in TAO mode - this will break them or slow them down due to the readahead bug (you may read a detailed description of the problem here: Burning encrypted ISO image to CD / readahead bug)

3.1 Encryption With Shell

Now that you have installed all the things, encryption under your favorite shell is fairly easy (I am using the cdrkit-utilities, but this works with cdrecord/mkisofs as well):
genisoimage -alotofoptions -o unencrypted.iso imagethis/
isocrypt --key-file "/savedir/mykey.file" -i unencrypted.iso -o encrypted.iso
wodim dev=/dev/burner encrypted.iso

or shorter, using pipes:
genisoimage -alotofoptions imagethis/ | isocrypt --key-file "/savedir/mykey.file" -o encrypted.iso
wodim dev=/dev/burner encrypted.iso

or even shorter, using more pipes:
genisoimage -alotofoptions imagethis/ | isocrypt --key-file "/savedir/mykey.file" | wodim dev=/dev/burner

3.2 Encryption With K3b

NOTE: This should similarly work with other GUI programs, but I have tested this with no programs except K3b 1.0.4

  • Go to "Settings -> Configure K3b... -> Programs -> Search Path" and add the path where you have installed the isocrypt files
  • Go to "User Parameters" and add an additional parameter for the mkisofs program:
    --key-file /path/to/your/key.file

  • Go to "Programs" and make sure that the custom genisoimage/mkisofs program is selected. If you do not see it, first click on the "Search" button below.

4. Use More Isocrypt Options And Verify Your Media

  • For a full list of options isocrypt supports type:
    isocrypt -h

  • If you are changing things in the script it is very useful to add the "--verify" option, which compares the encrypted and unencrypted image bitwise.
  • If you have successfully burned to disc, you can check it against the encrypted image with:
    dd if=/dev/burner bs=2048 | cmp - encrypted.iso

5. Finish

Try it and post what you think about it!
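As an added example that is not part of the original post: a small POSIX shell function that does the disc check from section 4, but reads exactly as many 2048-byte sectors as the encrypted image contains, so run-out or padding sectors on the disc do not make cmp report a spurious EOF mismatch. The device path and file names are assumptions; the data built at the bottom is constructed for the demo.

```shell
#!/bin/sh
# verify_burn DEVICE IMAGE
# Returns 0 if the first $(size IMAGE) bytes of DEVICE equal IMAGE, 1 on
# mismatch, 2 if IMAGE is not sector-aligned. Bounding the read with
# count= avoids "cmp: EOF on encrypted.iso" when the disc is longer than
# the image because of padding sectors.
verify_burn() {
    dev=$1
    img=$2
    size=$(wc -c < "$img")
    # ISO images are built from 2048-byte sectors; refuse anything else
    if [ $((size % 2048)) -ne 0 ]; then
        echo "verify_burn: $img is not a multiple of 2048 bytes" >&2
        return 2
    fi
    blocks=$((size / 2048))
    dd if="$dev" bs=2048 count="$blocks" 2>/dev/null | cmp -s - "$img"
}

# Constructed demo data (no real burner involved): a 4-sector "image" and a
# "disc" file holding the same sectors followed by two zero padding sectors.
demo_dir=$(mktemp -d)
yes 'isocrypt demo payload' | head -c 8192 > "$demo_dir/encrypted.iso"
cat "$demo_dir/encrypted.iso" > "$demo_dir/disc"
dd if=/dev/zero bs=2048 count=2 2>/dev/null >> "$demo_dir/disc"

# A second copy with one byte changed inside the image area, to show that a
# bad burn is detected (the payload never contains the letter X).
cp "$demo_dir/disc" "$demo_dir/bad_disc"
printf 'X' | dd of="$demo_dir/bad_disc" bs=1 seek=3000 conv=notrunc 2>/dev/null

if verify_burn "$demo_dir/disc" "$demo_dir/encrypted.iso"; then
    echo "good disc: matches image"
fi
if ! verify_burn "$demo_dir/bad_disc" "$demo_dir/encrypted.iso"; then
    echo "bad disc: mismatch detected"
fi
```

On a real burner replace "$demo_dir/disc" with /dev/burner; the function only ever reads from the device.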

Joined: 05 Aug 2004
Posts: 3789
Location: sleeping in the bathtub

Posted: Mon Apr 14, 2008 8:44 pm    Post subject: Re: [HOWTO] Easy ISO Image Encryption With LUKS

Nice howto, but there's one thing I'd take issue with:

The usage of the LUKS extensions seems kinda pointless; it would be very useful with rewritable media, but with read-only ISO images it doesn't really offer anything...