Encrypting CD

[Dr. Psy]

Well, this may not be exactly what you are looking for, and i dont know what OS you are using, but maybe it could be of some help.

In the Linux 2.6 kernel (I am using 2.6.12) you can compile in support for encryption in the kernel using cryptoloop (Dm-crypt is also available)

When you configure the kernel, check support for Device Drivers -> Block Devices -> Loopback device support
(and might as well enable dm-crypt while you are at it, since dm-crypt will be cryptoloop's successor)
Device Drivers --> Multi-device support (RAID and LVM) --> [*] Multiple devices driver support (RAID and LVM)
<*> Device mapper support
<*> Crypt target support

And then under Cryptographic options, you have the following choices

-- Cryptographic API
<*> HMAC support
< > Null algorithms
<*> MD4 digest algorithm
<*> MD5 digest algorithm
<*> SHA1 digest algorithm
<*> SHA256 digest algorithm
<*> SHA384 and SHA512 digest algorithms
<*> DES and Triple DES EDE cipher algorithms
<*> Blowfish cipher algorithm
<*> Twofish cipher algorithm
<*> Serpent cipher algorithm
<*> AES cipher algorithms
<*> CAST5 (CAST-128) cipher algorithm
<*> CAST6 (CAST-256) cipher algorithm
<*> Deflate compression algorithm
< > Testing module

You can either compile these into the kernel or load them as modules

Anyways, after you have configured this kernel and booted it, you can then make an encrypted iso image of your document directory.

First, create an iso large enough to hold your documents

[root@localhost]#dd if=/dev/urandom of=crypt.iso bs=1k count=100000

next, you will need to use losetup with your encryption algorithm selection

[root@localhost]#losetup -e blowfish /dev/loop1 crypt.iso

You will be asked for your password. Make sure you enter it correctly, because it wont ask a second time for verification

note:if you compiled the encryption algorithms as modules, you will first need to load the module
[root@localhost]#modprobe blowfish

if you compiled them into the kernel, then you can skip that step.

next, you need to run mkisofs through the loop device using your documents folder

[root@localhost]#mkisofs -r -o /dev/loop1 /documents

next, create a mounpoint for the iso

[root@localhost]#mkdir /mnt/crypto

And then mount the encrypted iso

[root@localhost]#mount crypt.iso /mnt/crypto -t iso9660 -o loop=/dev/loop1,encryption=blowfish
password:
[root@localhost]#

[root@localhost]#cd /mnt/crypto
[root@localhost]#ls
doc1
doc2
etc

All your documents should now be listed in unencrypted form.

unmount the iso and unset the loop device
[root@localhost]#umount /mnt/crypto
root@localhost]#losetup -d /dev/loop1

and make sure that you have the correct password before burning the iso
[root@localhost]#mount crypt.iso /mnt/crypto -t iso9660 -o loop=/dev/loop1,encryption=blowfish
password:
[root@localhost]#

if you have the correct password, then you are ready to burn

[root@localhost]#cdrecord -v -dev=/dev/hdc -data crypt.iso

Now, after you have burned the encrypted iso to a disk, it will be stored in encrypted form. When you want access to the documents, you will be asked for the passphrase on mount, before it will be either mounted into the filesystem or decrypted.

[root@localhost]mount /dev/hdc
password:
[root@localhost]#

The only downside to this, is that you will not be able to gain access to your documents on any other system, unless it has the same support compiled into the kernel. However, this is a really nice way to store documents onto a CD. The cd will not even be mountable unless you have the password. hence, your files cannot be accessed, copied or decrypted.

Hope that helps you a little anyways.

[Dr. Psy]

Woops. I'm sorry. I screwed up. Trying to mount the encrypted ISO image on the CD with 'mount /dev/hdc' does not work. I don't know why I said that.

You have to use

mount /dev/hdc /mnt/crypto -t iso9660 -o loop=/dev/loop1,encryption=blowfish

In order to mount the encrypted CD. Sorry about that!