Results 1 to 8 of 8

Thread: Disk encryption question

  1. #1
    Will Honea NNTP User

    Default Disk encryption question

    I was asked today if it was possible to encrypt a CDROM just as you would a
    disk - and I drew a blank. The question came up discussing a database we
    maintain with a lot of the organizations financial info plus personal
    membership data.

    Can I create and mount an encrypted CD?

    What are the performance effects?

    Is it a viable one to two year archive medium?

    The plan is to store period off-site backups and I can't get a grasp on the
    feasibility. Any opinions?

    --
    Will Honea

  2. #2
    Join Date
    Jun 2008
    Location
    West Yorkshire, UK
    Posts
    3,448

    Default Re: Disk encryption question

    You can create a data CD which only consists of encrypted files. The delay in reading it will be the additional time needed to decrypt the data which will depend on the software you are using. You can presumably choose to give the files and folders pseudo-random names as long as you have a way of remembering what they mean.

  3. #3
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Disk encryption question

    On 2011-02-17 06:45, Will Honea wrote:
    > I was asked today if it was possible to encrypt a CDROM just as you would a
    > disk - and I drew a blank. The question came up discussing a database we
    > maintain with a lot of the organizations financial info plus personal
    > membership data.


    Yes, you can. Not as easily, not an ISO CD, but it is possible. I do them
    routinely.

    > Can I create and mount an encrypted CD?


    Yes.

    > What are the performance effects?


    None, but the procedure is different. You can not use k3b, for instance.

    > Is it a viable one to two year archive medium?


    [Failure to process this question. ERRR....]

    > The plan is to store period off-site backups and I can't get a grasp on the
    > feasibility. Any opinions?


    I can explain the procedure to create encripted DVDs or CDs if you want.
    How you use them to create your archive, is up to you.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" at Telcontar)

  4. #4
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,050

    Default Re: Disk encryption question

    On Thu, 17 Feb 2011 05:45:00 +0000, Will Honea wrote:

    > Can I create and mount an encrypted CD?


    Yes. The way I do it (and I'm sure there are others) is to use encfs to
    create an encrypted set of files, and then burn that to disc. There are
    most certainly other ways to do this.

    > What are the performance effects?


    Take whatever overhead you would have for decrypting the files on a hard
    drive and add that to the time to access the files on the CD/DVD.

    > Is it a viable one to two year archive medium?


    That depends on the media used, not whether encryption is used or not.
    I've got some discs that I've had archives on for a decade and I can
    still read. I've got others that after a few years, I get read errors on.

    Read errors + encrypted filesystem is an additional risk, because if you
    get a read error in the part of the system that tells the system how to
    decrypt the files, you're sunk.

    It also depends on how you store the discs. I've got some photo archives
    that I burned onto discs (making multiple copies) that I store in a fire
    safe. It's not climate controlled, but it is dark inside, so any
    degredation in the dye from any kind of photosensitivity is drastically
    reduced (since the sun can't penetrate the safe).

    Jim

    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  5. #5
    Will Honea NNTP User

    Default Re: Disk encryption question

    Carlos E. R. wrote:

    > On 2011-02-17 06:45, Will Honea wrote:
    >> I was asked today if it was possible to encrypt a CDROM just as you would
    >> a
    >> disk - and I drew a blank. The question came up discussing a database we
    >> maintain with a lot of the organizations financial info plus personal
    >> membership data.

    >
    > Yes, you can. Not as easily, not an ISO CD, but it is possible. I do them
    > routinely.
    >
    >> Can I create and mount an encrypted CD?

    >
    > Yes.
    >
    >> What are the performance effects?

    >
    > None, but the procedure is different. You can not use k3b, for instance.
    >
    >> Is it a viable one to two year archive medium?

    >
    > [Failure to process this question. ERRR....]
    >
    >> The plan is to store period off-site backups and I can't get a grasp on
    >> the
    >> feasibility. Any opinions?

    >
    > I can explain the procedure to create encripted DVDs or CDs if you want.
    > How you use them to create your archive, is up to you.


    A short tutorial would be appreciated, Carlos. The "archive" reference is
    to having a point-in-time snapshot of key data in a bank box to be refreshed
    at something like annual end-of-year processing, not necessarily a full
    system recovery.

    I'm not married to CDROM as a medium - that was just a first shot. USB flash
    drives would probably more functional but the question of encryption still
    applies.

    The whole question came up after a break-in where some of the office stuff
    disappeared and we were considering options to cover both restoration of a
    working system and potential compromise of any sensitive data. I keep daily
    backups on a spare machine at home and the office manager maintains a backup
    to a 500GB USB drive (frequency there is spotty) so system recovery is not
    too much of a concern right now but a realistic look says we need a system
    less dependent on a couple of individuals. That got me to looking at the
    whole setup and I'm not happy with what I see - too much dependence on
    someone doing something reliably and no provision for the possibility of
    recovery if key individuals are no longer available. Not a good setup for a
    volunteer organization so encryption is just part of a larger effort.

    --
    Will Honea

  6. #6
    Join Date
    Jun 2008
    Location
    Berlin
    Posts
    2,061

    Default Re: Disk encryption question

    Simply burning the encrypted encFS folder (as suggested by hendersj) is a very feasible way; if you are looking for a platform independent solution I'd suggest Truecrypt. Simply create a container as big as the size of a DVD / CD (or maybe a few MB less), you can burn it easily and decrypt it on any system that runs Truecrypt.

  7. #7
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Disk encryption question - how to create encrypted DVDs

    On 2011-02-17 19:26, Will Honea wrote:
    > Carlos E. R. wrote:


    > A short tutorial would be appreciated, Carlos. The "archive" reference is
    > to having a point-in-time snapshot of key data in a bank box to be refreshed
    > at something like annual end-of-year processing, not necessarily a full
    > system recovery.


    Ok, I'll explain my procedure. It just creates encrypted DVDs (or CDs if
    you change the size and the media). How you use them to create backups is a
    different subject :-)

    Last time I wrote this up I did it in Spanish, so now I'll translate.

    It is a procedure to created encripted images that can be burnt directly to
    a DVD and thus obtain media that can be mounted directly by Linux. We are
    using LUKS. The image will not be an ISO 9660, but a FAT, XFS, Reiserfs,
    ext2/3/4... whatever you prefer. I like XFS best, but XFS was affected till
    recently (mid 11.2) that crashed the entire system badly, so I had to use
    reiserfs for more than a year - so this procedure was written for reiserfs.


    Assume we create the image in /imgs.

    cd /imgs
    dd if=/dev/zero of=crypta_f1_dvd.r bs=32K count=143433

    This creates an empty file of about 4 GB, the exact size of a DVD.

    losetup /dev/loop1 crypta_f1_dvd.r

    This creates a virtual device for the system, like a virtual disk of that
    size, in en /dev/loop1

    time dd if=/dev/urandom of=/dev/loop1 bs=1M count=500

    This fills the first 500 MB with random data. It is optional and slow.
    we can use "random" instead of urandom, which is really more random
    and much slower (not cpu intensive, read man something about it).

    cryptsetup -v --key-size 256 luksFormat /dev/loop1

    This encodes the virtual device. It asks for a passphrase twice:
    It'd better be long and unguessable. Keep it safe, but keep it:
    you can lose all your data if not.

    cryptsetup luksDump /dev/loop1

    That's a check.

    cryptsetup luksOpen /dev/loop1 cr_dvd_f1r

    We map the virtual, encoded, device to another that is readable
    (un-encripted). The name "cr_dvd_f1r" is arbitrary, just make sure
    that it doesn't exist yet. To see those in use, type: "dmsetup ls".

    cryptsetup status /dev/mapper/cr_dvd_f1r

    That's another check.

    mkfs.reiserfs -l CR_DVD_on_F1 /dev/mapper/cr_dvd_f1r

    We create a filesystem on it, reiserfs this time. We can use
    whichever we like, but: ext3 wastes space in the journal and
    metastructure - and space is needed on a DVD. FAT works alright,
    but it doesn't record linux permissions. XFS is ideal, but it
    had a bug that crashed the system. An updated 11.2 oS or later
    should be fine with XFS loop mounted.

    And no, we can not use the ISO 9660 (CD/DVD standard) because
    it is read-only.

    For XFS we would do:

    mkfs -V -t xfs -L CR_DVD_on_F2 /dev/mapper/cr_dvd_f1x

    and I would name the image file "crypta_f1_dvd.x". That's the only thing
    different.


    file -s /dev/mapper/cr_dvd_f1r

    We check that the filesystem has been created.


    cryptsetup status cr_dvd_f1r

    We test its status.

    cryptsetup remove cr_dvd_f1r

    We delete the un-encripted virtual device

    losetup -d /dev/loop1

    We delete the encripted virtual device





    The image has been created; now we need to prepare for normal usage.
    In "/etc/crypttab" we add this line:a:

    cr_dvd_f1r /imgs/crypta_f1_dvd.r none noauto


    And this other in fstab:

    /dev/mapper/cr_dvd_f1r /mnt/crypta.dvd1.r \
    reiserfs noatime,noauto,nofail 1 5

    (one line, no end "\")


    Obviously, change what you want, as long as it matches. Nofail is
    required or boot process will abort if the mapped device does not exist
    during boot - and it doesn't. We also need to create the mount point. For
    xfs we would write instead:

    cr_dvd_f1x /imgs/crypta_f1_dvd.x none noauto

    /dev/mapper/cr_dvd_f1x /mnt/crypta.dvd1.x \
    xfs noatime,noauto,nofail 1 5


    From now on, to mount the looped device we only need to issue this
    command - all what we did above is preparation:

    rccrypto start cr_dvd_f1r

    or

    rccrypto start /mnt/crypta.dvd1.r


    We use "stop" instead to umount it. We can also use "status".
    Before version 11.2 the script is /etc/init.d/boot.crypto
    (/sbin/rccrypto is a symbolic link I suggested be added, and
    they did so ;-) ).

    If when we do "start" it fails, look in the log, the terminal
    messages are confussing, perhaps intentionally. If the log says
    that the device is already mapped, it could be true, check with
    "dmsetup ls", and delete with "dmsetup remove". Remember that
    both gnome and kde would like to mount the devices on their
    own, and if they do, the script will fail.


    There is (was?) a bug in 11.2, after one of the updates, that
    makes the script report failure, even if it worked. Check with
    "... status".


    Once the image is mounted, we simply copy data to it, using
    whatever we prefer: in /mnt/crypta.dvd1.r we have a 4 GB
    filesystem for our use :-)



    To burn the image to the DVD:

    wodim -eject -v dev=/dev/dvd /imgs/crypta_f1_dvd.r

    or k3b, brasero, whatever you like, as if it were an ISO image.
    It will probably complain that it is not an ISO, just ignore
    the warning. Make sure the image is not mounted, or the DVD
    image will be created "opened", and it will attempt an fsck
    on mount which will fail (the DVD is not writable) and abort.

    I also test the result of the burning in my burn script (after
    ejecting and closing the drive, or it will fail):


    cmp --bytes=$(wc -c </imgs/crypta_f1_dvd.r) /dev/dvd /imgs/crypta_f1_dvd.r



    For mounting the DVD, it is enough to insert it, gnome will
    ask for the password automatically. KDE should do the same
    thing. Notice that you can not have the image and the DVD
    mounted simultaneously, there is, or maybe, an UUID conflict.


    You can also mount the DVD manually. In /etc/crypttab:

    cr_dvd.l /dev/dvd.l none noauto,loop

    where /dev/dvd.l is a symbolic link to /dev/dvd you have
    to create on each boot (boot.local). It is a trick to help
    the rccrypto script to distinguish what you want to mount
    (a plain dvd or the encripted one.


    In /etc/fstab:

    /dev/mapper/cr_dvd.l /mnt/dvd.crypta.l auto \
    ro,noauto,user,noatime,nodiratime 0 0

    (one line, no end "\")


    And then we can mount the dvd with "rccrypto start cr_dvd.l" or
    "rccrypto start /mnt/dvd.crypta.l).


    And that is all, if I did not make mistakes 8-)



    Warning: if the DVD develops errors, it might be unrecoverable. Create two
    at least if your data is important. I know of a procedure to add forward
    recovery data to plain ISO 9660 DVDs, but not for the type I have described.


    > I'm not married to CDROM as a medium - that was just a first shot. USB flash
    > drives would probably more functional but the question of encryption still
    > applies.


    It is possible, I also use encrypted USB hard disks.



    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" at Telcontar)

  8. #8
    Will Honea NNTP User

    Default Re: Disk encryption question - how to create encrypted DVDs

    Carlos E. R. wrote:

    > Warning: if the DVD develops errors, it might be unrecoverable. Create two
    > at least if your data is important. I know of a procedure to add forward
    > recovery data to plain ISO 9660 DVDs, but not for the type I have
    > described.
    >
    >
    >> I'm not married to CDROM as a medium - that was just a first shot. USB
    >> flash drives would probably more functional but the question of
    >> encryption still applies.

    >
    > It is possible, I also use encrypted USB hard disks.


    Thanks, Carlos. Copied and saved - my poor old brain would miss at least
    two steps ;-) I especially appreciate the check/test steps.

    I'll probably end up with USB drives as well - I saw them on Amazon.com for
    $105 for 1TB - even our graphics people would have trouble filling that up.

    Now off to modify some storage on the server to provide an encrypted place
    to store live runtime files. A quick stop at the local pawn shop turned up
    a decent HP box and UPS that I can tuck away in a secure/obscure room to
    hold it all so this may be less painful than I figured...

    --
    Will Honea

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •