On 2011-02-17 19:26, Will Honea wrote:
> Carlos E. R. wrote:
> A short tutorial would be appreciated, Carlos. The “archive” reference is
> to having a point-in-time snapshot of key data in a bank box to be refreshed
> at something like annual end-of-year processing, not necessarily a full
> system recovery.
Ok, I’ll explain my procedure. It just creates encrypted DVDs (or CDs if
you change the size and the media). How you use them to create backups is a
different subject 
Last time I wrote this up I did it in Spanish, so now I’ll translate.
It is a procedure to create encrypted images that can be burnt directly to
a DVD and thus obtain media that can be mounted directly by Linux. We are
using LUKS. The image will not be an ISO 9660, but a FAT, XFS, Reiserfs,
ext2/3/4… whatever you prefer. I like XFS best, but until recently (mid 11.2)
XFS was affected by a bug that crashed the entire system badly, so I had to use
reiserfs for more than a year - so this procedure was written for reiserfs.
Assume we create the image in /imgs.
cd /imgs
dd if=/dev/zero of=crypta_f1_dvd.r bs=32K count=143433
This creates an empty file of about 4 GB, the exact size of a DVD.
losetup /dev/loop1 crypta_f1_dvd.r
This creates a virtual device for the system, like a virtual disk of that
size, at /dev/loop1.
time dd if=/dev/urandom of=/dev/loop1 bs=1M count=500
This fills the first 500 MB with random data. It is optional and slow.
We can use “random” instead of urandom, which is really more random
and much slower (not CPU intensive; read the man page about it).
cryptsetup -v --key-size 256 luksFormat /dev/loop1
This encodes the virtual device. It asks for a passphrase twice:
It’d better be long and unguessable. Keep it safe, but keep it:
you can lose all your data if not.
cryptsetup luksDump /dev/loop1
That’s a check.
cryptsetup luksOpen /dev/loop1 cr_dvd_f1r
We map the virtual, encoded device to another one that is readable
(unencrypted). The name “cr_dvd_f1r” is arbitrary, just make sure
that it doesn’t exist yet. To see those in use, type: “dmsetup ls”.
cryptsetup status /dev/mapper/cr_dvd_f1r
That’s another check.
mkfs.reiserfs -l CR_DVD_on_F1 /dev/mapper/cr_dvd_f1r
We create a filesystem on it, reiserfs this time. We can use
whichever we like, but: ext3 wastes space in the journal and
metastructure - and space is needed on a DVD. FAT works alright,
but it doesn’t record linux permissions. XFS is ideal, but it
had a bug that crashed the system. An updated 11.2 oS or later
should be fine with XFS loop mounted.
And no, we can not use the ISO 9660 (CD/DVD standard) because
it is read-only.
For XFS we would do:
mkfs -V -t xfs -L CR_DVD_on_F2 /dev/mapper/cr_dvd_f1x
and I would name the image file “crypta_f1_dvd.x”. That’s the only thing
different.
file -s /dev/mapper/cr_dvd_f1r
We check that the filesystem has been created.
cryptsetup status cr_dvd_f1r
We test its status.
cryptsetup remove cr_dvd_f1r
We delete the unencrypted virtual device.
losetup -d /dev/loop1
We delete the encrypted virtual device.
The image has been created; now we need to prepare for normal usage.
In “/etc/crypttab” we add this line:
cr_dvd_f1r /imgs/crypta_f1_dvd.r none noauto
And this other in fstab:
/dev/mapper/cr_dvd_f1r /mnt/crypta.dvd1.r reiserfs noatime,noauto,nofail 1 5
(all on one line)
Obviously, change what you want, as long as it matches. Nofail is
required or boot process will abort if the mapped device does not exist
during boot - and it doesn’t. We also need to create the mount point. For
xfs we would write instead:
cr_dvd_f1x /imgs/crypta_f1_dvd.x none noauto
/dev/mapper/cr_dvd_f1x /mnt/crypta.dvd1.x xfs noatime,noauto,nofail 1 5
From now on, to mount the looped device we only need to issue this
command - all what we did above is preparation:
rccrypto start cr_dvd_f1r
or
rccrypto start /mnt/crypta.dvd1.r
We use “stop” instead to umount it. We can also use “status”.
Before version 11.2 the script is /etc/init.d/boot.crypto
(/sbin/rccrypto is a symbolic link I suggested be added, and
they did so).
If when we do “start” it fails, look in the log; the terminal
messages are confusing, perhaps intentionally. If the log says
that the device is already mapped, it could be true, check with
“dmsetup ls”, and delete with “dmsetup remove”. Remember that
both gnome and kde would like to mount the devices on their
own, and if they do, the script will fail.
There is (was?) a bug in 11.2, after one of the updates, that
makes the script report failure, even if it worked. Check with
“… status”.
Once the image is mounted, we simply copy data to it, using
whatever we prefer: in /mnt/crypta.dvd1.r we have a 4 GB
filesystem for our use 
To burn the image to the DVD:
wodim -eject -v dev=/dev/dvd /imgs/crypta_f1_dvd.r
or k3b, brasero, whatever you like, as if it were an ISO image.
It will probably complain that it is not an ISO, just ignore
the warning. Make sure the image is not mounted, or the DVD
image will be created “opened”, and it will attempt an fsck
on mount which will fail (the DVD is not writable) and abort.
I also test the result of the burning in my burn script (after
ejecting and closing the drive, or it will fail):
cmp --bytes=$(wc -c </imgs/crypta_f1_dvd.r) /dev/dvd /imgs/crypta_f1_dvd.r
For mounting the DVD, it is enough to insert it, gnome will
ask for the password automatically. KDE should do the same
thing. Notice that you can not have the image and the DVD
mounted simultaneously; there is, or may be, a UUID conflict.
You can also mount the DVD manually. In /etc/crypttab:
cr_dvd.l /dev/dvd.l none noauto,loop
where /dev/dvd.l is a symbolic link to /dev/dvd you have
to create on each boot (boot.local). It is a trick to help
the rccrypto script to distinguish what you want to mount
(a plain DVD or the encrypted one).
In /etc/fstab:
/dev/mapper/cr_dvd.l /mnt/dvd.crypta.l auto ro,noauto,user,noatime,nodiratime 0 0
(all on one line)
And then we can mount the DVD with “rccrypto start cr_dvd.l” or
“rccrypto start /mnt/dvd.crypta.l”.
And that is all, if I did not make mistakes 
Warning: if the DVD develops errors, it might be unrecoverable. Create two
at least if your data is important. I know of a procedure to add forward
recovery data to plain ISO 9660 DVDs, but not for the type I have described.
> I’m not married to CDROM as a medium - that was just a first shot. USB flash
> drives would probably be more functional but the question of encryption still
> applies.
It is possible, I also use encrypted USB hard disks.
--
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
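As an added example (not from Carlos's post, nor from openSUSE's rccrypto script): the same procedure collected into one POSIX shell script using current cryptsetup and losetup syntax (`cryptsetup open`/`close`, `losetup --find --show`, LUKS2 with aes-xts-plain64), with the check that the mapping is closed before burning and a hash comparison of the burnt disc against the image in place of the cmp call. The image path, mapping name, label and /dev/dvd are placeholders; the 4.7 GB DVD+R capacity, the choice of XFS and the "0 0" dump/pass fields in the fstab line are my assumptions, not the post's. DRY_RUN=1 prints the privileged commands instead of running them, so the helpers can be exercised without root.

```shell
#!/bin/sh
# Added example, not the post's own commands. Usage (as root):
#   mkcryptdvd.sh make   IMG NAME LABEL     create the LUKS image
#   mkcryptdvd.sh burn   IMG NAME /dev/dvd  burn it (refuses if NAME is open)
#   mkcryptdvd.sh verify IMG /dev/dvd       compare the disc with the image
set -eu

# Assumed capacity of a single-layer DVD+R: 2295104 sectors * 2048 bytes.
# A DVD-R is slightly larger, so an image of this size fits either.
DVD_BYTES=4700372992
BS=32768                                  # dd block size, as in the post

run() {                                   # execute, or only print under DRY_RUN
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# dd count for BYTES at block size BS (floor division: never exceed the medium)
dd_count() { echo $(( $1 / $2 )); }

# crypttab/fstab lines in the post's layout; "0 0" = no dump, no boot-time fsck
crypttab_line() { printf '%s %s none noauto\n' "$1" "$2"; }
fstab_line()    { printf '/dev/mapper/%s %s xfs noatime,noauto,nofail 0 0\n' "$1" "$2"; }

# Refuse to burn while the mapping exists: an image burnt while open carries a
# dirty filesystem log, and the read-only disc can never replay it on mount.
assert_not_active() {
    if [ -e "/dev/mapper/$1" ]; then
        echo "mapping $1 is still active: run 'cryptsetup close $1' first" >&2
        return 1
    fi
}

make_image() {                            # IMG NAME LABEL
    img=$1 name=$2 label=$3
    assert_not_active "$name"
    run dd if=/dev/zero of="$img" bs=$BS count="$(dd_count $DVD_BYTES $BS)"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        loop=/dev/loopN; echo "losetup --find --show $img"
    else
        loop=$(losetup --find --show "$img")   # first free loop device
    fi
    # aes-xts-plain64 takes a 512-bit key (two 256-bit halves)
    run cryptsetup --type luks2 --cipher aes-xts-plain64 --key-size 512 luksFormat "$loop"
    run cryptsetup open "$loop" "$name"
    # Optional (FILL=1): write zeros through the mapping so free space on the
    # disc is ciphertext rather than zeros and does not reveal how full it is.
    # Slow, like the post's urandom step; dd stops with ENOSPC when full.
    if [ "${FILL:-0}" = 1 ]; then run dd if=/dev/zero of="/dev/mapper/$name" bs=1M || true; fi
    run mkfs.xfs -L "$label" "/dev/mapper/$name"
    run cryptsetup close "$name"
    run losetup -d "$loop"
}

burn_image() {                            # IMG NAME DEV
    assert_not_active "$2"
    run wodim -eject -v dev="$3" "$1"     # wodim warns that it is not an ISO; fine
    echo "reinsert the disc, then: $0 verify $1 $3"
}

# Compare the burnt medium with the image. The disc is padded past the image
# end, so only the first $(wc -c IMG) bytes of the device are hashed.
verify_burn() {                           # IMG DEV
    bytes=$(wc -c < "$1" | tr -d ' ')
    want=$(sha256sum < "$1" | cut -d' ' -f1)
    got=$(head -c "$bytes" "$2" | sha256sum | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

case "${1:-}" in
    make)   make_image "$2" "$3" "$4"; crypttab_line "$3" "$2"; fstab_line "$3" "/mnt/$3" ;;
    burn)   burn_image "$2" "$3" "$4" ;;
    verify) verify_burn "$2" "$3" && echo "verified: $3 matches $2" ;;
esac
```

The `make` sub-command prints the two lines to paste into /etc/crypttab and /etc/fstab; the mount point under /mnt is only a suggestion and still has to be created. `verify` hashes exactly the image length from the device, which is why it must be run after the drive has been closed again and the kernel has re-read the disc.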