Disk encryption question

I was asked today if it was possible to encrypt a CDROM just as you would a
disk - and I drew a blank. The question came up discussing a database we
maintain with a lot of the organization’s financial info plus personal
membership data.

Can I create and mount an encrypted CD?

What are the performance effects?

Is it a viable one to two year archive medium?

The plan is to store periodic off-site backups and I can’t get a grasp on the
feasibility. Any opinions?


Will Honea

You can create a data CD which only consists of encrypted files. The delay in reading it will be the additional time needed to decrypt the data which will depend on the software you are using. You can presumably choose to give the files and folders pseudo-random names as long as you have a way of remembering what they mean.

On 2011-02-17 06:45, Will Honea wrote:
> I was asked today if it was possible to encrypt a CDROM just as you would a
> disk - and I drew a blank. The question came up discussing a database we
> maintain with a lot of the organization’s financial info plus personal
> membership data.

Yes, you can. Not as easily, not an ISO CD, but it is possible. I do them
routinely.

> Can I create and mount an encrypted CD?

Yes.

> What are the performance effects?

None, but the procedure is different. You can not use k3b, for instance.

> Is it a viable one to two year archive medium?

[Failure to process this question. ERRR…]

> The plan is to store periodic off-site backups and I can’t get a grasp on the
> feasibility. Any opinions?

I can explain the procedure to create encrypted DVDs or CDs if you want.
How you use them to create your archive, is up to you.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On Thu, 17 Feb 2011 05:45:00 +0000, Will Honea wrote:

> Can I create and mount an encrypted CD?

Yes. The way I do it (and I’m sure there are others) is to use encfs to
create an encrypted set of files, and then burn that to disc. There are
most certainly other ways to do this.

> What are the performance effects?

Take whatever overhead you would have for decrypting the files on a hard
drive and add that to the time to access the files on the CD/DVD.

> Is it a viable one to two year archive medium?

That depends on the media used, not whether encryption is used or not.
I’ve got some discs that I’ve had archives on for a decade and I can
still read. I’ve got others that after a few years, I get read errors on.

Read errors + encrypted filesystem is an additional risk, because if you
get a read error in the part of the system that tells the system how to
decrypt the files, you’re sunk.

It also depends on how you store the discs. I’ve got some photo archives
that I burned onto discs (making multiple copies) that I store in a fire
safe. It’s not climate controlled, but it is dark inside, so any
degradation in the dye from any kind of photosensitivity is drastically
reduced (since the sun can’t penetrate the safe).

Jim


Jim Henderson
openSUSE Forums Administrator

Carlos E. R. wrote:

> On 2011-02-17 06:45, Will Honea wrote:
>> I was asked today if it was possible to encrypt a CDROM just as you would a
>> disk - and I drew a blank. The question came up discussing a database we
>> maintain with a lot of the organization’s financial info plus personal
>> membership data.
>
> Yes, you can. Not as easily, not an ISO CD, but it is possible. I do them
> routinely.
>
>> Can I create and mount an encrypted CD?
>
> Yes.
>
>> What are the performance effects?
>
> None, but the procedure is different. You can not use k3b, for instance.
>
>> Is it a viable one to two year archive medium?
>
> [Failure to process this question. ERRR…]
>
>> The plan is to store periodic off-site backups and I can’t get a grasp on the
>> feasibility. Any opinions?
>
> I can explain the procedure to create encrypted DVDs or CDs if you want.
> How you use them to create your archive, is up to you.

A short tutorial would be appreciated, Carlos. The “archive” reference is
to having a point-in-time snapshot of key data in a bank box to be refreshed
at something like annual end-of-year processing, not necessarily a full
system recovery.

I’m not married to CDROM as a medium - that was just a first shot. USB flash
drives would probably be more functional but the question of encryption still
applies.

The whole question came up after a break-in where some of the office stuff
disappeared and we were considering options to cover both restoration of a
working system and potential compromise of any sensitive data. I keep daily
backups on a spare machine at home and the office manager maintains a backup
to a 500GB USB drive (frequency there is spotty) so system recovery is not
too much of a concern right now but a realistic look says we need a system
less dependent on a couple of individuals. That got me to looking at the
whole setup and I’m not happy with what I see - too much dependence on
someone doing something reliably and no provision for the possibility of
recovery if key individuals are no longer available. Not a good setup for a
volunteer organization so encryption is just part of a larger effort.


Will Honea

Simply burning the encrypted encFS folder (as suggested by hendersj) is a very feasible way; if you are looking for a platform independent solution I’d suggest Truecrypt. Simply create a container as big as the size of a DVD / CD (or maybe a few MB less), you can burn it easily and decrypt it on any system that runs Truecrypt.

On 2011-02-17 19:26, Will Honea wrote:
> Carlos E. R. wrote:

> A short tutorial would be appreciated, Carlos. The “archive” reference is
> to having a point-in-time snapshot of key data in a bank box to be refreshed
> at something like annual end-of-year processing, not necessarily a full
> system recovery.

Ok, I’ll explain my procedure. It just creates encrypted DVDs (or CDs if
you change the size and the media). How you use them to create backups is a
different subject :-)

Last time I wrote this up I did it in Spanish, so now I’ll translate.

It is a procedure to create encrypted images that can be burnt directly to
a DVD and thus obtain media that can be mounted directly by Linux. We are
using LUKS. The image will not be an ISO 9660, but a FAT, XFS, Reiserfs,
ext2/3/4… whatever you prefer. I like XFS best, but XFS was affected till
recently (mid 11.2) by a bug that crashed the entire system badly, so I had to use
reiserfs for more than a year - so this procedure was written for reiserfs.

Assume we create the image in /imgs.

cd /imgs
dd if=/dev/zero of=crypta_f1_dvd.r bs=32K count=143433

This creates an empty file of about 4 GB, the exact size of a DVD.

losetup /dev/loop1 crypta_f1_dvd.r

This creates a virtual device for the system, like a virtual disk of that
size, in /dev/loop1.

time dd if=/dev/urandom of=/dev/loop1 bs=1M count=500

This fills the first 500 MB with random data. It is optional and slow.
We can use “random” instead of urandom, which is really more random
and much slower (not cpu intensive, read man something about it).

cryptsetup -v --key-size 256 luksFormat /dev/loop1

This encodes the virtual device. It asks for a passphrase twice:
It’d better be long and unguessable. Keep it safe, but keep it:
you can lose all your data if not.

cryptsetup luksDump /dev/loop1

That’s a check.

cryptsetup luksOpen /dev/loop1 cr_dvd_f1r

We map the virtual, encoded, device to another that is readable
(unencrypted). The name “cr_dvd_f1r” is arbitrary, just make sure
that it doesn’t exist yet. To see those in use, type: “dmsetup ls”.

cryptsetup status /dev/mapper/cr_dvd_f1r

That’s another check.

mkfs.reiserfs -l CR_DVD_on_F1 /dev/mapper/cr_dvd_f1r

We create a filesystem on it, reiserfs this time. We can use
whichever we like, but: ext3 wastes space in the journal and
metastructure - and space is needed on a DVD. FAT works alright,
but it doesn’t record linux permissions. XFS is ideal, but it
had a bug that crashed the system. An updated 11.2 oS or later
should be fine with XFS loop mounted.

And no, we can not use the ISO 9660 (CD/DVD standard) because
it is read-only.

For XFS we would do:

mkfs -V -t xfs -L CR_DVD_on_F2 /dev/mapper/cr_dvd_f1x

and I would name the image file “crypta_f1_dvd.x”. That’s the only thing
different.

file -s /dev/mapper/cr_dvd_f1r

We check that the filesystem has been created.

cryptsetup status cr_dvd_f1r

We test its status.

cryptsetup remove cr_dvd_f1r

We delete the unencrypted virtual device.

losetup -d /dev/loop1

We delete the encrypted virtual device.

The image has been created; now we need to prepare for normal usage.
In “/etc/crypttab” we add this line:

cr_dvd_f1r /imgs/crypta_f1_dvd.r none noauto

And this other in fstab:

/dev/mapper/cr_dvd_f1r /mnt/crypta.dvd1.r \
reiserfs noatime,noauto,nofail 1 5

(one line, no end “\”)

Obviously, change what you want, as long as it matches. Nofail is
required or the boot process will abort if the mapped device does not exist
during boot - and it doesn’t. We also need to create the mount point. For
xfs we would write instead:

cr_dvd_f1x /imgs/crypta_f1_dvd.x none noauto

/dev/mapper/cr_dvd_f1x /mnt/crypta.dvd1.x \
xfs noatime,noauto,nofail 1 5

From now on, to mount the looped device we only need to issue this
command - all that we did above is preparation:

rccrypto start cr_dvd_f1r

or

rccrypto start /mnt/crypta.dvd1.r

We use “stop” instead to umount it. We can also use “status”.
Before version 11.2 the script is /etc/init.d/boot.crypto
(/sbin/rccrypto is a symbolic link I suggested be added, and
they did so ;-) ).

If when we do “start” it fails, look in the log; the terminal
messages are confusing, perhaps intentionally. If the log says
that the device is already mapped, it could be true; check with
“dmsetup ls”, and delete with “dmsetup remove”. Remember that
both gnome and kde would like to mount the devices on their
own, and if they do, the script will fail.

There is (was?) a bug in 11.2, after one of the updates, that
makes the script report failure, even if it worked. Check with
“… status”.

Once the image is mounted, we simply copy data to it, using
whatever we prefer: in /mnt/crypta.dvd1.r we have a 4 GB
filesystem for our use :-)

To burn the image to the DVD:

wodim -eject -v dev=/dev/dvd /imgs/crypta_f1_dvd.r

or k3b, brasero, whatever you like, as if it were an ISO image.
It will probably complain that it is not an ISO, just ignore
the warning. Make sure the image is not mounted, or the DVD
image will be created “opened”, and it will attempt an fsck
on mount which will fail (the DVD is not writable) and abort.

I also test the result of the burning in my burn script (after
ejecting and closing the drive, or it will fail):

cmp --bytes=$(wc -c </imgs/crypta_f1_dvd.r) /dev/dvd /imgs/crypta_f1_dvd.r

For mounting the DVD, it is enough to insert it, gnome will
ask for the password automatically. KDE should do the same
thing. Notice that you can not have the image and the DVD
mounted simultaneously; there is, or may be, a UUID conflict.

You can also mount the DVD manually. In /etc/crypttab:

cr_dvd.l /dev/dvd.l none noauto,loop

where /dev/dvd.l is a symbolic link to /dev/dvd you have
to create on each boot (boot.local). It is a trick to help
the rccrypto script to distinguish what you want to mount
(a plain dvd or the encrypted one).

In /etc/fstab:

/dev/mapper/cr_dvd.l /mnt/dvd.crypta.l auto \
ro,noauto,user,noatime,nodiratime 0 0

(one line, no end “\”)

And then we can mount the dvd with “rccrypto start cr_dvd.l” or
“rccrypto start /mnt/dvd.crypta.l”.

And that is all, if I did not make mistakes 8-)

Warning: if the DVD develops errors, it might be unrecoverable. Create two
at least if your data is important. I know of a procedure to add forward
recovery data to plain ISO 9660 DVDs, but not for the type I have described.

> I’m not married to CDROM as a medium - that was just a first shot. USB flash
> drives would probably be more functional but the question of encryption still
> applies.

It is possible, I also use encrypted USB hard disks.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
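
The warnings in this thread about read errors come down to one area of the disc: if the LUKS header and key slots cannot be read, nothing after them can be decrypted. As an added example (not part of the original posts), the script below fingerprints just that area so the image, the burned disc and a later re-read can be compared. It assumes the LUKS1 layout that cryptsetup wrote at the time of this thread (a LUKS2 header is rejected); the function names and the sample header are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumes the LUKS1 on-disk layout:
# magic "LUKS\xba\xbe" at byte 0, 16-bit version at byte 6, and the payload
# offset (in 512-byte sectors, 32-bit big-endian) at byte 104.

# Print the number of bytes before the encrypted payload (header + key slots).
luks1_header_bytes() (
    src=$1
    magic=$(od -An -tx1 -N6 "$src" | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || { echo "$src: no LUKS magic" >&2; exit 1; }
    set -- $(od -An -tu1 -j6 -N2 "$src")
    [ $(( $1 * 256 + $2 )) -eq 1 ] || { echo "$src: not LUKS version 1" >&2; exit 2; }
    set -- $(od -An -tu1 -j104 -N4 "$src")
    echo $(( ((($1 * 256 + $2) * 256 + $3) * 256 + $4) * 512 ))
)

# SHA-256 of that area only; works on an image file or a block device.
luks1_header_digest() (
    n=$(luks1_header_bytes "$1") || exit 1
    head -c "$n" "$1" | sha256sum | cut -d' ' -f1
)

# Succeeds only if both sources are LUKS1 and carry an identical header area.
luks1_header_matches() (
    a=$(luks1_header_digest "$1") || exit 2
    b=$(luks1_header_digest "$2") || exit 2
    [ "$a" = "$b" ]
)

# Constructed sample (not a real header): magic, version 1, payload offset 8.
make_constructed_sample() {
    { printf 'LUKS\272\276\000\001'; head -c 96 /dev/zero
      printf '\000\000\000\010'; head -c 8000 /dev/zero; } > "$1"
}

# Demo on the constructed sample; in practice pass the image and /dev/dvd.
demo=$(mktemp)
make_constructed_sample "$demo"
echo "header area: $(luks1_header_bytes "$demo") bytes, sha256 $(luks1_header_digest "$demo")"
rm -f "$demo"
```

cryptsetup's own luksHeaderBackup command writes a restorable copy of this same area; store any such copy as carefully as the disc itself, since it contains the key slots.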

Carlos E. R. wrote:

> Warning: if the DVD develops errors, it might be unrecoverable. Create two
> at least if your data is important. I know of a procedure to add forward
> recovery data to plain ISO 9660 DVDs, but not for the type I have
> described.
>
>
>> I’m not married to CDROM as a medium - that was just a first shot. USB
>> flash drives would probably be more functional but the question of
>> encryption still applies.
>
> It is possible, I also use encrypted USB hard disks.

Thanks, Carlos. Copied and saved - my poor old brain would miss at least
two steps ;-) I especially appreciate the check/test steps.

I’ll probably end up with USB drives as well - I saw them on Amazon.com for
$105 for 1TB - even our graphics people would have trouble filling that up.

Now off to modify some storage on the server to provide an encrypted place
to store live runtime files. A quick stop at the local pawn shop turned up
a decent HP box and UPS that I can tuck away in a secure/obscure room to
hold it all so this may be less painful than I figured…


Will Honea