Burning encrypted data-DVDs or -CDs

Written for my blog on linuxquestions.org

Posted 1st May 2018 at 08:00 by Michael Uplawski

Tags disk-encryption, dvd, iso-image, luks

Already using a LUKS-encrypted hard-disk partition for data storage, I thought it would be a good idea to backup some files to an optical drive, instead.

A procedure to create a LUKS-encrypted DVD is outlined, further below in this blog entry.

As the software evolves, some of the advice that I found on the Internet is too old, but the fact is not easily detectable. Some of the mentioned tools are no longer available and some procedures are considered outdated. Here is the URL to one of the better tutorials that I can recommend: Creating a LUKS-encrypted DVD/BD data disc. The reason, why I prefer this tutorial is simply that it is the first one which worked

You must install the cryptsetup packages, which include LUKS support and for the UDF-filesystem the udftools. Other file-systems, iso9660 inclusive, should be okay, though.

Procedure

  1. Make an ISO container. truncate -s 23500M image.iso If you use a DVD of a capacity of 4.7G, do not choose 4.7G nor 4700M. This image would become too big for burning. Brasero, for example, reports 4.2G for an image file of only 4G (4194M) on disk.
  2. Set up a loop device. sudo losetup /dev/loop1 image.iso (increment the device-number if needed.)
  3. Format the loop device as a LUKS container. sudo cryptsetup luksFormat /dev/loop1 If you prefer to read key-data from a key-file rather than providing a key-phrase via keyboard, you can simply append the above command with the path to the key-file. The option “--key-file” is optional for “luksFormat”.
  4. Create a block device mapping for the LUKS container. sudo cryptsetup luksOpen /dev/loop1 volume1 Do not forget to add the path to the key-file, if you have named one in the previous command. Different from luksFormat, luksOpen needs the “--key-file” option in this case (beats me).
  5. Make a UDF filesystem on the block device sudo mkudffs --label='Give the filesystem a label' /dev/mapper/volume1
  6. Mount the UDF filesystem. sudo mkdir /media/datadisc sudo mount -t udf /dev/mapper/volume1 /media/datadisc
  7. Copy any files into the mount point
  8. Safely unmount the UDF filesystem. sudo umount /dev/mapper/volume1
  9. Close up the encrypted LUKS container and clean up the loop device. sudo cryptsetup luksClose volume1 sudo losetup -d /dev/loop1
  10. Burn the ISO file as-is to disc

To mount the encrypted disk

  1. sudo losetup /dev/loop1 /dev/sr0
  2. sudo cryptsetup -r luksOpen /dev/loop1 volume1
  3. sudo mount -t udf -o ro /dev/mapper/volume1 /media/datadisc

To unmount:

  1. sudo umount /dev/mapper/volume1
  2. sudo cryptsetup luksClose volume1
  3. sudo losetup -d /dev/loop1
Ω