cdrecord
Maximilian has created a patch for cdrecord that encrypts the data being burned on the fly; get the patch here.
Burning the cd
After patching cdrecord:
Create encrypted cdrom from standard iso image for use with dm-crypt:
# cdrecord -dev=0,0,0 -encrypt -encpass=mypassword image.iso
Or alternately, if you would like to put the password in a file:
# cdrecord -dev=0,0,0 -encrypt -encpassfile=path/to/passfile image.iso
Note:
cdrecord may not like trailing linefeeds, newlines, etc., at the end of the file. Even though hashalot's sha256 returns the same hash for a file that varies only by the ending type (newline, linefeed, or nothing), I suspect that cdrecord may hash each of these variants differently. Until someone can test this, I recommend using NO end-of-file or end-of-line characters. Use "echo -n foo > testpass", "dd if=/dev/urandom of=testpass bs=1 count=32" or similar, but not a text editor.
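Two small helpers for that passphrase file, added here as an example and not part of the original page or the cdrecord patch: passfile_ok refuses a file whose last byte is a line terminator, and passfile_create writes a random passphrase the way the note recommends (no editor, no trailing newline). The file name is the only assumption; the hex encoding is my choice so the file contains no NUL bytes.

```shell
#!/bin/bash
# Added example, not from the original page: helpers for the passphrase file
# handed to cdrecord -encpassfile (and reusable for cryptsetup -d).
# passfile_ok checks that the file is non-empty and that its last byte is not
# a line terminator, since cdrecord may hash "foo" and "foo\n" differently.

passfile_ok() {
    local f="$1" last
    if [ ! -s "$f" ]; then
        echo "$f: missing or empty" >&2
        return 1
    fi
    # Octal value of the last byte: 012 is LF, 015 is CR.
    last=$(tail -c 1 "$f" | od -An -to1 | tr -d ' \n')
    case "$last" in
        012|015)
            echo "$f: ends with a line terminator (octal $last); recreate it without one" >&2
            return 1 ;;
    esac
    return 0
}

# passfile_create writes 32 random bytes as 64 hex characters with no trailing
# newline (hex keeps the file free of NUL bytes, which C tools would treat as
# end of string) and restricts the file to its owner via umask.
passfile_create() {
    local f="$1"
    ( umask 077 && head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$f" ) || return 1
    passfile_ok "$f"
}
```

Run `passfile_ok path/to/passfile` before burning; a non-zero exit means the file would be hashed with a terminator included.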
Mounting the cd using cryptsetup version 0.1
# losetup /dev/loop0 /dev/cdrom
# cryptsetup -c aes -s 256 -h sha256 create cdrom /dev/loop0
Password:
# mount /dev/mapper/cdrom /mnt/cdrom
Note:
cryptsetup-0.1 has a bug that prevents setting up encrypted mappers for read-only devices.
You will have to work around this with "losetup /dev/loop0 /dev/cdrom" and use /dev/loop0 for cryptsetup.
Current versions (in CVS) have already fixed this issue, and encrypted cdroms should work fine with the next cryptsetup (not released yet ...).
Mounting the cd without interaction using cryptsetup version 0.1
If you want to mount the CD without user interaction (that is to say, no "Password" prompt), you will need to do the following:
1. Get the HASH of your password.
# cat path/to/passfile | sha256 > passhash
2. Set up the loopback as before
# losetup /dev/loop0 /dev/cdrom
3. Run cryptsetup with the "-d" option, with a path to the file holding the HASH of your password.
# cryptsetup -c aes -s 256 -h sha256 -d path/to/passhash create cdrom /dev/loop0
4. Mount the decrypted CD as before
# mount /dev/mapper/cdrom /mnt/cdrom
Note that the above is useful in instances where you have a physical "token" instead of, or in conjunction with, a password.
Mounting the cd using cryptsetup version 0.2 and above (not released yet)
# cryptsetup -r -c aes -s 256 -h sha256 create cdrom /dev/cdrom
Password:
# mount /dev/mapper/cdrom /mnt/cdrom
Note the added -r (read-only) option to cryptsetup, introduced in v0.2; with it the losetup workaround is no longer needed.
Other info (old)
create:
mkisofs -J -R . |
aespipe -H sha256 -e aes256 > image.iso
growisofs -Z /dev/dvd=image.iso (cdrecord image.iso)
mount:
losetup /dev/loop0 /dev/dvd
cryptsetup -c aes -s 256 -h sha256 create crypt1 /dev/loop0
mount /dev/mapper/crypt1 /mnt/ccdrom/
(there is a bug in cryptsetup-0.1 that prevents mounting readonly media directly, you have to use losetup workaround for now)
You can also use the executable-map feature of an automounter to automatically determine whether the CD/DVD is encrypted and set things up.
The format is as follows:
/etc/auto.master contains a line
/mnt/auto /etc/automount.sh --timeout=2
and /etc/automount.sh is a script that gets the mountpoint as $1 (for example $1=cdrom for accesses to /mnt/auto/cdrom)
and returns a mount line of the form "-fstype=$fs,users,exec,$options :$device", but can do anything in between.
It can determine if there is an unencrypted iso9660 and if not do losetup and cryptsetup and return a mount-line for the loopback-device.
A possible script looks as follows:
#!/bin/sh
if [ "$1" = "cdrom" ] ; then
############################
# break down the cryptoloop left over from the previous mount
#
cryptsetup remove crypt1
losetup -d /dev/loop0
# debug output goes to stderr so it does not corrupt the map entry on stdout
echo 1 >&2
############################
# do this and exit if the disc is not encrypted at all
#
isoinfo -i /dev/hdc && echo "-fstype=iso9660,users,exec,ro :/dev/hdc" && exit
echo 2 >&2
############################
# ask the user for the passphrase and set up the loopback-encryption
# TODO: user is hard-coded here because root has no access to a user's X11 display
losetup /dev/loop0 /dev/hdc
su fox -c "export DISPLAY=:0.0 && ssh-askpass" | cryptsetup -c aes -s 256 -h sha256 create crypt1 /dev/loop0
echo "-fstype=iso9660,users,exec,ro :/dev/mapper/crypt1";
exit
fi
One remaining problem is unmounting an encrypted cdrom this way: only the loop device is unmounted by the automounter,
but to eject the cd the loop must be removed manually or via a shell script like "crypteject".
Please tell me (Marcus@Wolschon.biz) if you find any good improvements to this method! :)
A replacement-script for cdrecord might look like:
#!/bin/bash
# This script is called instead of cdrecord and calls cdrecord internally, but encrypts the ISO on the fly.
# ssh-askpass is used to ask for the password (ONLY ONCE!!).
# aespipe reads the ISO on stdin, encrypts it, and writes to stdout; "-p 4" makes it read the
# passphrase from file descriptor 4, which is fed by the ssh-askpass output below.
aespipe -H sha256 -e aes256 -p 4 4< <(su fox -c "export DISPLAY=:0.0 && ssh-askpass") | cdrecord "$@"