Introduction
The first rule about backups: DO backups! Ok, agreed. Where should I put my backups? I have a couple of external hard drives that I use most of the time, rsyncing all my files to the external disk. I do this quite regularly, once a week or so. This works fine. To be on the safe side, and to have archive copies of data I want to finally delete, I burn DVDs. But these DVDs contain data that is valuable to me, like secret keys or emails. I do not want them to lie around in the basement where some jerk could steal them easily (my basement is only one of a dozen cages for all the flats, which you can easily open if you really want to). So to be safe in that unfortunate situation I wanted to encrypt these DVDs. Then I started investigating...
First about the medium to use. Optical media tend to be too small by at least a few GBs; they always run behind the growth of hard drives and data volume. But tape drives are much more expensive and laborious to handle. And since I have DVD burners in all machines anyway, it seems to be a good fit. I even have dual layer drives, which alleviates that problem a bit. In the end I back up all the important personal data regularly, and the other data, which I wouldn't mind losing that much, is only synced to the mentioned external hard drive - encrypted, of course.
When I started investigating already available solutions I came across two at the Gentoo Wiki, which really has a lot of great content. The first document, HOWTO Burn Encrypted DVDs, describes a way using aespipe. With this you create the ISO and then pipe it through aespipe to encrypt it. This could have been the whole story but there is a small problem: since there is no metadata about the encryption parameters, you can't really tell in the future what is on the DVD. This may be desirable to deny knowledge about any content; if so, this might be the solution for you. I wanted an approach that will hold this metadata on the DVD and I thought about LUKS, which I already use for that very purpose on my encrypted hard drives. So I found the article HOWTO Burn Encrypted Optical Media With Luks, which does exactly that. So here I'm going to briefly describe what is done and present a heavily modified script that supports dual layer DVDs and has some parameters for customization.
There is support in Gnome that will automatically ask for the password if an encrypted volume is added to the system. Currently there seems to be a bug in the code that tries to mount the crypto volume on the DVD read-write which is of course not possible. A bug has been filed at Red Hat Bugzilla as #267021. So in the not-so-distant future we should be able to use these encrypted DVDs really comfortably.
The Procedure
The basic idea is simple: use the LUKS crypto container on a DVD and store the ISO9660 file system inside the container. To achieve this a few steps are necessary. First an empty file with the maximum size of the medium is created as the crypto container. Then an ISO image is generated from the given data sources (which are checked for size before the image is created, to make sure it fits). This ISO image is then piped into the encrypted container. After this the container is truncated to the real size. This truncated container is then burnt to DVD.
Installation
There is no installation needed. Just run the software. It needs bash, sed, awk, mkisofs and cdrecord (use wodim for this). This should all be in the standard distro. The script has been written for Fedora 7 and up, but should easily work on other distros as well.
Usage
The script is really simple to use. Either call it without any parameters to back up the current directory, or use the -d flag one or more times to define one or more directories to back up. If you back up the current directory it will be the root directory of the DVD. If you use the -d flag the directories will be stored on the DVD with the full path. To store the data with the full path when you only back up the current directory, use the -g flag. To burn on dual layer DVDs use the -D flag (for the size check). You can use -V and -P to supply a volume ID and a publisher string respectively (32 characters maximum, stick to ASCII). If you have an ISO and want to write it to an encrypted DVD, use the -i argument. Supply -k to prevent the encrypted ISO image from being deleted when done. Use -h to get a help message like this:

    [root@wintermute ~]# gencryptodvd -h
    Usage: /root/bin/gencryptodvd [options]
    Options:
      -i img.iso    Use given existing ISO image and put it into an encrypted container. -d/-V/-P/-g are ignored.
      -V volid      ISO volume ID
      -P publisher  ISO publisher
      -d dir        Directory to backup, may be used multiple times
                    if not given, current directory is backuped
      -D            Use dual layer DVD (used for size check)
      -g            Use graft-pointing (see man genisoimage)
      -G            Use short graft-points (basedir of source dir as dir on DVD)
      -k            Keep ISO image after burning
      -f            Force creation, delete crypto ISO image if it exists
      -h            This help message

The script has to be run as root!
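The steps from "The Procedure" (size check, full-size container, ISO piped into LUKS, truncation), written out as an added example; this is not the gencryptodvd script itself. The capacity constants, the mapping name cryptodvd and all function names are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: sizing logic and container build for a LUKS-in-file DVD image.
SECTOR=2048          # ISO9660 / DVD sector size in bytes
SL_SECTORS=2295104   # assumed single-layer capacity (DVD+R, 4.7 GB)
DL_SECTORS=4171712   # assumed dual-layer capacity (DVD-R DL, 8.5 GB)

# media_bytes sl|dl -> capacity of the medium in bytes
media_bytes() {
    case "$1" in
        dl) echo $((DL_SECTORS * SECTOR)) ;;
        *)  echo $((SL_SECTORS * SECTOR)) ;;
    esac
}

# final_size ISO_SECTORS HEADER_BYTES -> bytes to keep after truncation,
# rounded up to a whole DVD sector
final_size() {
    local raw=$(( $1 * SECTOR + $2 ))
    echo $(( (raw + SECTOR - 1) / SECTOR * SECTOR ))
}

# fits ISO_SECTORS HEADER_BYTES sl|dl -> exit status 0 if the container fits
fits() {
    [ "$(final_size "$1" "$2")" -le "$(media_bytes "$3")" ]
}

# build_container IMG sl|dl DIR...  (needs root; cryptsetup asks for the passphrase)
build_container() {
    local img="$1" media="$2"; shift 2
    local max iso_sectors loop payload header
    max=$(media_bytes "$media")
    iso_sectors=$(genisoimage -R -J -quiet -print-size "$@")  # 2048-byte sectors
    truncate -s "$max" "$img"                 # sparse file as large as the medium
    loop=$(losetup --find --show "$img")
    cryptsetup luksFormat "$loop"
    cryptsetup luksOpen "$loop" cryptodvd     # hypothetical mapping name
    payload=$(blockdev --getsize64 /dev/mapper/cryptodvd)
    header=$((max - payload))                 # LUKS header plus alignment
    if fits "$iso_sectors" "$header" "$media"; then
        genisoimage -R -J -quiet "$@" | dd of=/dev/mapper/cryptodvd bs=1M
    fi
    cryptsetup luksClose cryptodvd
    losetup -d "$loop"
    fits "$iso_sectors" "$header" "$media" || { rm -f "$img"; return 1; }
    truncate -s "$(final_size "$iso_sectors" "$header")" "$img"  # drop unused tail
}
```

Measuring the header as container size minus mapped size means the size check accounts for the LUKS header, so an ISO that would fill a plain DVD exactly is rejected rather than silently cut off.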
Download
News scripts are released and distributed under the terms of the GNU General Public License (GPL). By downloading and/or using the software you agree to this license!
You may download the news management scripts as a .gz file. Use gunzip to get the script file.
Latest version is 0.2.
CryptoDVD Backup | .sh.gz (3900 Bytes) |