Jari Ruusu <jariruusu@xxxxxxxxxxxxxxxxxxxxx> wrote:
> I hope you are not using the same key file to encrypt multiple DVDs.
> Re-using same key file for more than one file system will lead to
> identical ciphertexts. Identical ciphertexts leak information.

I must admit, I didn't get that. Mkisofs -r dirtree builds an ISO image which I pipe through aespipe. You mean I shouldn't use one keyfile twice for doing this? But you are not concerned that an attacker may find the key to the data in the first 8192 bytes?

However. Top on my to-do-list is a short guide on how to master ISO images for DVDs with loop-aes and keyfiles not on the DVD. "Perfect deniability" prohibits storing encrypted data along with non-encrypted data on same medium. That's why I'd rather prefer to remove mbr from harddisk and store keys + tools on removable media.

My question is how example 3.3. from aespipe.readme has to be altered to build encrypted DVDs with keyfiles outside the DVD. The aim is to store larger amounts of data safely and compatible with the future but without cleartext on any spot of the medium.

I tend to do this:

3.3. Example 3 - Encrypted DVD-R
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Create 65 random encryption keys and encrypt those keys using gpg. Reading from /dev/random may take indefinitely long if kernel's random entropy pool is empty. If that happens, do some other work on some other console (use keyboard, mouse and disks). Use of gpg encrypted key file depends on encrypted swap.

    head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 \
        | gpg --symmetric -a >/a/usbstick/keyfile.gpg

Create encrypted ISO9660 DVD-R image that can be mounted using Linux loop-AES crypto package version 3.0b or later:

    mkisofs -r directory-tree | aespipe -e aes128 -K /a/usbstick/keyfile.gpg >>image.iso

This image file can then be mounted under Linux like this:

    mount -t iso9660 image.iso /media/dvd -o loop=/dev/loop0,encryption=AES128,gpgkey=/a/usbstick/keyfile.gpg

Or, after writing image.iso to DVD-R, like this:

    mount -t iso9660 /dev/dvd /media/dvd -o loop=/dev/loop0,encryption=AES128,gpgkey=/a/usbstick/keyfile.gpg

Or, if this line is added to /etc/fstab file:

    /dev/dvd /cryptdvd iso9660 defaults,noauto,loop=/dev/loop0,encryption=AES128,gpgkey=/a/usbstick/keyfile.gpg 0 0

What would you say about this? Will that dvd lock-up again when opening one of its folders containing some 30,000 files in it? Will there be problems with reads at/after end of disk and such? Choice of high quality media is also an aspect, I know. Question is if above modification results in a well crafted image?

Proposals & critics welcome.

Regards,
Peter

--
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
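The point Jari raises at the top of the thread (one key file shared by several discs yields identical ciphertext wherever the same data lands at the same position) is easy to see in a small program. The following Go code is an added example for this page; it is not part of the thread, of loop-AES or of aespipe. It models a position-dependent sector cipher (AES-128 in CBC mode with the IV derived from the 512-byte sector number), which is an assumed simplification of loop-AES's on-disk layout rather than its exact IV scheme, but it shares the property that matters: same key, same sector number and same plaintext always give the same ciphertext. The function names, the constructed three-sector "discs" and the sample keys are all mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// SectorSize is the unit a loop device encrypts independently.
const SectorSize = 512

// encryptSector models a position-dependent, deterministic sector cipher:
// AES-128-CBC with the IV derived only from the sector number. This is a
// deliberate simplification (assumption: loop-AES derives its IV differently
// in detail), kept because it reproduces the leak being discussed.
func encryptSector(key []byte, sector uint64, plain []byte) ([]byte, error) {
	if len(plain) != SectorSize {
		return nil, fmt.Errorf("sector must be %d bytes, got %d", SectorSize, len(plain))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	out := make([]byte, SectorSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out, nil
}

// EncryptImage encrypts a whole image (length must be a multiple of
// SectorSize), numbering sectors from 0 the way a loop device would.
func EncryptImage(key, image []byte) ([]byte, error) {
	if len(image)%SectorSize != 0 {
		return nil, fmt.Errorf("image length %d is not a multiple of %d", len(image), SectorSize)
	}
	out := make([]byte, 0, len(image))
	for i := 0; i*SectorSize < len(image); i++ {
		ct, err := encryptSector(key, uint64(i), image[i*SectorSize:(i+1)*SectorSize])
		if err != nil {
			return nil, err
		}
		out = append(out, ct...)
	}
	return out, nil
}

// CountIdenticalSectors compares two encrypted images position by position
// and returns how many sectors carry byte-identical ciphertext. No key is
// needed: this is exactly what someone holding both discs can observe.
func CountIdenticalSectors(imgA, imgB []byte) int {
	n := len(imgA)
	if len(imgB) < n {
		n = len(imgB)
	}
	count := 0
	for off := 0; off+SectorSize <= n; off += SectorSize {
		if bytes.Equal(imgA[off:off+SectorSize], imgB[off:off+SectorSize]) {
			count++
		}
	}
	return count
}

// NewKey returns a fresh random AES-128 key, standing in for generating a
// separate key file for each disc instead of reusing one.
func NewKey() ([]byte, error) {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// SampleSector builds a constructed 512-byte sector filled with one byte value.
func SampleSector(b byte) []byte {
	return bytes.Repeat([]byte{b}, SectorSize)
}

// TwoDiscs builds two constructed images that share sectors 0 and 2 (think of
// the ISO9660 descriptors and a file present on both discs) but differ in
// sector 1, encrypts each under the given key and reports how many sectors
// of the two ciphertexts are identical.
func TwoDiscs(keyA, keyB []byte) (int, error) {
	discA := bytes.Join([][]byte{SampleSector('H'), SampleSector('A'), SampleSector('F')}, nil)
	discB := bytes.Join([][]byte{SampleSector('H'), SampleSector('B'), SampleSector('F')}, nil)
	encA, err := EncryptImage(keyA, discA)
	if err != nil {
		return 0, err
	}
	encB, err := EncryptImage(keyB, discB)
	if err != nil {
		return 0, err
	}
	return CountIdenticalSectors(encA, encB), nil
}

func main() {
	shared, _ := NewKey()
	other, _ := NewKey()
	reused, _ := TwoDiscs(shared, shared)
	separate, _ := TwoDiscs(shared, other)
	fmt.Printf("same key file on both discs: %d of 3 sectors identical\n", reused)
	fmt.Printf("separate key file per disc:  %d of 3 sectors identical\n", separate)
}
```

With the key file reused, the two shared sectors come out byte-identical, so anyone with both discs learns which parts of the two images hold the same data at the same offset, without touching gpg or the key. With a fresh key per disc the count drops to zero. In the thread's terms: generating a new keyfile.gpg (or at least new key material) for every mkisofs | aespipe run removes this leak, and the check above is the kind of comparison a reviewer can run on two finished images to confirm no sector repeats between them.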