@ladamson
Last active October 5, 2023 18:08
Burn encrypted CD/DVD/BD (Bluray) with K3b. Keywords: Linux, Debian, Ubuntu
#!/bin/bash
#
# Purpose:
#
# When you burn with K3b, this script will prompt for your
# desired encryption password (twice), and will encrypt the
# generated ISO with that password. If your passwords don't
# match, you will be prompted to enter them again. Your chosen
# password must be at least 20 characters long (this is a
# requirement of aespipe).
#
# Dependencies:
#
# apt-get install aespipe zenity
#
# Usage:
# Put this script in ~/bin/genisoimage (the filename must be exactly "genisoimage")
#
# In K3b:
# Settings > Configure K3b > Programs
# On Search Path tab, add ~/bin (full path, not using ~/)
# On Programs tab, click Search button. Then select ~/bin/genisoimage as the default mkisofs program.
#
# That's it, K3b will now prompt you for the password when you click the final Burn button, and the
# ISO that's written to the disc will be encrypted. See the file below for how to mount the encrypted
# disc.
#
# I've used this with Bluray (BD-RE) discs only, but it should work fine for DVDs and CDs too.
#
# Technical note: The encryption is done using aespipe, which uses the deprecated loop-aes encryption.
# Support for loop-aes in the kernel has been removed, but "cryptsetup" can mount the encrypted ISO image
# just fine, so you needn't worry about losing support for mounting the discs. A method of encrypting the ISO
# image using the newer dm-crypt method is possible, but would require allocating disk space for the ISO
# rather than doing the encryption on-the-fly using a pipe. You'd also have to remove the ISO afterward,
# which couldn't be done in this script. I wasn't able to locate a dm-crypt replacement for aespipe.
#
# We assume that if K3B is calling us with < 10 arguments,
# it is not doing a burn, but is instead probing for supported
# features.
if [ $# -lt 10 ]; then
    /usr/bin/genisoimage "$@"
    exit $?
fi
# If K3B calls us to get the ISO size, just let the real genisoimage handle it.
# The encrypted ISO size will be identical to the unencrypted size.
for arg in "$@"   # quoted so arguments containing spaces are not split
do
    if [ "$arg" == "-print-size" ]; then
        /usr/bin/genisoimage "$@"
        exit $?
    fi
done
# If you want to burn without being prompted for a password, remove
# this section and use aespipe's -P option to provide the password
# in a file. You should also be able to use GPG encryption using
# aespipe, but I haven't tested that.
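while true
do
    # zenity exits non-zero when the dialog is cancelled; abort instead of
    # carrying on with an empty password.
    password1=$(zenity --password --title="Enter Password") || exit 1
    password2=$(zenity --password --title="Confirm Password") || exit 1
    [ "$password1" == "$password2" ] && break
done
# Hand the password to aespipe on file descriptor 3 (read via its -p option).
exec 3< <(printf '%s\n' "$password1")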
# Uses deprecated loop-aes encryption
/usr/bin/genisoimage "$@" | aespipe -e aes256 -H sha256 -p 3
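
#!/bin/sh
# Mounts a disc that was encrypted by the genisoimage wrapper above.
# Configure odd_device and mount_dir if needed
set -e  # stop at the first failing step rather than mounting a half-built mapping
loopback_device=$(losetup -f)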
odd_device="/dev/dvd"
mount_dir="/mnt/loop"
mapper_name="decrypt_odd"
losetup "$loopback_device" "$odd_device"
cryptsetup --hash sha256 --cipher aes-cbc-plain --key-size 256 create "$mapper_name" "$loopback_device"
mount /dev/mapper/"$mapper_name" "$mount_dir"
# To unmount and clean up:
#
# umount "$mount_dir"
# cryptsetup remove "$mapper_name"
# losetup -d "$loopback_device"
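
Added example, not part of the original gist: the mount script above uses plain dm-crypt, which stores no header and so cannot reject a wrong passphrase, and nothing in the burn step confirms that the disc really holds ciphertext. Checking for the ISO 9660 identifier on the raw device and on the mapped device answers both questions; the function names and the sample files are constructed for illustration.

```bash
# ISO 9660 places its Primary Volume Descriptor at sector 16 (byte 32768);
# bytes 1-5 of that sector are the ASCII identifier "CD001".

# Return 0 if the file or block device carries the ISO 9660 identifier.
has_iso9660_magic() {
    local magic
    magic=$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null | tr -d '\0')
    [ "$magic" = "CD001" ]
}

# Classify a raw disc and its dm-crypt mapping (both paths supplied by caller).
# Prints one of: plaintext, ok, wrong-key
check_encrypted_disc() {
    local raw="$1" mapped="$2"
    if has_iso9660_magic "$raw"; then
        echo "plaintext"    # the disc was burned without encryption
    elif has_iso9660_magic "$mapped"; then
        echo "ok"           # raw view is opaque, decrypted view is an ISO
    else
        echo "wrong-key"    # mapping exists but decrypts to garbage
    fi
}

# Constructed sample: 40 KiB image with "CD001" where a real ISO has it.
make_sample_iso() {
    dd if=/dev/zero of="$1" bs=1024 count=40 2>/dev/null
    printf '\001CD001\001' | dd of="$1" bs=1 seek=32768 conv=notrunc 2>/dev/null
}

# Constructed sample: same size, no identifier (stands in for ciphertext).
make_sample_opaque() {
    dd if=/dev/zero of="$1" bs=1024 count=40 2>/dev/null
}
```

With the variables from the mount script, run `check_encrypted_disc "$loopback_device" /dev/mapper/"$mapper_name"` after the `cryptsetup` step and mount only when it prints `ok`.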