Ken Rossato

Linux-Native Software Consultant and DevOps Architect

GNOME has support for mounting LUKS-encrypted filesystems. While I imagine this is mostly used with thumb-drives (which can be directly encrypted from the Disks app), we can take advantage of this support to burn optical (DVD or BD) media which requires a code to decrypt. This allows us to create archival backups of personal files that can be safely disposed of by simply separating the disc from the code. The code can be added to a password manager, or if physical theft is not a concern (or the backups are intended to be accessible by others) the code can be printed onto a jewel-case insert or post-it note with a reminder to remove before disposal.

Credit to Frederick Ding for the workflow that inspired this. The purpose of my differences is to avoid creating a larger ISO file (and burning session) than necessary.

Step 1: Generate an unencrypted ISO

genisoimage -o image.iso -V "Volume name" -r -hide-rr-moved files

Rock Ridge is a good idea for long file names and deep directories; Windows isn't going to be compatible, so why bother with Joliet. Loopback-mount the ISO to ensure it looks how you want before burning a coaster. Alternatively, you can do this step in a disc-burning application like Brasero, but I found this gets more cumbersome as the number of files increases.

Step 2: Append blank space for the LUKS header

truncate -s +32M image.iso

Step 3: Encrypt the ISO file

sudo cryptsetup reencrypt --encrypt --type luks2 --sector-size 2048 --reduce-device-size 32M image.iso

sudo is required, but hopefully only for this step. From man 8 cryptsetup-reencrypt:

--reduce-device-size size

This means that last size sectors on the original device will be lost, data will be effectively shifted by specified number of sectors.

It could be useful if you added some space to underlying partition or logical volume (so last size sectors contains no data).

[...]

Recommended minimal size is twice the default LUKS2 header size (--reduce-device-size 32M) for encryption mode.

Step 4: Burn it with growisofs

growisofs -dvd-compat -Z /dev/sr0=image.iso
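
A pre-burn check to run between Step 3 and Step 4, so a plaintext ISO is never written to disc if the encryption step failed or was skipped. This is an added example, not part of the original workflow; the function names hex_at and check_image and the return codes are hypothetical, and the check relies only on the LUKS2 magic and version at offset 0 and the ISO 9660 "CD001" marker at byte 32769.

```shell
#!/bin/sh
# Added example: sanity-check image.iso after Step 3, before Step 4.
# Return codes (chosen for this example):
#   0 = LUKS2 container sized in whole 2048-byte sectors
#   1 = no LUKS2 header found
#   2 = file missing
#   3 = size is not a multiple of the 2048-byte optical sector
#   4 = file is still a plaintext ISO 9660 image

# hex_at FILE OFFSET COUNT: print COUNT bytes at OFFSET as lowercase hex
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

check_image() {
    img=$1
    [ -f "$img" ] || { echo "no such file: $img" >&2; return 2; }

    # The container was created with --sector-size 2048, and optical media
    # is written in 2048-byte sectors, so a ragged tail is a red flag.
    size=$(wc -c < "$img" | tr -d ' ')
    if [ $((size % 2048)) -ne 0 ]; then
        echo "size $size is not a multiple of 2048" >&2
        return 3
    fi

    # LUKS magic "LUKS" 0xba 0xbe, then big-endian version 0x0002 (LUKS2).
    if [ "$(hex_at "$img" 0 8)" = "4c554b53babe0002" ]; then
        return 0
    fi

    # An unencrypted ISO 9660 image carries "CD001" at byte 32769
    # (sector 16, one byte into the volume descriptor).
    if [ "$(hex_at "$img" 32769 5)" = "4344303031" ]; then
        echo "plaintext ISO 9660 image: Step 3 was not applied" >&2
        return 4
    fi

    echo "no LUKS2 header at offset 0" >&2
    return 1
}
```

Call check_image image.iso and only proceed to growisofs when it returns 0.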

Last updated Jan 28th, 2025.