Skip to content

Instantly share code, notes, and snippets.

@ladamson
Last active October 5, 2023 18:08
Show Gist options
  • Save ladamson/6451510 to your computer and use it in GitHub Desktop.
Save ladamson/6451510 to your computer and use it in GitHub Desktop.
Burn encrypted CD/DVD/BD (Bluray) with K3b. Keywords: Linux, Debian, Ubuntu
#!/bin/bash
#
# Purpose:
#
# When you burn with K3b, this script will prompt for your
# desired encryption password (twice), and will encrypt the
# generated ISO with that password. If your passwords don't
# match, you will be prompted to enter them again. Your chosen
# password must be at least 20 characters long (this is a
# requirement of aespipe).
#
# Dependences:
#
# apt-get install aespipe zenity
#
# Usage:
# Put this script in ~/bin/genisoimage (the filename must be exactly "genisoimage")
#
# In K3b:
# Settings > Configure K3b > Programs
# On Search Path tab, add ~/bin (full path, not using ~/)
# On Programs tab, click Search button. Then select ~/bin/genisoimage as the default mkisofs program.
#
# That's it, K3b will now prompt you for the password when you click the final Burn button, and the
# ISO that's written to the disc will be encrypted. See the file below for how to mount the encrypted
# disc.
#
# I've used this with Bluray (BD-RE) discs only, but it should work fine for DVDs and CDs too.
#
# Technical note: The encryption is done using aespipe, which uses the deprecated loop-aes encryption.
# Support for loop-aes in the kernel has been removed, but "cryptsetup" can mount the encrypted ISO image
# just fine, so you needn't worry about losing support for mounting the discs. A method of encrypting the ISO
# image using the newer dm-crypt method is possible, but would require allocating disk space for the ISO
# rather than doing the encryption on-the-fly using a pipe. You'd also have to remove the ISO afterward,
# which couldn't be done in this script. I wasn't able to locate a dm-crypt replacement for aespipe.
#
# We assume that if K3B is calling us with < 10 arguments,
# it is not doing a burn, but is instead probing for supported
# features.
if [ $# -lt 10 ]; then
/usr/bin/genisoimage "$@"
exit $?
fi
# If K3B calls us to get the ISO size, just let the real genisoimage handle it.
# The encrypted ISO size will be identical to the unencrypted size.
for arg in $@
do
if [ "$arg" == "-print-size" ]; then
/usr/bin/genisoimage "$@"
exit $?
fi
done
# If you want to burn without being prompted for a password, remove
# this section and use aespipe's -P option to provide the password
# in a file. You should also be able to use GPG encryption using
# aespipe, but I haven't tested that.
while `true`
do
password1=`zenity --password --title="Enter Password"`
password2=`zenity --password --title="Confirm Password"`
[ "$password1" == "$password2" ] && break
done
exec 3< <(echo "$password1")
# Uses deprecated loop-aes encryption
/usr/bin/genisoimage "$@" | aespipe -e aes256 -H sha256 -p 3
#!/bin/sh
# Configure odd_device and mount_dir if needed
loopback_device=`losetup -f`
odd_device="/dev/dvd"
mount_dir="/mnt/loop"
mapper_name="decrypt_odd"
losetup "$loopback_device" "$odd_device"
cryptsetup --hash sha256 --cipher aes-cbc-plain --key-size 256 create "$mapper_name" "$loopback_device"
mount /dev/mapper/"$mapper_name" "$mount_dir"
# To unmount and clean up:
#
# umount "$mount_dir"
# cryptsetup remove "$mapper_name"
# losetup -d "$loopback_device"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment