Last active Feb 1, 2020
Burn encrypted CD/DVD/BD (Bluray) with K3b. Keywords: Linux, Debian, Ubuntu
#!/bin/bash
# Purpose:
#   When you burn with K3b, this script will prompt for your
#   desired encryption password (twice), and will encrypt the
#   generated ISO with that password. If your passwords don't
#   match, you will be prompted to enter them again. Your chosen
#   password must be at least 20 characters long (this is a
#   requirement of aespipe).
# Dependencies:
#   apt-get install aespipe zenity
# Usage:
#   Put this script in ~/bin/genisoimage (the filename must be exactly "genisoimage")
#   In K3b:
#     Settings > Configure K3b > Programs
#     On Search Path tab, add ~/bin (full path, not using ~/)
#     On Programs tab, click Search button. Then select ~/bin/genisoimage as the default mkisofs program.
# That's it, K3b will now prompt you for the password when you click the final Burn button, and the
# ISO that's written to the disc will be encrypted. See the file below for how to mount the encrypted
# disc.
# I've used this with Bluray (BD-RE) discs only, but it should work fine for DVDs and CDs too.
# Technical note: The encryption is done using aespipe, which uses the deprecated loop-aes encryption.
# Support for loop-aes in the kernel has been removed, but "cryptsetup" can mount the encrypted ISO image
# just fine, so you needn't worry about losing support for mounting the discs. A method of encrypting the ISO
# image using the newer dm-crypt method is possible, but would require allocating disk space for the ISO
# rather than doing the encryption on-the-fly using a pipe. You'd also have to remove the ISO afterward,
# which couldn't be done in this script. I wasn't able to locate a dm-crypt replacement for aespipe.

# We assume that if K3b is calling us with < 10 arguments,
# it is not doing a burn, but is instead probing for supported
# features.
if [ $# -lt 10 ]; then
    /usr/bin/genisoimage "$@"
    exit $?
fi

# If K3b calls us to get the ISO size, just let the real genisoimage handle it.
# The encrypted ISO size will be identical to the unencrypted size.
for arg in "$@"; do
    if [ "$arg" == "-print-size" ]; then
        /usr/bin/genisoimage "$@"
        exit $?
    fi
done

# If you want to burn without being prompted for a password, remove
# this section and use aespipe's -P option to provide the password
# in a file. You should also be able to use GPG encryption using
# aespipe, but I haven't tested that.
while true; do
    password1=`zenity --password --title="Enter Password"`
    password2=`zenity --password --title="Confirm Password"`
    [ "$password1" == "$password2" ] && break
done

# aespipe reads the password from file descriptor 3 (-p 3)
exec 3< <(echo "$password1")

# Uses deprecated loop-aes encryption
/usr/bin/genisoimage "$@" | aespipe -e aes256 -H sha256 -p 3

# Second file: mount the encrypted disc
#!/bin/bash
# Configure odd_device and mount_dir if needed
# (placeholder values, set these for your system)
odd_device=/dev/sr0
mount_dir=/mnt/encrypted_disc
mapper_name=encrypted_disc

loopback_device=`losetup -f`
losetup "$loopback_device" "$odd_device"
cryptsetup --hash sha256 --cipher aes-cbc-plain --key-size 256 create "$mapper_name" "$loopback_device"
mount /dev/mapper/"$mapper_name" "$mount_dir"

# To unmount and clean up:
#   umount "$mount_dir"
#   cryptsetup remove "$mapper_name"
#   losetup -d "$loopback_device"
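
The header states that aespipe requires a password of at least 20 characters, but the wrapper's prompt loop only checks that the two entries match, and a cancelled dialog yields two matching empty strings. The following is an added example, not part of the original gist: a POSIX-shell prompt routine that checks match and length before the genisoimage pipeline starts and stops when a dialog is cancelled. The names check_passphrase, prompt_passphrase, ask_zenity, MIN_PASSPHRASE_LEN and PASSPHRASE, and the retry limit, are assumptions made for this example.

```shell
# Added example; names and the retry limit are hypothetical, not from the gist.
MIN_PASSPHRASE_LEN=20   # minimum length stated in the gist's header for aespipe

# check_passphrase FIRST SECOND
# Returns 0 if usable, 1 if the two entries differ, 2 if too short.
check_passphrase() {
    [ "$1" = "$2" ] || return 1
    [ "${#1}" -ge "$MIN_PASSPHRASE_LEN" ] || return 2
    return 0
}

# prompt_passphrase ASK_CMD [MAX_TRIES]
# ASK_CMD is called with a dialog title, prints one entry on stdout and
# exits non-zero when the user cancels.
# On success sets PASSPHRASE and returns 0; returns 1 on cancel or when
# MAX_TRIES (default 3) attempts were all rejected.
prompt_passphrase() {
    ask=$1
    tries=${2:-3}
    while [ "$tries" -gt 0 ]; do
        first=$("$ask" "Enter Password") || return 1
        second=$("$ask" "Confirm Password") || return 1
        if check_passphrase "$first" "$second"; then
            PASSPHRASE=$first
            return 0
        fi
        tries=$((tries - 1))
    done
    return 1
}

# zenity exits non-zero when the dialog is cancelled, which ends the prompt.
ask_zenity() {
    zenity --password --title="$1"
}

# In the wrapper, before the pipeline is started:
#   prompt_passphrase ask_zenity || exit 1
#   exec 3< <(printf '%s\n' "$PASSPHRASE")    # bash; then aespipe ... -p 3
```

Exiting before genisoimage runs means a rejected or cancelled password stops the job before any data is piped toward the burner.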