Cryptsetup containers from DVD

[frapelli]

I have created an encrypted container with cryptsetup/luks, and I supposed I could store it on a DVD and then open (mount) it from the DVD. It seems it is not possible, since I get error message (more or less) "mount: wrong FS, invalid option, damaged superblock, missing codepage or somthing else".

If I recopy the mastered container again on HD, I can mount and work without problems. So the file is not damaged.

So I understand you can't use luks files in read only, right?

Any way to find a solution? Googling I found haw to get an encrypted DVD with cryptsetup, but I did not succede, and after all, maybe it is not what I want.

Any way to get an encrypted file with Criptsetup/Lucks that can be mounted straight from DVD?

Thanks

[AS]

Which method/commands did you used to 'mount' the encrypted DVD ?
Looking at the error it seems you are trying to mount the encrypted layer directly, which is not possible.

[frapelli]

Where "diskimage" is the container file burned on DVD, which is mountable till it is on HD:

Code:

[root@localhost francesco]# losetup /dev/loop1 /media/New/diskimage
[root@localhost francesco]# cryptsetup luksOpen /dev/loop1 diskimage
Inserire la passphrase per /dev/loop1:
[root@localhost francesco]# mount /dev/mapper/diskimage /mnt/discodati
mount: dispositivo a blocchi/dev/mapper/discodati è protetto da scrittura, viene montato in sola lettura
mount: tipo fs errato, opzione non valida, superblocco su /dev/mapper/discodati danneggiato,
       codepage o programma ausiliario mancante, o altro errore
       In alcuni casi si possono trovare informazioni utili in syslog. Provare
       ad esempio 'dmesg | tail'

[root@localhost francesco]#

Thanks

[AS]

Where "diskimage" is the container file burned on DVD, which is mountable till it is on HD:

Code:

[root@localhost francesco]# losetup /dev/loop1 /media/New/diskimage
[root@localhost francesco]# cryptsetup luksOpen /dev/loop1 diskimage
Inserire la passphrase per /dev/loop1:
[root@localhost francesco]# mount /dev/mapper/diskimage /mnt/discodati
mount: dispositivo a blocchi/dev/mapper/discodati è protetto da scrittura, viene montato in sola lettura
mount: tipo fs errato, opzione non valida, superblocco su /dev/mapper/discodati danneggiato,
       codepage o programma ausiliario mancante, o altro errore
       In alcuni casi si possono trovare informazioni utili in syslog. Provare
       ad esempio 'dmesg | tail'

[root@localhost francesco]#

Thanks

The read-only container should not be a problem, as cryptsetup also allow for a specific --readonly option.

As I understand you are actually mounting the DVD media on /media/New, then you try to mount the encrypted container "diskimage".

If so, may be /dev/loop1 is/was already in use ?   you can check for the next available loop device using: losetup -f

Also, what filesystem type do you used inside the encrypted container ?

[frapelli]

As I understand you are actually mounting the DVD media on /media/New, then you try to mount the encrypted container "diskimage".

Right, DVD is mounted on /media/New, then I try to mount "diskimage" (a container on DVD) on /mnt/discodati.

If so, may be /dev/loop1 is/was already in use ?   you can check for the next available loop device using: losetup -f

losetup -a before operations says there is no loop in use, and anyway the command actually try to mount the container, but is stopped by "wrong FS etc."

Also, what filesystem type do you used inside the encrypted container ?

UDF encrypted with cryptsetup[/quote]

[AS]

As I understand you are actually mounting the DVD media on /media/New, then you try to mount the encrypted container "diskimage".

Right, DVD is mounted on /media/New, then I try to mount "diskimage" (a container on DVD) on /mnt/discodati.

If so, may be /dev/loop1 is/was already in use ?   you can check for the next available loop device using: losetup -f

losetup -a before operations says there is no loop in use, and anyway the command actually try to mount the container, but is stopped by "wrong FS etc."

careful here: when you mount the DVD media under /media/New, /dev/loop0 will be used, and of course the next available should be /dev/loop1 ... but check immediately before to try to use losetup ...

Also, what filesystem type do you used inside the encrypted container ?

UDF encrypted with cryptsetup

try to use the -t (type) option on mount:

mount  -t  udf  /dev/mapper/diskimage /mnt/discodati

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

did you tried to use directly cryptsetup without the initial loop mount ?

cryptsetup  luksOpen  /media/New/diskimage  diskimage
mount  -t  udf  /dev/mapper/diskimage   /mnt/discodati

may be it will fail, because /media/New/diskmage is not a device, but you can try it  

[frapelli]

mount  -t  udf  /dev/mapper/diskimage /mnt/discodati

Same output as without -t udf

crypsetup  luksOpen  /media/New/diskimage  diskimage

Command not found ...

[AS]

mount  -t  udf  /dev/mapper/diskimage /mnt/discodati

Same output as without -t udf

crypsetup  luksOpen  /media/New/diskimage  diskimage

Command not found ...

sorry, there was a typo ....

cryptsetup  luksOpen  /media/New/diskimage  diskimage
mount  -t  udf  /dev/mapper/diskimage   /mnt/discodati

[frapelli]

Exactly the same uotput: "Wrong FS etc."   

cryptsetup  luksOpen  /media/New/diskimage  diskimage however is accepted, and output of lusetup -a after is :

/dev/loop0: [0b01]:260 (/media/New/diskimage)

[AS]

Exactly the same uotput: "Wrong FS etc."   

cryptsetup  luksOpen  /media/New/diskimage  diskimage however is accepted, and output of lusetup -a after is :

/dev/loop0: [0b01]:260 (/media/New/diskimage)

that's the correct and expected output from losetup -a.

Also, can't find anything different from this howto:
http://weichselbraun.net/manual/encrypted_dvd/encrypted_dvd.html

Sorry, out of ideas right now, but I'm going to test the case myself, I will report back on this thread.

AS

[frapelli]

Thanks

[AS]

Simulation completed, mostly following the howto here:
http://weichselbraun.net/manual/encrypted_dvd/encrypted_dvd.html
highighted in red the difference from the howto

   dd  if=/dev/zero  of=/system/dvd.img  bs=1000000  count=4700
    losetup  /dev/loop0  /system/dvd.img
    cryptsetup  -c  aes-cbc-essiv:sha256  -y  -s  256  luksFormat  /dev/loop0
    < enter the passphrase >

    cryptsetup  luksOpen  /dev/loop0  dvd

    mkudffs  --media-type=dvd  /dev/mapper/dvd
    mkdir /iso
    mount  /dev/mapper/dvd  /iso
    mount  -o  remount,rw  /iso
    # add some data, i.e. /iso/testfile

    umount  /iso
    cryptsetup  luksClose  dvd
    losetup  -d  /dev/loop0

At this point my image is prepared, now I remount /system as read-only (don't do this on your '/' and '/home' filesystems), therefore simulating a read-only media like CD/DVDs.

   mount  -o  remount,ro  /system

the mount command show it better:

/dev/sda13 on /system type ext4 (ro,noatime,acl)

now, I try to use the encrypted image:

  cryptsetup  luksOpen  /system/dvd.img  secret
   < enter the passphrase >
   mount  /dev/mapper/secret  /mnt
   [ mount: block device /dev/mapper/secret is write-protected, mounting read-only ]

 
You can see, there are no errors here, even using a read-only filesystem/image.

ls  /mnt:

total 0
drwxr-xr-x 2 root root 40 Jan  8 22:19 lost+found/
-rw-r--r-- 1 root root  9 Jan  8 23:20 testfile

df  -T

...
/dev/sda13    ext4     76G   41G   32G  57% /system
/dev/mapper/secret
                    udf      4.4G  290K  4.4G    1% /mnt

losetup  -a

/dev/loop0: [080d]:12 (/system/dvd.img)

ending the tests:

umount  /mnt
cryptsetup  luksClose  secret

all is fine here, even when using read-only device.


May I suggest to check your container using the md5sum utility ? results should match.

DVD: md5sum  /media/New/diskimage
HD:  md5sum  <location of your working copy on hd of the diskimage file>

also, once you have mapped your container using:

cryptsetup  luksOpen  /media/New/diskimage diskimage

try:

udffsck  /dev/mapper/diskimage

AS

[frapelli]

Thanks AS, it worked.

I just had to change  "of=/system/dvd.img " with the actual address of the file (/media/sdb4/dvd.img), I suppose it is what you meant since "system" gave me an error message.

I am sorry for my delay, but I am quite busy these days, and had not time for my experiments. I'll try again next week, and I'll let you know in case of troubles.

Thank again for your time and attention.

[AS]

Thanks AS, it worked.

I just had to change  "of=/system/dvd.img " with the actual address of the file (/media/sdb4/dvd.img), I suppose it is what you meant since "system" gave me an error message.

Of course, "/system" is a partition on my system, where there was enough free space to make the test 

I am sorry for my delay, but I am quite busy these days, and had not time for my experiments. I'll try again next week, and I'll let you know in case of troubles.

Thank again for your time and attention.

You are welcome!

AS