Subject: Re: portable encrypted CD/USB
To: None <netbsd-users@NetBSD.org>
From: Stefan 'Kaishakunin' Schumacher <firstname.lastname@example.org>
Date: 05/23/2007 09:56:22
Content-Type: text/plain; charset=iso-8859-15
Thus spoke Douglas Allan Tutty (email@example.com)
> On Tue, May 15, 2007 at 09:27:15PM +1000, Thilo Jeremias wrote:
> > Douglas Allan Tutty wrote:
> > >I see in the NetBSD guide about using the CGD to create an encrypted C
> > >It does note that such a CD can't be read with any other OS.
> > >
> > >Does anyone know of a tool to do something similar that is cross-OS
> > >between especially NetBSD and Debian GNU/Linux? Ideally, it wouldn't be
> > >limited to CD but could be used on e.g. USB sticks.
> > >
> > >
> > Things at a filesystem level are highly incompatible and specific to th
> > easier (not as elegant though) would be to script something around well-ported
> > tools like openssl
> The cross-platform nature was why I was interested in the CD aspect.
> iso9660 is OS independent. If only there was an iso* cross-platform
> rw filesystem. In any event, whatever filesystem can be written to any
> raw device.
> > (you might even include scripts for win/lnx & bsd) that call
> > openssl enc -aes-256-cbc -d -pass "pass:$1" -in "$2.cryp" -out "$2"
> I'll look into openssl. Unfortunately, on my Debian box, the ssl docs
> are in pod format, whatever that is; makes it hard to read as plain
> text. I'll try to find docs in pdf, html, or plain text.
Some years ago I wrote a small shell script to protect files on an HP
Jornada 680, before CGD was available. It is available as , but it
has several strong security issues. If you encrypt a decrypted file to
access it, you have to re-encrypt it if the content changed. And you
have to securely delete the encrypted version. A simple "rm foo" does
not work, since the content can still be reconstructed. Check out
pkgsrc/sysutils/wipe to securely delete files. But note that not all
filesystems allow secure deletion by overwriting data, and the way
data can be securely deleted also depends on the media. A Flash-EEPROM
(e.g. USB memory stick, CF card) can be securely deleted by overwriting
the data one time with 0 or 1. A magnetic device needs a more specific
If you need a good introduction to cryptography, read , if you
think you don't need to read , read  ;-)
> Debian has aespipe that takes input, encrypts it, and spits it out via
> pipes. I don't know the details since I haven't seen it for other OSs.
> Perhaps there's a simple way to use openssl like that. Then use your
> archive format of choice (is pax cross-platform?) and pipe it through to
> encrypt and decrypt.
If you want to encrypt on file level / via pipes, you could use almost
any encryption program available. I use mcrypt, which is available as
pkgsrc/security/mcrypt/, to encrypt my backups that way:
dump -0 -a -f - /dev/fss0 2>dumplog | bzip2 | \
mcrypt -a rijndael-256 > `date +%y%m%d`.asc
You could substitute mcrypt with GnuPG, OpenSSL or even /usr/bin/bdes,
which only supports DES and is therefore insecure.
If you are interested in portability of the encrypted files, I'd
suggest using GnuPG. It is available on anything Unix-like and on other
esoteric OSes like MS Windows or MacOS X ;-)
Applied Cryptography, Bruce Schneier
Why Cryptosystems Fail, Ross Anderson
PGP FPR: CF74 D5F2 4871 3E5C FFFE 0130 11F4 C41E B3FB AE33
What have people prayed for since childhood, what have they dreamed of,
what have they tormented themselves with? That someone tell them once and for all
what happiness is, and chain them to that happiness. And is that
exactly what we are doing? The age-old dream of paradise ...
Jewgenij Iwanowitsch Samjatin, »Wir« (We)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (NetBSD)
-----END PGP SIGNATURE-----
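The file-level / pipe approach the thread converges on (archive through a pipe into a portable symmetric cipher, never leaving a plaintext archive on the medium), as an added example that is not code from any poster in this thread. It assumes OpenSSL 1.1.1 or newer, since the `-pbkdf2` option did not exist in 2007-era `openssl enc`, which derived keys with the weak EVP_BytesToKey routine; it also assumes a tar that accepts `-C` and a password stored in a file readable only by the owner. The function names `enc_file`, `dec_file`, `enc_dir`, `dec_dir`, `list_enc` and `zero_file` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): portable file/pipe encryption with
# openssl enc, plus an in-place overwrite helper for the case the thread warns
# about (a decrypted copy that did land on disk and must be destroyed).
# Assumptions: OpenSSL >= 1.1.1 (for -pbkdf2), tar with -C, password file mode 0600.
set -u

CIPHER="-aes-256-cbc"              # same cipher family as in the thread; CBC gives no integrity check
KDF="-pbkdf2 -iter 200000 -salt"   # random per-file salt + PBKDF2 instead of the legacy EVP_BytesToKey

# enc_file PWFILE IN OUT : encrypt one file to a "Salted__"-prefixed blob that
# any OpenSSL >= 1.1.1 (Linux, *BSD, macOS, Windows builds) can open.
enc_file() {
    openssl enc $CIPHER $KDF -pass "file:$1" -in "$2" -out "$3"
}

# dec_file PWFILE IN OUT : decrypt one file. A wrong password or damaged
# ciphertext usually trips the padding check ("bad decrypt"), but CBC does not
# guarantee that; verify content separately (e.g. a checksum kept inside the archive).
dec_file() {
    openssl enc $CIPHER $KDF -d -pass "file:$1" -in "$2" -out "$3"
}

# enc_dir PWFILE DIR OUT : tar the directory straight into openssl, the same
# pattern as the dump | bzip2 | mcrypt pipeline, so no temporary plaintext archive exists.
enc_dir() {
    tar cf - -C "$2" . | openssl enc $CIPHER $KDF -pass "file:$1" -out "$3"
}

# dec_dir PWFILE IN DESTDIR : decrypt and unpack through a pipe.
dec_dir() {
    openssl enc $CIPHER $KDF -d -pass "file:$1" -in "$2" | tar xf - -C "$3"
}

# list_enc PWFILE IN : list archive members without writing any plaintext to disk.
list_enc() {
    openssl enc $CIPHER $KDF -d -pass "file:$1" -in "$2" | tar tf -
}

# zero_file FILE : overwrite the file's blocks in place with zeros (rounded up
# to whole 4 KiB blocks, which covers every original byte), sync, then unlink.
# This only helps where the filesystem rewrites the same blocks (no copy-on-write,
# no data journaling) and the medium does not remap writes; flash wear levelling
# defeats it, so the dependable answer is to encrypt before data is ever written.
zero_file() {
    n=$(wc -c < "$1")
    blocks=$(( (n + 4095) / 4096 ))
    dd if=/dev/zero of="$1" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
    sync
    rm -f "$1"
}

# usage: sh enc.sh enc-dir PWFILE DIR OUT.tar.enc
#        sh enc.sh dec-dir PWFILE IN.tar.enc DESTDIR
#        sh enc.sh list    PWFILE IN.tar.enc
case "${1:-}" in
    enc-dir) enc_dir "$2" "$3" "$4" ;;
    dec-dir) dec_dir "$2" "$3" "$4" ;;
    list)    list_enc "$2" "$3" ;;
    *)       : ;;   # no subcommand: file was sourced for its functions
esac
```

`openssl enc` in CBC mode provides confidentiality only; anyone who can modify the medium can flip bits undetected, which is one reason the poster's recommendation of GnuPG (`gpg --symmetric`, which adds an integrity check) is the better choice when portability and tamper detection both matter. The `list_enc` and `dec_dir` pipes avoid the re-encrypt-and-wipe problem described in the message entirely; `zero_file` is only for the cases where a plaintext copy already exists, and only on media where overwriting in place actually reaches the old blocks.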