Subject: Re: portable encrypted CD/USB
To: None <>
From: Stefan 'Kaishakunin' Schumacher <>
List: netbsd-users
Date: 05/23/2007 09:56:22
Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Also sprach Douglas Allan Tutty (
> On Tue, May 15, 2007 at 09:27:15PM +1000, Thilo Jeremias wrote:
> > Douglas Allan Tutty wrote:
> > >I see in the netbsd guide about using the CGD to create an encrypted C=
> > >It does note that such a CD can't be read with any other OS.
> > >
> > >Does anyone know of a tool to do something similar that is cross-OS
> > >between especially NetBSD and Debian GNU/Linux?  Ideally, it wouldn't =
> > >limited to CD but could be used on e.g. USB sticks.
> > >
> > > =20
> > Things at a filesystem level are highly incompatible and specific to th=
e OS,
> > easier (not as elegant though) would be to script something around well=
> > ported tools like openssl
> The cross-platform nature was why I was interested in the CD aspect.
> iso9660 is OS independant.  If only there was an iso* cross-platform
> rw filesystem.  In any event, whatever filesystem can be written to any
> raw device.
> >=20
> > (you might even include scripts for win/lnx & bsd) that call
> > openssl enc -aes-256-cbs -d -pass "$1" -in "$2.cryp" -out "$2"
> >=20
> I'll look into openssl.  Unfortunatly, on my Debian box, the ssl docs
> are in pod format, whatever that is; makes it hard to read as plain
> text.  I'll try to find docs in pdf, html, or plain text.

Some years ago I wrote a small shellskript to protect file on a HP
Jornada 680, before CGD was available. It is available as [1], but it
has several strong security issues. If you encrypt a decrpyted file to
access it, you have to reencrypt it if the content changed. And you
have to secure delete the encrypted version. A simple "rm foo" does
not work, since the content can still be reconstructed. Check out
pkgsrc/sysutils/wipe, to secure delete files. But note that not all
filesystems allow secure deletion by overweriting data and the way how
data can be secure deleted also depends on the media. A Flash-EEPROM
(eg. USB memory stick, CF Card) can be secure deleted by overwriting
the data one time with 0 or 1. A magnetic device needs a more specific

If you need a good introduction into cryptography, read [2], if you
think you don't need to read [2], read [3] ;-)

> Debian has aespipe that takes input, encrypts it, and spits it out via
> pipes.  I don't know the details since I haven't seen it for other OSs.
> Perhaps there's a simple way to use openssl like that.  Then use your
> archive format of choice (is pax cross-platform?) and pipe it through to
> encrypt and decrypt. =20

If you want to encrypt on file level / via pipes, you could use almost
any encryption program available. I use mcrypt, which is available as
pkgsrc/security/mcrypt/, to encrypt my backups that way:
 dump -0 -a -f - /dev/fss0 2>dumplog | bzip2 | \=20
 mcrypt -a  rijndael-256  > `date +%y%m%d`.asc

You could substitute mcrypt with GnuPG, OpenSSL or even /usr/bin/bdes,
which only supports DES and is therefor insecure.

If you are interested in portabilitiy of the encrypted files, I'ld
suggest to use GnuPG. It is available on anything Unix-like and other
esotheric OS like MS Windows or MacOS X ;-)

[2] Applied Cryptography, Bruce Schneier,=20
[3] Why Cryptosystems Fail, Ross Anderson,=20
PGP FPR: CF74 D5F2 4871 3E5C FFFE  0130 11F4 C41E B3FB AE33                                =20
Worum haben die Menschen von Kindesbeinen an gebetet, wovon haben sie getr=
womit haben sie sich gequ=E4lt? Da=DF irgendeiner ihnen ein f=FCr allemal s=
age, was das
Gl=FCck ist, und sie mit einer Kette an dieses Gl=FCck schmiede. Und ist di=
es nicht=20
gerade das, was wir tun? Der uralte Traum vom Paradies ...
Jewgenij Iwanowitsch Samjatin, =BBWir=AB

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.4.6 (NetBSD)