LinuxQuestions.org
Old 11-22-2003, 10:59 PM   #1
beaucoup
Member
 
Registered: Jun 2003
Location: Florence, SC
Distribution: Gentoo i386
Posts: 180

Rep: Reputation: 30
Encrypting backups


I periodically back up most of my user data using the only real medium I have handy for the purpose: CD-Rs. I'd like to start doing this cryptographically, so that I don't have all my private data readily accessible via CD; can anyone recommend a tool for doing this? Presumably, I'd need some kind of key management, since there will be quite a few CDs; I'd imagined carrying the keys around on my USB mini drive.

-Andrew
 
Old 11-22-2003, 11:26 PM   #2
green_dragon37
Member
 
Registered: Oct 2002
Location: Lower Alabama
Distribution: Slackware, OpenBSD 3.9
Posts: 344

Rep: Reputation: 31
What exactly is your process for backing up this data? It could be very easy to add an encrypting step with gpg. Ex.: (assuming you already have a key prepared)

1. tar -cvjf backup.tar.bz2 ~/
2. gpg -r <keyname> -e backup.tar.bz2
3. mkisofs <your options> backup.tar.bz2.gpg > backup.iso
4. cdrecord <options> backup.iso

Then you have your data encrypted, compressed, and on CDR.
Put key on drive:
1. gpg --export-secret-keys <keyname> > your.key
2. mv to drive

Recover data:
1. go to other box
2. gpg --import < /path/to/your.key
3. cp /mnt/cdrom/backup.tar.bz2.gpg ~/
4. gpg -d backup.tar.bz2.gpg
5. (enter passphrase)
6. you then have a tar.bz2 archive of your data in other home dir.

Ian
 
Old 11-22-2003, 11:38 PM   #3
beaucoup
Member
 
Registered: Jun 2003
Location: Florence, SC
Distribution: Gentoo i386
Posts: 180

Original Poster
Rep: Reputation: 30
I have a bash script for doing the backups that should be fairly easy to adapt to such a process.
How do I generate a key? (I'm not very familiar with PGP in general...)

-Andrew
 
Old 11-22-2003, 11:42 PM   #4
green_dragon37
Member
 
Registered: Oct 2002
Location: Lower Alabama
Distribution: Slackware, OpenBSD 3.9
Posts: 344

Rep: Reputation: 31
Generating a key:
http://www.nmlug.org/faqs/gen-gpg-key.html

In step 5, if you upload this key to the server, then anyone with access to this server, and thus your key, will be able to decrypt the data! I have 2 keys, one I use for email, and one for encrypting my own data.

Ian
 
Old 11-22-2003, 11:53 PM   #5
beaucoup
Member
 
Registered: Jun 2003
Location: Florence, SC
Distribution: Gentoo i386
Posts: 180

Original Poster
Rep: Reputation: 30
I'm confused...why would I use a public key system to encrypt my private data?
 
Old 11-22-2003, 11:56 PM   #6
green_dragon37
Member
 
Registered: Oct 2002
Location: Lower Alabama
Distribution: Slackware, OpenBSD 3.9
Posts: 344

Rep: Reputation: 31
Simply guard the key with your life. That's why I have multiple keys: 1 to share, so people can decrypt and verify my mail, and one protected so that I can only decrypt my files. If you create a passphrase with your data key, no-one can use it to decrypt without the passphrase.

Ian
 
Old 11-23-2003, 12:07 AM   #7
beaucoup
Member
 
Registered: Jun 2003
Location: Florence, SC
Distribution: Gentoo i386
Posts: 180

Original Poster
Rep: Reputation: 30
Fair enough. It still seems odd to use PGP for something of this nature, but at least it's well hardened, and a lot more portable/better maintained than other possibilities I've looked at. (CFS has never really impressed me, and TCFS is apparently years out of maintenance).

I assume it would be fairly reasonable, then, to use the same key for all my CDs?
 
Old 11-23-2003, 12:12 AM   #8
green_dragon37
Member
 
Registered: Oct 2002
Location: Lower Alabama
Distribution: Slackware, OpenBSD 3.9
Posts: 344

Rep: Reputation: 31
You bet. Just remember that if your key somehow gets out, then your data security will be compromised. You may want to "chmod 400 ~/.gnupg/pubring.gpg" so that no-one on your system can get your public keys w/o permission.

Ian
 
Old 11-23-2003, 02:46 AM   #9
beaucoup
Member
 
Registered: Jun 2003
Location: Florence, SC
Distribution: Gentoo i386
Posts: 180

Original Poster
Rep: Reputation: 30
Great! I've got that working pretty smoothly for me now, though I still haven't scripted the whole bit.
I'm still a bit fuzzy on what I'm supposed to do with my fingerprint, though; the tutorial seems to think it's awfully important for me to hold on to.

-Andrew
 
Old 11-23-2003, 09:19 AM   #10
zaphodiv
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 388

Rep: Reputation: 30
>In step 5, if you upload this key to the server, then anyone with
>access to this server, and thus your key, will be able to decrypt
>the data!

Uh, no. You publish your _public_ key. To decrypt data the corresponding
_private_ key is required.

>It still seems odd to use PGP for something of this nature
Yeah, people recommend it just because they have heard of it
or used it. For this purpose, PGP has no fundamental advantage
over a symmetric cypher.
The advantage of public key cyphers is that when communicating
with someone else you can send the public key and encrypted data
over an insecure channel and an eavesdropper can't read the message.
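
Added example, not written by any poster in this thread: a passphrase-only (symmetric) GnuPG backup that streams tar straight into gpg, so the plaintext archive is never written to disk. It assumes GnuPG 2.1 or later and GNU tar; the function names and the passphrase-file convention are illustrative choices.

```shell
#!/bin/bash
# Symmetric GnuPG backup helpers (added example; names are hypothetical).
# Assumes GnuPG 2.1+ (for --pinentry-mode) and GNU tar with gzip.

# Fail a pipeline if any stage fails, where the shell supports it.
(set -o pipefail) 2>/dev/null && set -o pipefail

# gpg_sym PASSFILE [gpg args...]
# The passphrase is read from a file (keep it mode 600, e.g. on the USB
# drive) rather than passed on the command line, where ps would show it.
gpg_sym() {
    local passfile=$1
    shift
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" "$@"
}

# backup_encrypt SRC_DIR OUT_FILE PASSFILE
# tar output is piped into gpg; only ciphertext reaches OUT_FILE.
backup_encrypt() {
    tar -czf - -C "$1" . |
        gpg_sym "$3" --symmetric --cipher-algo AES256 -o "$2"
}

# backup_list ARCHIVE PASSFILE
# Prints the file names in the archive without extracting anything.
backup_list() {
    gpg_sym "$2" --decrypt "$1" | tar -tzf -
}

# backup_restore ARCHIVE DEST_DIR PASSFILE
backup_restore() {
    mkdir -p "$2" && gpg_sym "$3" --decrypt "$1" | tar -xzf - -C "$2"
}
```

The resulting file can be handed to mkisofs and cdrecord in place of the public-key `.gpg` file; restoring on another machine needs only gpg and the passphrase, with no key import.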
 
Old 11-23-2003, 02:36 PM   #11
beaucoup
Member
 
Registered: Jun 2003
Location: Florence, SC
Distribution: Gentoo i386
Posts: 180

Original Poster
Rep: Reputation: 30
What, then, do you think might be more appropriate?
 
Old 11-24-2003, 08:09 PM   #12
beaucoup
Member
 
Registered: Jun 2003
Location: Florence, SC
Distribution: Gentoo i386
Posts: 180

Original Poster
Rep: Reputation: 30
Eventual solution

Thank you both for your help

While the PGP idea DID work, I was finding it tedious to have to extract a 700MB tarball off of a disc simply to determine what was on it. After some experimenting, I ended up patching my kernel to support the CryptoAPI and the cryptoloop driver (http://www.kerneli.org/cryptoapi/), and then using a loop device via losetup -e to write an encrypted image directly onto the CD. This way I can transparently decrypt and browse any filesystem I happen to put on a CD without having to read the whole disc or rely on the clunky CFS, which in my experience is riddled with I/O errors and doesn't hide directory structure.
The static size of the container file isn't a problem, since I know in advance that all my images are around 700MB, though I'm still not sure what cipher to use; aes128 has been working well so far.

Assuming all the proper modules have been loaded, my general procedure looks like this:

Backup:
dd if=/dev/zero of=~/loopfile bs=1k count=700k #create 700MB empty file
losetup -e aes /dev/loop0 ~/loopfile #Attach it cryptographically to loop device
[create password]
mkisofs [options] -o /dev/loop0 #Copy stuff to it, OR...
dd if=/dev/cdromx of=/dev/loop0 #Migrate existing plaintext backup
losetup -d /dev/loop0 #Detach, clean up
cdrecord [options] ~/loopfile #Burn encrypted image as-is
rm ~/loopfile #Skip this and reuse the loopfile for another disc if convenient

Restore:
losetup -e aes /dev/loop0 /dev/cdromx #Tie CD to loop device
[provide password]
mount -t [fs] -o [options] /dev/loop0 /mnt/cdromx #Mount system; now it can be used transparently

This should hopefully be somewhat scriptable!

-Andrew

Last edited by beaucoup; 11-24-2003 at 08:23 PM.
 
  

