Public key crypto with LUKS/dm-crypt?
Hey there everybody. We have weekly backups which are hand delivered on DVD to a safe-deposit box. I'd like to start encrypting the data such that it is protected on its way to the box, as the DVDs contain some pretty sensitive information.
Anyway, it seems that dm-crypt and LUKS can make use of a password, a key file, or any combination. The keyfile is really just a glorified password. Take some bytes from dev random, store it in a file, and use it to encrypt and decrypt the device. It does not, however, seem like I can use public/private keypairs, such that the server that's actually encrypting the devices would only have the public key, which would be useless in attempting to decrypt the file.
Does anybody know if I could accomplish this without too much trouble? Is there a reason why this hasn't been implemented directly into cryptsetup/LUKS yet?
Only reason that I'd prefer to do it this way as opposed to simply tar'ing my files and using gpg is that I like the idea of simply popping in the CD and having it prompt me for the password automatically like it does with my USB drive (except in this case it would be asking for the passphrase to the secret key). This way I don't have to go through showing all the people that might be involved how to decrypt and then untar.
Thanks,
Ken
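
A hybrid arrangement of the kind the question describes, as an added example that is not part of the original post: a random keyfile unlocks the LUKS image, and only a copy of that keyfile encrypted to a GPG public key is kept. The recipient ID, file names, image size, ext4 and the mapper names are assumptions, and the cryptsetup and mount steps need root.

```shell
#!/bin/sh
# Added example (not from the post). All names and sizes are assumptions.

# Create a keyfile of random bytes, readable only by the owner.
make_keyfile() {   # $1 = path, $2 = size in bytes (default 64)
    ( umask 077 && head -c "${2:-64}" /dev/urandom > "$1" )
}

# Encrypt the keyfile to the recipient's PUBLIC key; no secret key is needed.
wrap_keyfile() {   # $1 = keyfile, $2 = GPG recipient
    gpg --batch --yes --encrypt --recipient "$2" --output "$1.gpg" "$1"
}

# Build a LUKS image holding the backup (server side, run as root).
build_image() {    # $1 = image, $2 = keyfile, $3 = source dir, $4 = size
    truncate -s "$4" "$1" &&
    cryptsetup luksFormat --batch-mode --key-file "$2" "$1" &&
    cryptsetup open --key-file "$2" "$1" backup_tmp &&
    mkfs.ext4 -q /dev/mapper/backup_tmp &&
    mnt=$(mktemp -d) &&
    mount /dev/mapper/backup_tmp "$mnt" &&
    cp -a "$3"/. "$mnt"/ &&
    umount "$mnt" && rmdir "$mnt" &&
    cryptsetup close backup_tmp
}

# Server-side run: afterwards only backup.img and backup.key.gpg remain.
make_backup() {    # $1 = source dir, $2 = GPG recipient
    make_keyfile backup.key &&
    wrap_keyfile backup.key "$2" &&
    build_image backup.img backup.key "$1" 4G
    rc=$?
    shred -u backup.key        # always remove the plaintext keyfile
    return "$rc"
}

# Restore side (holder of the secret key): gpg prompts for the secret-key
# passphrase and the decrypted keyfile is piped straight into cryptsetup.
open_backup() {    # $1 = image, $2 = wrapped keyfile
    gpg --decrypt "$2" | cryptsetup open --key-file - "$1" backup
}
```

The plaintext keyfile exists on the server while the image is being built, so this protects the media after the run rather than the server during it.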