Section: User Commands (1)
Updated: Jun 19, 2008


enciso - create encrypted ISO 9660 images


enciso [command] [options]


enciso is a wrapper script for gpg, aespipe and genisoimage for easy creation of encrypted ISO9660/Joliet/HFS filesystem images. Encryption is done by aespipe in multi-key-v3 mode, the keys can be saved in the header of the resulting image or in a separate key file. To mount the resulting images (or discs) the loop-AES kernel module is required (it is not required to create the image).

When creating a new image, a key file is generated containing 65 lines of random passwords, each one with a length of 120 characters. These 65 passwords will be used to encrypt the image with multi-key-v3 encryption, see aespipe(1) for details. The keys themselves are encrypted with gpg, currently only symmetric encryption (ie. with a password) is supported. The (ASCII-armored) output of gpg can be stored in a separate key file or in the image itself. In the latter case the first 16kB of the encrypted image will be used for the encrypted keys, padded with zeros to 16kB length.

The created image can be written to CD/DVD, the resulting discs can be transparently mounted on any system where the loop-AES kernel module and patched versions of mount and losetup are available. If the encrypted keys are not included in the image, the separate key file is required for mounting the disc/image.

Some meta information about the image is written to the comment section of the gpg output. Currently, these are: Comment: timestamp=<timestamp>
Comment: date=<YYYY/MM/DD hh:mm:ss>
Comment: version=<enciso version>
Comment: encryption=multi-key-v3
Comment: checksum=<type>:<checksum>
Comment: serial=<serial number>

The checksum and serial comments are only included if enabled with the appropriate command line options. The --noinfo option may be used to not include these comments. Note: the serial number included in the comments is the only information to identify the image without decrypting or mounting it (well, you may also write down the time you created an image, but the serial number is easier to work with). Both timestamp and date are UTC.

After the key creation aespipe is used to encrypt the image generated by genisoimage when using --create or an existing image when using --encrypt. The results are the same in both cases.

See the EXAMPLES section below for some usage examples and the commands to mount encrypted images or discs.

If you have any further questions, suggestions, bug reports etc. feel free to contact the author at mail@ntworks.net.


You need to use one (and only one) command to tell enciso what to do. For some commands other options are required, see below for details.

--create <directory> or -c <directory>

This command will create a new encrypted image from the given <directory>. Required option is --image to specify the location of the resulting image file. Note: you will be asked three times for the password, the first two times by gpg, the last time by aespipe.

--encrypt <image> or -e <image>

This will encrypt an already existing image. <image> may be a regular file or a block device (eg. /dev/cdrom) that should be encrypted. Required option is --image to specify the location of the resulting image file. Note: you will be asked three times for the password, the first two times by gpg, the last time by aespipe.

--extractkeyfile <image> or -x <image>

Use this command to extract the gpg-encrypted key file from the encrypted image <image>. The key file is in ASCII-armored format and will be printed to standard output unless the --keyfile option is used, in that case it will be written to the file specified.

--verify <image> or -v <image>

This will calculate the checksum of the encrypted image and compare it to the checksum stored in the header of <image>, which may be a regular file or a block device. You have to use the --checksum option when you create the encrypted image for this to work. If you did not write the key file to the image header you have to use the --keyfile option to specify the location.


These additional options change the behaviour of enciso or external applications used by it, also, some of them may be required for some commands to work. See the COMMANDS section above for details.

--aespipeargs <options>

Used to specify command line arguments for aespipe. Default is "-e AES256 -w 5". See aespipe(1) for details. Note: The parameter "-w 5" is used to make aespipe wait five seconds before asking for the password, so the password prompt will not be interupted by possible genisoimage warning messages.

--checksum <type> or -S <type>

Set this option to "md5" if you want to include a checksum of the encrypted part of the image in the key file. Set it to "none" if you have enabled checksums in a configuration file and want to disable it on command line. Other checksum algorithms are currently not supported. Do not use this option together with --noinfo. This option is required (on creation) to check the integrity of an encrypted image with the --verify command (after creation). Note: The checksum will be calculated after the image has been created, and this will take some time, depending on the size of the image and your system. No further message will be print before or after the checksum calculation.

--compression <type> or -z <type>

Set this to "mkzftree" to enable transparent compression. Set it to "none" if you have enabled compression in a configuration file and want to disable it on command line. The mkzftree program is required for this to work. If you enable this the directory tree that should be written to the image is copied to a temporary location (see the --tempdir option) and compressed, make sure that there is enough free space available. This option will set the -r and -z options for genisoimage. See also --mkzftreeargs, mkzftree(1) and genisoimage(1).

--config <file> or -C <file>

Use this option to specify a configuration file. See the CONFIGURATION section below for details.

--genisoimageargs <options>

The command line arguments for genisoimage. Default is "-U -hide-joliet-trans-tbl -D -iso-level 4 -J -joliet-long -l -N -r", which results in a non-standard compliant ISO-image, but it should work on any modern Linux system. Change this if you need other options, see genisoimage(1) for details. Note that you do not need to specify meta-information like VolumeID here, there are separate options available, see below.

--gpgargs <options>

Command line options for gpg, default is "--cipher-algo AES256 --digest-algo SHA512 -a -c --s2k-count 65011712". If key generation is to slow on your system decrease the "--s2k-count" option (it is set to the maximum value by default). See gpg(1) for details.

--image <image> or -i <image>

This option is required for the --create and --encrypt commands. Use it to specify the location of the encrypted image. The file must not exist or enciso will exit with a return value of 3.

--keyfile <file> or -k <file>

When used with the --create or --encrypt commands this option tells enciso to not save the key file in the header of the encrypted image but to <file> instead. The encrypted image will not contain any meta information in this case, as this is written to the gpg-comments of the key file. If the file already exists it is used and no new keys are created.

When used with --extractkeyfile it specifies the path of the key file that should be created.

This option is required for the --verify command if the encrypted image does not include the key file, in this case it specifies the location of the key file (ie. you should use the same value here for creation and verification of an image).

--mkzftreeargs <options>

Command line options for mkzftree. Default value is "-z 9" for maximum compression. See mkzftree(1) for details. This is only used when --compression is set to "mkzftree", see above.

--noinfo or -n

Use this to omit the meta information in the key file or image header. See section DESCRIPTION above for details.

--random <file|internal>

Use <file> as random source for the keys. Default is "/dev/urandom". This may even be a regular file, but you really should not do this! If you set this option to "internal" Perl's built in random number generator will be used.

--serial <string> or -s <string>

Serial number of the disc. You may set this to any string to identify the disc. Serial is included in the gpg-comments section of the key file or image header and can be read without decrypting the image. Do not use together with the --noinfo option, as --noinfo takes precendence over other options.

--tempdir <directory>

Set the temporary directory. This is only used when transparent compression is enabled (see --compression) to store the compressed directory tree that is then written to the image. Make sure there is enough free space at that location. Default value is "/tmp".

--applicationid <string>
--preparer <string>
--publisher <string>
--systemid <string>
--volumeid <string>

These are options to set meta information for the ISO-image. All of these options will be passed to genisoimage (see genisoimage(1) for details, some options have different names) and so included in the image. You can not read these options without decrypting the image.

--aespipepath <file>
--genisoimagepath <file>
--gpgpath <file>
--mkzftreepath <file>

These options can be used to specify the paths to external programs. enciso will use the which command to get the full paths, which should be fine on most systems. You will need these options only if one of the programs is not located in your $PATH. Note: if genisoimage is called mkisofs on your system, you have to set the --genisoimagepath option to the path of mkisofs or you will not be able to use --create.


It is possible to set default values for each command line option in a configuration file. The default paths are /usr/local/etc/enciso/enciso.conf for a system wide configuration file and ~/.enciso/enciso.conf for per user configurations. An additional file may be specified with the --config command line option. The configuration files are processed in that order. In general, every value found in a configuration file will replace an existing one, ie., user configuration will override system wide configuration.

The syntax of the configuration files is <option> = <value>

Where <option> is the same as the long command line option without the two leading dashes. Whitespace characters at the beginning and at the end will be removed. If an option exists multiple times in a configuration file the last value will be used. An exception are the command line options for external programs (eg. aespipeargs) which may be specified multiple times and values are concatenated to allow splitting long lines. Note that this is only the case for occurences in one configuration file, values set in a file processed earlier are always replaced. Also, command line arguments will always replace settings of the configuration files.

Comments start with the # or the % character, which must be the first none-whitespace character in a line. Inline comments are not supported!

Note: Since every command line option is valid in a configuration file you may even set commands like create or verify in a configuration file. Any restrictions and/or requirements mentioned for the command line options apply.


To help you get started, the following examples are provided to show you the most common commands used to work with enciso and encrypted images or discs. Please read the sections above for more information.

Create an encrypted image

enciso --create /home/johndoe/mydirectory --image /home/johndoe/mydirectory.img --serial 0001 --checksum md5

This command will create an image that contains the contents of /home/johndoe/mydirectory/, the serial 0001 and a checksum will be written to the header. The resulting image /home/johndoe/mydirectory.img can then be written to a CD or DVD. (Note: You may use relative paths for every option that expects a file or directory name.)

Encrypt an already existing image

enciso --encrypt /dev/cdrom --image /home/johndoe/cdrom.img --serial CDROM-01 --checksum md5

This will create an encrypted image from the disc in /dev/hdc.

Do not include the keys in the image

enciso --create mydirectory --image mydirectory.img --serial 0001 --keyfile mydirectory.gpg

Note that you need to use the --keyfile option with some commands after that, see the COMMANDS section above for details.

Mount an existing image or disc

mount mydirectory.img /mnt -o loop,encryption=AES256,gpgkey=mydirectory.img,offset=16384

This will mount the created image to /mnt/. If the keys are not included in the image you may use the following command:

mount mydirectory.img /mnt -o loop,encryption=AES256,gpgkey=mydirectory.gpg

Create only the loop device

This command will create a decrypted loop device for an image file. Useful if you want to copy a decrypted version of the image:

losetup -e AES256 -K mydirectory.img -o 16384 /dev/loop0 mydirectory.img


enciso will return the following exit codes:



aespipe(1), genisoimage(1), gpg(1), losetup(1), mkzftree(1), mount(1)


Stefan Göbel - mail@ntworks.net


Copyright © 2007-2008 Stefan Göbel

enciso is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

enciso is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with enciso. If not, see <http://www.gnu.org/licenses/>.