Password-protected encryption for automated CD & DVD production for the Rimage Systems and disc burning


SecureDisc – Rimage Edition (SDR) integrates with the Rimage production suite to secure the contents of any DVD or CD using a password. SDR makes it simple to integrate encryption into an existing workflow by automatically encrypting the image data for each disc as part of the automated production process. Discs are encrypted using the Advanced Encryption Standard (AES) 256-bit algorithm, and processed at the image format level for even stronger security. SecureDisc does not require the use of specialized media.

To read encrypted discs, the intended receiver only needs the correct password and does NOT need to download or install any software on their PC. The SecureDisc Explorer decryption client automatically deployed on each encrypted disc supports Windows XP, Vista, 7, 8, 8.1 and 10 (including 64-bit installations) and will automatically launch AUTORUN.INF scripting in the encrypted session once the correct password has been entered.

SDR works with Rimage’s Production Server service as a transparent proxy. When encryption is enabled, SDR automatically intercepts and encrypts the ISO or UDF image for each disc before recording. SDR’s unique ‘Forced Encryption Mode’ can also encrypt every disc production job regardless of the upstream software workflow, eliminating the need to modify any third-party applications.

Encryption passwords may be specified per job through Rimage API calls, legacy (Network Publisher/IOF/POF) job requests, a merge field in the label file, a password file included with the disc content or a fixed password that will be used for all discs produced.

Benefits At A Glance

  • Automated encryption of DVDs and CDs during production regardless of current software workflow
  • Highly secure 256-bit AES encryption using a FIPS 140-2 Validated Engine*
  • User friendly ‘zero footprint’ decryption on client PC supporting all major Windows versions 
  • Simple password integration options to accommodate almost any production environment
  • Supports all standard media compatible with Rimage production systems
  • Compatible with any Rimage Producer or Professional Series equipment including many legacy models


Disc Creation:

  • Rimage Producer or Professional Series
  • Rimage software version 8.0 and above
  • A modern Windows operating system, NOT available for Linux or OS X
  • 5MB free disk space for program files

Disc Viewing:

  • Windows XP, Vista, 7, 8, 8.1 or 10 (32-bit or 64-bit); Windows RT is not supported
  • CD or DVD reader
  • Free disk space for caching the contents of the encrypted disc session

Encryption Engine Specifications

  • 256-bit AES (Advanced Encryption Standard) with FIPS 140-2 Validation
  • CBC Encryption Mode (each encrypted block has its own key)
  • 256-bit SHA for password-to-key generation
  • Format/Image based encryption (performed at the block/sector level)


  • SecureDisc – Rimage Edition is licensed per Rimage system (or Control Center, for non-embedded systems)
  • Sub-licensed on a per-encrypted image basis
  • SecureDisc Explorer and Resident Clients are free of charge for SAE customers


Frequently asked questions

SecureDisc utilizes a 256-bit AES cryptographic engine which provides the highest level of security recognized by commercial and government entities. Although no technology can claim to be ‘unbreakable,’ a 256-bit key is the closest commercially available technology to that theoretical goal. However, the encryption engine alone is not the sole component of a secure solution. SecureDisc encrypts the entire disc image. Picture this as taking all the files to be protected and placing them inside a virtual ‘safe.’ This is distinct from file-based encryption methods that individually ‘lock’ each file on the media. Encrypting the entire disc image creates a more secure solution since there is no visibility to any of the protected files until the image is decrypted by entering the correct password. This is one of an array of methods SecureDisc uses in order to prevent ‘cracking’ software from extracting the password and allowing unauthorized access. There are widely available software applications that can ‘brute force attack’ encrypted files by making thousands of attempts per second using every possible password combination and eventually obtain the password. These applications cannot be used to defeat SecureDisc, as every time an unsuccessful password attempt is made the disc is automatically ejected from the drive, requiring manual re-loading of the disc for each failed attempt.

SecureDisc utilizes the multi-session capability of optical burners to produce, in effect, two distinct “discs” (referred to as ‘sessions’) on one piece of media. One session is encrypted and invisible to the Windows operating system; the other is ‘open’ and mounts exactly as a standard (unencrypted) disc would. This provides the best of both worlds: distribution of public (“open”) data along with securely encrypted data on one piece of media. The encrypted session is accessed through a Decrypt Client application, which is freely licensed to SecureDisc customers for unlimited distribution and is typically included in the ‘open’ session of each disc. SecureDisc also offers an option to produce single session encrypted discs that contain no ‘open’ session and cannot be accessed without a separately distributed decrypt client that must be installed on the recipient PC.

The most popular mode in SecureDisc is called ‘Client on Board.’ In this mode, the encrypted material is automatically burned on the disc along with another “open” session that is recognized by Windows as a standard disc. The open session can contain whatever files the distributor would like to have available prior to decryption, including readme files, disclaimers or other documentation, and typically contains the SecureDisc Explorer Client (SEC) application. SEC can be launched manually by the user or via Autorun and immediately prompts for the password. If the correct password is entered, the contents of the encrypted session are shown. If there is an Autorun file in the encrypted session, that can be launched as well to automatically offer a viewer application or other interface to the user. Note that none of this activity requires downloading or installation of any software on the client PC.

The Explorer Client requires direct device access to work, since it bypasses the Windows file-system layer entirely and reads the disc using raw SCSI commands. In Windows 2000 and XP, the default permissions on CD-ROM class devices (which, despite the name, also include more modern drives such as DVD recorders and Blu-Ray drives) are set to allow only Administrators direct access to the drive. If you are running the Explorer Client as an Administrator on a 2000 or XP machine, and the permissions are set to defaults, then the Explorer Client will ask if you want to enable CD-ROM access for all users. Answering “Yes” will set new default permissions on the CD-ROM class that allow non-Administrators to access the machine’s optical drives directly. This only applies to CD-ROM class devices, as defined by Microsoft, and will not change permissions on your hard drives or any network shares. You may need to reboot after applying the new permissions. Windows Vista and 7 have more relaxed default permissions for CD-ROM class devices, and so this message will not appear on a Vista or 7 machine.

There is a base license that is paid only once per system. The base license authorizes that system to produce encrypted discs and it never needs to be renewed. Updates within the major release purchased are covered under optional SAE. If a new major release is issued and an existing SecureDisc owner wants to purchase the new major release, SAE customers pay 50% off of the Commercial Price. Image Packs are bundled licenses that decrement every time a unique encrypted disc image is generated. Image Pack license keys are ‘plugged in’ to the SecureDisc base license. Please refer to the Discrete Technologies Commercial Price List for pricing.

An ‘Image’ is defined as a unique disc (CD, DVD or Blu-Ray) image that is encrypted by SD-R. That disc image may contain any number of files that can fit on the chosen media. The term ‘unique’ means SecureDisc only encrypts a particular disc image once, even if the job request is for multiple copies. For example, if Bank ABC uses SecureDisc to produce two copies of the September statement CD for Client XYZ, that would only count as ONE Image decremented from the Image Pack. However, the next disc is a statement for Client UVW, which counts as another image from the Image Pack. Image Packs are licensed per base system (PC or robotic unit) and are non-transferable between systems. So if multiple robotic units are in production, they each need a separate Image Pack license. As an example, if Bank ABC has three Rimage systems and produces a total of approximately 30,000 unique disc images per year (after eliminating all duplicates, since they do not count against the Image Pack license), and production volume is shared approximately equally across all three Rimage systems, Bank ABC could purchase three 10,000 Image Packs to support a typical 12 months of production. Alternatively, Bank ABC could purchase three larger Image Packs to reduce the per disc image cost as well as allow increased production time between Image Pack re-orders. If volume is unevenly split across Rimage units, clients can purchase (for example) a 10,000 Image Pack for Rimage system A and a 25,000 Image Pack for Rimage system B, etc. Image Packs are refilled using a simple procedure of emailing request codes generated in the SecureDisc console. Please refer to the Discrete Technologies Commercial Price List for pricing.

SecureDisc does not generate or manage passwords; rather, it encrypts using a password provided by your workflow. There are 4 ways to introduce an encryption password:

  • Inside the job production order
  • Include with disc content (inside a password text file, password blanked before recording)
  • Use a fixed, global password (every disc has the same password)
  • Use an extra merge field in the label file (password is automatically blanked before printing)
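
Because the password comes from the workflow and the 256-bit key is generated from it with SHA, the strength of each disc is capped by the password's entropy rather than by the AES key size. The following is an added example, not SecureDisc or Rimage code: a per-job password generator a workflow could run before submitting a job, plus a check of the effective key strength. The function names, the alphabet and the single-pass SHA-256 derivation are assumptions for illustration; the page only states "256-bit SHA for password-to-key generation".

```python
import hashlib
import math
import secrets

# Hypothetical alphabet: look-alike characters (0/O, 1/l/I) are left out
# because the recipient types the password by hand and, per the page,
# a wrong entry ejects the disc.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789"


def password_length_for(bits: int, alphabet: str = ALPHABET) -> int:
    """Smallest length at which a uniformly random password has >= bits of entropy."""
    return math.ceil(bits / math.log2(len(alphabet)))


def generate_job_password(bits: int = 128, alphabet: str = ALPHABET) -> str:
    """Draw a fresh password for one production job from the OS CSPRNG."""
    length = password_length_for(bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def effective_key_bits(length: int, alphabet_size: int, key_bits: int = 256) -> float:
    """Strength of the derived key: the lesser of key size and password entropy."""
    return min(float(key_bits), length * math.log2(alphabet_size))


def derive_key_sha256(password: str) -> bytes:
    """ASSUMPTION: one SHA-256 pass over the UTF-8 password (construction not on the page).

    Any password, however short, maps to 32 bytes, which is why the key
    length alone says nothing about how hard the password is to guess.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


if __name__ == "__main__":
    pw = generate_job_password()  # constructed sample run
    print("per-job password:", pw)
    print("effective bits:  ", round(effective_key_bits(len(pw), len(ALPHABET)), 1))
    # A fixed 8-digit numeric password, for comparison
    print("8-digit PIN bits:", round(effective_key_bits(8, 10), 1))
```

A fixed, global password of the kind listed above stays the same for every disc, so its entropy matters more than that of a per-job password that is used once.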