Encrypt your important files using Tomb

Slashdot it! Delicious Share on Facebook Tweet! Digg!
Konstantin Kalishko

Konstantin Kalishko

Creepy Crypto

Important data can easily be protected against unauthorized access using encrypted containers. Tomb is a potential replacement for the now discontinued TrueCrypt, and it performs its job elegantly just using Linux's onboard tools and standard processes.

Current Linux distributions make it easy to use encryption to secure your home directory against prying eyes. But encrypting whole partitions also has some drawbacks: First, you need to decide whether to encrypt whole partitions when installing the system. Second, encryption makes data recovery more difficult if you cannot boot the system.

Swapping an encrypted partition out to another disk is also tricky. Many users thus prefer to use encrypted containers like the ones that you can (or used to be able to) create and integrate with TrueCrypt [1], for example.

The TrueCrypt developers surprisingly stopped working on the software when support for Windows XP ended. They said that TrueCrypt wasn't secure because it might contain unfixed vulnerabilities.

The TrueCrypt team advised Windows users to switch to BitLocker (the encryption built into Windows). Integrated Windows encryption is certainly not an option for Linux users and security-conscious users. However, Tomb [2] is an interesting alternative for former TrueCrypt users that builds on established Linux standards.

Installing Tomb

Tomb uses the dm-crypt [3] cryptography module, which is integrated into the Linux kernel's device mapper. It also relies on the LUKS [4] extension, which adds a header with information about encryption to the encrypted space, thus making it easier to handle the encrypted data.

Users can, for example, create multiple keys and change or delete them as needed, without having to rewrite the encrypted data from scratch. As a simple shell script, Tomb combines various actions into one small program, without the program needing to reinvent the encryption wheel. Any Linux system with kernel 2.6 or later will have the necessary tools out of the box.

Although the program only has a few dependencies, you are unlikely to find Tomb in the major distributions' repositories right now. In other words, you generally need to install manually, although this is not difficult.

Tomb provides an installation guide on the project page [5]; for Arch Linux, you will find Tomb in the AUR [6]. To install it, you will need to load the necessary dependencies via the package manager (Listing 1 gives you a how-to for Debian/Ubuntu), then load the program's source code in the form of the Tomb <Version>.tar.gz file onto your computer [7] and extract the archive (Listing 2). Typing make install in the code directory then installs the program on your system.

Listing 1

Load Dependencies

01 $ sudo apt-get install zsh sudo gnupg cryptsetup pinentry-curses
02 ### For graphical dialogues with PIN entry
03 $ sudo apt-get install pinentry-gtk2  ### With Gnome, Unity or Xfce
04 $ sudo apt-get install pinentry-qt4   ### With KDE
05 ### Optional dependencies
06 $ sudo apt-get install dcfldd qrencode steghide swish-e wipe

Listing 2

Install Tomb

01 $ tar xf Tomb*.tar.gz
02 $ cd Tomb*
03 $ sudo make install
04 $ tomb -v
05 Tomb 2.1 - a strong and gentle undertaker for your secrets
07 Copyright (C) 2007-2015 Dyne.org Foundation, License GNU GPL v3+
08 This is free software: you are free to change and redistribute it
09 For the latest source code go to <http://dyne.org/software/tomb>
10 [...]


After the installation, prepare a virtual tomb for your data; this will hold the data to be encrypted later on. In Tomb-speak, this is referred to as "digging a tomb." Launch Tomb from a terminal using the dig command and the -s <size in MB> option, plus the name of the encrypted container to be created (Listing 3).

Listing 3

Launch Tomb

01 $ tomb dig -s 100 secret.crypt
02 tomb  .  Commanded to dig tomb secret.crypt
03 tomb (*) Creating a new tomb in secret.crypt
04 tomb  .  Generating secret.crypt of 100MiB
05 100 blocks (100Mb) written.
06 100+0 records in
07 100+0 records out
08 -rw------- 1 username users 100M 11. Aug 16:23 secret.crypt
09 tomb (*) Done digging secret
10 tomb  .  Your tomb is not yet ready, you need to forge a key and lock it:
11 tomb  .  tomb forge secret.crypt.key
12 tomb  .  tomb lock secret.crypt -k secret.crypt.key

The size needs to be at least 10MB. You can, of course, enlarge the Tomb later, but you cannot shrink it. The encrypted data tomb should then be in the current directory.

A container is not very useful if you do not have a key file. You can create one by launching Tomb a second time and using the forge command (Listing 4) – Tomb outputs the relevant notes at the end of the dig command. However, the program needs root privileges to create the key file; the process may also take a while – depending on the size of the container and speed of the system.

Listing 4

Create a Key File

01 $ tomb forge secret.crypt.key
02 tomb  .  Commanded to forge key secret.crypt.key
03 mkdir: the ?/home/username/.gnupg? directory cannot be created: The file already exists
04 tomb  .  Commanded to forge key secret.crypt.key with cipher algorithm AES256
05 tomb  .  This operation takes time, keep using this computer on other tasks,
06 tomb  .  once done you will be asked to choose a password for your tomb.
07 tomb  .  To make it faster you can move the mouse around.
08 tomb  .  If you are on a server, you can use an Entropy Generation Daemon.
09 256 blocks (0Mb) written.
10 256+0 records in
11 256+0 records out
12 tomb (*) Choose the  password of your key: secret.crypt.key
13 tomb  .  (You can also change it later using 'tomb passwd'.)
14 [GNUPG:] PROGRESS need_entropy X 60 120
15 [GNUPG:] PROGRESS need_entropy X 120 120
16 [...]
17 [GNUPG:] PROGRESS need_entropy X 60 120
18 [GNUPG:] PROGRESS need_entropy X 120 120
22 tomb  .  Key is valid.
23 tomb  .  Done forging secret.crypt.key
24 tomb (*) Your key is ready:
25 -rw------- 1 username users 531 11. Aug 16:27 secret.crypt.key

Tomb also refuses to execute the command if a swap partition is active (Listing 5). The problem is that you cannot stop the data you want to encrypt ending up in the system's unencrypted cache. You therefore need to switch off the cache using swapoff -a – or force the action using the -f option.

Listing 5

Active Swap Detected

01 $ tomb forge secret.crypt.key
02 tomb  .  Commanded to forge key secret.crypt.key
03 tomb  .  An active swap partition is detected...
04 [sudo] password for username: ***********
05 tomb [W] This poses a security risk.
06 tomb [W] You can deactivate all swap partitions using the command:
07 tomb [W]  swapoff -a
08 tomb [W] [#163] I may not detect plain swaps on an encrypted volume.
09 tomb [W] But if you want to proceed like this, use the -f (force) flag.
10 tomb [E] Operation aborted.
11 $ sudo swapoff -a

Buy this article as PDF

Express-Checkout as PDF

Pages: 6

Price $0.99
(incl. VAT)

Buy Ubuntu User

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Encrypting flash drives with UsbCryptFormat

    USB sticks and external hard drives can easily be lost or stolen. You should therefore protect these storage media against loss and misuse. UsbCryptFormat lets you do this without much effort.

  • Encrypting email with GnuPG

    US intelligence agencies tap into billions of call data and electronic messages monthly – reason enough to consider encrypting your email traffic.

  • Zeroshell workshop

    A wireless LAN is easier to set up than a cable LAN but is significantly less secure. A RADIUS server can change that.

  • Playing with Parrot Security OS

    The latest release of Parrot Security OS has some extremely colorful plumage, which will appeal to both hackers and lay users interested in their systems' safety.

  • Installing and testing Nextcloud

    Leading ownCloud developers, including the project founder Frank Karlitschek, became dissatisfied with the direction of the project, so they started Nextcloud, a fork of the code and a new company. The goal is to create a better balance among the company, clients, and users. We take a look at how Nextcloud is faring.