Encrypt your important files using Tomb

Konstantin Kalishko

Creepy Crypto

Important data can easily be protected against unauthorized access using encrypted containers. Tomb is a potential replacement for the now discontinued TrueCrypt, and it performs its job elegantly just using Linux's onboard tools and standard processes.

Current Linux distributions make it easy to use encryption to secure your home directory against prying eyes. But encrypting whole partitions also has some drawbacks: First, you need to decide whether to encrypt whole partitions when installing the system. Second, encryption makes data recovery more difficult if you cannot boot the system.

Swapping an encrypted partition out to another disk is also tricky. Many users thus prefer to use encrypted containers like the ones that you can (or used to be able to) create and integrate with TrueCrypt [1], for example.

The TrueCrypt developers surprisingly stopped working on the software when support for Windows XP ended. They said that TrueCrypt wasn't secure because it might contain unfixed vulnerabilities.

The TrueCrypt team advised Windows users to switch to BitLocker (the encryption built into Windows). Windows' integrated encryption is certainly not an option for Linux users, nor for security-conscious users. However, Tomb [2] is an interesting alternative for former TrueCrypt users that builds on established Linux standards.

Installing Tomb

Tomb uses the dm-crypt [3] cryptography module, which is integrated into the Linux kernel's device mapper. It also relies on the LUKS [4] extension, which adds a header with information about encryption to the encrypted space, thus making it easier to handle the encrypted data.

Users can, for example, create multiple keys and change or delete them as needed, without having to rewrite the encrypted data from scratch. As a simple shell script, Tomb combines various actions into one small program, without the program needing to reinvent the encryption wheel. Any Linux system with kernel 2.6 or later will have the necessary tools out of the box.

Although the program only has a few dependencies, you are unlikely to find Tomb in the major distributions' repositories right now. In other words, you generally need to install manually, although this is not difficult.

Tomb provides an installation guide on the project page [5]; for Arch Linux, you will find Tomb in the AUR [6]. To install it, you will need to load the necessary dependencies via the package manager (Listing 1 gives you a how-to for Debian/Ubuntu), then load the program's source code in the form of the Tomb <Version>.tar.gz file onto your computer [7] and extract the archive (Listing 2). Typing make install in the code directory then installs the program on your system.

Listing 1

Load Dependencies

$ sudo apt-get install zsh sudo gnupg cryptsetup pinentry-curses
### For graphical dialogues with PIN entry
$ sudo apt-get install pinentry-gtk2  ### With Gnome, Unity or Xfce
$ sudo apt-get install pinentry-qt4   ### With KDE
### Optional dependencies
$ sudo apt-get install dcfldd qrencode steghide swish-e wipe

Listing 2

Install Tomb

$ tar xf Tomb*.tar.gz
$ cd Tomb*
$ sudo make install
$ tomb -v
Tomb 2.1 - a strong and gentle undertaker for your secrets

Copyright (C) 2007-2015 Dyne.org Foundation, License GNU GPL v3+
This is free software: you are free to change and redistribute it
For the latest source code go to <http://dyne.org/software/tomb>
[...]

Gravedigger

After the installation, prepare a virtual tomb for your data; this will hold the data to be encrypted later on. In Tomb-speak, this is referred to as "digging a tomb." Launch Tomb from a terminal using the dig command and the -s <size in MB> option, plus the name of the encrypted container to be created (Listing 3).

Listing 3

Launch Tomb

$ tomb dig -s 100 secret.crypt
tomb  .  Commanded to dig tomb secret.crypt
tomb (*) Creating a new tomb in secret.crypt
tomb  .  Generating secret.crypt of 100MiB
100 blocks (100Mb) written.
100+0 records in
100+0 records out
-rw------- 1 username users 100M 11. Aug 16:23 secret.crypt
tomb (*) Done digging secret
tomb  .  Your tomb is not yet ready, you need to forge a key and lock it:
tomb  .  tomb forge secret.crypt.key
tomb  .  tomb lock secret.crypt -k secret.crypt.key

The size needs to be at least 10MB. You can, of course, enlarge the tomb later, but you cannot shrink it. The encrypted data tomb should then be in the current directory.

A container is not very useful without a key file. You can create one by launching Tomb a second time with the forge command (Listing 4); Tomb prints the relevant commands at the end of the dig run. Note that the program needs root privileges to create the key file, and the process may take a while, depending on the size of the container and the speed of the system.

Listing 4

Create a Key File

$ tomb forge secret.crypt.key
tomb  .  Commanded to forge key secret.crypt.key
mkdir: the '/home/username/.gnupg' directory cannot be created: The file already exists
tomb  .  Commanded to forge key secret.crypt.key with cipher algorithm AES256
tomb  .  This operation takes time, keep using this computer on other tasks,
tomb  .  once done you will be asked to choose a password for your tomb.
tomb  .  To make it faster you can move the mouse around.
tomb  .  If you are on a server, you can use an Entropy Generation Daemon.
256 blocks (0Mb) written.
256+0 records in
256+0 records out
tomb (*) Choose the  password of your key: secret.crypt.key
tomb  .  (You can also change it later using 'tomb passwd'.)
[GNUPG:] PROGRESS need_entropy X 60 120
[GNUPG:] PROGRESS need_entropy X 120 120
[...]
[GNUPG:] PROGRESS need_entropy X 60 120
[GNUPG:] PROGRESS need_entropy X 120 120
[GNUPG:] NEED_PASSPHRASE_SYM 9 3 2
[GNUPG:] BEGIN_ENCRYPTION 2 9
[GNUPG:] END_ENCRYPTION
tomb  .  Key is valid.
tomb  .  Done forging secret.crypt.key
tomb (*) Your key is ready:
-rw------- 1 username users 531 11. Aug 16:27 secret.crypt.key

Tomb also refuses to execute the command if a swap partition is active (Listing 5). The problem is that you cannot prevent the data you want to encrypt (or the key material) from being paged out to the system's unencrypted swap space. You therefore need to switch off swap using swapoff -a, or force the action using the -f option.

Listing 5

Active Swap Detected

$ tomb forge secret.crypt.key
tomb  .  Commanded to forge key secret.crypt.key
tomb  .  An active swap partition is detected...
[sudo] password for username: ***********
tomb [W] This poses a security risk.
tomb [W] You can deactivate all swap partitions using the command:
tomb [W]  swapoff -a
tomb [W] [#163] I may not detect plain swaps on an encrypted volume.
tomb [W] But if you want to proceed like this, use the -f (force) flag.
tomb [E] Operation aborted.
$ sudo swapoff -a
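The following pre-flight helper is an added example, not part of Tomb or of the original article: it reproduces the two preconditions described above (a container size of at least 10MB and no active swap, read from a file in /proc/swaps format) before printing the dig, forge and lock sequence for a container. The function names, the sample swap tables and the SWAPS_FILE parameter are assumptions made for this example; Tomb does not need to be installed to run it.

```shell
#!/bin/sh
# Added example helper (hypothetical, not Tomb's own code): checks the article's
# preconditions, then prints the three Tomb commands for a new container.

# swap_active FILE: succeed if FILE (in /proc/swaps format) lists any swap
# device. /proc/swaps has one header line followed by one line per active swap.
swap_active() {
    tail -n +2 "$1" | grep -q .
}

# valid_size MB: Tomb requires at least 10 MB; reject non-numeric input.
valid_size() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 10 ]
}

# plan_tomb NAME SIZE_MB [SWAPS_FILE]: print the dig/forge/lock sequence, or
# fail with an explanation when a precondition from the article is not met.
# SWAPS_FILE defaults to the live /proc/swaps when it exists.
plan_tomb() {
    name=$1; size=$2; swaps=${3:-/proc/swaps}
    if ! valid_size "$size"; then
        echo "error: size must be an integer >= 10 (MB), got '$size'" >&2
        return 1
    fi
    if [ -r "$swaps" ] && swap_active "$swaps"; then
        echo "error: active swap listed in $swaps; run 'sudo swapoff -a' first" >&2
        return 2
    fi
    printf 'tomb dig -s %s %s\n' "$size" "$name"
    printf 'tomb forge %s.key\n' "$name"
    printf 'tomb lock %s -k %s.key\n' "$name" "$name"
}

# Constructed sample swap tables (not captured from a real system): one with an
# active partition, one with none.
SAMPLE_SWAPS=$(mktemp)
printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n' > "$SAMPLE_SWAPS"
printf '/dev/sda2\t\t\t\tpartition\t4194300\t0\t-2\n' >> "$SAMPLE_SWAPS"
EMPTY_SWAPS=$(mktemp)
printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n' > "$EMPTY_SWAPS"

# Usage: the first call aborts because of the sample swap entry, the second
# prints the command sequence for a 100MB container.
plan_tomb secret.crypt 100 "$SAMPLE_SWAPS"
plan_tomb secret.crypt 100 "$EMPTY_SWAPS"
```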
