Tomb – A File Encryption and Personal Backup Tool for Linux

Tomb is a free, open source, small, powerful and simple tool for encrypting files on GNU/Linux. At the time of this writing, it consists of a shell script (zsh) that uses generic filesystem GNU tools and the Linux kernel crypto API (cryptsetup and LUKS).

It also employs various GNU/Linux tools such as steghide, lsof, mlocate, resize2fs, dcfldd and many more to extend its functionality.

Tomb is used to create secure backups of secret or personal files in encrypted, password-protected directories called tombs. These directories can only be opened using their associated keyfiles and passwords.

After creating a tomb, you can store its key files separately; for example, your tomb file can exist on a remote server while the key file is on your laptop or desktop at home or in the office. If the tomb file is on your laptop or desktop, you can hide it within the filesystem or, as a more secure option, store the key on a USB drive.

In addition, you can hide a tomb in the filesystem, move it safely over a network or on external storage media, and share it with friends or colleagues. You can also hide a key in an image, as we will see later on.

Requirements

Tomb needs a few programs such as zsh, gnupg, cryptsetup and pinentry-curses to be installed on a system in order to work.

How to Install Tomb in Linux Systems

First, install the following required tools using your distribution's default package manager. We will also install steghide, which adds the ability to hide keys in images.

$ sudo apt install gnupg zsh cryptsetup pinentry-curses steghide	#Debian/Ubuntu
$ sudo yum install gnupg zsh cryptsetup pinentry-curses steghide	#CentOS/RHEL
$ sudo dnf install gnupg zsh cryptsetup pinentry-curses steghide	#Fedora 22+

After installing required packages, download the stable tomb source code for your distribution or use the following wget command to download directly in terminal as shown.

$ cd Downloads/
$ wget -c https://files.dyne.org/tomb/Tomb-2.5.tar.gz

Next, extract the tar archive file you just downloaded and move into the decompressed folder.

$ tar -xzvf Tomb-2.5.tar.gz
$ cd Tomb-2.5

Finally, run the following command as root, or use sudo to gain root privileges, to install the binary under /usr/local/bin/.

$ sudo make install

How to Create Tombs in Linux Systems

After installing tomb, you can generate a tomb, create a new key for it and set its password, as explained below.

To create a tomb, use the dig sub-command and the -s flag to set its size in MB (this size can be increased when a tomb gets full to capacity after adding files).

$ sudo tomb dig -s 30 tecmint.tomb

Create a New Tomb

Then create a new key for tecmint.tomb with the forge sub-command and set its password when asked. This operation will take some time to complete, so just sit back and relax or go prepare yourself a cup of coffee.

$ sudo tomb forge tecmint.tomb.key

While creating the key, tomb will complain if swap space exists on disk, and it will terminate if that swap memory is turned on as shown in the following screenshot. This is due to a security risk associated with swap memory on disk (refer to documentation or man page for more information).

You can either use the -f flag to force the operation or turn off swap memory with the following command.

$ sudo swapoff -a

Turn Off Swap
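
The swap check described above can be run as a pre-flight step before forging a key. The script below is an added example, not code from this article or from the Tomb project; it parses a table in /proc/swaps format, and the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight swap check to run before `tomb forge`.
# Reads a swap table in the format of /proc/swaps.

# list_swaps FILE -> one line per active swap area: "<device> <backing> <used_kib>"
# backing is "ram" for zram devices (compressed RAM), "disk" for everything else.
list_swaps() {
    awk 'NR > 1 && NF >= 5 {
        backing = ($1 ~ /^\/dev\/zram[0-9]+$/) ? "ram" : "disk"
        print $1, backing, $4
    }' "$1"
}

# disk_swap_count FILE -> number of active disk-backed swap areas
disk_swap_count() {
    list_swaps "$1" | awk '$2 == "disk" { n++ } END { print n + 0 }'
}

# swap_preflight FILE -> returns 0 when no disk-backed swap is active, 1 otherwise
swap_preflight() {
    count=$(disk_swap_count "$1")
    if [ "$count" -eq 0 ]; then
        echo "ok: no disk-backed swap active"
        return 0
    fi
    echo "warning: $count disk-backed swap area(s) active:"
    list_swaps "$1" | awk '$2 == "disk" { printf "  %s (%s KiB in use)\n", $1, $3 }'
    echo "run 'sudo swapoff -a' before 'sudo tomb forge'"
    return 1
}

# Constructed sample in /proc/swaps format (not taken from a real host).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Filename                                Type            Size            Used            Priority
/dev/sda2                               partition       2097148         512             -2
/swapfile                               file            1048572         0               -3
/dev/zram0                              partition       4194300         0               100
EOF

swap_preflight "$sample" || true
# On a live system: swap_preflight /proc/swaps
```

A non-zero "KiB in use" value means pages have already been written to that swap area, which is the situation the warning is about.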

Then try to create the tomb key once more.

Create a New Tomb Key File

Next, format tecmint.tomb to lock it with the above key. The -k flag specifies the location of the key file to use.

$ sudo tomb lock tecmint.tomb -k tecmint.tomb.key

Lock Tomb File with Key

How to Open a New Tomb

To open a tomb, use the open sub-command. You will be prompted to enter the password you set while creating the tomb.

$ sudo tomb open -k tecmint.tomb.key tecmint.tomb

Open a New Tomb

From the output of the previous command, the tomb has been opened and mounted on /media/tecmint/ – this is where you can add your secret files.

If you have numerous tombs, you can list all open tombs plus get some information about them as shown.

$ sudo tomb list

List All Tombs

How to Copy Files to Open Tomb

Now you can add your secret or important files to the tomb as follows. Every time you need to add more files, open the tomb first, as shown above.

$ sudo cp -v passwds.txt accounts.txt keys.txt -t /media/tecmint/

Copy Files to Open Tomb

Once you are done using an open tomb or adding files to it, use the close sub-command to close the tomb file. If a process is still working with an open tomb, it may fail to close.

$ sudo tomb close

You can close all tombs by running:

$ sudo tomb close all

To force an open tomb to close, even when a process is interacting with it, use the slam sub-command.

$ sudo tomb slam
OR
$ sudo tomb slam all

How to Hide a Tomb Key in an Image

It is also possible to hide/encode the tomb key in an image using the bury sub-command, as follows.

$ sudo tomb bury -k tecmint.tomb.key zizu.jpg

Hide Tomb Key in Image

Then use the newly created jpeg image to open the tomb, as shown.

$ sudo tomb open -k zizu.jpg tecmint.tomb

Open Tomb Using Encoded Image

You can also recover a key encoded in a jpeg image with the exhume sub-command.

$ sudo tomb exhume zizu.jpg -k tecmint.tomb.key
OR
$ sudo tomb -f exhume zizu.jpg -k tecmint.tomb.key   #force operation if key exists in current directory

Recover a Key from Image

Attention: Remember to hide the tomb key; do not keep it in the same directory as the tomb. For example, we will move the key for tecmint.tomb into a secret location (you can use your own location); you can also keep it on external media or move it to a remote server over SSH.

$ sudo mv tecmint.tomb.key /var/opt/keys/
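
To check that no key has been left beside its tomb, a directory tree can be audited as below. This is an added example, not code from this article or from the Tomb project; it assumes key files carry a ".key" suffix like tecmint.tomb.key above, and the function names and demo directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: find tomb key files stored in the same directory as a tomb.
# Assumption: keys are named with a ".key" suffix, as with tecmint.tomb.key.

# colocated_keys DIR -> prints "<tomb><TAB><key>" for each key sharing a
# directory with a tomb anywhere under DIR
colocated_keys() {
    find "$1" -type f -name '*.tomb' | while IFS= read -r tomb; do
        dir=$(dirname "$tomb")
        for key in "$dir"/*.key; do
            [ -f "$key" ] || continue      # glob matched nothing
            printf '%s\t%s\n' "$tomb" "$key"
        done
    done
}

# audit_tomb_keys DIR -> returns 0 when no key is co-located, 1 otherwise
audit_tomb_keys() {
    hits=$(colocated_keys "$1")
    if [ -z "$hits" ]; then
        echo "ok: no key file shares a directory with a tomb under $1"
        return 0
    fi
    printf '%s\n' "$hits" | while IFS="$(printf '\t')" read -r tomb key; do
        echo "warning: $key is stored beside $tomb"
    done
    return 1
}

# Constructed directory layout for the demonstration (empty placeholder files).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/bad" "$demo/good" "$demo/keys"
: > "$demo/bad/tecmint.tomb";  : > "$demo/bad/tecmint.tomb.key"
: > "$demo/good/backup.tomb";  : > "$demo/keys/backup.tomb.key"

audit_tomb_keys "$demo" || true
```

A key buried in an image with the bury sub-command does not have a ".key" name, so this audit does not see it.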

Unfortunately, we cannot explore all of tomb's commands and options in this guide; you can consult its man page for more information. There, you will find instructions on how to change a tomb’s key and password, resize it and much more.

$ man tomb

Tomb Github repository: https://github.com/dyne/Tomb

Summary

Tomb is a simple yet powerful and easy-to-use encryption tool for handling files as delicate as secrets, on GNU/Linux systems. Share your thoughts about it via the comment form below.
