Tomb is a 100% free and open source system for file encryption on GNU/Linux, facilitating the backup of secret files.
```sh
guix package -i tomb file
```
For the sake of this tutorial, I've created a `tomb_test` directory:

```sh
mkdir tomb_test && cd tomb_test
```
Note that most of our commands include a `-f` flag, which causes tomb to ignore the fact that I'm using a swap file (and if you're on a default PantherX OS install, so are you). This is not ideal: by chance, some of the data we try to keep secret may end up in that swap file and stay there until it is overwritten by other data. If you would like to temporarily disable swap, you may do so:
```sh
su - root
swapoff /swapfile   # swapon /swapfile to re-enable it
```
First create a key with which to secure the store (tomb). You will be prompted for a password, that secures the key itself.
`secret.tomb.key` is the filename of the key file you would like to create.
```console
$ tomb forge secret.tomb.key -f
.tomb-real  .  Commanded to forge key secret.tomb.key with cipher algorithm AES256
.tomb-real [W] This operation takes time. Keep using this computer on other tasks.
.tomb-real [W] Once done you will be asked to choose a password for your tomb.
.tomb-real [W] To make it faster you can move the mouse around.
.tomb-real [W] If you are on a server, you can use an Entropy Generation Daemon.
512+0 records in
512+0 records out
512 bytes copied, 0.00206366 s, 248 kB/s
.tomb-real (*) Choose the password of your key: secret.tomb.key
.tomb-real  .  (You can also change it later using 'tomb passwd'.)
.tomb-real  .  Key is valid.
.tomb-real  .  Done forging secret.tomb.key
.tomb-real (*) Your key is ready:
-rw------- 1 franz users 859 Feb  3 09:47 secret.tomb.key
```
Once you have a key, you can create a new store (tomb).
`-s 100` sets the size of your store in megabytes (100MB).
`secret.tomb` is the name of your store. Maybe don't use such an obvious name.
```console
$ tomb dig -s 100 secret.tomb -f
.tomb-real  .  Commanded to dig tomb
.tomb-real (*) Creating a new tomb in secret.tomb
.tomb-real  .  Generating secret.tomb of 100MiB
100+0 records in
100+0 records out
104857600 bytes (105 MB, 100 MiB) copied, 0.495994 s, 211 MB/s
-rw------- 1 franz users 100M Feb  3 09:57 secret.tomb
.tomb-real (*) Done digging secret.tomb
.tomb-real  .  Your tomb is not yet ready, you need to forge a key and lock it:
.tomb-real  .  tomb forge secret.tomb.key
.tomb-real  .  tomb lock secret.tomb -k secret.tomb.key
```
Now it's time to encrypt the tomb with the key you created earlier. You will be prompted for the password you used to secure the key.
```console
$ tomb lock secret.tomb -k secret.tomb.key
.tomb-real [W] File is not yet a tomb: secret.tomb
.tomb-real  .  Valid tomb file found: secret.tomb
.tomb-real  .  Commanded to lock tomb secret.tomb
.tomb-real  .  Checking if the tomb is empty (we never step on somebody else's bones).
.tomb-real  .  Fine, this tomb seems empty.
.tomb-real  .  Key is valid.
.tomb-real  .  Locking using cipher: aes-xts-plain64
.tomb-real  .  A password is required to use key secret.tomb.key
.tomb-real  .  Password OK.
.tomb-real (*) Locking secret.tomb with secret.tomb.key
.tomb-real  .  Formatting Luks mapped device.
.tomb-real  .  Formatting your Tomb with ext4 filesystem.
.tomb-real  .  Done locking secret using Luks dm-crypt aes-xts-plain64
.tomb-real (*) Your tomb is ready in secret.tomb and secured with key secret.tomb.key
```
To actually add data to the store, open it with the key file. You will be prompted for your user password and then the key-file password. The user password (with superuser privileges) is necessary to mount the store under `/media/secret` and make it accessible via a file browser.
```console
$ tomb open secret.tomb -k secret.tomb.key -f
.tomb-real  .  Commanded to open tomb secret.tomb
[sudo] Enter password for user franz to gain superuser privileges
.tomb-real  .  Valid tomb file found: secret.tomb
.tomb-real  .  Key is valid.
.tomb-real  .  Mountpoint not specified, using default: /media/secret
.tomb-real (*) Opening secret on /media/secret
.tomb-real  .  This tomb is a valid LUKS encrypted device.
.tomb-real  .  Cipher is "aes" mode "xts-plain64" hash "sha512"
.tomb-real  .  A password is required to use key secret.tomb.key
.tomb-real  .  Password OK.
.tomb-real (*) Success unlocking tomb secret
.tomb-real  .  Filesystem detected:
.tomb-real  .  Checking filesystem via /dev/loop0
.tomb-real (*) Success opening secret.tomb on /media/secret
```
Always make sure your store is closed after using it (or before shutting down your computer).
```console
$ tomb close
[sudo] Enter password for user franz to gain superuser privileges
.tomb-real  .  Closing tomb [secret] mounted on /media/secret
.tomb-real (*) Tomb [secret] closed: your bones will rest in peace.
```
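The forge/dig/lock/open/close steps above are usually typed by hand, which is how a tomb ends up left open or opened with `-f` without thinking about it. The following wrapper is an added example (not part of the PantherX wiki or of Tomb itself): it checks `/proc/swaps` before deciding whether `-f` is acceptable, runs one command inside the mounted tomb, and closes the tomb again even if that command fails or is interrupted. It assumes tomb is installed and mounts at `/media/<name>` as in the session above; the `/proc/swaps` sample it embeds is constructed.

```sh
#!/bin/sh
# Added example, not from the PantherX wiki: open a tomb, run a command inside
# it, and always close it again, refusing to use -f while swap is active unless
# ALLOW_SWAP=1 is set. Assumes tomb is installed and mounts at /media/<name>.

# Return 0 if a /proc/swaps-style file lists at least one active swap device.
# The first line is the "Filename Type Size Used Priority" header.
swap_active_in() {
    awk 'NR > 1 && NF > 0 { n++ } END { exit n ? 0 : 1 }' "$1"
}

# Constructed sample of /proc/swaps with the PantherX default /swapfile active;
# writes it to a temp file and prints the path (for offline demonstration).
sample_swaps_file() {
    f=$(mktemp) || return 1
    printf 'Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n' > "$f"
    printf '/swapfile                               file\t\t8388604\t\t0\t\t-2\n' >> "$f"
    echo "$f"
}

# with_tomb TOMB KEY CMD...: open TOMB with KEY, run CMD in the mountpoint,
# then close it even if CMD fails or the user hits Ctrl-C.
with_tomb() {
    tomb_file=$1; key_file=$2; shift 2
    force=""
    if swap_active_in /proc/swaps; then
        if [ "${ALLOW_SWAP:-0}" = 1 ]; then
            force="-f"   # accept that plaintext may land in the swap file
        else
            echo "swap is active: run swapoff or set ALLOW_SWAP=1" >&2
            return 1
        fi
    fi
    name=$(basename "$tomb_file" .tomb)        # secret.tomb -> /media/secret
    tomb open "$tomb_file" -k "$key_file" $force || return 1
    trap 'tomb close "$name"; exit 130' INT TERM
    if ( cd "/media/$name" && "$@" ); then status=0; else status=$?; fi
    trap - INT TERM
    tomb close "$name"
    return $status
}

# Usage: ALLOW_SWAP=1 sh with_tomb.sh secret.tomb secret.tomb.key cp ~/notes.txt .
if [ "$#" -ge 3 ]; then with_tomb "$@"; fi
```

If `/proc/swaps` is missing (non-Linux), `awk` fails and the wrapper treats that as "no swap", which is the permissive direction; tighten the check if that matters on your system.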
These steps are optional but will greatly enhance the security of your store.
An interesting way to hide your key is to store it inside a JPG image. Here's how to do that:
```sh
guix package -i steghide
```
Now we need a JPG image; I copied one from my Pictures folder to the current directory:
```console
$ cp ~/Pictures/Some.jpg .
$ ls
secret.tomb  secret.tomb.key  Some.jpg
```
To embed the key in the JPG:
```console
$ tomb bury -k secret.tomb.key Some.jpg
.tomb-real  .  Key is valid.
.tomb-real (*) Encoding key
-----BEGIN PGP MESSAGE-----
...
-----END PGP MESSAGE-----
inside image Some.jpg
.tomb-real  .  Please confirm the key password for the encoding
.tomb-real  .  A password is required to use key secret.tomb.key
.tomb-real  .  Password OK.
embedding standard input in "Some.jpg"... done
.tomb-real (*) Tomb key encoded succesfully into image Some.jpg
```
You can now delete your key with:
To retrieve the key file:
```console
$ tomb exhume -k secret.tomb.key Some.jpg
.tomb-real  .  Trying to exhume a key out of image Some.jpg
/home/franz/.gtkrc-2.0:11: error: unexpected end of file, expected number (integer)

(pinentry-gtk-2:15737): Gtk-WARNING **: 11:05:23.679: Unable to locate theme engine in module_path: "adwaita",
wrote extracted data to "secret.tomb.key".
.tomb-real (*) Key succesfully exhumed to secret.tomb.key.
```
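Deleting the original key right after `tomb bury` is the point of no return: if the embedding failed or the image is later re-encoded, the tomb is unrecoverable. The script below is an added example (not from the PantherX wiki or from Tomb) that exhumes the buried copy into a private temporary directory, compares it byte for byte with the original, and removes the original only when they match. It assumes tomb and `shred` are installed and that `tomb exhume -k PATH IMAGE` writes the extracted key to PATH, as the session above shows.

```sh
#!/bin/sh
# Added example, not from the PantherX wiki: before deleting the original key
# file, exhume the buried copy into a private temp directory and check that it
# is byte-for-byte identical. Assumes tomb and shred are installed and that
# `tomb exhume -k PATH IMAGE` writes the extracted key to PATH.

# Return 0 only when both files exist and have identical contents.
same_contents() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# Overwrite the exhumed copy (if any) before removing the temp directory.
cleanup_work() {
    if [ -f "$2" ]; then shred -u "$2"; fi
    rm -rf "$1"
}

# verify_then_remove_key KEY IMAGE: remove KEY only if IMAGE yields an identical copy.
verify_then_remove_key() {
    key=$1; image=$2
    work=$(mktemp -d) || return 1
    chmod 700 "$work"                       # the exhumed key is secret too
    copy="$work/$(basename "$key")"
    if tomb exhume -k "$copy" "$image" && same_contents "$key" "$copy"; then
        cleanup_work "$work" "$copy"
        # shred overwrites before unlinking; plain rm leaves the bytes on disk.
        # How effective this is depends on the filesystem (journaling, SSD wear levelling).
        shred -u "$key"
        echo "key in $image verified; original $key removed"
    else
        cleanup_work "$work" "$copy"
        echo "exhumed key missing or different; keeping $key" >&2
        return 1
    fi
}

# Usage: sh verify_key.sh secret.tomb.key Some.jpg
if [ "$#" -eq 2 ]; then verify_then_remove_key "$@"; fi
```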
Bonus: to determine whether an image has a key embedded in it:
```console
$ steghide info Some.jpg
"Some.jpg":
  format: jpeg
  capacity: 25.1 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
  embedded data:
    size: 806.0 Byte
    encrypted: serpent, cbc
    compressed: yes
```
If you want to make sure that your secret store is mostly useless to anyone who gets hold of it, store the key, or even better, the JPG that contains the key, in a separate location.
PantherX & (unofficial) GNU Guix Wiki.
Last update: 2022-09-21 21:54:22 +0000
Inspired by the excellent Arch Linux Wiki