Tomb is a simple tool to manage encrypted storage on Linux using LUKS, dm-crypt, GPG and other well-known Linux software. It generates encrypted storage folders to be opened and closed using their associated key files, which are also protected with a password chosen by the user.
A tomb is like a locked folder that can be safely transported and hidden in a filesystem; its keys can be kept separate, for instance keeping the tomb file on your computer hard disk and the key files on a USB stick.
Since Tomb 2.4, Tomb supports asymmetric encryption of Tomb keys using public/private GPG key pairs. It is now possible to protect a Tomb key using a GPG key (which can also be password-less for automation) as well as to encrypt a Tomb key for multiple recipients (a list of GPG IDs).
The purpose of this blog post is to explain how to use Tomb with the new GPG key support.
In order to create a tomb, there are three steps to follow.
With a GPG key you have three different ways to protect your tomb key:
The three new tomb options are:
-g/--gpgid: a flag to activate the use of a GnuPG key in Tomb.
-r: to provide GnuPG recipients (separated by commas)
-R: to provide GnuPG hidden recipients (separated by commas)
In the following examples, we are going to use:
secret.tomb as our tomb,
secret.tomb.key as our tomb key,
39D3991C as our GPG key id to protect the tomb key.
Dig a 100MB tomb
tomb dig secret.tomb -s 100
Forge a tomb key
tomb forge secret.tomb.key -g
tomb forge secret.tomb.key -gr 39D3991C
tomb forge secret.tomb.key -gR 39D3991C
To use the default key, set the following options in your GnuPG configuration (gpg.conf):
default-key <keyid>
default-recipient-self
Otherwise, the first key in the keyring is used.
Lock a tomb with a key
tomb lock secret.tomb -k secret.tomb.key -g
With a hidden key ID, you can use:
tomb lock secret.tomb -k secret.tomb.key -gR 39D3991C
Open a tomb
tomb open secret.tomb -k secret.tomb.key -g
Warning: Do not forget the -g option, otherwise tomb will act as if the tomb key was password encrypted.
OpenPGP Smart Cards
OpenPGP smart cards are supported: you need to set one up in your GPG keyring and it should work out of the box. A smart card provides an extra level of security and allows a PIN code to be used for unlocking the GPG key and decrypting the tomb key. After 3 false attempts, the smart card locks itself down.
Share a tomb
A tomb key can be encrypted for more than one recipient. Therefore, a tomb can be shared between different users. The multiple recipients are given using the -r/-R option and must be separated by a comma.
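To check how a tomb key is protected before opening it (the -g warning above) and for whom a shared key is encrypted, the following added example classifies the output of gpg --list-packets; it is not from the original post or the Tomb project. It assumes the tomb key file is an ASCII-armored OpenPGP message that gpg can list; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tomb's own code). Typical use, assuming the key file is
# an armored OpenPGP message:
#   gpg --batch --list-only --list-packets secret.tomb.key 2>/dev/null | tomb_key_mode

# Read a packet listing on stdin and print one line per key-encryption packet:
# "recipient <KEYID>", "hidden-recipient" (made with -R) or "passphrase".
tomb_key_packets() {
    awk '
        /^:pubkey enc packet:/ {
            id = ""
            for (i = 1; i < NF; i++) if ($i == "keyid") id = $(i + 1)
            # Hidden recipients are written with an all-zero key ID.
            if (id ~ /^0+$/) print "hidden-recipient"
            else print "recipient " id
        }
        /^:symkey enc packet:/ { print "passphrase" }
    '
}

# Print "gpg" when tomb must be called with -g, "password" when it must not,
# "mixed" when both packet types are present, "unknown" when neither is.
tomb_key_mode() {
    tomb_key_packets | awk '
        /recipient/     { pub++ }
        /^passphrase$/  { sym++ }
        END {
            if (pub && sym) print "mixed"
            else if (pub)   print "gpg"
            else if (sym)   print "password"
            else            print "unknown"
        }'
}

# Constructed sample listings (key IDs and sizes are made up).
SAMPLE_GPG=':pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
    data: [2048 bits]
:pubkey enc packet: version 3, algo 1, keyid 0000000000000000
    data: [2048 bits]
:encrypted data packet:
    length: unknown'

SAMPLE_PASSWORD=':symkey enc packet: version 4, cipher 9, s2k 3, hash 10
    salt 0123456789ABCDEF, count 65011712 (255)
:encrypted data packet:
    length: unknown'

printf 'GPG-protected sample: %s\n' "$(printf '%s\n' "$SAMPLE_GPG" | tomb_key_mode)"
printf '%s\n' "$SAMPLE_GPG" | tomb_key_packets
printf 'Password sample: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWORD" | tomb_key_mode)"
```

A "hidden-recipient" line means the key ID was withheld, so the listing alone cannot tell you which user that packet is for.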
You will need to provide a steganography password on top of your GPG key. Please note that the key is buried encrypted; the GPG key is used only to make sure you bury a key you own.
$ tomb bury cat.jpg -k secret.tomb.key -g
$ tomb exhume cat.jpg -k secret.tomb.key
$ # If you want to open the tomb with a buried key
$ tomb open test.tomb -k cat.jpg -g