My blurb about Tomb
Using encryption is important when you store personal information on general-purpose computers. Information can, and in general should, move easily between interconnected devices. Keeping your keyfile separate from your encrypted container adds a useful layer of security: if your encrypted container is ever lost, stolen, or purposefully stored, it is a completely useless chunk of data without its keyfile and the keyfile's corresponding password. Encrypted containers with integrated keys are also at risk of brute-force attack. With the growth of processing power, GPU-accelerated applications, and the falling cost of that processing, brute-forcing passwords gets easier every year.
Special note: TrueCrypt also supports the use of keyfiles.
Tomb website: http://www.dyne.org/software/tomb/
Tomb on Github: https://github.com/dyne/Tomb/
Note: This specific blog post is licensed as Creative Commons CC0 for the purpose of contributing to the Crypto.is project. You are free to copy, change, delete, or publish any part of this guide.
This guide is written to demonstrate how to:
1. Install Tomb in Ubuntu 11.10 x64
2. Create your first tomb
3. Securely move your tomb keyfile to a USB drive
4. Access and use your tomb
5. Securely delete your tomb
To install Tomb, follow the Crypto.is guide here (see: “Install from Debian Repository”): https://crypto.is/guides/install-tomb/
With your terminal open, verify that you have Tomb installed correctly via version check:
You should get this output:
Tomb - 1.2
Creating a tomb
Before you begin, you can safely verify that your computer's swap space is encrypted by trying to encrypt it. If you have swap space and do not pass the "--ignore-swap" flag, Tomb will not create your tomb file and you will receive the following warning:
You have swap activated; use --ignore-swap if you want to skip this check
. Using encryption with swap activated is very bad, because some files, or even your secret key, could be written on hard disk.
. However, it could be that your swap is encrypted. If this is case, this is ok. Then, use --ignore-swap to skip this check
. You seem to be using 1 swaps:
/dev/dm-0 partition 1234567 0 -1
Try encrypting your swap space if you have it:
You will get this warning if your swap space is already encrypted:
WARNING: [/dev/dm-0] already appears to be encrypted, skipping.
WARNING: There were no usable swap devices to be encrypted. Exiting.
Create a “test” tomb that is 2 Megabytes in size:
tomb create -s 2 test --ignore-swap
Enter your new password and again for verification. Remember, when creating a password for an encrypted container, a longer password is better than a more complicated password.
…is better than:
…because a longer password, in general, takes longer to brute-force, assuming an attacker has obtained both your tomb and its keyfile.
Moving your keyfile to a USB device
Copy, not move, your keyfile to your USB device:
sudo cp test.tomb.key /media/name-of-mounted-usb-device/
Shred the original keyfile to securely delete it:
sudo shred -f -v -z -u test.tomb.key
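The copy-then-shred step above is the one place where a mistake destroys your only key, so the two commands are better run together with a verification in between. The function below is an added example (not part of the guide or of Tomb itself): it copies the keyfile, compares the copy byte-for-byte with the original, and shreds the original only if the comparison succeeds; the file and directory names are placeholders you supply.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Tomb.
# move_keyfile_safely SRC DST_DIR
#   Copy keyfile SRC into DST_DIR (e.g. the mounted USB stick), verify the
#   copy, and only then shred the original. If anything fails the original
#   is kept, so a faulty USB device cannot cost you your only key.
move_keyfile_safely() {
    src=$1
    dst_dir=$2
    dst="$dst_dir/$(basename "$src")"

    [ -f "$src" ] || { echo "no such keyfile: $src" >&2; return 1; }
    [ -d "$dst_dir" ] || { echo "not a directory: $dst_dir" >&2; return 1; }
    # Never silently overwrite a key that is already on the device.
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }

    cp "$src" "$dst" || return 1
    # Restrict permissions where the filesystem supports it (FAT sticks do not).
    chmod 0600 "$dst" 2>/dev/null || true
    # Flush the write to the removable device before trusting the copy.
    sync

    if cmp -s "$src" "$dst"; then
        # Copy verified: overwrite and remove the original, as in the guide.
        shred -f -v -z -u "$src"
    else
        echo "copy to $dst did not verify; original kept" >&2
        rm -f "$dst"
        return 1
    fi
}
```

Note that shred's overwriting only helps on filesystems that write data in place; on journaling or copy-on-write filesystems and on SSDs with wear levelling, old copies of the key may survive, as shred's own documentation warns.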
Mounting your tomb
Remember that Tomb is a command-line utility, so even after mounting your tomb, you cannot access it using a GUI.
Mount your “test” tomb referencing the keyfile that is located on your USB drive:
tomb open test.tomb -k /media/name-of-mounted-usb-device/test.tomb.key --ignore-swap
Move a file over to your mounted tomb directory (into your tomb):
sudo mv /name-of-directory/name-of-file /media/test.tomb
Note: you can, of course, copy it over then shred the original.
Closing your tomb directory
Close your mounted tomb directory when you are done:
Deleting your tomb
If you ever need to delete your tomb, be sure to delete both the tomb and the keyfile:
sudo shred -f -v -z -u test.tomb
shred -f -v -z -u /media/name-of-mounted-usb-device/test.tomb.key