In this blog, I will show how you can utilise the open-source data encryption software Tomb to protect your private data on your Linux server. This can be used to create a private folder that only you can open, which can be used as a Samba file share mount, to host your private data for OwnCloud/Nextcloud, or whatever you fancy (hey, no judgement here child).
Firstly, you need to install some prerequisites:
apt-get -y install zsh pinentry-curses
Once installed, grab the latest Tomb (this has probably changed, but 2.3 was the latest when I wrote this) and extract it:
cd /tmp
wget https://files.dyne.org/tomb/Tomb-2.3.tar.gz
tar xvfz Tomb-2.3.tar.gz
cd Tomb-2.3
Next, let's go ahead and install Tomb with make, and test that it's working:
make install
tomb -h
You should see an output showing you the commands of Tomb, such as:
root@server:/tmp/Tomb-2.3# tomb -h
Tomb 2.3 - a strong and gentle undertaker for your secrets
Copyright (C) 2007-2017 Dyne.org Foundation, License GNU GPL v3+
This is free software: you are free to change and redistribute it
For the latest sourcecode go to <http://dyne.org/software/tomb>
Syntax: tomb [options] command [arguments]
Next, we need to create a key that will be used to protect our data:
tomb forge secrets.tomb.key
This will ask for a password as below:
root@server:/tmp/Tomb-2.3# tomb forge secrets.tomb.key
tomb . Commanded to forge key secrets.tomb.key with cipher algorithm AES256
tomb [W] This operation takes time, keep using this computer on other tasks,
tomb [W] once done you will be asked to choose a password for your tomb.
tomb [W] To make it faster you can move the mouse around.
tomb [W] If you are on a server, you can use an Entropy Generation Daemon.
256+0 records in
256+0 records out
256 bytes copied, 397.618 s, 0.0 kB/s
tomb (*) Choose the password of your key: secrets.tomb.key
tomb . (You can also change it later using 'tomb passwd'.)
tomb . Key is valid.
tomb . Done forging secrets.tomb.key
tomb (*) Your key is ready:
-rw------- 1 root root 527 Apr 5 12:07 secrets.tomb.key
Now that our key is created, we need to create our ‘tomb’. The tomb is basically a container for your files that can only be mounted if the key (and thus the password) is provided, meaning it's super secure. To create the tomb, the ‘-s’ flag is used – and takes an integer as an input. This integer is the size of the tomb in MiB, so 100GB would be 95367MiB, for example. Below I’m just creating a small example to display what happens:
root@server:/tmp/Tomb-2.3# tomb dig -s 100 secrets.tomb
tomb . Commanded to dig tomb secrets.tomb
tomb (*) Creating a new tomb in secrets.tomb
tomb . Generating secrets.tomb of 100MiB
100+0 records in
100+0 records out
104857600 bytes (105 MB, 100 MiB) copied, 9.08815 s, 11.5 MB/s
-rw------- 1 root root 100M Apr 5 12:08 secrets.tomb
tomb (*) Done digging secrets
tomb . Your tomb is not yet ready, you need to forge a key and lock it:
tomb . tomb forge secrets.tomb.key
tomb . tomb lock secrets.tomb -k secrets.tomb.key
root@server:/tmp/Tomb-2.3#
Now, as it says above, we now need to associate our created key with our newly created tomb, meaning only our key can open the tomb once locked:
root@server:/tmp/Tomb-2.3# tomb lock -k secrets.tomb.key secrets.tomb
tomb . Commanded to lock tomb secrets.tomb
tomb . Checking if the tomb is empty (we never step on somebody else's bones).
tomb . Fine, this tomb seems empty.
tomb . Key is valid.
tomb . Locking using cipher: aes-xts-plain64:sha256
tomb . A password is required to use key secrets.tomb.key
tomb . Password OK.
tomb (*) Locking secrets.tomb with secrets.tomb.key
tomb . Formatting Luks mapped device.
tomb . Formatting your Tomb with Ext3/Ext4 filesystem.
tomb . Done locking secrets using Luks dm-crypt aes-xts-plain64:sha256
tomb (*) Your tomb is ready in secrets.tomb and secured with key secrets.tomb.key
root@server:/tmp/Tomb-2.3#
Success! We can now open and close our Tomb, as below:
root@server:/tmp/Tomb-2.3# tomb open -k secrets.tomb.key secrets.tomb
tomb . Commanded to open tomb secrets.tomb
tomb . Valid tomb file found: secrets.tomb
tomb . Key is valid.
tomb . Mountpoint not specified, using default: /media/secrets
tomb (*) Opening secrets on /media/secrets
tomb . This tomb is a valid LUKS encrypted device.
tomb . Cipher is "aes" mode "xts-plain64:sha256" hash "sha1"
tomb . A password is required to use key secrets.tomb.key
tomb . Password OK.
tomb (*) Success unlocking tomb secrets
tomb . Checking filesystem via /dev/loop0
fsck from util-linux 2.27.1
secrets: clean, 11/25168 files, 8831/100352 blocks
tomb (*) Success opening secrets.tomb on /media/secrets
root@server:/tmp/Tomb-2.3# cd /media/secrets/
root@server:/media/secrets# ls
lost+found
root@server:/media/secrets# touch hello
root@server:/media/secrets# ls
hello  lost+found
root@server:/media/secrets#
In the above, I’ve gone into the tomb and created a file called ‘hello’ to show that you can write to it. Now, if you want to close all of the tombs, simply use the command ‘tomb close all’, or alternatively if you are in a hurry, use ‘tomb slam’ – which is the equivalent of kicking the power out of the back.
root@server:/media# tomb close all
tomb . Closing tomb [secrets] mounted on /media/secrets
tomb . Closing tomb bind hook: /media/root/secrets
losetup: /dev/loop0: detach failed: No such device or address
tomb (*) Tomb [secrets] closed: your bones will rest in peace.
root@server:/media#
root@server:/media# ls
cdrom
root@server:/media#
The above shows the closing of the tomb, and an ‘ls’ shows that there is no trace remaining.
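As an added example (my own helper, not part of Tomb or of the steps above), here is a small POSIX shell wrapper for the forge, dig and lock sequence. It works out the MiB figure for ‘-s’ from a decimal GB size the same way as the 100GB figure above, refuses to overwrite an existing tomb or key, takes a separate key directory so the key is not stored next to the tomb, and with DRY_RUN=1 it prints the commands instead of running them so you can check them first. The function names, the DRY_RUN variable and the key directory path are my own assumptions.

```shell
#!/bin/sh
# Added helper for the forge -> dig -> lock sequence (not part of Tomb itself).
# Assumes the tomb command is on PATH. Set DRY_RUN=1 to print the commands
# instead of executing them.
set -eu

# Convert a decimal-gigabyte size to the MiB integer that 'tomb dig -s' expects.
# 100 GB -> 95367 MiB, the same figure used in the post.
gb_to_mib() {
    echo $(( $1 * 1000000000 / 1048576 ))
}

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# make_tomb NAME SIZE_GB KEY_DIR
# Creates NAME.tomb in the current directory and NAME.tomb.key in KEY_DIR
# (a separate directory, so the key and the tomb are not kept side by side),
# then locks the tomb with that key. Refuses to overwrite anything that exists.
make_tomb() {
    name=$1
    size_gb=$2
    key_dir=$3
    tomb_file="$name.tomb"
    key_file="$key_dir/$name.tomb.key"
    if [ -e "$tomb_file" ] || [ -e "$key_file" ]; then
        echo "refusing to overwrite existing $tomb_file or $key_file" >&2
        return 1
    fi
    mib=$(gb_to_mib "$size_gb")
    run tomb forge "$key_file"
    run tomb dig -s "$mib" "$tomb_file"
    run tomb lock -k "$key_file" "$tomb_file"
    # The forge output above already shows the key created as -rw-------;
    # this is a belt-and-braces step in case a permissive umask changes that.
    [ "${DRY_RUN:-0}" = 1 ] || chmod 600 "$key_file"
}

# Example: preview the commands for a 100 GB tomb called 'secrets':
#   DRY_RUN=1 make_tomb secrets 100 /root/tomb-keys
```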
Now, if you want to use this for production purposes, I’d recommend further reading – you can do a LOT of cool things with Tomb such as QR codes for authentication, hiding PIN numbers in images (steganography, oo), etc. You’ll also want to move your tomb from /tmp 🙂 Enjoy, and I hope this stokes some creative fires.