Encryption is an essential security practice. While your file system may have encryption enabled, what about shared machines or extremely sensitive information?

Fear not, you can keep your secret Justin Bieber music collection in your closet with Tomb.

What Is a Tomb?

In the Linux sense of the word, a tomb is like a locked folder that can be safely stored within a file system. Another great feature is that the keys that unlock the tomb can be kept separately. For example, you may have your tomb on a shared computer, and your keys on a USB drive.

One of the best things about Tomb is that it sits on standard Linux technology. The underlying technology used by Tomb has been in Linux kernels since version 2.6, which means you're using technology developed by arguably some of the best Linux developers.

Tomb claims their ambition is to provide military-grade security by way of:

  • A minimalist design consisting of small and readable code.
  • Facilitation of good practices, like physical separation of storage and keys.
  • Adoption of a few standard and well-tested implementations.

Tombs are like single files whose contents are inaccessible in the absence of the key they were locked with and its password. Once open, the tombs are just like regular folders. Tombs can even be slammed close even when in use.

As mentioned, you must have the tomb, its key, and the password to access it. Files can be further obfuscated using obscurity to hide tombs, and embedding keys into JPEGs.

Interested? Here's how to do it.

Installing Tomb

Installing Tomb and its dependencies is as easy as it gets. Just download the latest version, unzip the file, then use the make command.

The dependencies you need are:

  • zsh
  • sudo
  • gnupg
  • cryptsetup
  • pinentry-curses

You may already have these installed. If not, once you've downloaded all the dependencies using apt or whichever package manager your system uses type:

        wget https://files.dyne.org/tomb/Tomb-2.5.tar.gz
tar xvfz Tomb-2.5.tar.gz
sudo make install

And that's all there is to it. You're ready to start creating and using Tomb!

Creating a Tomb

Tomb is one of those applications that has its commands themed around its name. For example, it has commands like dig, bury, and exhume. For a full list of Tomb's commands check out its man page by typing:

        man tomb
    

To create your first tomb, you need to dig it! When your ready, type:

        tomb dig -s 200 secrets.tomb
    
protect sensitive data using tomb on linux

This command creates a 200MB tomb to store your unlucky selfie collection. Feel free to create whichever size suits you. A tomb can always be resized using the resize command. Bear in mind that you can always grow a tomb, but not shrink one.

Locking the Tomb

Now we have one part of our secure file, we need to create a key and lock the tomb. To create this, type:

        tomb forge secrets.tomb.key
protect sensitive data using tomb on linux

You may have noticed that this command didn't execute and Tomb has issued a warning. The warning shows that you have a running swap file. This is a risk because contents of your RAM can be written to your swap file during this process, and if someone analyzes your swap file they could potentially pick out your key or password!

Tomb at this point recommends turning off your swap file when working with your tomb and turning swap back on again after you're done. Tomb kindly provides you with the command to do so! To view any configured swap partitions type:

        sudo swapon -s
    

You can turn your swap on and off by using the following commands:

        sudo swapoff -a
sudo swapon -a
protect sensitive data using tomb on linux

If you aren't bothered by your swap file you can force the creation of the key by typing:

        tomb forge secrets.tomb.key -f
protect sensitive data using tomb on linux

Depending on the speed of your PC the key generation may take a while. You can accelerate this by some random mouse movements. You will be prompted to enter and confirm a password for your key. Now to lock your tomb with the key you just created type:

        tomb lock secrets.tomb -k secrets.tomb.key
protect sensitive data using tomb on linux

Using a Tomb

To open and use your tomb type:

        tomb open -k secrets.tomb.key secrets.tomb
    
protect sensitive data using tomb on linux

At this point, you will be prompted to enter your password for the key. Once done, the tomb will be unlocked, and mounted like an external drive.

Tombs can also be used to store config files for some of your applications. You could first unlock your tomb and start an application that requires said config files. If someone tries to start that application without unlocking the tomb, the application will seem like it's just unconfigured.

Once you're done organizing your X Factor rehearsal videos inside your tomb, you can close it in one of two ways. Either using the close command or the slam command.

        tomb close [<name of tomb> | all]
tomb slam all

If you have more than one tomb open, you can either specify the name of the tomb to be closed or use all for closing all currently open tombs. The close command will fail if the tomb is in use by a running process.

If you're in a hurry and need to close your tombs regardless of running processes you can use the slam command. This may result in unsaved data loss to files that are in use, so use with caution.

More Security Through Obscurity

One of the things to be aware of when using Tomb is that there isn't any cleanup process. That means once you're done with your tomb, you need to ensure the key is removed if it exists on the same machine.

Keeping a tomb and key on the same machine creates an element of risk. There are ways to be a little sneaky and hide keys in plain sight. Take this folder for example:

protect sensitive data using tomb on linux

It contains some family pictures, all with sequential names. At first glance, nothing seems out of place. Anyone looking at these pictures would be none the wiser. Now, look at this picture in particular:

protect sensitive data using tomb on linux

This picture has a lot more to it that meets the eye. Embedded inside this picture is a key used to unlock a tomb hidden using steganography. Impressive right? If you're feeling like James Bond and would like to do this type:

        sudo apt install steghide
    

To hide a key inside a JPEG type:

        tomb bury -k secrets.tomb.key Picture-name.jpg
    
protect sensitive data using tomb on linux

After entering the password for your key file, you can now delete the key file entirely. This means that there will no key file left in plain sight. Instead, it will actually be hidden inside a JPEG. To get the key back out run:

        tomb exhume -k tempsecret.key Picture-name.jpg
    
protect sensitive data using tomb on linux

Once your key has been exhumed or extracted, use it to open its respective tomb. After you've locked the tomb, feel free to delete the key as it can always be exhumed from the JPEG.

Finally, ensure your tombs are hidden among other files as opposed to just keeping them in the root of your drive. Give them names that will allow them to blend in with the noise.

Keep It Secret, Keep It Safe!

Tomb brings with it some great features. In the extras directory, there are a few other helpful tools like a GUI interface and tray icons.

Tomb adds an extra layer of security for those extremely sensitive files that you may have. The theming convention also adds a little fun to the experience! Your skeletons can now rest in peace.

Image Credit: Photoloide/Depositphotos