Category Archives: Information Tools

Installing and using Tomb in Ubuntu 11.10

My blurb about Tomb

Using encryption is important when you store personal information on general-purpose computers. Information can, and in general should, easily move about via inter-connected devices. Keeping your keyfiles separate from your encrypted container adds a useful layer of security. If ever your encrypted container is lost, stolen, or purposefully stored, it is a completely useless chunk of data without its keyfile and the keyfiles correlating password. Encrypted containers that have integrated keys also have the risk of being attacked via brute-force. With the evolution of processing power along with GPU-accelerated applications, and the decrease in cost of said processing, brute-forcing passwords gets easier every year.

Special note: TrueCrypt also supports the use of keyfiles.

Tomb website: http://www.dyne.org/software/tomb/
Tomb on Github: https://github.com/dyne/Tomb/

Note: This specific blog post is licensed as Creative Commons CC0 for the purpose of contributing to the Crypto.is project. You are free to copy, change, delete, or publish any part of this guide.

This guide is written to demonstrate how to:

1. Install Tomb in Ubuntu 11.10 x64
2. Create your first tomb
3. Securely move your tomb keyfile to a USB drive
4. Access and use your tomb
5. Securely delete your tomb

Installation

To install Tomb, follow the Crypto.is guide here (see: “Install from Debian Repository”): https://crypto.is/guides/install-tomb/

Verify installation

With your terminal open, verify that you have Tomb installed correctly via version check:

tomb -v

You should get this output:

Tomb - 1.2

Reference: http://www.dyne.org/software/tomb/

Creating a tomb

Before you begin, you can safely verify that your computer’s swap space is encrypted by trying to encrypt it. If you have swap space, and without the proper “–ignore-swap” flag, Tomb will not create your file and you will receive the following warning:

You have swap activated; use --ignore-swap if you want to skip this check
. Using encryption with swap activated is very bad, because some files, or even your secret key, could be written on hard disk.
. However, it could be that your swap is encrypted. If this is case, this is ok. Then, use --ignore-swap to skip this check
. You seem to be using 1 swaps:
/dev/dm-0 partition 1234567 0 -1

Try encrypting your swap space if you have it:

sudo ecryptfs-setup-swap

Reference: https://help.ubuntu.com/community/EncryptedHome

You will get this warning if your swap space is already encrypted:

WARNING: [/dev/dm-0] already appears to be encrypted, skipping.
WARNING: There were no usable swap devices to be encrypted. Exiting.

Create a “test” tomb that is 2 Megabytes in size:

tomb create -s 2 test --ignore-swap

Enter your new password and again for verification. Remember, when creating a password for an encrypted container, a longer password is better than a more complicated password.

PartyLikeIts#1999ButIn@2012

…is better than:

fG#jg8-sm$db

…because a longer password, in general, takes longer to brute-force, presuming that your tomb and keyfile are together.

Moving your keyfile to a USB device

Copy, not move, your keyfile to your USB device:

sudo cp test.tomb.key /media/name-of-mounted-usb-device/

Shred the original keyfile to securely delete it:

sudo shred -f -v -z -u test.tomb.key

Reference: http://maketecheasier.com/ubuntu-how-to-delete-your-files-or-wipe-your-hard-drive-beyond-recovery/2008/02/14

Mounting your tomb

Remember that Tomb is a command-line utility, so even after mounting your tomb, you cannot access it using a GUI.

Mount your “test” tomb referencing the keyfile that is located on your USB drive:

tomb open test.tomb -k /media/name-of-mounted-usb-device/test.tomb.key --ignore-swap

Move a file over to your mounted tomb directory (into your tomb):

sudo mv /name-of-directory/name-of-file /media/test.tomb

Note: you can, of course, copy it over then shred the original.

Closing your tomb directory

Close your mounted tomb directory when you are done:

tomb slam

Deleting your tomb

If you ever need to delete your tomb, be sure to delete both the tomb and the keyfile:

sudo shred -f -v -z -u test.tomb
shred -f -v -z -u /media/name-of-mounted-usb-device/test.tomb.key