My blurb about Tomb
Using encryption is important when you store personal information on general-purpose computers. Information can, and in general should, move easily between inter-connected devices. Keeping your keyfile separate from your encrypted container adds a useful layer of security: if your encrypted container is ever lost, stolen, or deliberately stored somewhere you do not control, it is a useless chunk of data without both its keyfile and the password that protects that keyfile. Encrypted containers that carry their own key material, unlocked by a password alone, are also exposed to offline brute-force attacks, and with the growth of processing power, GPU-accelerated cracking tools, and the falling cost of that processing, brute-forcing passwords gets easier every year.
This guide is written to demonstrate how to:
1. Install Tomb in Ubuntu 11.10 x64
2. Create your first tomb
3. Securely move your tomb keyfile to a USB drive
4. Access and use your tomb
5. Securely delete your tomb
To install Tomb, follow the Crypto.is guide here (see: “Install from Debian Repository”): https://crypto.is/guides/install-tomb/
With your terminal open, verify that Tomb is installed correctly by checking its version:
You should get this output:
Tomb - 1.2
Creating a tomb
Before you begin, check whether your computer's swap space is encrypted. Tomb does this check for you: if swap is active and you do not pass the --ignore-swap flag, Tomb will refuse to create your file and you will receive the following warning:
You have swap activated; use --ignore-swap if you want to skip this check
. Using encryption with swap activated is very bad, because some files, or even your secret key, could be written on hard disk.
. However, it could be that your swap is encrypted. If this is case, this is ok. Then, use --ignore-swap to skip this check
. You seem to be using 1 swaps:
/dev/dm-0 partition 1234567 0 -1
Try encrypting your swap space if you have it:
You will get this warning if your swap space is already encrypted:
WARNING: [/dev/dm-0] already appears to be encrypted, skipping.
WARNING: There were no usable swap devices to be encrypted. Exiting.
Create a “test” tomb that is 2 Megabytes in size:
tomb create -s 2 test --ignore-swap
Enter your new password, then enter it again for verification. This password protects the keyfile, so it is what an attacker has to guess if they get hold of both your tomb and its keyfile. Remember, when creating a password for an encrypted container, a longer password is better than a more complicated password.
…is better than:
…because a longer password, in general, takes longer to brute-force, which is what matters if your tomb and keyfile end up together in an attacker's hands.
Moving your keyfile to a USB device
Copy, not move, your keyfile to your USB device, so the original stays intact until you have confirmed that the copy is good:
sudo cp test.tomb.key /media/name-of-mounted-usb-device/
Once the copy is verified, shred the original keyfile to overwrite it in place and delete it:
sudo shred -f -v -z -u test.tomb.key
Keep in mind that shred overwrites a file's blocks in place, which only works on filesystems that write in place. On journaled or copy-on-write filesystems, and on SSDs and flash drives with wear levelling, older copies of the data may survive (the shred man page warns about this too).
Mounting your tomb
Tomb is a command-line utility, but once your tomb is open it is an ordinary mounted directory, so you can use it from any program, including a graphical file manager.
Mount your “test” tomb referencing the keyfile that is located on your USB drive:
tomb open test.tomb -k /media/name-of-mounted-usb-device/test.tomb.key --ignore-swap
Move a file over to your mounted tomb directory (into your tomb):
sudo mv /name-of-directory/name-of-file /media/test.tomb
Note: you can, of course, copy it over then shred the original.
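The "copy, verify, then shred the original" pattern from the keyfile step and from the note above is easy to get wrong by shredding before the copy is known to be good. The following shell function is an added example written for this page (it is not part of the original post or of the Tomb project): it copies a file to a destination directory, compares the copy byte for byte with cmp, and only then shreds the original; it refuses to overwrite an existing file at the destination and leaves the original untouched if anything fails. The paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from the Tomb project.
# relocate_key SRC DESTDIR
#   Copies SRC into DESTDIR, verifies the copy with cmp, then shreds SRC.
#   Returns non-zero and keeps SRC if any step fails.
# Usage (placeholder paths):
#   relocate_key test.tomb.key /media/name-of-mounted-usb-device
relocate_key() {
    src="$1"
    destdir="$2"
    dest="$destdir/$(basename "$src")"

    [ -f "$src" ] || { echo "no such keyfile: $src" >&2; return 1; }
    [ -d "$destdir" ] || { echo "not a directory: $destdir" >&2; return 1; }
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing $dest" >&2
        return 1
    fi

    cp "$src" "$dest" || return 1
    # Best effort only: FAT-formatted USB sticks do not support permission bits.
    chmod 600 "$dest" 2>/dev/null || true
    # Flush the copy to the device before trusting it.
    sync

    if ! cmp -s "$src" "$dest"; then
        echo "copy does not match original; keeping $src" >&2
        rm -f "$dest"
        return 1
    fi

    # Only now destroy the original. shred overwrites in place, which is
    # only meaningful on in-place filesystems on magnetic disks.
    if command -v shred >/dev/null 2>&1; then
        shred -f -z -u "$src" || return 1
    else
        echo "shred not available; falling back to rm" >&2
        rm -f "$src" || return 1
    fi
    [ ! -e "$src" ] && [ -f "$dest" ]
}
```

The function is written for POSIX sh so it runs under Ubuntu's dash as well as bash; run it with sudo if the destination mount is root-owned, as the page's cp command is.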
Closing your tomb directory
Close your mounted tomb directory when you are done:
Deleting your tomb
If you ever need to delete your tomb, close it first, then delete both the tomb and the keyfile. Shredding the keyfile alone already makes the tomb unrecoverable, but shred both anyway, and remember that on a USB flash drive shred cannot guarantee the old key blocks are overwritten because of wear levelling:
sudo shred -f -v -z -u test.tomb
shred -f -v -z -u /media/name-of-mounted-usb-device/test.tomb.key