2023-06-25 21:08:32 +00:00
|
|
|
.TH tomb 1 "Jun 25, 2023" "tomb"
|
2011-01-26 15:00:40 +00:00
|
|
|
|
|
|
|
.SH NAME
|
|
|
|
Tomb \- the Crypto Undertaker
|
|
|
|
|
|
|
|
.SH SYNOPSIS
|
2011-01-26 15:16:50 +00:00
|
|
|
.B
|
2011-02-12 16:54:53 +00:00
|
|
|
.IP "tomb [options] command [arguments]"
|
2011-01-26 15:00:40 +00:00
|
|
|
|
|
|
|
.SH DESCRIPTION
|
|
|
|
|
2011-02-06 16:04:52 +00:00
|
|
|
Tomb is an application to manage the creation and access of encrypted
|
2011-03-03 16:04:52 +00:00
|
|
|
storage files: it can be operated from commandline and it can
|
|
|
|
integrate with a user's graphical desktop.
|
2011-01-26 15:00:40 +00:00
|
|
|
|
2011-03-03 16:04:52 +00:00
|
|
|
Tomb generates encrypted storage files to be opened and closed using
|
|
|
|
their associated keys, which are also protected with a password chosen
|
|
|
|
by the user. To create, open and close tombs a user will need super
|
|
|
|
user rights to execute the tomb commandline utility.
|
2011-01-26 15:00:40 +00:00
|
|
|
|
2011-02-06 16:04:52 +00:00
|
|
|
A tomb is like a locked folder that can be safely transported and
|
|
|
|
hidden in a filesystem; it encourages users to keep their keys
|
|
|
|
separate from tombs, for instance keeping a tomb file on your computer
|
|
|
|
harddisk and its key file on a USB stick.
|
2011-01-26 15:00:40 +00:00
|
|
|
|
2011-01-26 15:16:50 +00:00
|
|
|
|
|
|
|
.SH COMMANDS
|
2011-02-12 16:54:53 +00:00
|
|
|
|
2011-01-26 15:00:40 +00:00
|
|
|
.B
|
2013-03-25 11:02:56 +00:00
|
|
|
.IP "dig"
|
|
|
|
Generates a file that can be used as a tomb and will occupy as much
|
|
|
|
space as its desired initial size, the unlocked \fI.tomb\fR file can
|
2017-03-22 15:39:25 +00:00
|
|
|
then be locked using a \fIkey\fR. It takes a mandatory \fI-s\fR option
|
|
|
|
which is the size in megabytes (MiB). Tombs are digged using random
|
2021-01-25 14:14:31 +00:00
|
|
|
data gathered from a non-blocking source (/dev/urandom). For very
|
|
|
|
large tombs this may take up too much time and entropy, then it is
|
|
|
|
possible to use \fIfallocate(1)\fR being aware it does not pre-fill
|
|
|
|
with random data, decreasing the tomb's security.
|
2013-03-25 11:02:56 +00:00
|
|
|
|
|
|
|
.B
|
|
|
|
.IP "forge"
|
2022-02-20 21:05:01 +00:00
|
|
|
Creates a new \fIkey\fR and prompts the user for a \fIpassword\fR to protect
|
|
|
|
its usage using symmetric encryption. This operation uses random data from a
|
|
|
|
non-blocking source (/dev/urandom) and it may take long only in some cases; to
|
|
|
|
switch using a blocking source the \fI--use-random\fR flag can be used. The
|
|
|
|
\fI-g\fR option switches on the use of a GPG key instead of a password
|
|
|
|
(asymmetric encryption), then the \fI-r\fR option indicates the recipient key;
|
|
|
|
more recipient GPG ids can be indicated (comma separated). The default cipher
|
|
|
|
to protect the key is AES256, a custom one can be specified using the \fI-o\fR
|
|
|
|
option, for a list of supported ciphers use \fI-v\fR. For additional protection
|
|
|
|
against dictionary attacks on keys, the \fI--kdf\fR option can be used when
|
|
|
|
forging a key, making sure that the binaries in \fIextras/kdf\fR were compiled
|
2019-05-22 07:55:02 +00:00
|
|
|
and installed on the system.
|
2013-03-25 11:02:56 +00:00
|
|
|
|
|
|
|
.B
|
|
|
|
.IP "lock"
|
|
|
|
Initializes and locks an empty tomb (made with \fIdig\fR) using a key
|
|
|
|
(made with \fIforge\fR), making it ready for usage. After this
|
2015-07-08 19:30:21 +00:00
|
|
|
operation, the tomb can only be opened in possession of the key and
|
2013-06-12 12:10:27 +00:00
|
|
|
knowing its password. As in any other command requiring a key, the
|
2017-02-21 14:39:54 +00:00
|
|
|
option \fI-k\fR should be used to specify a key file; in case of
|
|
|
|
encryption to GPG recipients the \fI-g\fR flag should be used followed
|
|
|
|
by \fI-r\fR and the recipient's secret GPG key id. The \fI-o\fR
|
2014-01-12 22:32:23 +00:00
|
|
|
option can be used to specify the cipher specification: default is
|
2021-01-04 21:00:29 +00:00
|
|
|
"aes-xts-plain64", old versions of Tomb used "aes-cbc-essiv:sha256".
|
|
|
|
If you are looking for something exotic, also try
|
|
|
|
"serpent-xts-plain64". More options may be found in cryptsetup(8) and
|
|
|
|
Linux documentation. The \fI--filesystem\fR option can be used to
|
2022-10-25 11:45:34 +00:00
|
|
|
specify an alternative filesystem used to format the tomb,
|
2021-01-04 21:00:29 +00:00
|
|
|
in place of the default "ext4". This operation requires root
|
2022-10-25 11:45:34 +00:00
|
|
|
privileges to loopback mount, format the tomb (using LUKS and mkfs),
|
2024-01-13 12:54:09 +00:00
|
|
|
then set the key in its first LUKS slot.
|
2022-10-25 11:45:34 +00:00
|
|
|
|
|
|
|
.RS
|
|
|
|
Supported filesystems for \fI--filesystem\fR:
|
2023-09-30 20:47:51 +00:00
|
|
|
.PD 0
|
|
|
|
.IP "ext3" 15
|
|
|
|
using operating system defaults
|
|
|
|
.IP "ext4"
|
|
|
|
using operating system defaults
|
|
|
|
.IP "btrfs"
|
|
|
|
for tombs >= 47MB using operating system defaults
|
|
|
|
.IP "btrfsmixedmode"
|
|
|
|
for tombs >=18MB btrfs mixed mode (see mkfs.btrfs(8))
|
|
|
|
.IP "ext3maxinodes"
|
|
|
|
ext3 with a maximum of inodes (for many small files)
|
|
|
|
.IP "ext4maxinodes"
|
|
|
|
ext4 with a maximum of inodes (for many small files)
|
|
|
|
.PD
|
2022-10-25 11:45:34 +00:00
|
|
|
.RE
|
2011-02-12 16:54:53 +00:00
|
|
|
|
2011-01-26 15:16:50 +00:00
|
|
|
.B
|
|
|
|
.IP "open"
|
2017-02-21 14:39:54 +00:00
|
|
|
Opens an existing \fItomb file\fR (first argument) using a key
|
2019-02-22 08:50:04 +00:00
|
|
|
(\fI-k\fR) which can also be hidden inside a \fIjpeg image\fR (see
|
|
|
|
\fIbury\fR/\fIexhume\fR) or a long text file
|
|
|
|
(see\fIcloak\fR/\fIuncloak\fR). If a second argument is given it will
|
2016-12-22 19:46:40 +00:00
|
|
|
indicate the \fImountpoint\fR where the tomb should be made
|
|
|
|
accessible, else the tomb is mounted in a directory inside /media (if
|
|
|
|
not available it uses /run/media/$USER). The option \fI-o\fR can be
|
2017-02-21 14:39:54 +00:00
|
|
|
used to pass mount(8) options (default: rw,noatime,nodev). The
|
|
|
|
\fI-g\fR option is needed when using GPG encryption to recipients.
|
2011-02-12 16:54:53 +00:00
|
|
|
|
2011-05-09 08:32:08 +00:00
|
|
|
.B
|
|
|
|
.IP "list"
|
|
|
|
List all the tombs found open, including information about the time
|
2013-03-30 16:29:51 +00:00
|
|
|
they were opened and the hooks that they mounted. If the first
|
|
|
|
argument is present, then shows only the tomb named that way or
|
2015-07-08 19:30:21 +00:00
|
|
|
returns an error if it's not found. If the option
|
2014-06-09 10:22:33 +00:00
|
|
|
\fI--get-mountpoint\fR is used then print a simple list of currently
|
|
|
|
open tomb mountpoint paths.
|
2011-05-09 08:32:08 +00:00
|
|
|
|
2017-12-11 12:41:36 +00:00
|
|
|
.B
|
|
|
|
.IP "ps"
|
|
|
|
List all the processes found running inside the tombs that are open,
|
|
|
|
printing out their PIDs and owners. This is useful to have an overview
|
|
|
|
of programs that are keeping the tombs busy and would eventually be
|
|
|
|
killed by the \fIslam\fR command. The lsof(8) utility is used
|
|
|
|
internally to enumerate processes running in one or all tombs.
|
|
|
|
|
2013-03-30 16:29:51 +00:00
|
|
|
.B
|
|
|
|
.IP "index"
|
2015-07-06 11:03:32 +00:00
|
|
|
Creates or updates the search indexes of all tombs currently open:
|
|
|
|
enables use of the \fIsearch\fR command using simple word patterns on
|
2024-05-12 21:29:14 +00:00
|
|
|
file names. Indexes are created using plocate's updatedb(8) and
|
|
|
|
recoll(1) if they are found on the system. Indexes allow one to search
|
2015-07-06 11:03:32 +00:00
|
|
|
very fast for filenames and contents inside a tomb, they are stored
|
|
|
|
inside it and are not accessible if the Tomb is closed. To avoid
|
|
|
|
indexing a specific tomb simply touch a \fI.noindex\fR file in it.
|
2024-05-12 21:29:14 +00:00
|
|
|
Useful tools to have: poppler-utils, aspell, xdg-utils, plocate.
|
2013-03-30 16:29:51 +00:00
|
|
|
|
|
|
|
.B
|
|
|
|
.IP "search"
|
2015-07-06 11:03:32 +00:00
|
|
|
Takes any string as argument and searches for them through all tombs
|
|
|
|
currently open and previously indexed using the \fIindex\fR command.
|
2024-05-12 21:29:14 +00:00
|
|
|
The search matches filenames if plocate is installed and then also
|
|
|
|
file contents if recoll is installed, all results are listed on the
|
|
|
|
console.
|
|
|
|
One can also run recoll's GUI using \fIrecoll -c /media/tomb\fR
|
2013-03-30 16:29:51 +00:00
|
|
|
|
2011-01-26 15:16:50 +00:00
|
|
|
.B
|
|
|
|
.IP "close"
|
2013-03-25 11:02:56 +00:00
|
|
|
Closes a currently open tomb. If more tombs are open, the first
|
|
|
|
argument should be used to specify the name of the tomb to be closed,
|
|
|
|
or \fIall\fR to close all currently open tombs. This command fails if
|
|
|
|
the tomb is in use by running processes (to force close, see
|
|
|
|
\fIslam\fR below).
|
|
|
|
|
|
|
|
.B
|
|
|
|
.IP "slam"
|
2015-07-08 19:30:21 +00:00
|
|
|
Closes a tomb like the command \fIclose\fR does, but it doesn't fail
|
2013-03-25 11:02:56 +00:00
|
|
|
even if the tomb is in use by other application processes: it looks
|
2017-02-05 19:03:29 +00:00
|
|
|
for and closes each of them (in order: TERM, HUP, KILL). This command may
|
2013-03-25 11:02:56 +00:00
|
|
|
provoke unsaved data loss, but assists users to face surprise
|
2017-02-05 19:03:29 +00:00
|
|
|
situations. It requires \fIlsof\fR else it falls back to \fIclose\fR.
|
2013-03-25 11:02:56 +00:00
|
|
|
|
2011-04-27 21:19:06 +00:00
|
|
|
|
2011-11-03 14:13:49 +00:00
|
|
|
.B
|
|
|
|
.IP "passwd"
|
2013-06-20 10:46:20 +00:00
|
|
|
Changes the password protecting a key file specified using
|
2017-02-21 14:39:54 +00:00
|
|
|
\fI-k\fR. With keys encrypted for GPG recipients use \fI-g\fR followed
|
|
|
|
by \fI-r\fR to indicate the new recipient key, or a comma separated
|
2017-04-16 10:15:21 +00:00
|
|
|
list.. The user will need to know the key's current password, or
|
|
|
|
possess at least one of the current recipients GPG secret keys,
|
|
|
|
because the key contents will be decoded and reencoded using the new
|
|
|
|
passwords or keys. If the key file is broken (missing headers) this
|
|
|
|
function also attempts its recovery.
|
2013-03-25 11:02:56 +00:00
|
|
|
|
2013-06-20 10:46:20 +00:00
|
|
|
.B
|
|
|
|
.IP "setkey"
|
|
|
|
Changes the key file that locks a tomb, substituting the old one with
|
|
|
|
a new one. Both the old and the new key files are needed for this
|
2017-02-21 14:39:54 +00:00
|
|
|
operation and their passwords or GPG recipient(s) secret keys must be
|
|
|
|
available. The new key must be specified using the \fI-k\fR option,
|
|
|
|
the first argument should be the old key and the second and last
|
|
|
|
argument the tomb file. Use the \fI-g\fR option to unlock the tomb
|
2017-04-16 10:15:21 +00:00
|
|
|
with a GPG key, the \fI-r\fR to indicate the recipient or a comma
|
|
|
|
separated list for more than one recipient.
|
2011-11-03 14:13:49 +00:00
|
|
|
|
2012-01-17 11:36:41 +00:00
|
|
|
.B
|
|
|
|
.IP "resize"
|
2013-03-25 11:02:56 +00:00
|
|
|
Increase the size of a tomb file to the amount specified by the
|
2018-01-03 10:14:21 +00:00
|
|
|
\fI-s\fR option, which is the new size in megabytes (MiB). Full access
|
|
|
|
to the tomb using a key (\fI-k\fR) and its password is required. Tombs
|
|
|
|
can only grow and can never be made smaller. This command makes use of
|
|
|
|
the cryptsetup(8) resize feature and the resize2fs command: its much
|
|
|
|
more practical than creating a new tomb and moving everything into
|
|
|
|
it. There is no data-loss if a failure occurs during resize: the
|
|
|
|
command can be re-launched and the resize operation will complete.
|
2012-01-17 11:36:41 +00:00
|
|
|
|
2013-06-20 10:46:20 +00:00
|
|
|
.B
|
|
|
|
.IP "engrave"
|
|
|
|
This command transforms a tomb key into an image that can be printed
|
2015-07-08 19:30:21 +00:00
|
|
|
on paper and physically stored as backup, i.e. hidden in a book. It
|
2013-06-20 10:46:20 +00:00
|
|
|
Renders a QRCode of the tomb key, still protected by its password: a
|
|
|
|
PNG image (extension \fI.qr.png\fR) will be created in the current
|
|
|
|
directory and can be later printed (fits an A4 or Letter format). To
|
|
|
|
recover an engraved key one can use any QRCode reader on a smartphone:
|
|
|
|
save it into a file and then use that file as a key (\fI-k\fR).
|
2011-02-12 16:54:53 +00:00
|
|
|
|
|
|
|
.B
|
|
|
|
.IP "bury"
|
2013-06-12 12:10:27 +00:00
|
|
|
Hides a tomb key (\fI-k\fR) inside a \fIjpeg image\fR (first argument)
|
|
|
|
using \fIsteganography\fR: the image will change in a way that cannot
|
|
|
|
be noticed by human eye and hardly detected by data analysis. This
|
|
|
|
option is useful to backup tomb keys in unsuspected places; it depends
|
2017-02-21 14:39:54 +00:00
|
|
|
from the availability of \fIsteghide\fR. Use the \fI-g\fR flag and
|
|
|
|
\fI-r\fR option followed by recipient id to use GPG asymmetric
|
|
|
|
encryption.
|
2011-02-12 16:54:53 +00:00
|
|
|
|
|
|
|
.B
|
|
|
|
.IP "exhume"
|
2013-03-25 11:02:56 +00:00
|
|
|
This command recovers from jpeg images the keys that were previously
|
|
|
|
hidden into them using \fIbury\fR. Exhume requires a key filename
|
2013-06-12 12:10:27 +00:00
|
|
|
(\fI-k\fR) and a \fIjpeg image\fR file (first argument) known to be
|
|
|
|
containing a key. If the right key password is given, the key will be
|
|
|
|
exhumed. If the password is not known, it is very hard to verify if a
|
|
|
|
key is buried in any image or not.
|
2011-01-26 15:00:40 +00:00
|
|
|
|
2019-02-22 08:50:04 +00:00
|
|
|
.B
|
|
|
|
.IP "cloak"
|
2024-05-12 22:31:07 +00:00
|
|
|
Cloaks a tomb key (\fI-k\fR) disguising it as a text file using a
|
|
|
|
cipher from \fIextras/cloak/ciphers\fR (second argument) using
|
|
|
|
\fIcloakify\fR. This option is useful to backup tomb keys in
|
|
|
|
unsuspected places; it needs \fIextras/cloak\fR installed and
|
|
|
|
\fIpython3\fR.
|
2019-02-22 08:50:04 +00:00
|
|
|
|
|
|
|
.B
|
|
|
|
.IP "uncloak"
|
2024-05-12 22:31:07 +00:00
|
|
|
Recovers a tomb key from a cloaked text file. Uncloak requires a text
|
|
|
|
file (first argument), a cipher file (second argument) and optionally
|
|
|
|
an output file (third argument). If the first two parameters are
|
|
|
|
correct then the output will be a valid tomb key file restored from
|
|
|
|
cloak.
|
2019-02-22 08:50:04 +00:00
|
|
|
|
2011-01-26 15:16:50 +00:00
|
|
|
.SH OPTIONS
|
|
|
|
.B
|
2011-01-26 15:00:40 +00:00
|
|
|
.B
|
|
|
|
.IP "-k \fI<keyfile>\fR"
|
2015-06-24 21:33:21 +00:00
|
|
|
For all operations requiring a key, this option specifies the location
|
|
|
|
of the key file to use. Arguments can also be \fIjpeg image\fR files
|
2019-02-22 08:50:04 +00:00
|
|
|
where keys have been hidden using the \fIbury\fR or \fIcloak\fR
|
|
|
|
commands, or text files retrieved from \fIengraved\fR QR codes. If the
|
|
|
|
\fIkeyfile\fR argument is "-" (dash), Tomb will read the key from
|
|
|
|
stdin (blocking).
|
2012-08-04 16:34:10 +00:00
|
|
|
.B
|
2011-02-20 13:59:30 +00:00
|
|
|
.IP "-n"
|
2020-02-04 14:07:08 +00:00
|
|
|
Skip processing of exec-hooks and bind-hooks if found inside the tomb.
|
2011-02-20 13:59:30 +00:00
|
|
|
See the \fIHOOKS\fR section in this manual for more information.
|
2011-05-24 10:04:18 +00:00
|
|
|
.B
|
2018-01-03 11:12:19 +00:00
|
|
|
.IP "-p"
|
|
|
|
When opening a tomb, preserves the ownership of all files and
|
|
|
|
directories contained in it. Normally the \fIopen\fR command changes
|
|
|
|
the ownership of a tomb's contents to the UID and GID of the user who
|
2019-07-05 06:04:06 +00:00
|
|
|
has successfully opened it: it is a usability feature in case a tomb is
|
2018-01-03 11:12:19 +00:00
|
|
|
used by a single user across different systems. This flag deactivates
|
|
|
|
this behaviour.
|
|
|
|
.B
|
2011-05-24 10:04:18 +00:00
|
|
|
.IP "-o"
|
|
|
|
Manually specify mount options to be used when opening a tomb instead
|
2014-06-09 10:22:33 +00:00
|
|
|
of the default \fIrw,noatime,nodev\fR, i.e. to mount a tomb read-only
|
|
|
|
(ro) to prevent any modification of its data. Can also be used to
|
|
|
|
change the symmetric encryption algorithm for keys during \fIforge\fR
|
|
|
|
operations (default \fIAES256\fR) or the LUKS encryption method during
|
2019-11-18 09:17:38 +00:00
|
|
|
\fIlock\fR operations (default \fIaes-xts-plain64\fR).
|
2011-08-31 15:07:18 +00:00
|
|
|
.B
|
2012-01-17 18:01:20 +00:00
|
|
|
.IP "-f"
|
|
|
|
Force flag, currently used to override swap checks, might be
|
|
|
|
overriding more wimpy behaviours in future, but make sure you know
|
2014-06-09 10:22:33 +00:00
|
|
|
what you are doing if you force an operation.
|
2011-02-20 13:59:30 +00:00
|
|
|
.B
|
2015-07-08 19:30:21 +00:00
|
|
|
.IP "-s \fI<MBytes>\fR"
|
2014-11-23 13:55:03 +00:00
|
|
|
When digging or resizing a tomb, this option must be used to specify
|
|
|
|
the \fIsize\fR of the new file to be created. Units are megabytes (MiB).
|
|
|
|
.B
|
2017-02-21 14:39:54 +00:00
|
|
|
.IP "-g"
|
|
|
|
Tell tomb to use a asymmetric GnuPG key encryption instead of a
|
2021-10-20 14:27:27 +00:00
|
|
|
symmetric passphrase to protect a tomb key. This option can be
|
|
|
|
followed by \fI-r\fR when the command needs to specify recipient(s).
|
2017-02-03 20:07:21 +00:00
|
|
|
.B
|
2017-02-21 14:39:54 +00:00
|
|
|
.IP "-r \fI<gpg_id>[,<gpg_id2>]\fR"
|
2017-04-16 10:15:21 +00:00
|
|
|
Provide a new set of recipient(s) to encrypt a tomb key. \fIgpg_ids\fR
|
2019-02-20 19:36:26 +00:00
|
|
|
can be one or more GPG key ID, comma separated. All GPG keys must be
|
|
|
|
trusted keys in GPG.
|
2017-02-03 20:07:21 +00:00
|
|
|
.B
|
2015-02-20 11:44:13 +00:00
|
|
|
.IP "--kdf \fI<itertime>\fR"
|
2022-02-20 21:05:01 +00:00
|
|
|
Activate the KDF feature against dictionary attacks when creating a key: forces
|
|
|
|
a delay of \fI<itertime>\fR times every time this key is used. The actual time
|
|
|
|
to wait depends on the CPU speed (default) or the RAM size (argon2) of the
|
|
|
|
computer where the key is used. Using 5 or 10 is a sane amount for modern
|
|
|
|
computers, the value is multiplied by 1 million.
|
|
|
|
.B
|
|
|
|
.IP "--kdftype \fIargon2 | pbkdf2\fR"
|
|
|
|
Adopt the \fIargon2\fR algorithm for KDF, stressing the RAM capacity rather
|
|
|
|
than the CPU speed of the computer decrypting the tomb. Requires the
|
|
|
|
\fIargon2\fR binary by P-H-C to be installed, as packaged by most distros.
|
|
|
|
Default is \fIpbkdf2\fR.
|
|
|
|
.B
|
|
|
|
.IP "--kdfmem \fI<memory>\fR"
|
|
|
|
In case of \fIargon2\fR KDF algorithm, this value specifies the size of RAM
|
2023-06-25 21:08:32 +00:00
|
|
|
used: it consists of a number which is the elevated power of two in kilobytes.
|
|
|
|
Default is 18 which is 250 MiB (2^18 = 262,144 kilobytes).
|
2019-05-30 16:48:30 +00:00
|
|
|
.B
|
2021-10-20 14:27:27 +00:00
|
|
|
.IP "--sudo \fI<executable>\fR"
|
|
|
|
Select a different tool than sudo for privilege escalation.
|
|
|
|
Alternatives supported so far are: pkexec, doas, sup, sud. For any
|
|
|
|
alternative to work the executable must be included in the current
|
2021-10-21 09:49:54 +00:00
|
|
|
PATH.
|
2021-10-20 14:27:27 +00:00
|
|
|
.B
|
2019-05-30 16:48:30 +00:00
|
|
|
.IP "--sphx-user \fI<username>\fR"
|
|
|
|
Activate the SPHINX feature for password-authenticated key agreement.
|
|
|
|
This option indicates the \fI<username>\fR used to retrieve the
|
|
|
|
password from a sphinx oracle key reachable via TCP/IP.
|
2022-11-21 08:44:21 +00:00
|
|
|
.B
|
2019-05-30 16:48:30 +00:00
|
|
|
.IP "--sphx-host \fI<domain>\fR"
|
|
|
|
Activate the SPHINX feature for password-authenticated key agreement.
|
|
|
|
This option indicates the \fI<domain>\fR used to retrieve the password
|
|
|
|
from a sphinx oracle daemon reachable via TCP/IP. This is not the
|
|
|
|
network address of the daemon, which is configured in /etc/sphinx
|
|
|
|
|
2014-11-23 13:55:03 +00:00
|
|
|
.B
|
2011-01-26 15:00:40 +00:00
|
|
|
.IP "-h"
|
2014-06-09 10:22:33 +00:00
|
|
|
Display a help text and quit.
|
2011-01-26 15:00:40 +00:00
|
|
|
.B
|
|
|
|
.IP "-v"
|
2014-06-09 10:22:33 +00:00
|
|
|
Display version and quit.
|
2011-02-03 21:20:30 +00:00
|
|
|
.B
|
|
|
|
.IP "-q"
|
|
|
|
Run more quietly
|
2011-10-31 22:34:21 +00:00
|
|
|
.B
|
2011-02-06 16:04:52 +00:00
|
|
|
.IP "-D"
|
2011-02-10 14:32:23 +00:00
|
|
|
Print more information while running, for debugging purposes
|
2014-06-09 10:22:33 +00:00
|
|
|
|
|
|
|
.SH DEV MODE
|
2011-10-31 22:34:21 +00:00
|
|
|
.B
|
|
|
|
.IP "--no-color"
|
2014-06-09 10:22:33 +00:00
|
|
|
Suppress colors in console output (needed for string parsing by
|
|
|
|
wrappers).
|
|
|
|
.B
|
2014-11-21 21:50:45 +00:00
|
|
|
.IP "--unsafe"
|
2014-06-09 10:22:33 +00:00
|
|
|
Enable using dev-mode arguments, i.e. to pass passwords from
|
|
|
|
commandline options. This is mostly used needed for execution by
|
|
|
|
wrappers and testing suite.
|
|
|
|
.B
|
2019-05-22 07:55:02 +00:00
|
|
|
.IP "--use-random"
|
|
|
|
Use a blocking random source. Tomb uses by default /dev/urandom since
|
|
|
|
the non-blocking source of Linux kernel doesn't degrades the quality
|
|
|
|
of random.
|
2014-06-09 10:22:33 +00:00
|
|
|
.B
|
|
|
|
.IP "--tomb-pwd <string>"
|
|
|
|
Use string as password when needed on tomb.
|
|
|
|
.B
|
|
|
|
.IP "--tomb-old-pwd <string>"
|
|
|
|
Use string as old password when needed in tomb commands requiring
|
|
|
|
multiple keys, like \fIpasswd\fR or \fIsetkey\fR.
|
|
|
|
.B
|
2014-11-23 13:55:03 +00:00
|
|
|
.IP "-U"
|
2014-06-09 10:22:33 +00:00
|
|
|
Switch to this user ID when dropping privileges.
|
|
|
|
.B
|
2014-11-23 13:55:03 +00:00
|
|
|
.IP "-G"
|
2014-06-09 10:22:33 +00:00
|
|
|
Switch to this group ID when dropping privileges.
|
|
|
|
.B
|
2014-11-23 13:55:03 +00:00
|
|
|
.IP "-T"
|
2014-06-09 10:22:33 +00:00
|
|
|
Switch to this TTY terminal when dropping privileges.
|
2011-08-31 15:07:18 +00:00
|
|
|
|
2011-02-24 11:26:48 +00:00
|
|
|
.SH HOOKS
|
|
|
|
|
|
|
|
Hooks are special files that can be placed inside the tomb and trigger
|
|
|
|
actions when it is opened and closed; there are two kinds of such
|
2020-02-04 14:07:08 +00:00
|
|
|
files: \fIbind-hooks\fR and \fIexec-hooks\fR can be placed in the
|
2011-02-24 11:26:48 +00:00
|
|
|
base root of the tomb.
|
|
|
|
|
|
|
|
.B
|
|
|
|
.IP "bind-hooks"
|
2018-01-03 18:53:30 +00:00
|
|
|
This hook file consists of a simple text file named \fIbind-hooks\fR
|
|
|
|
containing a two column list of paths to files or directories inside
|
2024-01-10 13:31:08 +00:00
|
|
|
the tomb. The files and directories will be made directly
|
2018-01-03 18:53:30 +00:00
|
|
|
accessible by the tomb \fIopen\fR command inside the current user's
|
|
|
|
home directory. Tomb uses internally the "mount \-o bind" command to
|
|
|
|
bind locations inside the tomb to locations found in $HOME. In the
|
|
|
|
first column are indicated paths relative to the tomb and in the
|
|
|
|
second column are indicated paths relative to $HOME contents, for
|
2011-02-24 11:26:48 +00:00
|
|
|
example:
|
2013-03-25 11:02:56 +00:00
|
|
|
.EX
|
2024-01-10 16:18:43 +00:00
|
|
|
mail mail
|
|
|
|
.gnupg .gnupg
|
|
|
|
.fmrc .fetchmailrc
|
|
|
|
.mozilla .mozilla
|
2013-03-25 11:02:56 +00:00
|
|
|
.EE
|
2011-02-24 11:26:48 +00:00
|
|
|
|
|
|
|
.B
|
2017-06-06 10:45:29 +00:00
|
|
|
.IP "exec-hooks"
|
|
|
|
This hook file gets executed as user by tomb with the first argument
|
2018-01-03 18:53:30 +00:00
|
|
|
determining the step of execution (\fIopen\fR or \fIclose\fR) and the second
|
|
|
|
being the full path to the mountpoint. The \fIexec-hooks\fR file should be
|
|
|
|
executable (ELF or shell script) and present inside the Tomb. Tomb
|
|
|
|
executes this hook as user and adds the name, loopback device and
|
|
|
|
dev-mapper device paths as additional arguments for the \fIclose\fR
|
|
|
|
command.
|
2011-02-24 11:26:48 +00:00
|
|
|
|
2011-02-03 21:20:30 +00:00
|
|
|
.SH PRIVILEGE ESCALATION
|
|
|
|
|
|
|
|
The tomb commandline tool needs to acquire super user rights to
|
2021-10-21 09:49:54 +00:00
|
|
|
execute most of its operations: so it uses sudo(8) or other configured
|
|
|
|
tools, while pinentry(1) is adopted to collect passwords from the
|
|
|
|
user. Tomb executes as super user only when required.
|
2011-02-03 21:20:30 +00:00
|
|
|
|
2013-05-25 14:29:19 +00:00
|
|
|
To be made available on multi user systems, the superuser execution of
|
|
|
|
the tomb script can be authorized for users without jeopardizing the
|
|
|
|
whole system's security: just add such a line to \fI/etc/sudoers\fR:
|
|
|
|
|
|
|
|
.EX
|
|
|
|
username ALL=NOPASSWD: /usr/local/bin/tomb
|
|
|
|
.EE
|
2011-01-26 15:00:40 +00:00
|
|
|
|
2018-01-23 08:37:14 +00:00
|
|
|
To avoid that tomb execution is logged by \fIsyslog\fR also add:
|
|
|
|
|
|
|
|
.EX
|
2024-01-10 16:18:43 +00:00
|
|
|
Cmnd_Alias TOMB = /usr/local/bin/tomb
|
|
|
|
Defaults!TOMB !syslog
|
2018-01-23 08:37:14 +00:00
|
|
|
.EE
|
|
|
|
|
|
|
|
.SH PASSWORD INPUT
|
|
|
|
|
2014-10-23 23:35:29 +00:00
|
|
|
Password input is handled by the pinentry program: it can be text
|
|
|
|
based or graphical and is usually configured with a symlink. When
|
|
|
|
using Tomb in X11 it is better to use a graphical pinentry-gtk2 or
|
|
|
|
pinentry-qt because it helps preventing keylogging by other X
|
|
|
|
clients. When using it from a remote ssh connection it might be
|
|
|
|
necessary to force use of pinentry-curses for instance by unsetting
|
|
|
|
the DISPLAY environment var.
|
|
|
|
|
|
|
|
|
2011-08-31 15:07:18 +00:00
|
|
|
.SH SWAP
|
|
|
|
|
2013-05-25 14:29:19 +00:00
|
|
|
On execution of certain commands Tomb will complain about swap memory
|
2015-07-08 19:30:21 +00:00
|
|
|
on disk when present and \fIabort if your system has swap
|
2013-05-25 14:29:19 +00:00
|
|
|
activated\fR. You can disable this behaviour using the
|
|
|
|
\fI--force\fR. Before doing that, however, you may be interested in
|
|
|
|
knowing the risks of doing so:
|
2011-08-31 15:07:18 +00:00
|
|
|
.IP \(bu
|
2012-01-17 13:00:20 +00:00
|
|
|
During such operations a lack of available memory could cause the swap
|
|
|
|
to write your secret key on the disk.
|
2011-08-31 15:07:18 +00:00
|
|
|
.IP \(bu
|
2012-01-17 13:00:20 +00:00
|
|
|
Even while using an opened tomb, another application could occupy too
|
|
|
|
much memory so that the swap needs to be used, this way it is possible
|
|
|
|
that some contents of files contained into the tomb are physically
|
|
|
|
written on your disk, not encrypted.
|
2011-08-31 15:07:18 +00:00
|
|
|
.P
|
|
|
|
|
2012-01-17 13:00:20 +00:00
|
|
|
If you don't need swap, execute \fI swapoff -a\fR. If you really need
|
2013-05-25 14:29:19 +00:00
|
|
|
it, you could make an encrypted swap partition. Tomb doesn't detect if
|
|
|
|
your swap is encrypted, and will complain anyway.
|
2011-08-31 15:07:18 +00:00
|
|
|
|
2017-01-02 11:02:23 +00:00
|
|
|
.SH DENIABILITY
|
|
|
|
|
|
|
|
The possibility to have an encrypted volume which is invisible and
|
|
|
|
cannot be detected is called "deniability". The cryptographic layer of
|
|
|
|
the device mapper in Linux (dm-crypt) does not implement
|
|
|
|
deniability. Tomb is just a wrapper on top of that and it doesn't add
|
|
|
|
cryptographic deniability. However a certain way of using tomb can
|
|
|
|
facilitate a weak sort of deniability outside of the scenario of
|
|
|
|
seized devices and forensic analysis of files and blocks on disc.
|
|
|
|
|
|
|
|
For instance to eliminate any trace of tomb usage from the shell
|
|
|
|
history ZSh users can activate the "HISTIGNORESPACE" feature and
|
2019-07-05 06:04:06 +00:00
|
|
|
prefix all invocations of tomb with a blank space, including two lines
|
2017-01-02 11:02:23 +00:00
|
|
|
in ".zshrc":
|
|
|
|
|
|
|
|
.EX
|
2024-01-10 16:18:43 +00:00
|
|
|
export HISTIGNORESPACE=1
|
|
|
|
alias tomb=' tomb'
|
2017-01-02 11:02:23 +00:00
|
|
|
.EE
|
|
|
|
|
|
|
|
.SH PASSWORD INPUT
|
|
|
|
|
2024-01-10 13:28:05 +00:00
|
|
|
Tomb uses the external program "pinentry" to let users type the key password
|
|
|
|
into a terminal or a graphical window. This program works in conjunction with
|
|
|
|
"gpg-agent", a daemon running in background to facilitate secret key
|
|
|
|
management with gpg. It is recommended one runs "gpg-agent" launching it from
|
|
|
|
the X session initialization ("~/.xsession" or "~/.xinitrc" files) with this
|
|
|
|
command:
|
2017-01-02 11:02:23 +00:00
|
|
|
|
|
|
|
.EX
|
2024-01-10 16:18:43 +00:00
|
|
|
eval $(gpg-agent --daemon --write-env-file "${HOME}/.gpg-agent-info")
|
2017-01-02 11:02:23 +00:00
|
|
|
.EE
|
|
|
|
|
|
|
|
In the future it may become mandatory to run gpg-agent when using tomb.
|
|
|
|
|
2017-02-03 20:07:21 +00:00
|
|
|
.SH SHARE A TOMB
|
2017-04-16 10:15:21 +00:00
|
|
|
A tomb key can be encrypted with more than one recipient. Therefore, a
|
|
|
|
tomb can be shared between different users. The recipients are given
|
|
|
|
using the \fI-r\fR (or/and \fI-R\fR) option and if multiple each GPG
|
|
|
|
key ID must be separated by a comma (\fI,\fR). Sharing a tomb is a
|
|
|
|
very sensitive action and the user needs to trust that all the GPG
|
|
|
|
public keys used are kept safe. If one of them its stolen or lost, it
|
|
|
|
will be always possible to use it to access the tomb key unless all
|
|
|
|
its copies are destroyed. The \fI-r\fR option can be used in the tomb
|
|
|
|
commands: \fIopen\fR, \fIforge\fR \fIsetkey\fR, \fIpasswd\fR,
|
|
|
|
\fIbury\fR, \fIexhume\fR and \fIresize\fR.
|
2017-02-03 20:07:21 +00:00
|
|
|
|
2019-05-30 16:48:30 +00:00
|
|
|
.SH SPHINX (PAKE)
|
|
|
|
|
|
|
|
Using the package libsphinx
|
|
|
|
.UR https://github.com/stef/libsphinx
|
|
|
|
.UE
|
2024-01-13 12:54:09 +00:00
|
|
|
and its python client/daemon implementation pwdsphinx
|
2019-05-30 16:48:30 +00:00
|
|
|
.UR https://github.com/stef/pwdsphinx
|
|
|
|
.UE
|
|
|
|
is possible to store and retrieve safely the password that locks the
|
|
|
|
tomb. Using this feature will make it impossible to retrieve the
|
|
|
|
password without the oracle sphinx server running and reachable. Each
|
|
|
|
key entry needs a username and a domain specified on creation and
|
|
|
|
a password that locks it.
|
|
|
|
|
2019-10-03 04:31:45 +00:00
|
|
|
SPHINX makes it impossible to maliciously retrieve the password
|
2019-05-30 16:48:30 +00:00
|
|
|
locking the tomb key without an attacker accessing both the
|
|
|
|
server, the sphinx password and the tomb key file.
|
|
|
|
|
2013-03-25 11:02:56 +00:00
|
|
|
.SH EXAMPLES
|
2013-05-25 14:29:19 +00:00
|
|
|
|
|
|
|
.IP \(bu
|
|
|
|
Create a 128MB large "secret" tomb and its keys, then open it:
|
|
|
|
|
2013-03-25 11:02:56 +00:00
|
|
|
.EX
|
2013-05-20 11:17:48 +00:00
|
|
|
tomb dig -s 128 secret.tomb
|
2013-06-12 12:28:40 +00:00
|
|
|
|
2013-05-20 11:17:48 +00:00
|
|
|
tomb forge secret.tomb.key
|
2013-06-12 12:28:40 +00:00
|
|
|
|
2013-06-12 12:10:27 +00:00
|
|
|
tomb lock secret.tomb -k secret.tomb.key
|
2013-06-12 12:28:40 +00:00
|
|
|
|
2013-05-20 11:17:48 +00:00
|
|
|
tomb open secret.tomb -k secret.tomb.key
|
2013-03-25 11:02:56 +00:00
|
|
|
.EE
|
2013-05-25 14:29:19 +00:00
|
|
|
|
2013-06-12 12:10:27 +00:00
|
|
|
.IP \(bu
|
|
|
|
Open a Tomb using the key from a remote SSH shell, without saving any
|
|
|
|
local copy of it:
|
|
|
|
|
|
|
|
.EX
|
2015-07-08 19:30:21 +00:00
|
|
|
ssh user@my.shell.net 'cat .secrets/tomb.key' | tomb open secret.tomb -k -
|
2013-06-12 12:10:27 +00:00
|
|
|
.EE
|
|
|
|
|
2014-11-14 19:23:16 +00:00
|
|
|
.IP \(bu
|
2014-11-21 21:50:45 +00:00
|
|
|
Open a Tomb on a remote server passing the unencrypted local key on stdin via SSH,
|
2014-11-14 19:23:16 +00:00
|
|
|
without saving any remote copy of it:
|
|
|
|
|
|
|
|
.EX
|
2014-11-21 21:50:45 +00:00
|
|
|
gpg -d .secrets/tomb.key | ssh server tomb open secret.tomb -k cleartext --unsafe
|
2014-11-14 19:23:16 +00:00
|
|
|
.EE
|
|
|
|
|
2013-05-25 14:29:19 +00:00
|
|
|
.IP \(bu
|
|
|
|
Create a bind hook that places your GnuPG folder inside the tomb, but
|
|
|
|
makes it reachable from the standard $HOME/.gnupg location every time
|
|
|
|
the tomb will be opened:
|
|
|
|
|
|
|
|
.EX
|
2013-06-12 12:28:40 +00:00
|
|
|
tomb open GPG.tomb -k GPG.tomb.key
|
2013-05-25 14:29:19 +00:00
|
|
|
echo ".gnupg .gnupg" > /media/GPG.tomb/bind-hooks
|
|
|
|
mv ~/.gnupg /media/GPG.tomb/.gnupg && mkdir ~/.gnupg
|
2013-06-12 12:28:40 +00:00
|
|
|
tomb close GPG && tomb open GPG.tomb -k GPG.tomb.key
|
2013-05-25 14:29:19 +00:00
|
|
|
.EE
|
|
|
|
|
|
|
|
.IP \(bu
|
2013-09-19 13:37:21 +00:00
|
|
|
Script a tomb to launch the Firefox browser every time is opened,
|
|
|
|
keeping all its profile data inside it:
|
2013-05-25 14:29:19 +00:00
|
|
|
|
|
|
|
.EX
|
2013-06-12 12:28:40 +00:00
|
|
|
tomb open FOX.tomb -k FOX.tomb.key
|
2020-02-04 14:07:08 +00:00
|
|
|
cat <<EOF > /media/FOX.tomb/exec-hooks
|
2013-09-19 13:37:21 +00:00
|
|
|
#!/bin/sh
|
|
|
|
if [ "$1" = "open" ]; then
|
2024-01-10 16:18:43 +00:00
|
|
|
firefox -no-remote -profile "$2"/firefox-pro &
|
2013-09-19 13:37:21 +00:00
|
|
|
fi
|
|
|
|
EOF
|
2024-01-10 16:18:43 +00:00
|
|
|
chmod +x /media/FOX.tomb/exec-hooks
|
|
|
|
mkdir /media/FOX.tomb/firefox-pro
|
2013-09-19 13:37:21 +00:00
|
|
|
.EE
|
2013-06-12 12:28:40 +00:00
|
|
|
|
2013-09-19 13:37:21 +00:00
|
|
|
.IP \(bu
|
|
|
|
Script a tomb to archive Pictures using Shotwell, launching it on open:
|
2013-06-12 12:28:40 +00:00
|
|
|
|
2013-09-19 13:37:21 +00:00
|
|
|
.EX
|
|
|
|
tomb open Pictures.tomb -k Pictures.tomb.key
|
|
|
|
cat <<EOF > /media/Pictures.tomb/bind-hooks
|
|
|
|
Pictures Pictures
|
|
|
|
EOF
|
2024-01-10 16:18:43 +00:00
|
|
|
cat <<EOF > /media/Pictures.tomb/exec-hooks
|
2013-09-19 13:37:21 +00:00
|
|
|
#!/bin/sh
|
|
|
|
if [ "$1" = "open" ]; then
|
2024-01-10 16:18:43 +00:00
|
|
|
which shotwell > /dev/null
|
|
|
|
if [ "$?" = "0" ]; then
|
|
|
|
shotwell -d "$2"/Pictures/.shotwell &
|
|
|
|
fi
|
2013-05-25 14:29:19 +00:00
|
|
|
fi
|
|
|
|
EOF
|
2020-02-04 14:07:08 +00:00
|
|
|
chmod +x /media/Pictures.tomb/exec-hooks
|
2013-05-25 14:29:19 +00:00
|
|
|
.EE
|
|
|
|
|
2011-01-26 15:00:40 +00:00
|
|
|
.SH BUGS
|
2014-11-14 19:23:16 +00:00
|
|
|
Please report bugs on the Github issue tracker at
|
|
|
|
.UR https://github.com/dyne/Tomb/issues
|
2011-08-31 15:15:23 +00:00
|
|
|
.UE
|
|
|
|
|
2017-01-02 11:02:23 +00:00
|
|
|
One can also try to get in touch with developers via the #dyne chat
|
|
|
|
channel on \fIhttps://irc.dyne.org\fR.
|
2011-02-03 21:20:30 +00:00
|
|
|
|
2011-01-26 15:00:40 +00:00
|
|
|
.SH COPYING
|
|
|
|
|
2021-01-04 21:00:29 +00:00
|
|
|
This manual is Copyright (c) 2011-2021 by Denis Roio <\fIjaromil@dyne.org\fR>
|
2011-01-26 15:00:40 +00:00
|
|
|
|
2015-06-24 21:33:21 +00:00
|
|
|
This manual includes contributions by Boyska and Hellekin O. Wolf.
|
2011-09-27 10:16:19 +00:00
|
|
|
|
2011-01-26 15:00:40 +00:00
|
|
|
Permission is granted to copy, distribute and/or modify this manual
|
|
|
|
under the terms of the GNU Free Documentation License, Version 1.1 or
|
|
|
|
any later version published by the Free Software Foundation.
|
|
|
|
Permission is granted to make and distribute verbatim copies of this
|
|
|
|
manual page provided the above copyright notice and this permission
|
|
|
|
notice are preserved on all copies.
|
|
|
|
|
|
|
|
.SH AVAILABILITY
|
|
|
|
|
2011-02-06 16:04:52 +00:00
|
|
|
The most recent version of Tomb sourcecode and up to date
|
|
|
|
documentation is available for download from its website on
|
2015-07-08 19:30:21 +00:00
|
|
|
\fIhttps://tomb.dyne.org\fR.
|
2011-01-26 15:00:40 +00:00
|
|
|
|
|
|
|
.SH SEE ALSO
|
|
|
|
|
|
|
|
.B
|
|
|
|
.IP cryptsetup(8)
|
2017-01-02 11:02:23 +00:00
|
|
|
.B
|
|
|
|
.IP pinentry(1)
|
|
|
|
.B
|
|
|
|
.IP gpg-agent(1)
|
2011-01-26 15:00:40 +00:00
|
|
|
|
2017-01-02 11:02:23 +00:00
|
|
|
GnuPG website: https://www.gnupg.org
|
2011-01-26 15:00:40 +00:00
|
|
|
|
2017-01-02 11:02:23 +00:00
|
|
|
DM-Crypt website: https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
|
2011-01-26 15:00:40 +00:00
|
|
|
|
2017-01-02 11:02:23 +00:00
|
|
|
LUKS website: https://gitlab.com/cryptsetup/cryptsetup/wikis/home
|