#title Tomb - The Crypto Undertaker #author Jaromil * Tomb - Crypto Undertaker [[images/tomb_n_bats.png]] Tomb is a simple tool to manage **encrypted storage** on GNU/Linux, from the hashes of the [[http://dynebolic.org][dyne:bolic]] nesting mechanism. Tomb aims to be an **100% free** and open source system for easy encryption and backup of personal files, written in code that is easy to review and links commonly shared components. Tomb generates encrypted storage files to be opened and closed using their associated keyfiles, which are also protected with a password chosen by the user. A tomb is like a locked folder that can be safely transported and hidden in a filesystem; its keys can be kept separate, for instance keeping the tomb file on your computer harddisk and the key files on a USB stick. ** Documentation First of all the usual info you'd expect a software to provide: - [[README]] - [[ChangeLog]] - [[TODO]] - [[AUTHORS]] And more below, read on... *** Who needs Tomb Our target community are desktop users with no time to click around, sometimes using old or borrowed computers, operating in places endangered by conflict where a leak of personal data can be a threat. If you don't own a laptop then it's possible to go around with a USB stick and borrow computers, still leaving no trace and keeping your data safe during transports. Tomb aims to facilitate all this and to be interoperable across popular GNU/Linux operating systems. *** Aren't there enough encryption tools already? We've felt the urgency of publishing Tomb for other operating systems than dyne:bolic since the current situation in personal desktop encryption is far from optimal. [[http://en.wikipedia.org/wiki/TrueCrypt][TrueCrypt]] makes use of statically linked libraries so that its code is hard to audit, plus is [[http://lists.freedesktop.org/archives/distributions/2008-October/000276.html][not considered free]] by free operating system distributors because of liability reasons, see [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=364034][Debian]], [[https://bugs.edge.launchpad.net/ubuntu/+bug/109701][Ubuntu]], [[http://lists.opensuse.org/opensuse-buildservice/2008-10/msg00055.html][Suse]], [[http://bugs.gentoo.org/show_bug.cgi?id=241650][Gentoo]] and [[https://fedoraproject.org/wiki/ForbiddenItems#TrueCrypt][Fedora]]. [[http://tom.noflag.org.uk/cryptkeeper.html][Cryptkeeper]] is the best alternative to Tomb out there and its main advantage consists in not needing root access on the machine it's being used. But Cryptkeeper still has drawbacks: it uses [[http://www.arg0.net/encfs][EncFS]] which implements weaker encryption than dm-crypt and it doesn't promotes the separated storage of keys. At last, the [[https://we.riseup.net/debian/automatically-mount-encrypted-home][Encrypted home]] mechanisms on operating systems as Debian and Ubuntu adopt encryption algorithms as strong as Tomb does, but they need to be configured when the machine is installed, they cannot be easily transported and again they don't promote separated storage of keys. With Tomb we try to overcome all these limitations providing strong encryption, encouraging users to separate keys from data and letting them transport tombs around easily. Also to facilitate auditing and customization we intend to: - write short and readable code, linking shared libs - provide easy to use graphical interfaces and desktop integration - keep the development process open and distributed using GIT - distribute Tomb under the GNU General Public License v3 If you believe this is a worthy effort, you are welcome to [[http://dyne.org/donate][support it]]. *** How does it works Tombs are operated from a normal file browser or from the commandline. To open a tomb is sufficient to click on it, or use the command **tomb-open** [[images/monmort.png]] When a tomb is open your panel will have a little icon in the tray reminding you that a tomb is open, offering to explore it or close it. See the [[manual][manpage]] for more information on how to operate Tomb from the text terminal. [*] Tomb - simple commandline tool for encrypted storage . version 0.9 (Jan/2011) by Jaromil @ dyne.org . [*] Syntax: tomb [options] command [file] [mountpoint] . [*] Options: . -h print this help . -v print out the version information for this tool . -s size of the storage file when creating one (in MB) . -k path to the key to use for decryption . -S acquire super user rights if possible . [*] Commands: . create create a new encrypted storage FILE and keys . open open an existing tomb FILE on MOUNTPOINT . close closes the tomb on MOUNTPOINT *** Where do we learn more from Here below some articles that are useful to understand Tomb more in detail and to get in touch with the difficult job of a Crypto Undertaker: - [[TKS1-draft.pdf][TKS1 - An anti-forensic, two level, and iterated key setup scheme]] - [[New_methods_in_HD_encryption.pdf][New Methods in Hard Disk Encryption]] - [[Luks_on_disk_format.pdf][LUKS On-Disk Format Specification]] - [[LinuxHDEncSettings.txt][Linux hard disk encryption settings]] ** Downloads For licensing information see the [[http://www.gnu.org/copyleft/gpl.html][GNU General Public License]] Below a list of formats you can download this application: ready to be run with some of the interfaces developed, as a library you can use to build your own application and as source code you can study. *** Code repository Latest stable release is 0.9 (28 January 2011) more about it in the [[ftp://ftp.dyne.org/tomb/NEWS][NEWS]] and [[ftp://ftp.dyne.org/tomb/ChangeLog][ChangeLog]] Source releases are checked and signed by [[http://jaromil.dyne.org][Jaromil]] using [[http://www.gnupg.org][GnuPG]]. On [[ftp://ftp.dyne.org/tomb][ftp.dyne.org/tomb]] you find all present and past Tomb releases, source code for extra plugins and more binaries that we occasionally build for various architectures. The bleeding edge version is developed on our [[http://code.dyne.org][code repository]] using **GIT**, you can clone the repository free and anonymously git clone git://code.dyne.org/tomb.git ** Development *** Stage of development Tomb is an evolution of the 'mknest' tool developed for the [[http://dynebolic.org][dyne:bolic]] GNU/Linux distribution, which is used by its 'nesting' mechanism to encrypt the Home directory of users. As such, it uses well tested and reviewed routines and its shell code is pretty readable. The name transition from 'mknest' to 'tomb' is marked by the adaptation of mknest to work on Debian based operating systems. At present time Tomb is easy to install and use, it mainly consists of a Shell script and some auxiliary C code for desktop integration (GTK), making use of GNU tools and the cryptographic API of the Linux kernel. *** People involved Tomb is designed and written by [[http://jaromil.dyne.org][Jaromil]]. Tomb's artwork is contributed by [[http://monmort.blogspot.org][Món Mort]]. Testing and fixes are contributed by Dreamer and Hellekin O. Wolf. Most research we refer to is documented by Clemens Fruhwirth. Tomb relies on Cryptsetup(8) and LUKS, big up to the developers involved \o/ *** How can you help Code is pretty short and readable: start looking around it and the materials found in doc/ which are good pointers at security measures to be further implemented. Have a look in the TODO file to see what our plans are. At the moment we can use some good help in porting this tool on M$/Windows and Apple/OSX, still keeping the minimal approach we all love. Please report bugs on the tracker at http://bugs.dyne.org Get in touch with developers via mail using this web page http://dyne.org/contact or via chat on http://irc.dyne.org