Tomb/ChangeLog.md

# Tomb ChangeLog

## 2.10
### Sep 2023

This release adds optional support for Argon2 KDF brute-force
protection and introduces support for doas as an alternative to sudo
for privilege escalation. It also improves support for BTRFS formatted
Tombs, adds zram detection as swap memory, updates documentation and
translations and cleans up the script code.

## 2.9
### Jan 2021

This release fixes all bugs introduced by the unfortunate 2.8 release
series in 2020 as well introduces support for BTRFS formatted
Tombs. The fixes are for password insertion to work on all desktops,
as well the fix to a regression when using old Zsh versions. The new
feature is activated by the '--filesystem' flag on 'lock' commands.
It only supports BTRFS as internal filesystem of a Tomb instead of the
default EXT4; resizing works as well to create and send or receive
subvolumes and snapshots inside a Tomb. There are also some cleanups,
small error handling improvements and no more need for suid actions by
'forge' and 'dig' commands.



## 2.8.1
### Nov 2020

This is a minor bugfix release. It fixes two bugs introduced by the
previous release: the release of loopback devices and a typo affecting
password insertion in text-only mode. It also provides a cosmetic fix
for the output of 'tomb list' that now displays correct sizes. At
last, the docker wrapper has been included in extras/ to be shipped in
Tomb. The span of CVE-2020-28638 has been assessed with more precision
and KNOWN_BUGS updated accordingly.

## 2.8
### Nov 2020

This new release updates the documentation, improves usability and
fixes two bugs. A bug has been found (CVE-2020-28638) to corrupt
passwords entered using pinentry-curses on desktops using a X11
DISPLAY, the documentation in KNOWN_BUGS outlines how to fix
regressions. Another bug has been fixed to prevent mounting tombs that
are already opened, a situation leading to potential data loss.
Changes mentioned lead to a small internal refactoring and cleanup,
leading to a change in the way volumes appear in /dev/mapper. Along
the usability improvements are the support of GNUPGHOME environment
variable to support non-standard GnuPG home locations as well updated
translations and the fact that debug messages are now written to
stderr, making it easier to parse stdout.

## 2.7
### Oct 2019

Fixed getent parsing of passwd and notation of conditionals
normalised.  A few other minor fixes and documentation improvements.


## 2.6
### May 2019

This release adds new features and provides an important fix for usage
of Tomb with cryptsetup 2.1 and future versions; it also fixes a
whitespace bug in KDF passwords, all fixes are documented in
KNOWN_BUGS. A notable new feature is the libsphinx integration for
password-authenticated key agreement (PAKE). Another feature is the
integration of cloakify to support new cloak/uncloak commands that
hide keys inside long text files. Also support for gpg sub-keys has
been added and overall gpg asymmetric key protection is improved.



## 2.5
### January 2018

This is mostly a bugfix release, including two internal
refactorings. An important change is the re-introduction (since v2.3)
of ownership change of all files inside tombs, to facilitate single
user usage, which is now default and can be prevented using the '-p'
flag on 'open' commands. The first refactoring concerns the test
units, now using the 'sharness' framework. The other refactoring
concerns 'post-hooks' now renamed to 'exec-hooks' and launched on
'open' and 'close' commands with a defined set of arguments. Another
internal change concerns the use of 'findmnt' instead of parsing the
output of 'mount -l', which grants compatibility with more recent
versions of util-linux. A fix was made to the 'slam' command for a
better process detection and the introduction of a new 'ps' command to
just list processes using tombs. Another fix was made to support tomb
hidden filenames (starting with a dot) without any extension. Some
more minor fixes were made to messaging and translations, plus all the
documentation is updated.


## 2.4
### April 2017

This release introduces a major new feature with support for
asymmetric encryption of Tomb keys using public/private GPG key
pairs. It is now possible to protect a Tomb key using a GPG key (which
can also be password-less for automations) as well encrypt a Tomb key
for multiple recipients (list of GPG ids). Other improvements include:
a fix to the 'slam' command with better detection of running programs
using 'lsof' (new optional dependency); a fix to 'forge' key creation
to really use 512 bits long keys to really trigger usage of AES256;
correct support for opening tombs in read-only mode; update of the
Tomber python wrapper in extras. Documentation has been updated.

## 2.3
### January 2017

Fix to bug occurring when using ZSh version 5.3 or higher. Fix to
inclusion of final newline in keys generated with 2.2, only affecting
third-party software. Removed chmod/chown of tombs when open. Enhanced
continuous integration script with regression tests with usage of old
stable versions of Tomb and shellcheck linting.  Improved parser and
post-hooks to avoid usage of external binaries (grep and cat) also
improving security when decrypting keys. Fix for clean execution via
sudo nopasswd. Updated extras/gtomb to latest stable version.  Various
documentation updates about kdf, using images as keys, deniability and
gpg-agent usage. New experimental port to Android platforms in extras.

## 2.2
### December 2015

New Qt5 desktop tray in extras/qt-tray.
New Zenity based Gtk interface in extras/gtomb (experimental).
Better resizing procedure recovers from failure without starting over
with a new dig.  Fixes for correct handling of bind-hooks mountpoints
containing whitespaces, implying a refactoring of how the mtab is
parsed, along with workaround for Debian bugs. Updated all strings to
report MiB sizes. Fix to correctly show last time opened. Fix to EUID
detection and to installed manpage permissions.

## 2.1.1
### August 2015

Added translations to Italian and Swedish.
Minor documentation updates.


## 2.1
### July 2015

All users updating should close their tombs first, then update and
reopen them with this new version. However, lacking to do so will not
cause any data loss, just an unclean umount of tombs.

This new stable release including several bugfixes to smooth the user
experience in various situations. Documentation is reviewed and
extended and translations are updated.

More in detail, fixes to: mountpoint removal, language localization,
gtk-2 pinentry themeing, udisk2 compatibility (/run/media/$USER
mountpoint support), handling of key failures, kdf documentation,
swish-e file contents search and encrypted swap detection.

Deniability is improved by allowing any filename to be used for tombs
(also without .tomb extension). Code has been overall cleaned up.


## 2.0.1
### December 2014

Fix for usage with GnuPG 1.4.11, a problem affecting long term
GNU/Linux distribution releases like Ubuntu 12.04 and Mint 13.
Minor messaging fixes.

## 2.0
### November 2014

Tomb goes international: now translated to Russian, French, Spanish
and German.

The usability has improved: steganographed images can now be used
directly as keys using `-k`. Tomb now works also across ssh
connections: it is possible to pipe cleartext secrets from stdin using
`-k cleartext` but that requires the --unsafe flag.

The security is also improved by avoiding most uses of temporary
files. The privilege escalation model has been simplified and sudo is
called only when needed. All code has been refactored for readability
and integration with zsh features. Signal handlers are now in place,
global arrays are used to keep track of temp files. Namespace has been
revisioned and corrected, described in [HACKING](docs/HACKING.txt).

## 1.5.3
### June 2014

Various usability fixes and documentation updates. Password changing
and key changing procedures have been refactored and dev-mode
operation from scripts has been tested against a few new wrappers
being developed. A strings file is made available for translators.

## 1.5.2
### February 2014

Removed automatic guessing of key file besides tomb to encourage
users to keep tomb and key separated, but also to simplify the
code in key retrieval and avoid a bug occurring in the previous
version.

## 1.5.1
### February 2014

Fix to stdin piping of keys, which were not correctly processed
nor were deleted from volatile memory (tmpfs).

Version is now updated accordingly.

## 1.5
### January 2014

Minor bugfixes to documentation, error handling, support for
multiple and encrypted swap partitions and qr code engraving.

This release also includes some minor code refactoring of
load_key() and loop mount checks. Also the tray app is updated
to gtk-3 and works simply with a tomb name as argument.

Documentation was updated accordingly.

## 1.4
### June 2013

This release fixes an important bug affecting Tomb 1.3.* which
breaks backward compatibility with older tombs and invalidates
keys created using 1.3 or 1.3.1. For more information about it
read the file KNOWN_BUGS.

New features are also included:
indexing and search of file contents, engraving of keys into paper
printable QRCodes for backup purposes and improvements in key
encryption. A setkey command is added to change the key file that
is locking a Tomb.

This release restores backward compatibility
with tombs created before the 1.3 release series.

## 1.3.1 (DEPRECATED, see [KNOWN_BUGS](KNOWN_BUGS.md))
### June 2013

Major bugfixes following the recent refactoring.

This release fixes various advanced commands as search/index, KDF key
protection against dictionary attacks and steganographic hiding of
keys. It provides compatibility across GnuPG 1.4.11 and .12 which
broke the decoding of keys. Usage of commandline option is made
consistent and full paths are honored.

A new test suite is included and documentation is updated accordingly.

## 1.3 (DEPRECATED, see [KNOWN_BUGS](KNOWN_BUGS.md))
### May 2013

A refactoring of Tomb's main script internals was made, including
a new messaging system, machine parsable output, cleaner code and
updated compatibility to Debian 7. A new search feature lets users
index and run fast filename searches in their open tombs. Creation
of tombs is broken out in three steps (dig, forge and lock).

Source distribution includes experimental add-ons for a python
GUI, KDF key encryption and a key "undertaker". Documentation was
updated.


## 1.2
### Nov 2011

Includes an Important fix to password parsing for spaces and
extended chars, plus a new 'passwd' command to change a key's
password. Tomb now checks for swap to avoid its usage (see SWAP
section in manpage) and warns the user when the tomb is almost
full.

## 1.1
### May 2011

Fixes to mime types, icons and desktop integration.

A new 'list' command provides an overview on all tombs currently open.

Now a tomb cannot be mounted multiple times, the message console has
colors and better messages.

Different mount options (like read-only) can also be specified by hand on the commandline.

## 1.0
### March 2011

Clean and stable. Now passwords are handled exclusively using
pinentry. Also support for steganography of keys (bury and exhume)
was added to the commandline.

Commandline and desktop operations are well separated so that tomb can be used via remote terminal.

A new command 'slam' immediately closes a tomb killing all processes that keep it busy.

## 0.9.2
### February 2011

The tomb-open wizard now correctly guides you through the creation
of new tombs and helps when saving the keys on external USB
storage devices. The status tray now reliably closes its tomb.

## 0.9.1
### February 2011

Sourcecode cleanup, debugging and testing.

Integrated some feedback after filing Debian's ITP and RFS.

## 0.9
### January 2011

Tomb is now a desktop application following freedesktop standards:
it provides a status tray and integrates with file managers.

The main program has been thoroughly tested and many bugs were fixed.

## August 2010

The first usable version of Tomb goes public among hacker friends

## During the year 2009

Tomb has been extensively tested, perfectioned and documented
after being used by its author.

## Sometime in 2007

[MKNest](http://code.dyne.org/dynebolic/tree/dyneII/startup/bin/mknest)
was refactored to work on the Debian distribution and since
then renamed to Tomb. [dyne:bolic](http://www.dynebolic.org) specific dependencies where
removed, keeping Zsh as the shell script it is written with.

## Back in 2005

The "nesting" feature of [dyne:bolic](http://www.dynebolic.org)
GNU/Linux lets users encrypt their home in a file, using a shell script and a graphical
interface called Taschino.

Taschino included a shell script wrapping cryptsetup to encrypt
loopback mounted partitions with the algo AES-256 (cbc-essiv
mode): this script was called 'mkNest' and its the ancestor of
Tomb.