tomb
Encrypt and manage a collection of files
TLDR
Create a new tomb with an initial size of 100 MB
Create a new key file that can be used to lock a tomb; user will be prompted for a password for the key
Forcefully create a new key, even if the tomb isn't allowing key forging (due to swap)
Initialize and lock an empty tomb using a key made with forge
Mount a tomb (by default in /media) using its key, making it usable as a regular filesystem directory
Close a tomb (fails if the tomb is being used by a process)
Forcefully close all open tombs, killing any applications using them
List all open tombs
SYNOPSIS
tomb action [options] [tomb_file] [key_file]
tomb list
tomb -h | --help
tomb -v | --version
PARAMETERS
dig tomb_file [key_file]
Creates a new encrypted tomb file and its associated key file.
open tomb_file [key_file]
Opens an existing tomb and mounts it as a directory, typically at /mnt/.tomb/<tomb_name>.
close tomb_file
Closes (unmounts) an opened tomb, making its contents inaccessible.
bury key_file carrier_file
Hides the key_file inside a carrier_file (e.g., an image) using steganography.
forge tomb_file [key_file]
Generates a new key file for an existing tomb, prompting for the existing tomb's passphrase.
graft tomb_file new_key_file
Attaches a new_key_file to an existing tomb, allowing it to be opened with this new key.
lock tomb_file
Locks an open tomb, preventing accidental closure. Requires unlock to close.
unlock tomb_file
Unlocks a previously locked tomb, allowing it to be closed.
chmould tomb_file
Changes properties of a tomb, such as its size or underlying cryptographic settings; it can also be used to resize.
resize tomb_file [new_size]
Resizes an existing tomb to a new_size (e.g., 100M, 2G). Requires the tomb to be closed.
gkeys tomb_file
Generates a new set of keys for an existing tomb, replacing the old ones.
list
Lists all currently open tomb volumes on the system.
-h, --help
Displays a brief help message for the tomb command or a specific action.
-v, --version
Prints the current version of the Tomb tool.
-s size
Specifies the size for dig or chmould operations (e.g., 500M, 2G).
-f, --force
Forces an operation, overriding prompts or warnings that might otherwise stop it.
-n, --no-password
Proceeds without requiring a password prompt for key generation or usage (use with extreme caution).
-k key_file
Explicitly specifies the key file to use for an operation when it is not the default one.
-c config_file
Uses an alternative configuration file instead of the default ~/.tomb/config.
DESCRIPTION
Tomb is a free and open source command-line tool that allows users to create and manage encrypted volumes, also known as "tombs". It leverages Linux's dm-crypt and cryptsetup to provide strong encryption for sensitive data. A tomb is essentially an encrypted file that acts as a secure container. Users can dig a new tomb, open it to access its contents as a mounted directory, and close it to unmount and secure the data. Tomb is designed with plausible deniability in mind, allowing for hidden tombs where keys can be buried within other files using steganography, or by using a key file that is itself a GPG-encrypted message. It streamlines the complex process of setting up and managing encrypted file systems, making it accessible for protecting privacy and sensitive information. Its features include resizing tombs, key management, and secure deletion of keys.
CAVEATS
Tomb operations, especially opening and closing, typically require root privileges.
The security of a tomb depends entirely on the strength of its passphrase and the secrecy of its key file.
While Tomb offers features for plausible deniability (e.g., hidden keys), these are obfuscation techniques and not foolproof against determined forensic analysis.
Improper usage or system crashes during operations can lead to data loss or corruption if not handled carefully.
PLAUSIBLE DENIABILITY
Tomb incorporates features for plausible deniability, allowing users to conceal the existence of encrypted volumes. This includes the ability to embed key files within innocuous carrier files (like images) using steganography, and support for multiple keys, where one key might reveal a decoy volume while another reveals the true sensitive data.
DEPENDENCIES
Tomb relies on several core Linux utilities and kernel modules. Essential dependencies include cryptsetup for disk encryption, the dm-crypt kernel module, losetup for loop devices, and mount for filesystem operations. Optional dependencies for advanced features include gnupg for key encryption and steg_hide (from the steghide package) for burying keys in other files.
DEFAULT MOUNT POINT AND SWAP PROTECTION
By default, Tomb volumes are mounted under /mnt/.tomb/ in a directory named after the tomb file. To enhance security and prevent sensitive data from being written to unencrypted swap space, Tomb automatically creates and uses a temporary encrypted swap file inside the opened tomb itself, mitigating potential data leaks.
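The swap condition behind the key-forging refusal in the TLDR and the swap note above, as an added example that is not part of tomb or of this page: a POSIX shell helper that lists active swap from a file in /proc/swaps format, so a user can see beforehand whether forging a key will be refused. The default path /proc/swaps and the constructed sample content are assumptions; whether a listed device is actually dm-crypt backed is not determined here.

```shell
#!/bin/sh
# Added example, not part of tomb. Reads a /proc/swaps-style file (header line,
# then "Filename Type Size Used Priority" per active swap) and reports what is
# active. Assumption: a device under /dev/mapper or /dev/dm-* is only "possibly
# encrypted"; confirm with "cryptsetup status <name>" before relying on it.

# Print one active swap entry per line as "<filename> <type> <size-kB> <class>".
active_swap() {
    swaps_file="${1:-/proc/swaps}"          # assumption: /proc/swaps layout
    [ -r "$swaps_file" ] || return 2
    awk 'NR > 1 && NF >= 3 {
        cls = "plain"
        if ($1 ~ /^\/dev\/(mapper\/|dm-)/) cls = "dm-backed(check-cryptsetup)"
        print $1, $2, $3, cls
    }' "$swaps_file"
}

# Exit 0 when no swap is active (tomb would allow forging a key),
# 1 when some swap device or file is active, 2 if the file is unreadable.
swap_is_off() {
    entries=$(active_swap "$1") || return 2
    [ -z "$entries" ]
}

# Constructed sample in /proc/swaps format (not a real system's output).
SAMPLE_SWAPS=$(mktemp)
cat > "$SAMPLE_SWAPS" <<'EOF'
Filename        Type        Size        Used    Priority
/dev/sda3       partition   8388604     0       -2
/swapfile       file        2097148     0       -3
EOF

if swap_is_off "$SAMPLE_SWAPS"; then
    echo "no active swap: tomb forge would proceed"
else
    echo "active swap found; tomb forge would refuse without -f:"
    active_swap "$SAMPLE_SWAPS" | sed 's/^/  /'
fi
rm -f "$SAMPLE_SWAPS"
```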
HISTORY
Tomb was originally created by Jaromil, a developer associated with the Dyne.org Foundation, known for its focus on free software and digital privacy. It emerged as a user-friendly wrapper around complex Linux cryptographic tools like dm-crypt and cryptsetup, aiming to simplify the process of creating and managing encrypted volumes. Its development has consistently focused on providing robust security features, including plausible deniability options, while maintaining a transparent and auditable codebase. Over the years, it has become a popular choice for privacy-conscious users seeking secure data storage on Linux systems.
SEE ALSO
cryptsetup(8), losetup(8), mount(8), gpg(1), steg_hide(1)