In this blog, I will show how you can utilise open-source data encryption software Tomb to protect your private data on your Linux server. This can be used to create a private folder than only you can open, which can be used as a Samba file share mount, to host your private data for OwnCloud/Nextcloud, or whatever you fancy (hey, no judgement here child).
Firstly, you need to install some pre-reqs:
apt-get -y install zsh pinentry-curses
Once install, grab the latest Tomb (this has probably changed, but 2.3 was the latest when i wrote this) and extract it:
cd /tmp wget https://files.dyne.org/tomb/Tomb-2.3.tar.gz tar xvfz Tomb-2.3.tar.gz cd Tomb-2.3
Next, lets go ahead and make Tomb, and test its working:
make install tomb -h
You should see an output showing you the commands of Tomb, such as:
[email protected]:/tmp/Tomb-2.3# tomb -h Tomb 2.3 - a strong and gentle undertaker for your secrets Copyright (C) 2007-2017 Dyne.org Foundation, License GNU GPL v3+ This is free software: you are free to change and redistribute it For the latest sourcecode go to <http://dyne.org/software/tomb> Syntax: tomb [options] command [arguments]
Next, we need to create a key that will be used to protect our data:
tomb forge secrets.tomb.key
This will ask for a password as below:
[email protected]:/tmp/Tomb-2.3# tomb forge secrets.tomb.key tomb . Commanded to forge key secrets.tomb.key with cipher algorithm AES256 tomb [W] This operation takes time, keep using this computer on other tasks, tomb [W] once done you will be asked to choose a password for your tomb. tomb [W] To make it faster you can move the mouse around. tomb [W] If you are on a server, you can use an Entropy Generation Daemon. 256+0 records in 256+0 records out 256 bytes copied, 397.618 s, 0.0 kB/s tomb (*) Choose the password of your key: secrets.tomb.key tomb . (You can also change it later using 'tomb passwd'.) tomb . Key is valid. tomb . Done forging secrets.tomb.key tomb (*) Your key is ready: -rw------- 1 root root 527 Apr 5 12:07 secrets.tomb.key
Now that our key is created, we need to create our ‘tomb’. The tomb is basically a container for your files that can only be mounted if the key (and thus password) and provided, meaning its super secure. To create the tomb, the ‘-s’ flag is used – and takes an integer as an input. This integer is the size of the tomb in MiB, so 100GB would be 95367MiB, for example. Below i’m just creating a small example to display what happens:
[email protected]:/tmp/Tomb-2.3# tomb dig -s 100 secrets.tomb tomb . Commanded to dig tomb secrets.tomb tomb (*) Creating a new tomb in secrets.tomb tomb . Generating secrets.tomb of 100MiB 100+0 records in 100+0 records out 104857600 bytes (105 MB, 100 MiB) copied, 9.08815 s, 11.5 MB/s -rw------- 1 root root 100M Apr 5 12:08 secrets.tomb tomb (*) Done digging secrets tomb . Your tomb is not yet ready, you need to forge a key and lock it: tomb . tomb forge secrets.tomb.key tomb . tomb lock secrets.tomb -k secrets.tomb.key [email protected]:/tmp/Tomb-2.3#
Now, as it says above, we need to now associate our created key with our newly created tomb, meaning only our key can open the tomb once locked:
[email protected]:/tmp/Tomb-2.3# tomb lock -k secrets.tomb.key secrets.tomb tomb . Commanded to lock tomb secrets.tomb tomb . Checking if the tomb is empty (we never step on somebody else's bones). tomb . Fine, this tomb seems empty. tomb . Key is valid. tomb . Locking using cipher: aes-xts-plain64:sha256 tomb . A password is required to use key secrets.tomb.key tomb . Password OK. tomb (*) Locking secrets.tomb with secrets.tomb.key tomb . Formatting Luks mapped device. tomb . Formatting your Tomb with Ext3/Ext4 filesystem. tomb . Done locking secrets using Luks dm-crypt aes-xts-plain64:sha256 tomb (*) Your tomb is ready in secrets.tomb and secured with key secrets.tomb.key [email protected]:/tmp/Tomb-2.3#
Success! We can now open and close our Tomb, as below:
[email protected]:/tmp/Tomb-2.3# tomb open -k secrets.tomb.key secrets.tomb tomb . Commanded to open tomb secrets.tomb tomb . Valid tomb file found: secrets.tomb tomb . Key is valid. tomb . Mountpoint not specified, using default: /media/secrets tomb (*) Opening secrets on /media/secrets tomb . This tomb is a valid LUKS encrypted device. tomb . Cipher is "aes" mode "xts-plain64:sha256" hash "sha1" tomb . A password is required to use key secrets.tomb.key tomb . Password OK. tomb (*) Success unlocking tomb secrets tomb . Checking filesystem via /dev/loop0 fsck from util-linux 2.27.1 secrets: clean, 11/25168 files, 8831/100352 blocks tomb (*) Success opening secrets.tomb on /media/secrets [email protected]:/tmp/Tomb-2.3# cd /media/secrets/ [email protected]:/media/secrets# ls lost+found [email protected]:/media/secrets# touch hello [email protected]:/media/secrets# ls hello lost+found [email protected]:/media/secrets#
In the above, I’ve gone into our tomb and created a file called ‘hello’ to show you can write to it. Now, if you want to close all off the tombs, simply use the command ‘tomb close all’, or alternatively if you are in a hurry, use ‘tomb slam’ – which is the equivalent of kicking the power out of the back.
[email protected]:/media# tomb close all tomb . Closing tomb [secrets] mounted on /media/secrets tomb . Closing tomb bind hook: /media/root/secrets losetup: /dev/loop0: detach failed: No such device or address tomb (*) Tomb [secrets] closed: your bones will rest in peace. [email protected]:/media# [email protected]:/media# ls cdrom [email protected]:/media#
The above shows the closing of the tomb, and a ‘ls’ shows that there is no trace remaining.
Now, if you want to use this for production purposes, i’d recommending further reading – you can do a LOT of cool things with Tomb such as QR Codes for authentication, hiding PIN numbers in images (steganography, oo), etc. You’ll also want to move your tomb from /tmp 🙂 Enjoy, and i hope this stokes some creative fires.