How to encrypt files on a Ubuntu server with Tomb

Looking for an easy to use, command line encryption tool for Linux? Jack Wallen walks you through the process of creating encrypted vaults with Tomb.


Data security: Two words that cause more and more IT admins to lose their hair. With each passing week, it grows harder and harder to ensure your data is safe from malicious, prying eyes. To that end, you do everything you can to lock that data up. If some of your sensitive data is housed on a Linux server, what do you do? Fortunately, there are plenty of tools you can use to lock down that data. One such tool is Tomb.

Tomb is a free and open source tool used to generate encrypted storage vaults that are opened and closed using their associated keyfiles (keyfiles protected with a password chosen by the user). Although Tomb was designed to be used from the command line, it does have a GUI. However, I want to focus on the command line version, since I'm demonstrating Tomb's usage on a headless Linux server.

I'll be demonstrating on Ubuntu Server 16.04.


Tomb isn't found in the standard repositories, so we need to first create a list file for apt. To do this, issue the command sudo nano /etc/apt/sources.list.d/sparky-repo.list. Within this new file, add the following contents:

deb stable main
deb-src stable main
deb testing main
deb-src testing main

Save and close the file.

Before we update apt, we need to add the sparky repo keyfile with the command:

wget -O - | sudo apt-key add -

Once the above command completes, issue the following two commands to install tomb:

sudo apt update
sudo apt install tomb

With Tomb installed, you're ready to create and use a new encrypted vault.

Note that Tomb can be installed on most Linux distributions. You can download and install it from source, but you will first need to install the following dependencies using your package manager:

  • zsh
  • sudo
  • gnupg
  • cryptsetup
  • pinentry-curses

Once you've installed the required packages, download the source into your ~/Downloads directory, unpack it, and issue the following commands from a terminal:

cd Downloads
tar xvfz Tomb*.tar.gz
cd Tomb-*
sudo make install

The first thing that must be done is the creation of a new tomb. Let's create a tomb called Westminster that is 100MB in size. The command for this would be:

sudo tomb dig -s 100 Westminster.tomb

The output should look like that shown in Figure A.

Figure A

Creating a tomb called Westminster.

Once the tomb has been created, a keyfile must be generated. Before doing so, swap must be turned off; otherwise Tomb aborts the key creation, treating active swap as a security risk (Figure B).

Figure B

Tomb will not create a keyfile with an active swap partition.

To switch off swap, issue the command sudo swapoff -a.

With swap off, you can now create the keyfile with the command:

sudo tomb forge Westminster.tomb.key

You will be prompted to move the mouse around to create entropy. If you've used ssh to remote into this machine, you will probably have to open a second session and run some tasks in order to generate the necessary amount of entropy. Once that has completed, you will be prompted to create a password for the keyfile (Figure C).

Figure C

Creating a password for the keyfile.

NOTE: Once you're done, you can turn swap back on with the command sudo swapon -a.

Lock the new tomb with the command:

sudo tomb lock Westminster.tomb -k Westminster.tomb.key

You will be prompted for the password for the keyfile. The tomb will then be locked and ready to use. From this point on, you should move the keyfile away from the tomb. Do not keep that key in the same location as the tomb itself (because ... security!). Just for fun, we'll create a hidden directory called .abbey with the command mkdir ~/.abbey. Move the new key into that folder with the command mv Westminster.tomb.key ~/.abbey.

Let's unlock the tomb with the command:

sudo tomb open Westminster.tomb -k ~/.abbey/Westminster.tomb.key

You will be prompted for the key password. Upon successful authentication, the tomb will open (Figure D).

Figure D

Opening our tomb.

With the tomb open, it will be mounted under /media. Issue the command cd /media/Westminster to enter it. At this point you can add files to the tomb (NOTE: You must have admin privileges to add, edit, or delete files within a tomb). Once you've added the necessary files, you can then close the tomb with the command:

sudo tomb close

The tomb will close and lock. All of the data within the tomb is locked away and cannot be accessed until the tomb is opened with the proper keyfile.
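As an added example that is not part of this article or of the Tomb project, here is a small POSIX shell wrapper for the dig/forge/lock steps above and the open/close cycle just described. It adds the two checks a server admin wants before forging a key: that swap really is off (Tomb aborts otherwise) and that the keyfile will not live in the same directory as the tomb, so it forges the key straight into its final location rather than moving it afterwards. It assumes Tomb is installed, that /proc/swaps and /proc/mounts have their usual layout, and that the tomb mounts under /media/<name> as the article says; the helper names (swap_active, key_beside_tomb, tomb_mounted, create_tomb) are mine.

```shell
#!/bin/sh
# Added example (not from the article or the Tomb project): a wrapper around
# the dig -> forge -> lock workflow with pre-flight checks, plus a helper to
# confirm that "tomb close" really unmounted the vault.
# Assumptions: Tomb is installed, /proc/swaps and /proc/mounts have their
# standard layout, and tombs mount under /media/<name>.

# swap_active [FILE]: succeed (0) if FILE (default /proc/swaps) lists any swap
# device. /proc/swaps has one header line, then one line per active device.
swap_active() {
    swaps_file="${1:-/proc/swaps}"
    [ -r "$swaps_file" ] || return 1
    n=$(awk 'NR > 1 && NF > 0 { c++ } END { print c + 0 }' "$swaps_file")
    [ "$n" -gt 0 ]
}

# key_beside_tomb TOMB KEY: succeed if both paths resolve to the same directory,
# which is the layout the article tells you to avoid.
key_beside_tomb() {
    tomb_dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    key_dir=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P) || return 1
    [ "$tomb_dir" = "$key_dir" ]
}

# tomb_mounted NAME [MOUNTS]: succeed if /media/NAME appears as a mount point
# in MOUNTS (default /proc/mounts). Field 2 of /proc/mounts is the mount point.
tomb_mounted() {
    name="$1"; mounts_file="${2:-/proc/mounts}"
    awk -v mp="/media/$name" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }' "$mounts_file"
}

# create_tomb TOMB KEY [SIZE_MB]: dig, forge and lock with the article's
# commands, refusing to proceed when a pre-flight check fails. Size defaults
# to 100 MB as in the article.
create_tomb() {
    tomb="$1"; key="$2"; size_mb="${3:-100}"
    if swap_active; then
        echo "swap is active; run 'sudo swapoff -a' first (tomb forge aborts otherwise)" >&2
        return 1
    fi
    if key_beside_tomb "$tomb" "$key"; then
        echo "refusing: keyfile would sit in the same directory as the tomb" >&2
        return 1
    fi
    sudo tomb dig -s "$size_mb" "$tomb" &&
    sudo tomb forge "$key" &&
    sudo tomb lock "$tomb" -k "$key"
}

# Example session, matching the article (tomb in $HOME, key in ~/.abbey):
#   mkdir -p ~/.abbey
#   create_tomb ~/Westminster.tomb ~/.abbey/Westminster.tomb.key 100
#   sudo tomb open ~/Westminster.tomb -k ~/.abbey/Westminster.tomb.key
#   ... copy files into /media/Westminster ...
#   sudo tomb close
#   tomb_mounted Westminster && echo "Westminster is still mounted" >&2
```

The swap and mount checks take an optional file argument so they can be exercised against constructed copies of /proc/swaps and /proc/mounts rather than only on a live server; create_tomb uses the real files by default.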

A solid choice for encryption

If you've been looking for a straightforward solution for creating encrypted vaults, you cannot go wrong with Tomb. It may take a bit of getting used to, but your efforts will be well worth the time involved.

By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic, The New Stack, and Linux New Media. He's covered a variety of topics for over twenty years and is an avid promoter of open source. For more news about Jack Wallen, visit his website jackwallen....