Data security: Two words that cause more and more IT admins to lose their hair. With each passing week, it grows harder and harder to ensure your data is safe from malicious, prying eyes. To that end, you do everything you can to lock that data up. If some of your sensitive data is housed on a Linux server, what do you do? Fortunately, there are plenty of tools you can use to lock down that data. One such tool is Tomb.
Tomb is a free and open source tool that creates encrypted storage vaults ("tombs") which are opened and closed with an associated keyfile, itself protected by a password chosen by the user. Under the hood Tomb is a shell script that drives cryptsetup (LUKS) for the vault and GnuPG for the keyfile, so the cryptography is the same as the rest of the Linux disk-encryption stack. Although Tomb was designed to be used from the command line, it does have a GUI. I want to focus on the command line version of the tool, however, as I want to demonstrate Tomb's usage as it pertains to a headless Linux server.
I'll be demonstrating on Ubuntu Server 16.04.
Tomb isn't found in the standard repositories, so we first need to create a list file for apt. To do this, issue the command sudo nano /etc/apt/sources.list.d/sparky-repo.list. Within this new file, add the following contents:
deb https://sparkylinux.org/repo stable main
deb-src https://sparkylinux.org/repo stable main
deb https://sparkylinux.org/repo testing main
deb-src https://sparkylinux.org/repo testing main
Save and close the file.
Before we update apt, we need to import the repository's signing key so apt can verify the packages it downloads. Note that piping a downloaded key straight into apt-key trusts whatever that URL serves, so if the project publishes the key's fingerprint somewhere else, compare it before going further. The command is:
wget -O - https://sparkylinux.org/repo/sparkylinux.gpg.key | sudo apt-key add -
Once the above command completes, issue the following two commands to install Tomb:
sudo apt update
sudo apt install tomb
With Tomb installed, you're ready to create and use a new encrypted vault.
Do note that Tomb can be installed on most Linux distributions. You can download and install it from source, but you will need to install Tomb's dependencies using your package manager first.
Once you've installed the required packages, download the source into your ~/Downloads directory, unpack it, and issue the following commands from a terminal:
cd Downloads
tar xvfz Tomb*.tar.gz
cd Tomb-*
sudo make install
The first thing that must be done is the creation of a new tomb. Let's create a tomb called Westminster that is 100MB in size (the -s option takes the size in megabytes, and the file is created in the current directory). The command for this would be:
sudo tomb dig -s 100 Westminster.tomb
The output should look like that shown in Figure A.
Once the tomb has been created, a keyfile must be generated. Before that, swap must be turned off: Tomb aborts key creation while swap is active, because key material held in memory could otherwise be paged out to unencrypted swap space on disk (Figure B). Tomb's -f flag forces the operation despite active swap, but only consider that if your swap is itself encrypted.
To switch off swap, issue the command sudo swapoff -a.
With swap off, you can now create the keyfile with the command:
sudo tomb forge Westminster.tomb.key
You will be prompted to move the mouse around to create entropy. If you've used ssh to remote into this machine, you will probably have to open a second session and run some tasks in order to generate the necessary entropy. Once that has completed, you will be prompted to create a password for the key file (Figure C).
NOTE: Once you're done, you can turn swap back on with the command sudo swapon -a.
Lock the new tomb with the command:
sudo tomb lock Westminster.tomb -k Westminster.tomb.key
You will be prompted for the password for the key file. The tomb will then be locked and ready to use. From this point on, you should move the key file away from the tomb. Do not keep the key in the same directory as the tomb itself (ideally not even on the same disk, since anyone who copies the tomb would otherwise get the key with it). Just for fun, we'll create a hidden directory called .abbey with the command mkdir ~/.abbey. Move the new key into that folder with the command mv Westminster.tomb.key ~/.abbey.
Let's unlock the tomb with the command:
sudo tomb open Westminster.tomb -k ~/.abbey/Westminster.tomb.key
You will be prompted for the key password. Upon successful authentication, the tomb will open (Figure D).
With the tomb open, it will be mounted under /media. Issue the command cd /media/Westminster. At this point you can add files to the tomb (NOTE: if your user cannot write inside the mount, use sudo to add, edit, or delete files). Once you've added the necessary files, you can then close the tomb with the command:
sudo tomb close
The tomb will close and lock. Run without a name, tomb close closes every open tomb; tomb close Westminster closes just this one, and tomb slam additionally kills any processes still holding files inside it. All of the data within the tomb is locked away and cannot be accessed until the tomb is opened again with the proper keyfile and its password.
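The whole dig / forge / lock / open / close procedure above, wrapped in a small script with the preflight checks a practitioner wants. This is an added example, not code from the original article or from the Tomb project. It assumes Tomb is installed and uses the article's values (Westminster.tomb, a key under ~/.abbey, 100 MB) as defaults; unlike the article it forges the key directly into its final directory instead of moving it afterwards. The functions swap_active, key_separated and key_private are hypothetical helpers written for this script, not Tomb commands.

```shell
#!/bin/sh
# Added example (not from the original article or the Tomb project): a wrapper
# around the Tomb workflow with preflight checks. Assumed defaults come from
# the article: Westminster.tomb, ~/.abbey/Westminster.tomb.key, 100 MB.
set -eu

# 0 if any swap device is active. /proc/swaps has a header line followed by
# one line per active device; another file can be passed (e.g. for tests).
swap_active() {
    swaps="${1:-/proc/swaps}"
    [ -r "$swaps" ] || return 1
    [ "$(grep -c . "$swaps")" -gt 1 ]
}

# Absolute directory containing a path (resolved if it exists, else as given).
_dir_of() {
    d=$(dirname "$1")
    if [ -d "$d" ]; then (cd "$d" && pwd -P); else printf '%s\n' "$d"; fi
}

# 0 if the key and the tomb live in different directories: the article's
# "do not keep the key next to the tomb" rule, made checkable.
key_separated() {
    [ "$(_dir_of "$1")" != "$(_dir_of "$2")" ]
}

# 0 if the key file is readable only by its owner (mode 600 or 400).
key_private() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$m" in 600|400) return 0 ;; *) return 1 ;; esac
}

# dig + forge + lock, refusing to forge while swap is on (the same abort Tomb
# performs itself; 'tomb forge -f' would override it).
create_tomb() {
    tomb="$1"; key="$2"; size_mb="$3"
    if swap_active; then
        echo "swap is active: run 'sudo swapoff -a' before forging a key" >&2
        return 1
    fi
    mkdir -p "$(dirname "$key")"
    sudo tomb dig -s "$size_mb" "$tomb"
    sudo tomb forge "$key"           # prompts for the new key password
    sudo tomb lock "$tomb" -k "$key" # formats the tomb; prompts for the password
    sudo chown "$(id -u):$(id -g)" "$key"   # harmless if tomb already did it
    chmod 600 "$key"
}

# Open only after the key placement and permission checks pass.
open_tomb() {
    tomb="$1"; key="$2"
    key_separated "$tomb" "$key" || { echo "key sits next to the tomb; move it" >&2; return 1; }
    key_private "$key" || { echo "key is readable by others; chmod 600 it" >&2; return 1; }
    sudo tomb open "$tomb" -k "$key"
}

# 'tomb close' with no name closes every open tomb; with a name only that one.
close_tomb() {
    if [ $# -gt 0 ]; then sudo tomb close "$1"; else sudo tomb close; fi
}

main() {
    cmd="$1"; shift
    tomb="${1:-Westminster.tomb}"
    key="${2:-$HOME/.abbey/Westminster.tomb.key}"
    case "$cmd" in
        create) create_tomb "$tomb" "$key" "${3:-100}" ;;
        open)   open_tomb "$tomb" "$key" ;;
        close)  if [ $# -gt 0 ]; then close_tomb "$1"; else close_tomb; fi ;;
        *) echo "usage: $0 create|open|close [tomb] [key] [size_mb]" >&2; return 2 ;;
    esac
}

# Dispatch only when run with arguments, so the functions can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Typical use is sh tomb-wrap.sh create, then sh tomb-wrap.sh open, work under /media/Westminster, and sh tomb-wrap.sh close Westminster. The checks are deliberately separate functions so they can be tested without a tomb present: swap_active reads any /proc/swaps-shaped file, and key_separated compares resolved directories rather than the literal strings, so a symlinked ~/.abbey pointing back at the tomb's directory is still caught.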
A solid choice for encryption
If you've been looking for a straightforward solution for creating encrypted vaults, you cannot go wrong with Tomb. It may take a bit of getting used to, but your efforts will be well worth the time involved.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.