What’s the best TrueCrypt alternative for Linux? We’ll introduce you to Tomb, a tool that sits on top of open source encryption tools you can trust, that come built into every install of Linux.
Plus we’ll demo native Netflix working on Linux without any plugins, the big changes coming to Fedora…
AND SO MUCH MORE!
All this week on, The Linux Action Show!
— Show Notes: —
Tomb is 100% free and open source software to make strong encryption easy to use.
A tomb is like a locked folder that can be safely transported and hidden in a filesystem.
Keys can be kept separate: for instance the tomb on your computer and the key on a USB stick.
All dependencies used in Tomb are common GNU/Linux components, well peer reviewed and found in most distributions. Plus there is no cloud service connected and no network connection needed: Tomb works entirely off-line, of course.
Because dm-crypt is a block-level encryption layer, it only encrypts full devices, full partitions and loop devices. To encrypt individual files requires a filesystem-level encryption layer, such as eCryptfs or EncFS. See Disk encryption for general information about securing private data.
LUKS and Tomb:
The Linux Unified Key Setup or LUKS is a disk-encryption specification created by Clemens Fruhwirth in 2004 and originally intended for Linux.
While most disk encryption software implements different and incompatible, undocumented formats, LUKS specifies a platform-independent standard on-disk format for use in various tools. This not only facilitates compatibility and interoperability amongst different programs, but also assures that they all implement password management in a secure and documented manner.
The reference implementation for LUKS operates on Linux and is based on an enhanced version of cryptsetup, using dm-crypt as the disk encryption backend.
dm-crypt and Tomb:
dm-crypt is a transparent disk encryption subsystem in Linux kernel versions 2.6 and later and in DragonFly BSD. It is part of the device mapper infrastructure, and uses cryptographic routines from the kernel’s Crypto API.
dm-crypt is implemented as a device mapper target and may be stacked on top of other device mapper transformations. It can thus encrypt whole disks (including removable media), partitions, software RAID volumes, logical volumes, as well as files. It appears as a block device, which can be used to back file systems, swap or as an LVM physical volume.
- Tomb needs a few programs to be installed on a system in order to work:
- steghide (not required, this is for stashing your key in a jpg)
- pinentry-curses (or -gtk or -qt as you prefer)
Most systems provide these tools in their package collection; for instance, on Debian/Ubuntu one can use ‘apt-get install’, and on Fedora and CentOS one can use ‘yum install’.
- To install Tomb simply download the source distribution (the tar.gz file) and decompress it.
- Arch users can install from the AUR – tomb
- Then enter its directory and run ‘make install’ as root; this will install Tomb into /usr/local:
sudo make install
- After installation one can read the commandline help or read the manual:
man tomb (show the full usage manual)
- At this point one can proceed creating a tomb, for instance:
tomb dig -s 1000 secrets.tomb (be patient and wait a bit)
tomb forge -k secrets.tomb.key (be patient and follow instructions)
tomb lock -k secrets.tomb.key secrets.tomb
Mount your Tomb:
tomb open secrets.tomb -k secrets.tomb.key
- And after you are done:
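As an added example that is not part of the show notes or of the Tomb project, the script below wraps the dig/forge/lock/open/close commands shown above and enforces the key-separation advice from the opening notes (tomb on the computer, key on a USB stick): it refuses to forge a key on the same filesystem as the tomb. Assumptions: `tomb` is on PATH (set TOMB=echo for a dry run that only prints the commands), the removable medium is mounted somewhere like /media/usb and the key path points there, the size is given as in the `-s 1000` example above, and `tomb close` with no argument closes the open tomb.

```shell
#!/usr/bin/env bash
# Added example, not Tomb's own code: wraps the dig/forge/lock/open/close
# commands from the show notes and refuses to create the key on the same
# filesystem as the tomb, so the key can live on a USB stick (assumption:
# the stick is mounted at e.g. /media/usb and the key path points there).
set -eu

# Command used to invoke Tomb. Overridable (e.g. TOMB=echo) for a dry run.
TOMB="${TOMB:-tomb}"

# Mount point of the filesystem holding a path's directory: last column of
# the second line of POSIX `df -P` output.
mount_point_of() {
  df -P "$(dirname "$1")" | awk 'NR == 2 { print $NF }'
}

# Exit 0 when the tomb file and the key file live on different filesystems.
keys_separated() {
  [ "$(mount_point_of "$1")" != "$(mount_point_of "$2")" ]
}

# create_tomb <file.tomb> <file.tomb.key> <size>  -- dig, forge, lock.
create_tomb() {
  tombfile=$1; keyfile=$2; size=$3
  if [ ! -d "$(dirname "$keyfile")" ]; then
    echo "refusing: key directory $(dirname "$keyfile") does not exist (USB stick not mounted?)" >&2
    return 1
  fi
  if ! keys_separated "$tombfile" "$keyfile"; then
    echo "refusing: $keyfile is on the same filesystem as $tombfile" >&2
    return 1
  fi
  "$TOMB" dig -s "$size" "$tombfile"      # allocate the container (slow)
  "$TOMB" forge -k "$keyfile"             # create the key; asks for a passphrase
  "$TOMB" lock -k "$keyfile" "$tombfile"  # format the container with that key
}

# open_tomb <file.tomb> <file.tomb.key>; close_tomb closes the open tomb.
open_tomb()  { "$TOMB" open -k "$2" "$1"; }
close_tomb() { "$TOMB" close; }

# Usage: `sudo ./tomb-wrap.sh demo` for real, `TOMB=echo ./tomb-wrap.sh demo`
# to only print the commands that would run.
if [ "${1:-}" = "demo" ]; then
  create_tomb "$HOME/secrets.tomb" /media/usb/secrets.tomb.key 1000
  open_tomb "$HOME/secrets.tomb" /media/usb/secrets.tomb.key
  close_tomb
fi
```

The check compares mount points rather than directory names, so a key placed in a subdirectory of the home partition is still rejected; only a separately mounted medium passes.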
Steganography helps here. Tomb offers the possibility to bury and exhume keys from jpeg images: if steghide is installed on a system then Tomb will offer these commands in its command-line help.
When securing your private data one of the bigger problems is the fallibility of your memory: at some point in the future you might forget where you left the keys.
This feature lets you keep in mind a certain picture rather than a position in a filesystem, which is much easier to remember. It also helps to hide the key well and possibly to pass it on without arousing suspicion, as it is very difficult to detect the presence of a key inside an image without knowing the password you used to seal it.
Hide the key
To hide the key inside an image file (jpeg):
tomb bury -k /path/to/key /path/to/file.jpg
To extract a pre-hidden key:
tomb exhume -k /path/to/newkeylocation /path/to/file.jpg
- steganography (to hide the key inside a jpeg/wav file)
- bind hooks: a tomb can mount some of its subdirectories as “bind” mounts onto other directories. Suppose, for example, you would like to encrypt your .Mail, .firefox and Documents directories. Then you can create a tomb which contains these subdirectories (and others too, if you want) and create a simple configuration file inside the tomb itself; when you run tomb open, it will automatically bind those directories into the right places. This way you will easily get an encrypted firefox profile, or maildir.
- post hooks: commands that are run when the tomb is opened or closed. You can imagine a lot of things for this: open files inside the tomb, put your computer in a “paranoid” status (for example, disabling swap), whatever.
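The bind-hooks feature described above, as an added example that is not from the Tomb project: it writes a sample bind-hooks file for the .Mail, .firefox and Documents case and sanity-checks it before the tomb is locked. Assumptions: the file is named bind-hooks in the top directory of the mounted tomb, each line holds the directory inside the tomb first and the target relative to $HOME second, and lines starting with '#' are comments; confirm the exact format against `man tomb`. The check itself is mine, not Tomb's: it rejects absolute paths and '..' components, because both sides of a hook become bind mounts, and a stray entry could otherwise mount over a directory outside the tomb or outside $HOME.

```shell
#!/usr/bin/env bash
# Added example (not Tomb's own code): create and validate a bind-hooks file.
# Assumed format: "<dir inside tomb> <dir relative to $HOME>", one per line,
# '#' comments allowed. Check `man tomb` for the authoritative format.
set -eu

# write_sample_bind_hooks <mounted-tomb-dir>: constructed sample matching the
# .Mail / .firefox / Documents scenario from the show notes.
write_sample_bind_hooks() {
  cat > "$1/bind-hooks" <<'EOF'
# <dir in tomb>   <dir under $HOME>
mail              .Mail
firefox           .firefox
documents         Documents
EOF
}

# check_bind_hooks <file>: return 0 when every hook is a relative path without
# any ".." component and has exactly two fields; otherwise report each bad
# line on stderr and return 1.
check_bind_hooks() {
  file=$1
  status=0
  lineno=0
  # `read` with default IFS splits on whitespace; a third field means junk.
  while read -r src dst extra || [ -n "$src" ]; do
    lineno=$((lineno + 1))
    case "$src" in ''|'#'*) continue ;; esac          # blank or comment
    if [ -z "$dst" ] || [ -n "$extra" ]; then
      echo "line $lineno: expected exactly two fields" >&2
      status=1
      continue
    fi
    for p in "$src" "$dst"; do
      case "$p" in
        /*)
          echo "line $lineno: absolute path not allowed: $p" >&2; status=1 ;;
        ..|../*|*/..|*/../*)
          echo "line $lineno: '..' component not allowed: $p" >&2; status=1 ;;
      esac
    done
  done < "$file"
  return "$status"
}

# Usage: ./bind-hooks-check.sh /path/to/mounted/tomb
if [ -n "${1:-}" ]; then
  write_sample_bind_hooks "$1"
  check_bind_hooks "$1/bind-hooks" && echo "bind-hooks OK"
fi
```

Run the check on the file inside the open tomb before closing it; a non-zero exit means a hook would point outside the intended directories and should be corrected before the next `tomb open`.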
Areas for improvement:
- Cleaner key management, i.e. not having to ever have the key sit on my filesystem.
- Integration with Yubikey
EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface.
You can find links to source and binary releases below. EncFS is open source software, licensed under the GPL.
— PICKS —
- Over 22,000 People Are Watching A Fish Play Pokemon By Swimming Around Its Fish Bowl – Business Insider
At the time of writing, over 22,000 are currently watching Grayson play Pokemon, with a little under 50,000 total views.
Desktop App Pick
“Serman is a simple dialog-based systemd service manager. It provides an easy way to manage services with an overview of what is currently enabled, running, etc.
The package currently includes the original version of serman based on the dialog and a complete rewrite using Python’s ncurses library. The latter is installed as serman2 for testing. It will soon replace the current version of serman.”
How do you balance — and indeed encourage — a war between factions without letting either side obliterate the other? How do you rule over gods, creatures, and men who refuse to obey you? How do you build a landscape of villages when bandits and mythology are conspiring to tear it down?
Version 7.4.0 of KNOPPIX is based on the usual picks from Debian stable (wheezy) and newer Desktop packages from Debian/testing and Debian/unstable (jessie). It uses kernel 3.15.6 and xorg 7.7 (core 1.16.0) for supporting current computer hardware.
This is TalkingArch, a respin of the Arch Linux live CD/USB image modified to include speech and braille output for blind and visually impaired users.
Arch Linux is designed to be simple, lightweight and flexible. TalkingArch retains all the features of the Arch Linux live image, but adds speech and braille packages to make it possible for blind and visually impaired users to install Arch Linux eyes-free.
— NEWS —
The city administrators calculated that updating the licences for all the PCs running Windows products will cost them a whopping 22 million Euros over a period of 5 years! At the same time, adopting Linux and open source alternatives will actually save them 6 million Euros during the same period.
According to reader reports this Saturday morning, just by modifying the user-agent of the latest beta version of Google’s Chrome web browser, it’s possible to get Netflix running natively on Linux. Thanks to DRM support with HTML5 and Google’s Chrome developers moving quickly to implement the support that’s backed by Netflix, you can today run Chrome and play Netflix videos without having to use Pipelight or any other plug-ins: the support simply works through having DRM’ed HTML5 video support.
Miloslav Suchy delivered a report on the state of Copr yesterday at Flock that demonstrated just how far a service can go in one year. Work on Copr, the lightweight build service for contributor packages that aren’t yet in Fedora officially, started less than a year ago. But the service is already hosting more than 250GB of data and has churned out more than 25,000 builds!
What’s Copr? In a nutshell, it’s a system for building packages and offering repositories for packages that aren’t yet in Fedora or aren’t ready for Fedora – for example, GNOME 3.12 built for Fedora 20 for users who want to go to the latest GNOME before the next Fedora release. Or experimental builds of packages.
Jasper St. Pierre presented an overview of GNOME’s Wayland support on July 28. St. Pierre’s talk started off with an atypical question-and-answer session as he debugged some last-minute problems with his current Wayland session in GNOME’s Mutter.
— FEEDBACK —
- The PC-BSD Tour | BSD Now 49
Add this to your queue
- The Xamarin Solution | CR 112 | A look at where the folks behind Mono are now
Anyone out there using owncloud/mozilla_sync with ownCloud 7?
— CHRIS’ STASH —
Hang in our chat room: