Tomb of Secrets | LAS 325


What’s the best TrueCrypt alternative for Linux? We’ll introduce you to Tomb, a tool that sits on top of open source encryption tools you can trust, that come built into every install of Linux.

Plus we’ll demo native Netflix working on Linux without any plugins, the big changes coming to Fedora…


All this week on, The Linux Action Show!

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Tomb :: The Crypto Undertaker

Tomb is 100% free and open source software to make strong encryption easy to use.
A tomb is like a locked folder that can be safely transported and hidden in a filesystem.
Keys can be kept separate: for instance the tomb on your computer and the key on a USB stick.

All dependencies used in Tomb are common GNU/Linux components, well peer reviewed and found in most distributions. Plus there is no cloud service connected and no network connection needed: Tomb works entirely off-line, of course.

Because dm-crypt is a block-level encryption layer, it only encrypts whole devices, whole partitions and loop devices. Encrypting individual files requires a filesystem-level encryption layer, such as eCryptfs or EncFS. Tomb takes the loop-device route: a tomb is an ordinary file that is attached to a loop device and formatted as a LUKS volume, so the usual block-level tools apply to it. See Disk encryption for general information about securing private data.

LUKS and Tomb:

The Linux Unified Key Setup or LUKS is a disk-encryption specification created by Clemens Fruhwirth in 2004 and originally intended for Linux.

While most disk encryption software implements different and incompatible, undocumented formats, LUKS specifies a platform-independent standard on-disk format for use in various tools. This not only facilitates compatibility and interoperability amongst different programs, but also assures that they all implement password management in a secure and documented manner.

The reference implementation for LUKS operates on Linux and is based on an enhanced version of cryptsetup, using dm-crypt as the disk encryption backend.

dm-crypt and Tomb:

dm-crypt is a transparent disk encryption subsystem in Linux kernel versions 2.6 and later and in DragonFly BSD. It is part of the device mapper infrastructure, and uses cryptographic routines from the kernel’s Crypto API.

dm-crypt is implemented as a device mapper target and may be stacked on top of other device mapper transformations. It can thus encrypt whole disks (including removable media), partitions, software RAID volumes, logical volumes, as well as files. It appears as a block device, which can be used to back file systems, swap or as an LVM physical volume.

Installing Tomb:

  • Tomb needs a few programs to be installed on a system in order to work:
    • zsh
    • gnupg
    • cryptsetup
    • steghide (optional: used by the bury and exhume commands to stash your key in a jpeg)
    • pinentry-curses (or -gtk or -qt as you prefer)

Most systems provide these tools in their package collection: on Debian/Ubuntu use ‘apt-get install’, on Fedora and CentOS use ‘yum install’.

Install Tomb
  • To install Tomb, download the source distribution (the tar.gz file) and decompress it.
  • Then enter its directory and run ‘make install’ as root; this installs Tomb into /usr/local:

    sudo make install

  • After installation one can read the commandline help or read the manual:

    tomb -h
    man tomb (show the full usage manual)

  • At this point one can proceed creating a tomb, for instance:

    tomb dig -s 1000 secrets.tomb (be patient and wait a bit)
    tomb forge -k secrets.tomb.key (be patient and follow instructions)
    tomb lock -k secrets.tomb.key secrets.tomb

Mount your Tomb:

tomb open secrets.tomb -k secrets.tomb.key

  • And after you are done:

tomb close
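To make the layering described above concrete, here is the same dig/forge/lock/open/close sequence done with the tools Tomb drives underneath (dd, gpg, losetup, cryptsetup). This is an added example and not Tomb's own code: the function names, the 256-byte key size, the ext4 choice, the mapper name and mount paths are this example's assumptions, and the lock/open/close steps need root plus a kernel with dm-crypt. Use the real tomb command for daily work; the point is to see what a tomb is: a random-filled file, attached to a loop device, LUKS-formatted with a key that is itself GPG-encrypted, with the key kept on a different filesystem than the tomb.

```shell
#!/bin/sh
# Added example: what `tomb dig / forge / lock / open / close` do underneath,
# spelled out with dd, gpg, losetup and cryptsetup. Not Tomb's own code.
# Assumptions: GnuPG 2.1+ (for --pinentry-mode loopback), util-linux losetup,
# cryptsetup 1.6+ (for `open`/`close`), root for the LUKS and mount steps.
set -e

# Check the dependency list above (plus any extra names given as arguments);
# print the missing tools and return 1 if there are any.
tomb_missing_deps() {
    missing=""
    for cmd in zsh gpg cryptsetup losetup "$@"; do
        command -v "$cmd" >/dev/null 2>&1 || missing="$missing $cmd"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# dig: allocate the container and fill it from /dev/urandom, as `tomb dig`
# does, so free space is indistinguishable from ciphertext. Never overwrites.
tomb_dig_raw() {  # tomb_dig_raw <file> <size-in-MiB>
    [ ! -e "$1" ] || { echo "refusing to overwrite $1" >&2; return 1; }
    dd if=/dev/urandom of="$1" bs=1048576 count="$2" 2>/dev/null
}

# forge: the key is random bytes sealed with GPG symmetric encryption, as
# `tomb forge` does. 256 bytes is this example's choice; the real tool asks
# for the passphrase through pinentry instead of taking it as an argument.
tomb_forge_raw() {  # tomb_forge_raw <keyfile> <passphrase>
    [ ! -e "$1" ] || { echo "refusing to overwrite $1" >&2; return 1; }
    head -c 256 /dev/urandom | gpg --batch --yes --pinentry-mode loopback \
        --passphrase "$2" --symmetric --cipher-algo AES256 --output "$1"
}

# The advice above is tomb on the disk, key on a USB stick: refuse when both
# sit on the same filesystem (compares the device reported by df -P).
tomb_key_is_separate() {  # tomb_key_is_separate <tomb> <keyfile>
    dev_tomb=$(df -P "$1" | awk 'NR==2 {print $1}')
    dev_key=$(df -P "$2" | awk 'NR==2 {print $1}')
    [ -n "$dev_tomb" ] && [ "$dev_tomb" != "$dev_key" ]
}

# Decrypt the sealed key to stdout so it can be piped into cryptsetup
# (--key-file - reads the key from stdin; it never touches the disk in clear).
_key_stream() {  # _key_stream <keyfile> <passphrase>
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$2" --decrypt "$1"
}

# lock: attach a loop device, LUKS-format it with the decrypted key, open the
# dm-crypt mapping, create ext4 inside it, then tear everything down again.
tomb_lock_raw() {  # tomb_lock_raw <tomb> <keyfile> <passphrase> <mapper-name>
    loopdev=$(losetup --find --show "$1")
    _key_stream "$2" "$3" | cryptsetup --batch-mode --key-file - luksFormat "$loopdev"
    _key_stream "$2" "$3" | cryptsetup --key-file - open "$loopdev" "$4"
    mkfs.ext4 -q "/dev/mapper/$4"
    cryptsetup close "$4"
    losetup -d "$loopdev"
}

# open: loop device, dm-crypt mapping, mount. This is the `tomb open` step.
tomb_open_raw() {  # tomb_open_raw <tomb> <keyfile> <passphrase> <mapper-name> <mountpoint>
    loopdev=$(losetup --find --show "$1")
    _key_stream "$2" "$3" | cryptsetup --key-file - open "$loopdev" "$4"
    mkdir -p "$5"
    mount "/dev/mapper/$4" "$5"
}

# close: unmount, remove the mapping, detach the loop device it was backed by.
tomb_close_raw() {  # tomb_close_raw <mapper-name> <mountpoint>
    loopdev=$(cryptsetup status "$1" | awk '/device:/ {print $2}')
    umount "$2"
    cryptsetup close "$1"
    losetup -d "$loopdev"
}

# When run directly, just report whether the toolchain is complete.
tomb_missing_deps || echo "install the tools listed above before continuing" >&2
```

In order, for a tomb on the disk and a key on a USB stick mounted at /media/usb (paths assumed): tomb_dig_raw secrets.tomb 1000; tomb_forge_raw /media/usb/secrets.tomb.key "$pw"; tomb_key_is_separate secrets.tomb /media/usb/secrets.tomb.key; then as root tomb_lock_raw secrets.tomb /media/usb/secrets.tomb.key "$pw" secrets, tomb_open_raw with a mountpoint, and tomb_close_raw when done. Passing the passphrase on the command line is for illustration only; it shows up in process listings and shell history, which is exactly why Tomb uses pinentry.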

Key Storage:

Steganography helps here. Tomb can bury a key inside a jpeg image and exhume it again: if steghide is installed, Tomb lists these commands in its command-line help.

When securing your private data, one of the bigger problems is the fallibility of your memory: at some point in the future you may forget where you left the key.

This feature lets you remember a particular picture rather than a position in a filesystem, which is much easier. It also hides the key well and lets you pass it along without arousing suspicion, since it is very difficult to detect the presence of a key inside an image without knowing the passphrase used to seal it. Note that what gets buried is the GPG-encrypted key file, so a key extracted from the image still needs its own passphrase before it can open the tomb.


Hide the key

To hide the key inside an image file (jpeg):

tomb bury -k /path/to/key /path/to/file.jpg

Extract the hidden key

To extract a pre-hidden key:

tomb exhume -k /path/to/newkeylocation /path/to/file.jpg

Advanced features

  • steganography (to hide the key inside a jpeg/wav file)
  • bind hooks: Tomb can bind-mount some of a tomb’s subdirectories onto other locations. Suppose, for example, you want to encrypt your .Mail, .firefox and Documents directories. Create a tomb that contains those subdirectories (and any others you like) plus a simple configuration file inside the tomb itself; when you run tomb open, those directories are bound into the right places automatically. This way you easily get an encrypted Firefox profile or maildir.
  • post hooks: commands that run when the tomb is opened or closed. You can imagine many uses for this: open files inside the tomb, put your computer into a “paranoid” state (for example, disabling swap), and so on.
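As an added example (not Tomb’s own code), the following writes both hook files into the root of an open tomb and adds the check a practitioner wants before relying on bind hooks: whether a bind target under the home directory already exists with content, because a bind mount shadows that content rather than encrypting it. The hook-file formats are as I read them in Tomb’s manual, bind-hooks lines being “<dir inside the tomb> <dir relative to $HOME>” and post-hooks being an executable run as “post-hooks open|close <mountpoint>”; check man tomb for your version. The TOMB_HOOK_SWAPOFF opt-in variable, the hook.log file and the directory names are this example’s own.

```shell
#!/bin/sh
# Added example, not Tomb's own code: create bind-hooks and post-hooks in an
# open tomb, and check for bind targets that would be shadowed.
# Assumed formats (verify against `man tomb`): bind-hooks = "<src> <dst>" per
# line, src inside the tomb, dst relative to $HOME; post-hooks is executed as
# "post-hooks open|close <mountpoint>". TOMB_HOOK_SWAPOFF and hook.log are mine.
set -e

tomb_write_hooks() {  # tomb_write_hooks <tomb-mountpoint>
    mnt=$1
    mkdir -p "$mnt/mail" "$mnt/firefox" "$mnt/documents"
    cat > "$mnt/bind-hooks" <<'EOF'
mail .Mail
firefox .mozilla/firefox
documents Documents
EOF
    cat > "$mnt/post-hooks" <<'EOF'
#!/bin/sh
# $1 is "open" or "close", $2 is the tomb's mountpoint.
action=$1; mnt=$2
log="$mnt/hook.log"
printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$action" >> "$log"
# "Paranoid" mode from the show notes: no swap while the tomb is open, so
# plaintext from the tomb cannot be paged out. Opt-in, root only, and a
# failure here must never block the open/close itself.
if [ "${TOMB_HOOK_SWAPOFF:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    case $action in
        open)  swapoff -a 2>>"$log" || echo "swapoff failed" >> "$log" ;;
        close) swapon  -a 2>>"$log" || echo "swapon failed"  >> "$log" ;;
    esac
fi
EOF
    chmod 0755 "$mnt/post-hooks"
}

# Count bind-hook targets that already exist as non-empty directories under
# the home directory. Tomb bind-mounts over them, so whatever is inside stays
# on the unencrypted disk, hidden but not protected: move it into the tomb first.
tomb_shadowed_targets() {  # tomb_shadowed_targets <tomb-mountpoint> [home]
    home=${2:-$HOME}
    n=0
    while read -r src dst; do
        [ -n "$src" ] || continue
        if [ -d "$home/$dst" ] && [ -n "$(ls -A "$home/$dst")" ]; then
            n=$((n + 1))
        fi
    done < "$1/bind-hooks"
    echo "$n"
}
```

Run tomb_write_hooks once against the mountpoint of an open tomb, check that tomb_shadowed_targets reports 0 (or move the shadowed data into the tomb until it does), and from then on tomb open and tomb close pick the hooks up by themselves.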

Areas for improvement:

EncFS provides an encrypted filesystem in user space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. EncFS is open source software, licensed under the GPL.


Runs Linux

Fish Who Plays Pokemon, Runs Linux – Twitch

  • Catherine and Patrick are two developers from the HackNY Fellows Class of 2014 that attend school at the University of Chicago and Columbia University, respectively. You can follow them on twitter at @catmoresco and @plfacheris.

At the time of writing, over 22,000 are currently watching Grayson play Pokemon, with a little under 50,000 total views.

Desktop App Pick

serman – Dialog-based systemd service management.

“Serman is a simple dialog-based systemd service manager. It provides an easy way to manage services with an overview of what is currently enabled, running, etc.

The package currently includes the original version of serman based on the dialog and a complete rewrite using Python’s ncurses library. The latter is installed as serman2 for testing. It will soon replace the current version of serman.”

Skyward Collapse on Steam

How do you balance — and indeed encourage — a war between factions without letting either side obliterate the other? How do you rule over gods, creatures, and men who refuse to obey you? How do you build a landscape of villages when bandits and mythology are conspiring to tear it down?

Weekly Spotlight


Version 7.4.0 of KNOPPIX is based on the usual picks from Debian stable (wheezy) and newer Desktop packages from Debian/testing and Debian/unstable (jessie). It uses kernel 3.15.6 and xorg 7.7 (core 1.16.0) for supporting current computer hardware.

TalkingArch – Home

This is TalkingArch, a respin of the Arch Linux live CD/USB image modified to include speech and braille output for blind and visually impaired users. Arch Linux is designed to be simple, lightweight and flexible. TalkingArch retains all the features of the Arch Linux live image, but adds speech and braille packages to make it possible for blind and visually impaired users to install Arch Linux eyes-free.

— NEWS —

Turin becomes the first Italian city to adopt Ubuntu and Open Office, saves millions of Euros!

The city administrators calculated that updating the licences for all the PCs running Windows products would cost them a whopping 22 million Euros over a period of 5 years, while adopting Linux and open source alternatives would save them 6 million Euros over the same period.

It’s Now Possible To Play Netflix Natively On Linux Without Wine Plug-Ins

According to reader reports this Saturday morning, by simply changing the user-agent string of the latest beta version of Google’s Chrome web browser, it’s possible to get Netflix running natively on Linux. Thanks to DRM support in HTML5 and Google’s Chrome developers moving quickly to implement the support backed by Netflix, you can today run Chrome and play Netflix videos without Pipelight or any other plug-in; it simply works through DRM-enabled HTML5 video support.

Flock 2014 Day One: The State of Copr

Miloslav Suchy delivered a report on the state of Copr yesterday at Flock that demonstrated just how far a service can go in one year. Work on Copr, the lightweight build service for contributor packages that aren’t yet in Fedora officially, started less than a year ago. But the service is already hosting more than 250GB of data and has churned out more than 25,000 builds!

What’s Copr? In a nutshell, it’s a system for building packages and offering repositories for packages that aren’t yet in Fedora or aren’t ready for Fedora – for example, GNOME 3.12 built for Fedora 20 for users who want to go to the latest GNOME before the next Fedora release. Or experimental builds of packages.

Wayland in GNOME

Jasper St. Pierre presented an overview of GNOME’s Wayland support on July 28. St. Pierre’s talk started off with an atypical question-and-answer session as he debugged some last-minute problems with his current Wayland session in GNOME’s Mutter.


Hang in our chat room: #jupiterbroadcasting



Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

Question? Comments? Contact us here!