How to Encrypt Files in Linux with Tomb

Tomb Encrypt Files 00 Featured Image

Tomb is a simple shell script that allows you to encrypt files in Linux. Unlike full disk encryption, Tomb enables you to only include the files and folders that you want to encrypt. Here we show you how to install and use Tomb on Ubuntu.

Why Use Tomb to Encrypt Files in Linux

One of the biggest advantages of Tomb is that it does not require any additional software to install and use. This means that it is possible to use it in an existing system without any internet connection. This can be helpful in situations where you want to quickly encrypt a file in live systems such as Kali Linux.

Tomb heavily relies on programs and utilities that come by default in most popular Linux distributions. For example, Tomb uses both GNU Privacy Guard to handle its encryption and dd to wipe and format its virtual partitions.

Tomb Encrypt Files 02 Gnupg Website

This means that Tomb will always use the latest encryption and programming techniques when maintaining its files. This approach also allows the program to focus on integrating itself to your system rather than create its own environment. As a result, you can easily adapt Tomb and its files to work with any custom shell script that you made in your machine.

Tomb Encrypt Files 03 Help Screen

Lastly, a Tomb file is also highly flexible. It allows you to seamlessly modify its properties without affecting its contents. Because of that, you can also use it as a simple encrypted backup storage.

Installing Tomb in Ubuntu

  1. Make sure that all of Tomb’s dependencies are present in your system. You can double check this by running the following command:
sudo apt install zsh file gnupg cryptsetup pinentry-curses wget make steghide mlocate
Tomb Encrypt Files 04 Installing Dependencies
  1. Download a copy of Tomb from the developer’s website:
wget https://files.dyne.org/tomb/releases/Tomb-2.9.tar.gz
Tomb Encrypt Files 05 Wget Download Tomb
  1. Unpack the Tomb utility to your home directory. You can do this by running the following command:
tar xvzf ./Tomb-2.9.tar.gz
Tomb Encrypt Files 06 Extract Tomb Files
  1. Go inside the Tomb directory and install it to your system using make:
cd Tomb-2.9
sudo make install
Tomb Encrypt Files 07 Make Install

This command will automatically copy Tomb to “/usr/local/bin” and set the correct permissions for it to work. You can also check whether you have properly installed the program by running man tomb.

Tomb Encrypt Files 08 Tomb Manual

Creating Your First Tomb to Encrypt Files

With the program installed, you can start to use Tomb to encrypt file. Tomb works by allocating a set amount of space that it will encrypt beforehand. You can copy your files to this space later and Tomb will encrypt them on the fly.

To allocate the space for your first Tomb, you need to use the dig subcommand. The following command creates a 100MB Tomb file with the name “first.tomb.”

tomb dig -s 100 first.tomb
Tomb Encrypt Files 09 Create Tomb Files

Next, you need to create a key for your new tomb file:

tomb forge -k first.tomb.key

It is important to note that running this command can be resource intensive to your machine. This is because the forge subcommand tries to generate as much random data as possible for its keys. You can alleviate this issue by constantly moving the mouse cursor during this process.

Tomb Encrypt Files 10 Create Key

Once you have your key, you can now link it to your new tomb file. To do this, you can run the lock subcommand:

tomb lock -k first.tomb.key first.tomb
Tomb Encrypt Files 11 Link Key

Lastly, you can open your newly locked tomb by running the open subcommand:

tomb open -k first.tomb.key first.tomb
Tomb Encrypt Files 12 Open New Tomb Key

Running this command will prompt you for your Tomb’s password (in case you can’t remember your password, check out these password managers for Linux). After which, it will then automatically mount your file as a separate partition in your system.

Tomb Encrypt Files 13 Tomb File Manager Open

Creating an Image Key to Encrypt Files

Aside from creating simple password keys, you can also use images to unlock your tomb files. This can be helpful if you want to share your tomb to others without directly sharing your password.

To create an image key, you need to use the bury subcommand. For example, running the following command will combine my “first.tomb.key” file with my “image.jpg” file.

tomb bury -k first.tomb.key image.jpg
Tomb Encrypt Files 14 Create Image Key

Once that is done, you can now use your image to open the tomb file. The following command opens the “first.tomb” file using my new image key.

tomb open -k image.jpg first.tomb
Tomb Encrypt Files 15 Open Tomb With Image Key

Closing and Slamming Your Tomb

Unlike a regular encrypted drive, a Tomb file does not work as a separate device in your system. Instead, it behaves as an isolated partition within your file system.

Tomb Encrypt Files 16 Show Tomb Partition

One issue with this approach is that you need to use program-specific subcommands to cleanly unmount tombs. For example, running the following command will reencrypt a tomb’s contents and cleanly unmount it from your current session:

tomb close
Tomb Encrypt Files 17 Close Open Tombs

Aside from that, you can also force close any mounted tombs in your system. This is useful if you have a misbehaving application that does not want to terminate.

However, it is important to note that forcing an unmount can potentially damage the data inside your tombs. Knowing that, you can do a force close by running the slam subcommand:

tomb slam
Tomb Encrypt Files 18 Force Close All Tombs

Expanding and Indexing Your Tomb

It is also possible to increase the amount of storage for your tomb files. This can be helpful for users that wanted to store more data but do not want to encrypt a new partition for their data.

To do this, you need to use the resize subcommand. For example, running the following command will expand the size of my first.tomb file from 100MB to 1GB:

tomb resize -k first.tomb.key -s 1000 first.tomb
Tomb Encrypt Files 19 Increase Current Tomb Size

Searching Your Tombs

Lastly, you can also create easily searchable indexes for your currently open tomb files. This is useful for users that want to have a quick way to manage multiple encrypted partitions.

In order to search through your tomb files, you need to first build an index of it. To do this, you need to run the following command:

tomb index
Tomb Encrypt Files 20 Index All Active Tombs

Next, you can now search through all of the currently open tomb files by running the search subcommand. For example, running the following will look for every file that contains the word “test”:

tomb search test
Tomb Encrypt Files 21 Search All Tombs

Frequently Asked Questions

Can you use Tomb on a different Linux distribution?

Tomb is a highly portable script that only relies on a small set of Linux utilities. This means that it is likely that the program will run on your machine as long as you have the right dependencies. For example, both zsh and GNU Privacy Guard are programs that are often present in any distribution repository.

Can you link a single key to multiple tombs?

Yes. Similar to publishing an SSH key pair, it is possible to use a single key to manage multiple tomb files. To do this, you need to create your new file by running: tomb dig -s 100 test2.tomb.

Next, you need to link your new tomb file by using the lock subcommand. For example, running the following will link my new test2.tomb to my existing test.tomb.key: tomb lock test2.tomb -k test.tomb.key.

Is it possible to reduce the size of a tomb file in Linux?

No. The developers of Tomb designed their encrypted filesystems to only grow in size. This is mostly due to the way both the encryption and resizing works between cryptsetup and resize2fs.

The only way to “shrink” a tomb file is to create a new tomb with a smaller size using the dig subcommand. After that, you can link this new tomb file to your existing key using the lock subcommand.

Image credit: Unsplash. All screenshots and alterations by Ramces Red.

Is this post useful?
Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Ramces Red
Ramces Red - Staff Writer

Ramces is a technology writer that lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character that writes articles about Linux and anything *nix.