tomb

the crypto undertaker
git clone git://parazyd.org/tomb.git

commit fa145074f82af74dc4eee2ed87ebcf35e4cc9e82
parent 843b7fdfc4c125065d31cc11cff8a994ed680bd4
Author: Jaromil <jaromil@dyne.org>
Date:   Mon,  2 Jan 2017 12:02:23 +0100

documentation updates and reorganisation

Added two new sections to the manpage: deniability and password.
Small actualisation of the install instructions.

Diffstat:
M AUTHORS.md   |  4 ++--
M ChangeLog.md |  2 +-
M INSTALL.md   | 63 +++++++++++++++++----------------------------------------------
M doc/tomb.1   | 68 +++++++++++++++++++++++++++++++++++++++-----------------------------
4 files changed, 59 insertions(+), 78 deletions(-)

diff --git a/AUTHORS.md b/AUTHORS.md @@ -21,8 +21,8 @@ Augello and Swedish translation by PLJ / Kosovoper. Testing, reviews and documentation contributed by Dreamer, Vlax, Shining the Translucent, Mancausoft, Asbesto Molesto, Nignux, TheJH, The Grugq, Reiven, GDrooid, Alphazo, Brian May, fsLeg, JoelMon, -Narrat, x3nu, Jim Turner, Maxime Arthaud, RobertMX, and... -the Linux Action Show! +Narrat, x3nu, Jim Turner, Maxime Arthaud, RobertMX, mhogomchungu +and... the Linux Action Show! Tomb includes an implementation of the "Password-Based Key Derivation Function v2" based on GCrypt and written by Anthony Thyssen. diff --git a/ChangeLog.md b/ChangeLog.md @@ -1,7 +1,7 @@ # Tomb ChangeLog ## 2.3 -### December 2016 +### January 2017 Fix to bug occurring when using ZSh version 5.3 or higher. Fix to inclusion of final newline in keys generated with 2.2. Enhanced diff --git a/INSTALL.md b/INSTALL.md @@ -20,12 +20,12 @@ To install Tomb simply download the source distribution (the tar.gz file) from https://files.dyne.org/tomb and decompress it. From a terminal: cd Downloads - tar xvfz Tomb-2.0.1.tar.gz (correct with actual file name) + tar xvfz Tomb-2.3.tar.gz (correct with actual file name) Then enter its directory and run 'make install' as root, this will install Tomb into /usr/local: - cd Tomb-2.0.1 (correct with actual directory name) + cd Tomb-2.3 (correct with actual directory name) sudo make install After installation one can read the commandline help or read the manual: 
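Review bot: in the INSTALL.md hunk at @@ -20,12 the remark "(correct with actual file name)" sits inside the command line itself (`tar xvfz Tomb-2.3.tar.gz (correct with actual file name)` and `cd Tomb-2.3 (correct with actual directory name)`), so a copy-paste of either line fails with a shell syntax error; move the remark into the prose above the commands. Since the hunk only bumps 2.0.1 to 2.3 and the number will keep going stale, consider a generic placeholder such as `Tomb-X.Y.tar.gz`. The procedure also goes straight from downloading the tarball to `sudo make install` without any integrity check; if signatures or checksums are published next to the tarball on files.dyne.org, this is the place to tell users to verify them first.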
@@ -60,36 +60,7 @@ There are some more things that tomb can do for you, make sure you have a look at the manpage and at the commandline help to find out more. -## Basic usage notes - -Here we collect notes on common issues users may or may not experience -and the commonly working solutions found. - -### Pinentry issues - -If pinentry has problems dealing with the password because of language -or tty settings on your system, try running `gpg-agent` by launching it -from the session initialization (~/.xsession or ~/.xinitrc) with this -command: -``` -eval $(gpg-agent --daemon --write-env-file "${HOME}/.gpg-agent-info") -``` - -### Deleting history - -To improve deniability one has to avoid that tomb commands are -recorded in the shell history. In order to do so the -`HISTIGNORESPACE=1` environment setting of Zsh comes handy. Anywhere -in the `.zshrc` put: -``` -export HISTIGNORESPACE=1 -alias tomb=' tomb' -``` - - -# Advanced usage - -## Install optional tools +# Optional tools Tomb can use some optional tools to extend its functionalities: @@ -110,12 +81,12 @@ the packages provided by each distribution. Once any of the above is installed Tomb will find the tool automatically. -## Install Tomb Extras +# Extras Tomb comes with a bunch of extra tools that contribute to enhance its functionality or integrate it into particular system environments. -### extras/gtk-tray +## extras/gtk-tray The Gtk tray adds a nifty tomb skull into the desktop toolbar: one can use it to close, slam and explore the open tomb represented by it. 
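Review bot: the @@ -60,36 hunk deletes the "Pinentry issues" and "Deleting history" notes from INSTALL.md without leaving any pointer to their new home. The commit message says they moved into the manpage, so add one sentence here referring readers to the DENIABILITY and PASSWORD INPUT sections of tomb(1); otherwise someone who hits the pinentry problem right after installing has no hint where to look. The promotion of "## Install optional tools" to "# Optional tools" is fine, as long as it stays consistent with the "# Extras" promotion in the following hunk.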
@@ -132,13 +103,13 @@ To have it change directory `extras/gtk-tray` then Of cource one can include the launch of tomb-gtk-tray scripts. -### extras/qt-tray +## extras/qt-tray The QT tray adds a tomb tray in a QT desktop toolbar. It requires at least QT libraries of version 5.4 or above. Build with 'qmake' and then 'make'. -### extras/kdf-keys +## extras/kdf-keys The KDF wrapper programs allows one to use KDF rounds on passwords in order to obstruct dictionary based and similar brute-forcing attacks. @@ -165,7 +136,7 @@ Please note that it doesn't makes much sense to use KDF keys and steganography, since the latter will invalidate the brute-forcing protection. For details on the issue see [KNOWN_BUGS.md](KNOWN_BUGS). -### extras/translations/ +## extras/translations/ There are translations available for Tomb and they are installed by default. If you wish to update them manually navigate to extras/po @@ -174,7 +145,7 @@ and run 'make install' as root: cd extras/translations sudo make install -### extras/gtomb/ +## extras/gtomb/ This is a minimalistic graphical user interface scripted in ZSh depending from Zenity to display dialog boxes. It covers all basic @@ -204,6 +175,14 @@ other people logged on the same system can easily log your passwords while such commands are executing. We only recommend using the pinentry to input your passwords. +At the time of writing another free software graphical application +supports opening and closing Tombs via a plugin installed by +default: [zuluCrypt](https://mhogomchungu.github.io/zuluCrypt/). One +needs to activate the Tomb plugin included in the zuluCrypt source to +be able to create, open and close tombs. Beware zuluCrypt may miss +advanced Tomb functionalities that are only available from the +command-line. + ## Python ![](extras/images/python_for_tomb.png) 
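Review bot: in the @@ -204,6 hunk the new zuluCrypt paragraph is inserted inside the extras/gtomb section, immediately after the paragraph that warns against typing passwords on the command line and recommends pinentry, so it reads as if it were about gtomb. The "## Graphical applications" heading removed in the next hunk (@@ -212,14) was the right home for this text; keep that heading (or add one for zuluCrypt) above the new paragraph rather than folding it into gtomb. "At the time of writing" will also date quickly; either name the zuluCrypt version that ships the Tomb plugin, if known, or drop the phrase.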
@@ -212,14 +191,6 @@ A Python wrapper is under development and already usable, but it introduces some vulnerabilities mentioned above. Find it in `extras/tomber`. For more information see [PYTHON](extras/PYTHON.md). -## Graphical applications - -So far the only graphical application supporting Tomb volumes is -[ZuluCrypt](https://github.com/mhogomchungu/zuluCrypt). One needs to -activate the Tomb plugin included in its source and will be able to -create, open and close tombs. It might still miss advanced Tomb -functionalities that are only available from the command-line. - ## Let us know! If you plan to develop any kind of wrapper for Tomb you are welcome to diff --git a/doc/tomb.1 b/doc/tomb.1 
@@ -327,6 +327,36 @@ If you don't need swap, execute \fI swapoff -a\fR. If you really need it, you could make an encrypted swap partition. Tomb doesn't detect if your swap is encrypted, and will complain anyway. +.SH DENIABILITY + +The possibility to have an encrypted volume which is invisible and +cannot be detected is called "deniability". The cryptographic layer of +the device mapper in Linux (dm-crypt) does not implement +deniability. Tomb is just a wrapper on top of that and it doesn't add +cryptographic deniability. However a certain way of using tomb can +facilitate a weak sort of deniability outside of the scenario of +seized devices and forensic analysis of files and blocks on disc. + +For instance to eliminate any trace of tomb usage from the shell +history ZSh users can activate the "HISTIGNORESPACE" feature and +prefix all invokations of tomb with a blank space, including two lines +in ".zshrc": + +.EX +export HISTIGNORESPACE=1 +alias tomb=' tomb' +.EE + +.SH PASSWORD INPUT + +Tomb uses the external program "pinentry" to let users type the key password into a terminal or a graphical window. This program works in conjunction with "gpg-agent", a daemon running in background to facilitate secret key management with gpg. It is recommended one runs "gpg-agent" launching it from the X session initialization ("~/.xsession" or "~/.xinitrc" files) with this command: + +.EX +eval $(gpg-agent --daemon --write-env-file "${HOME}/.gpg-agent-info") +.EE + +In the future it may become mandatory to run gpg-agent when using tomb. + .SH EXAMPLES .IP \(bu 
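Review bot: in the new DENIABILITY section, `export HISTIGNORESPACE=1` does not enable the zsh feature the text relies on. HIST_IGNORE_SPACE is a shell option, not an environment variable, so the .zshrc snippet should read `setopt HIST_IGNORE_SPACE` followed by `alias tomb=' tomb'`; zsh applies the option when an expanded alias begins with a space, so the alias trick then works as intended (bash users would need `HISTCONTROL=ignorespace` instead, if the section wants to cover them). The section should also say plainly that this only keeps tomb invocations out of the shell's own history file; the tomb file, the key file and mount records are untouched, which is what the sentence about "seized devices and forensic analysis" is hinting at. In PASSWORD INPUT, `gpg-agent --daemon --write-env-file ...` and the GPG_AGENT_INFO file are obsolete since GnuPG 2.1, where the agent is started on demand; qualify the advice as applying to GnuPG 2.0, or replace it with a note that the pinentry program is selected via `pinentry-program` in gpg-agent.conf. Spelling: "invokations" should be "invocations" and "disc" should be "disk".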
@@ -410,26 +440,8 @@ Please report bugs on the Github issue tracker at .UR https://github.com/dyne/Tomb/issues .UE -One can also try to get in touch with developers via the #dyne chat channel on \fIhttps://irc.dyne.org\fR. - -.SH AUTHORS - -Tomb is designed, written and maintained by Denis Roio aka Jaromil. - -Tomb includes code by Anathema, Boyska, Hellekin O. Wolf and GDrooid. - -Tomb's artwork is contributed by Jordi aka Mon Mort and Logan VanCuren. - -Gettext internationalization and Spanish translation is contributed by -GDrooid, French translation by Hellekin, Russian translation by fsLeg, -German translation by x3nu. - -Testing, reviews and documentation are contributed by Dreamer, Shining -the Translucent, Mancausoft, Asbesto Molesto, Nignux, Vlax, The Grugq, -Reiven, GDrooid, Alphazo, Brian May, TheJH, fsLeg, JoelMon and the -Linux Action Show! - -Cryptsetup was developed by Christophe Saout and Clemens Fruhwirth. +One can also try to get in touch with developers via the #dyne chat +channel on \fIhttps://irc.dyne.org\fR. .SH COPYING @@ -454,15 +466,13 @@ documentation is available for download from its website on .B .IP cryptsetup(8) +.B +.IP pinentry(1) +.B +.IP gpg-agent(1) -GnuPG website: -.br -https://www.gnupg.org +GnuPG website: https://www.gnupg.org -DM-Crypt website: -.br -https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt +DM-Crypt website: https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt -LUKS website: -.br -https://gitlab.com/cryptsetup/cryptsetup/wikis/home +LUKS website: https://gitlab.com/cryptsetup/cryptsetup/wikis/home
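Review bot: the @@ -410,26 hunk silently drops the entire AUTHORS section from the manpage, including the credit to Christophe Saout and Clemens Fruhwirth for cryptsetup, and the commit message ("documentation updates and reorganisation") does not mention it. If the intent is to keep credits only in AUTHORS.md, say so in the message and leave a one-line pointer in the manpage (for example "See the AUTHORS.md file distributed with Tomb"), and check that AUTHORS.md actually carries the cryptsetup credit, since the AUTHORS.md hunk in this commit only adds mhogomchungu.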