Tomb: A Simple and Secure Linux Encryption Tool

What is Tomb?

Tomb is a free and open-source encryption tool for GNU/Linux that allows users to create encrypted storage containers (called tombs) and protect their keys with GnuPG. It’s designed to be scriptable, lightweight, and secure, making it ideal for privacy-focused users who prefer the terminal.

Created by Dyne.org, Tomb uses LUKS (Linux Unified Key Setup) for strong encryption and GnuPG for key management.


Key Features

  • Strong encryption using LUKS and dm-crypt
  • GnuPG integration for securing keys with public-key cryptography
  • Portable containers that can be safely backed up or moved
  • Scriptable CLI interface, perfect for automation
  • Key and data separation: keys can be stored offline
  • Self-destruct and forget options to erase keys or wipe data

How Tomb Works

Tomb separates the container (the encrypted file) from the key (used to unlock it):

  1. Create a tomb (container):
    tomb dig -s 100 secret.tomb
    This creates a 100 MB encrypted file (the size is given in megabytes).

  2. Forge a key:
    tomb forge secret.key
    You are asked for a passphrase; optionally protect the key with a GnuPG identity instead (-g -r <gpg_id>).

  3. Lock the tomb with the key:
    tomb lock -k secret.key secret.tomb

  4. Open the tomb (decrypt and mount):
    tomb open -k secret.key secret.tomb

  5. Close the tomb:
    tomb close

You can now securely store private files inside the mounted volume.
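The workflow above is easy to script, and the most valuable check to add is the one the post's "key and data separation" point implies. The following wrapper is an added example, not code from the original post or from the Tomb project: it refuses to open a tomb whose key file lives on the same filesystem as the tomb, mirrors a directory into the opened tomb, and always closes it again even when the copy fails. It assumes `tomb` and `rsync` are installed, that the caller can run them (Tomb needs root via sudo), and that the tomb has already been dug, forged and locked; `backup_into_tomb`, `key_is_separated` and `dev_of` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Tomb project: a wrapper
# around the dig/forge/lock/open/close workflow above that (1) refuses to run
# when the key file sits on the same filesystem as the tomb, enforcing the
# key/data separation the post recommends, and (2) mirrors a directory into the
# opened tomb and always closes it again, even when the copy fails.
# Assumptions: `tomb` and `rsync` are installed and the caller may run them
# (Tomb needs root via sudo); the tomb has already been dug, forged and locked.
set -u

TOMB=${TOMB:-tomb}      # command used for Tomb; a stub can be injected for tests
RSYNC=${RSYNC:-rsync}

# Device number of the filesystem holding a path (GNU stat).
dev_of() { stat -c %d "$1"; }

# Succeeds only if key and tomb live on different filesystems, i.e. the key is
# not stored next to the data it unlocks (say, a USB stick vs. the laptop disk).
key_is_separated() {
  key=$1 tomb=$2
  [ -f "$key" ] && [ -f "$tomb" ] || return 2
  [ "$(dev_of "$key")" != "$(dev_of "$tomb")" ]
}

# backup_into_tomb KEY TOMB SRC_DIR MOUNTPOINT
# Opens the tomb at MOUNTPOINT, mirrors SRC_DIR into it, then closes it. The
# close step runs whether or not rsync succeeded, so a failed backup never
# leaves the decrypted volume mounted; the function returns rsync's status.
backup_into_tomb() {
  key=$1 tomb=$2 src=$3 mnt=$4
  if ! key_is_separated "$key" "$tomb"; then
    echo "refusing: key '$key' and tomb '$tomb' share a filesystem" >&2
    return 1
  fi
  "$TOMB" open -k "$key" "$tomb" "$mnt" || return 1
  status=0
  "$RSYNC" -a --delete "$src/" "$mnt/" || status=$?
  # tomb close takes the tomb's name, i.e. the file name without .tomb
  "$TOMB" close "$(basename "$tomb" .tomb)" || status=$?
  return "$status"
}

# Usage: sh backup_into_tomb.sh ~/.keys/secrets.key ~/vaults/secrets.tomb ~/Documents /mnt/secure
if [ $# -eq 4 ]; then
  backup_into_tomb "$@"
fi
```

Run it from cron or a login script with the key on removable media; when the stick is not plugged in the separation check fails and nothing is mounted.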


Basic to Advanced Usage Examples

Basic Usage

Create a Tomb Container

tomb dig -s 100 secrets.tomb

Generate a Key

tomb forge secrets.key

Bind the Key to the Tomb

tomb lock -k secrets.key secrets.tomb

Open the Tomb

tomb open -k secrets.key secrets.tomb

Close the Tomb

tomb close

πŸ› οΈ Intermediate Usage
#

Use GPG Keys to Protect the Tomb Key
#

gpg --gen-key
tomb forge secrets.key -g your.name@domain.com

Bury an Executable or Script
#

tomb bury my_script.sh -k secrets.key

Auto-Open on Login
#

if [ -f ~/.keys/secrets.key ]; then
  tomb open ~/vaults/secrets.tomb -k ~/.keys/secrets.key
fi

Advanced Usage

Share Tomb Between Multiple GPG Users

# -r takes a comma-separated list of GnuPG recipients; any of them can unlock the key
tomb forge -g -r alice@example.com,bob@example.com team.key

Forget Tomb Key from Memory

Tomb does not keep the key in memory after opening: the unlocked volume's master key is held by the kernel only while the tomb is mounted, and closing it removes it. To force that even while processes still hold files open, slam the tomb instead of closing it:

tomb slam secrets

Permanently Destroy a Key

# Tomb has no key-destruction command; overwrite and delete the key file with coreutils shred
# (on SSDs and journaling filesystems overwriting may not reach every copy, so keep keys on encrypted media)
shred -u secrets.key

List Open Tombs

tomb list

Use Custom Mount Point

# the mount point is given as a second positional argument
tomb open -k secrets.key secrets.tomb /mnt/secure

Use Cases

  • Personal document encryption
  • Portable encrypted USB containers
  • Secure backups and archiving
  • Shared encrypted storage among trusted GPG identities
  • Keeping secrets out of cloud storage systems

Pros and Cons

Pros:

  • Simple and lightweight
  • Fully open-source
  • No proprietary dependencies
  • Flexible and script-friendly
  • Separation of concerns (data vs key)

Cons:

  • Command-line only (no GUI)
  • GnuPG usage can be complex for new users
  • Requires root privileges for some operations

Installation

On Debian/Ubuntu-based systems:

sudo apt install tomb

On Arch Linux:

yay -S tomb

You can also install from source via the Tomb GitHub repository.


Final Thoughts

Tomb offers a clean, minimal approach to file encryption for Linux users who are comfortable with the terminal. Its separation of key and data makes it particularly suitable for advanced users and those with strict security requirements.

While it may not be beginner-friendly, Tomb shines in its simplicity, portability, and power. If you’re looking for a trusted CLI encryption tool, Tomb is definitely worth exploring.


Want to learn more? Visit the official Tomb website at https://www.dyne.org/software/tomb or check out the Tomb GitHub repo.
