Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tomb, a Successor To TrueCrypt For Linux Geeks

Posted by timothy on from the tomb-is-a-nice-friendly-word dept.

jaromil writes: Last day we released Tomb version 2.1 with improvements to stability, documentation and translations. Tomb is just a ZSh script wrapping around cryptsetup, gpg and other tools to facilitate the creation and management of LUKS encrypted volumes with features like key separation, steganography, off-line search, QRcode paper backups etc. In designing Tomb we struggle for minimalism and readability, convinced that the increasing complexity of personal technology is the root of many vulnerabilities the world is witnessing today — and this approach turns out to be very successful, judging from the wide adoption, appreciation and contributions our project has received especially after the demise of TrueCrypt.

As maintainer of the software I wonder what Slashdot readers think about what we are doing, how we are doing it and more in general about the need for simplicity in secure systems, a debate I perceive as transversal to many other GNU/Linux/BSD projects and their evolution. Given the increasing responsibility in maintaining such a software, considering the human-interface side of things is an easy to reach surface of attack, I can certainly use some advice and criticism.

4 of 114 comments (clear)

  1. VeraCrypt by Sigma+7 · · Score: 5, Informative

    The successor for TrueCrypt is VeraCrypt, as it is a direct fork.

    Also, a "linux geek" would have already have taken dm-crypt as an alternative, or performed the instructions in some Full Disk Encryption Howto.

    1. Re:VeraCrypt by Anonymous Coward · · Score: 3, Informative

      You can encrypt everything but bootloader + kernel + initramfs using a typical good distro installer (including Debian's latest).

      You can encrypt even that, if you use a bootloader capable of decription, but the bootloader will remain unencrypted.

      You can encrypt everything if you use a storage device capable of DRM+crypto, TCG style. But you cannot trust that kind of crap to even operate correctly, let alone implement the crypto (and everything else!) correctly and safely.

      So, usually, one tries to use secure platform mode to attest up to the bootloader and its config, and encrypt-and-authenticate (luks can do this) everything else.

    2. Re:VeraCrypt by mlts · · Score: 4, Informative

      There were two forks coming from TC. CipherShed was another, but it hasn't been updated since pre-alpha, so it is probably good to pronounce it dead, so VeraCrypt is arguably the successor for TrueCrypt as of now.

      If I were only worrying about Linux, I'd either use LUKS or perhaps a filesystem based encryption process like EncFS. EncFS doesn't provide as much protection (it does let an attacker know file sizes in a directory), but it is definitely a lot more flexible, and the encrypted files can be backed up and restored with ease.

  2. Re:Don't try to piggyback on TrueCrypts popularity by ncc74656 · · Score: 4, Informative

    If its Linux only don't present it as a successor to TrueCrypt. A very important feature of TrueCrypt is(was) that it targets Linux, Mac OS X and MS Windows. Any archive being available to any of the three platforms.

    I don't know about Mac support, but if Tomb is just a wrapper around LUKS, the volumes it creates should be accessible on Windows as long as you use a filesystem Windows knows about. Ext2IFS doesn't work on anything newer than Windows Vista, so you're most likely looking at FAT32, exFAT, or NTFS if you want your LUKS volume to be portable.

    Assuming a suitable LUKS volume, you can mount it on Windows with LibreCrypt, which is the successor to FreeOTFE (by way of DoxBox). My work machine still has FreeOTFE on it, but I just installed LibreCrypt on Windows 10 at home and the encrypted volume on my flashstick mounted right up.

    --
    20 January 2017: the End of an Error.