Slashdot Mirror


Tomb, a Successor To TrueCrypt For Linux Geeks

jaromil writes: Yesterday we released Tomb version 2.1 with improvements to stability, documentation and translations. Tomb is just a Zsh script wrapping around cryptsetup, gpg and other tools to facilitate the creation and management of LUKS encrypted volumes, with features like key separation, steganography, off-line search, QR code paper backups etc. In designing Tomb we strive for minimalism and readability, convinced that the increasing complexity of personal technology is the root of many vulnerabilities the world is witnessing today — and this approach turns out to be very successful, judging from the wide adoption, appreciation and contributions our project has received, especially after the demise of TrueCrypt.

As maintainer of the software I wonder what Slashdot readers think about what we are doing, how we are doing it and, more generally, about the need for simplicity in secure systems, a debate I perceive as transversal to many other GNU/Linux/BSD projects and their evolution. Given the increasing responsibility in maintaining such software, and considering that the human-interface side of things is an easily reached attack surface, I can certainly use some advice and criticism.
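The key-separation workflow the submission describes (a random LUKS key kept outside the container and wrapped with gpg, then fed to cryptsetup), as an added shell illustration that is not Tomb's own code. It assumes Linux with cryptsetup, gpg and coreutils, root for the cryptsetup and mount steps, and uses constructed paths and sizes.

```shell
#!/bin/sh
# Added illustration of Tomb-style key separation with plain cryptsetup and gpg.
# Not Tomb's code. Assumes Linux, cryptsetup, gpg, coreutils and root for the
# luks*/mount steps. All paths and sizes here are constructed examples.
set -eu

# Generate a random LUKS key in a file only its owner can read. The key never
# lives inside the container; it travels separately (e.g. on a USB stick).
make_key() {            # $1 = key path, $2 = key length in bytes
    ( umask 077; head -c "$2" /dev/urandom > "$1" )
    chmod 600 "$1"
}

# Wrap the raw key with a passphrase (gpg prompts for it) so that a lost key
# file alone is not enough to open the container. Removes the plaintext copy.
protect_key() {         # $1 = raw key file, $2 = output .gpg file
    gpg --yes --symmetric --cipher-algo AES256 --output "$2" "$1"
    shred -u "$1"       # best effort: not reliable on journaled/SSD storage
}

# Create a file-backed LUKS container, format it with the decrypted key, and
# put a filesystem on it. gpg -d writes the key to stdout; cryptsetup reads it
# from stdin via --key-file=- so the key never touches a temporary file.
create_tomb() {         # $1 = container path, $2 = size in MiB, $3 = key .gpg
    dd if=/dev/urandom of="$1" bs=1M count="$2" status=none
    gpg -d "$3" | cryptsetup --batch-mode --key-file=- luksFormat "$1"
    gpg -d "$3" | cryptsetup --key-file=- open "$1" tomb_fmt
    mkfs.ext4 -q /dev/mapper/tomb_fmt
    cryptsetup close tomb_fmt
}

# Open and mount an existing container; close_tomb reverses it.
open_tomb() {           # $1 = container, $2 = key .gpg, $3 = mapper name, $4 = mountpoint
    gpg -d "$2" | cryptsetup --key-file=- open "$1" "$3"
    mkdir -p "$4"
    mount "/dev/mapper/$3" "$4"
}

close_tomb() {          # $1 = mapper name, $2 = mountpoint
    umount "$2"
    cryptsetup close "$1"
}

# Example session (constructed names; run as root):
#   make_key /tmp/secret.key 512 && protect_key /tmp/secret.key ~/secret.key.gpg
#   create_tomb ~/secret.tomb 64 ~/secret.key.gpg
#   open_tomb ~/secret.tomb ~/secret.key.gpg secret /mnt/secret
#   close_tomb secret /mnt/secret
```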

5 of 114 comments

  1. VeraCrypt by Sigma+7 · Score: 5, Informative

    The successor for TrueCrypt is VeraCrypt, as it is a direct fork.

    Also, a "linux geek" would already have taken dm-crypt as an alternative, or performed the instructions in some Full Disk Encryption Howto.

    1. Re:VeraCrypt by mlts · Score: 4, Informative

      There were two forks coming from TC. CipherShed was another, but it hasn't been updated since pre-alpha, so it is probably good to pronounce it dead, so VeraCrypt is arguably the successor for TrueCrypt as of now.

      If I were only worrying about Linux, I'd either use LUKS or perhaps a filesystem based encryption process like EncFS. EncFS doesn't provide as much protection (it does let an attacker know file sizes in a directory), but it is definitely a lot more flexible, and the encrypted files can be backed up and restored with ease.

  2. Don't try to piggyback on TrueCrypt's popularity by perpenso · Score: 5, Insightful

    If it's Linux only, don't present it as a successor to TrueCrypt. A very important feature of TrueCrypt is (was) that it targets Linux, Mac OS X and MS Windows, with any archive being available on any of the three platforms.

    The successor to TrueCrypt will most likely be something derived from the audited TrueCrypt source code. You just won't compare favorably given the single supported platform. You are just going to create a reputation of being one of the lesser choices, which may be entirely unfair.

    Don't handicap yourself. Promote your software on its own merits; don't try to piggyback on TrueCrypt's popularity, as such a strategy will likely backfire.

    1. Re:Don't try to piggyback on TrueCrypt's popularity by ncc74656 · Score: 4, Informative

      If it's Linux only, don't present it as a successor to TrueCrypt. A very important feature of TrueCrypt is (was) that it targets Linux, Mac OS X and MS Windows, with any archive being available on any of the three platforms.

      I don't know about Mac support, but if Tomb is just a wrapper around LUKS, the volumes it creates should be accessible on Windows as long as you use a filesystem Windows knows about. Ext2IFS doesn't work on anything newer than Windows Vista, so you're most likely looking at FAT32, exFAT, or NTFS if you want your LUKS volume to be portable.

      Assuming a suitable LUKS volume, you can mount it on Windows with LibreCrypt, which is the successor to FreeOTFE (by way of DoxBox). My work machine still has FreeOTFE on it, but I just installed LibreCrypt on Windows 10 at home and the encrypted volume on my flash stick mounted right up.

      --
      20 January 2017: the End of an Error.

  3. Nope. by ledow · Score: 4, Insightful

    Tomb isn't a successor to TrueCrypt, for me at least. Not even close.

    TrueCrypt's selling point is NOT an encrypted container. We can do that any number of ways, not least just encrypted loopback, but all of them leak the same amount of information.

    TrueCrypt's selling point was full disk encryption and a bootloader that hooks BIOS interrupts to allow live, in-memory, OS-agnostic transparent decryption. That's not something you can do with a shell script.

    Anything not full-disk-encryption is worthless if the machine is stolen - it probably takes minutes to find the key in swap files and unlock the containers if they've been used recently. The plain text is probably still lurking around on disk as temporary files etc.

    The only reason I used TrueCrypt was that you could full-disk encrypt and nobody could get in without modifying the hardware of the machine and then getting me to enter my passphrase. Not something that a thief was going to be able to do. It means it was Data Protection compliant, that you could afford to lose the entire machine and not worry, and that it didn't matter what you did with the machine underneath, what OS, what partitioning, etc. even fake partitions with false copies of Windows, etc. in them.

    Sorry, but your slashvertisement is exactly what it says - a shell script around some basic command line utilities. It's nowhere close to a TrueCrypt replacement unless your use-case is extremely trivial and - actually - not that secure at all.

    As it is, I don't think there's currently a product I can use that I can trust with complete boot-time control, except for TrueCrypt and its directly compatible replacements. I will look at various projects as they evolve but, for me, the winner will be whoever gets a UEFI bootloader first.