Tomb: wrappers for LUKS encryption

tomb_compTomb is a Linux encryption API wrapper script providing a simple cmdline interface for end users who want to encrypt their files. Tomb manages encrypted directories protected by encrypted key files in addition to a password. While Ubuntu provides a very easy interface for volume encryption, using the cmdline to create and manage encrypted directories is still not easy for the average user. Tomb is a Zsh script which does all the work by encapsulating intimidating commands and procedures. It also provides an optional system tray icon.


  • Uses standard filesystem tools
  • Supports cryptsetup and LUKS using cryptographic API of the Linux kernel
  • Can generate machine parsable output for use inside graphical applications
  • Create, open, close, delete tombs (encrypted directories)
  • Forge keys protected by a password (GnuPG symmetric encryption) which can be stored in separate media
  • Once open, the tombs are just like normal folders and can contain different files, plus they offer advanced functionalities like bind and execution hooks and fast search, or they can be slammed close even if busy
  • Use multiple tombs simultaneously, directories and files inside them can be bound to files and directories inside home directory
  • Both the secure key and a password are required to open a tomb
  • Takes care of several details to improve user’s behaviour and the security of tombs in everyday usage
  • Open source and free


Tomb requires the following packages (available in the default repositories of most major distributions):

  • zsh
  • sudo
  • gnupg
  • cryptsetup
  • pinentry-curses (and/or -gtk-2, -x11, -qt)

Download the latest stable version of Tomb. Then execute the following commands:

$ tar -xvf Tomb-$version.tar.gz
$ cd Tomb-$version
$ sudo make install

To install a Gtk-tray skull icon for managing tombs change to directory extras/gtk-tray. Then,

  1. make sure libnotify and gtk+-3.0 dev packages are available
  2. run make inside the directory to build tomb-gtk-tray
  3. run sudo make install (default PREFIX is /usr/local)
  4. start tomb-gtk-tray tombname after the tomb is open


  • Create a 100MB tomb, generate key and lock it
    $ tomb dig -s 100 secret.tomb
    $ tomb forge secret.tomb.key
    $ tomb lock secret.tomb -k secret.tomb.key
  • Open a tomb
    $ tomb open secret.tomb -k secret.tomb.key
  • Close a tomb
    $ tomb close
  • Close all open tombs immediately, killing all applications using them
    $ tomb slam all
  • Hide a key inside an image and extract it later
    $ tomb bury -k secrets.tomb.key nosferatu.jpg
    $ tomb open -k nosferatu.jpg secrets.tomb

Full list of tomb commands and options:

Syntax: tomb [options] command [arguments]


// Creation:
dig     create a new empty TOMB file of size -s in MB
forge   create a new KEY file and set its password
lock    installs a lock on a TOMB to use it with KEY

// Operations on tombs:
open    open an existing TOMB
index   update the search indexes of tombs
search  looks for filenames matching text patterns
list    list of open TOMBs and information on them
close   close a specific TOMB (or 'all')
slam    slam a TOMB killing all programs using it
resize  resize a TOMB to a new size -s (can only grow)

// Operations on keys:
passwd  change the password of a KEY (needs old pass)
setkey  change the KEY locking a TOMB (needs old key and pass)

// Backup on paper:
engrave makes a QR code of a KEY to be saved on paper

// Steganography:
bury    hide a KEY inside a JPEG image (for use with -k)
exhume  extract a KEY from a JPEG image (prints to stout)

-s     size of the tomb file when creating/resizing one (in MB)
-k     path to the key to be used ('-k -' to read from stdin)
-n     don't process the hooks found in tomb
-o     mount options used to open (default: rw,noatime,nodev)
-f     force operation (i.e. even if swap is active)
--kdf  generate passwords armored against dictionary attacks

-h     print this help
-v     print version, license and list of available ciphers
-q     run quietly without printing informations
-D     print debugging information at runtime

Webpage: Tomb

Leave a Reply

Your email address will not be published. Required fields are marked *