Tomb-file how to
Tomb-file creation
In R.I.S.K.S. coffin-files are just for GPG-files while tomb-files are for all the other situations.
Now that GPG is fully functional I’m able to create a tomb-file.
This is the standard procedure:
Global vars
I set some global variables:
IDENTITY="joe"
RECIPIENT="joe@foo.bar"
LABEL="label_here"
TOMBID="${IDENTITY}-${LABEL}"
SIZE=15
The size is expressed in MB.
Open identity
I make sure that I’m using the right GPG configuration:
risks open gpg ${IDENTITY}
Tomb creation
I create the tomb-file which is where secrets are stored:
tomb dig -s ${SIZE} ${GRAVEYARD}/${TOMBID}.tomb
Key creation
I produce its key and make it immutable:
risks rw hush
tomb forge -g -r ${RECIPIENT} ${HUSH_DIR}/${TOMBID}.key
sudo chattr +i ${HUSH_DIR}/${TOMBID}.key
risks ro hush
This key is a regular binary key randomly generated by tomb
but it’s also encrypted using GPG. This adds an additional layer of security to the key: it can not be used until it’s decrypted via GPG which, of course, requires the GPG passphrase to do so.
Tomb-Key bonding
I bond the tomb-file with its key (I’m asked for the GPG password):
tomb lock -g -k ${HUSH_DIR}/${TOMBID}.key ${GRAVEYARD}/${TOMBID}.tomb
This step completes the creation of any tomb-file.
Tomb-file initialization
Now I can manually open the tomb and mount it on a temporary directory:
DIR="${TMP}/mount"
mkdir ${DIR} &> /dev/null
tomb open -g -k ${HUSH_DIR}/${TOMBID}.key ${GRAVEYARD}/${TOMBID}.tomb ${DIR}
or I can use risks
:
risks open ${LABEL} ${IDENTITY}
I add some tomb-specific files and close it:
touch ${DIR}/.uid
touch ${DIR}/.tty
touch ${DIR}/.host
touch ${DIR}/.last
tomb close ${TOMBID}
Recap for copy & paste
These are the command required to create a tomb-file:
IDENTITY="joe"
RECIPIENT="joe@foo.bar"
LABEL="label_here"
TOMBID="${IDENTITY}-${LABEL}"
SIZE=15
risks open gpg ${IDENTITY}
tomb dig -s ${SIZE} ${GRAVEYARD}/${TOMBID}.tomb
risks rw hush
tomb forge -g -r ${RECIPIENT} ${HUSH_DIR}/${TOMBID}.key
sudo chattr +i ${HUSH_DIR}/${TOMBID}.key
risks ro hush
tomb lock -g -k ${HUSH_DIR}/${TOMBID}.key ${GRAVEYARD}/${TOMBID}.tomb
Initialization and management:
risks open ${LABEL} ${IDENTITY}
touch ${DIR}/.uid
touch ${DIR}/.tty
touch ${DIR}/.host
touch ${DIR}/.last
risks close ${LABEL} ${IDENTITY}