Tomb-file creation

In R.I.S.K.S. coffin-files are just for GPG-files while tomb-files are for all the other situations.

Now that GPG is fully functional I’m able to create a tomb-file.

This is the standard procedure:

Global vars

I set some global variables:

IDENTITY="joe"
RECIPIENT="joe@foo.bar"
LABEL="label_here"
TOMBID="${IDENTITY}-${LABEL}"
SIZE=15

The size is expressed in MB.

Open identity

I make sure that I’m using the right GPG configuration:

risks open gpg ${IDENTITY}

Tomb creation

I create the tomb-file which is where secrets are stored:

tomb dig -s ${SIZE} ${GRAVEYARD}/${TOMBID}.tomb

Key creation

I produce its key and make it immutable:

risks rw hush

tomb forge -g -r ${RECIPIENT} ${HUSH_DIR}/${TOMBID}.key

sudo chattr +i ${HUSH_DIR}/${TOMBID}.key

risks ro hush

This key is a regular binary key randomly generated by tomb, but it is also encrypted with GPG. This adds a second layer of protection to the key: it cannot be used until it is decrypted via GPG, which of course requires the GPG passphrase.

Tomb-Key bonding

I bond the tomb-file with its key (I'm asked for the GPG passphrase):

tomb lock -g -k ${HUSH_DIR}/${TOMBID}.key ${GRAVEYARD}/${TOMBID}.tomb

This step completes the creation of any tomb-file.
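Before running dig/forge/lock it is worth checking that nothing is about to be clobbered and that the forged key really carries the GPG layer described above. The following preflight script is an added example, not part of R.I.S.K.S. or tomb; it assumes GRAVEYARD and HUSH_DIR are exported by the risks environment and that tomb writes its GPG-encrypted keys as ASCII-armored PGP messages.

```shell
#!/bin/sh
# Added example (not from the R.I.S.K.S. docs): preflight checks for tomb-file
# creation. Assumes GRAVEYARD and HUSH_DIR are set by the risks environment.

# tomb_id IDENTITY LABEL -> prints "identity-label", the page's TOMBID scheme
tomb_id() {
    printf '%s-%s\n' "$1" "$2"
}

# valid_size SIZE -> 0 if SIZE is a positive integer (tomb dig -s takes MB)
valid_size() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -gt 0 ] ;;
    esac
}

# preflight IDENTITY LABEL SIZE -> 0 only if it is safe to dig/forge/lock:
# variables set, SIZE sane, both directories present, and neither the
# tomb-file nor the key already exists (so a mistyped LABEL cannot point
# tomb at somebody else's files).
preflight() {
    identity="$1"; label="$2"; size="$3"
    [ -n "$identity" ] && [ -n "$label" ] || { echo "IDENTITY/LABEL unset" >&2; return 1; }
    valid_size "$size" || { echo "SIZE must be a positive integer (MB)" >&2; return 1; }
    [ -d "${GRAVEYARD:-}" ] || { echo "GRAVEYARD is not a directory" >&2; return 1; }
    [ -d "${HUSH_DIR:-}" ] || { echo "HUSH_DIR is not a directory" >&2; return 1; }
    id=$(tomb_id "$identity" "$label")
    [ ! -e "${GRAVEYARD}/${id}.tomb" ] || { echo "tomb exists: ${id}.tomb" >&2; return 1; }
    [ ! -e "${HUSH_DIR}/${id}.key" ] || { echo "key exists: ${id}.key" >&2; return 1; }
    return 0
}

# key_looks_encrypted KEYFILE -> 0 if the key is an ASCII-armored PGP message,
# i.e. the GPG layer is really there before the key is made immutable and
# used for tomb lock. (Assumption: tomb writes armored keys.)
key_looks_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN PGP MESSAGE-----$'
}
```

Run `preflight "$IDENTITY" "$LABEL" "$SIZE" || exit 1` before `tomb dig`, and `key_looks_encrypted "${HUSH_DIR}/${TOMBID}.key" || exit 1` between `tomb forge` and `chattr +i`.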

Tomb-file initialization

Now I can manually open the tomb and mount it on a temporary directory:

DIR="${TMP}/mount"
mkdir ${DIR} &> /dev/null
tomb open -g -k ${HUSH_DIR}/${TOMBID}.key ${GRAVEYARD}/${TOMBID}.tomb ${DIR}

or I can use risks:

risks open ${LABEL} ${IDENTITY}

I add some tomb-specific files and close it:

touch ${DIR}/.uid
touch ${DIR}/.tty
touch ${DIR}/.host
touch ${DIR}/.last
tomb close ${TOMBID}

Recap for copy & paste

These are the commands required to create a tomb-file:

IDENTITY="joe"
RECIPIENT="joe@foo.bar"
LABEL="label_here"
TOMBID="${IDENTITY}-${LABEL}"
SIZE=15
risks open gpg ${IDENTITY}
tomb dig -s ${SIZE} ${GRAVEYARD}/${TOMBID}.tomb
risks rw hush
tomb forge -g -r ${RECIPIENT} ${HUSH_DIR}/${TOMBID}.key
sudo chattr +i ${HUSH_DIR}/${TOMBID}.key
risks ro hush
tomb lock -g -k ${HUSH_DIR}/${TOMBID}.key ${GRAVEYARD}/${TOMBID}.tomb

Initialization and management:

risks open ${LABEL} ${IDENTITY}
touch ${DIR}/.uid
touch ${DIR}/.tty
touch ${DIR}/.host
touch ${DIR}/.last
risks close ${LABEL} ${IDENTITY}