Bury your secrets with Tomb
Tomb is a handy Linux utility that enables you to create storage vaults that are locked with a private key, which is itself encrypted with a password. You can then distribute those vault files wherever you want, online or offline, and only someone who holds the keyfile and can decrypt it with its password can access the contents.
In the modern age, data security is paramount – and never more so than when dealing with digital value. Even a seemingly trivial mistake can lead to the loss of large amounts of money. If a private key is wrongly exposed to the web, the funds in that address are vulnerable. This raises the question of how to store your private keys and wallet files securely.
Cold storage – holding your keys offline – is one option. It’s highly secure if set up properly, but can be difficult to deal with. And even if you do keep files on USBs or flash drives, it’s still a good idea to encrypt them.
Tomb is a great Linux utility that allows you to create ‘tombs’, encrypted folders that act as storage vaults for your data. They are encrypted with private keys, much like the private keys that control your crypto addresses, and so they are incredibly secure. You can create a tomb, save sensitive data in it, then close it so it is secured by that private key. The keyfile itself is encrypted with a password. You can then store that tomb anywhere, online or off, because without the key the encrypted file is useless to whoever obtains it. Meanwhile you can also keep the encrypted keyfile in a variety of places, ideally offline, since it is protected only by a regular password.
Getting set up (this requires some familiarity with the terminal command line)
To install Tomb on Ubuntu, follow the instructions here. Tomb isn’t in the standard repos, so there are a couple of extra steps. It’s no big deal though, even for beginners.
Once you’ve done that, you can create a new tomb easily with the dig command, a parameter for the size of the vault in MB, and the name of the tomb (here ‘crypto.tomb’):
sudo tomb dig -s 100 crypto.tomb
Next step: create a keyfile to lock this tomb. For security reasons (so that key material is never written to disk via swap), you’ll need to turn off swap with sudo swapoff -a (tomb will prompt you if you haven’t done that). You can turn swap back on with sudo swapon -a when you’re done.
sudo tomb forge crypto.tomb.key
It will ask you to enter a password for the keyfile. Note that you can’t choose your own key, so you can’t use, say, a Bitcoin private key to lock a tomb.
Now, lock the tomb with that key:
sudo tomb lock crypto.tomb -k crypto.tomb.key
Your tomb is now ready to use. At this stage, you should move the keyfile somewhere separate from the tomb itself, just to be on the safe side.
To open a tomb:
sudo tomb open crypto.tomb -k crypto.tomb.key
(This assumes that you haven’t moved your keyfile. If you have, make sure you include its new path in the command.)
And to close it again:
sudo tomb close
When a tomb is open you can find it mounted under /media.
You can save and edit files there, and then close it when you’re done, at which point the tomb will just be another file on the drive, filled with your secrets but inaccessible unless you have the keyfile and its password.
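The dig / forge / lock sequence above, wrapped in a script that refuses to run when swap is still on or when the keyfile would end up next to the tomb. This is an added example, not code from the original post or from the Tomb project; it assumes the tomb command is installed and on PATH, and every path in it is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post or the Tomb project. Assumes the
# `tomb` command is installed; all paths are placeholders.
set -eu

# Return 0 when no swap device is active. Reads /proc/swaps by default; another
# file can be passed in (used for testing). Unreadable file => refuse (return 1).
swap_is_off() {
    f=${1:-/proc/swaps}
    [ -r "$f" ] || return 1
    # /proc/swaps holds only its header line when no swap is active
    [ -z "$(tail -n +2 "$f")" ]
}

# Absolute directory containing a path (raw dirname if it does not exist yet).
abs_dir() {
    d=$(dirname "$1")
    (cd "$d" 2>/dev/null && pwd -P) || printf '%s\n' "$d"
}

# Return 0 when tomb and keyfile live in different directories, so a copy of
# one location does not hand out both halves at once.
key_separate_from_tomb() {
    [ "$(abs_dir "$1")" != "$(abs_dir "$2")" ]
}

# dig, forge and lock a new tomb, then move the key to its own location.
#   $1 tomb path   $2 size in MB   $3 final keyfile path (different directory)
create_locked_tomb() {
    tomb_path=$1 size_mb=$2 key_dest=$3
    key_separate_from_tomb "$tomb_path" "$key_dest" || {
        echo "refusing: keyfile would sit beside the tomb" >&2; return 1; }
    swap_is_off || {
        echo "refusing: turn swap off first (sudo swapoff -a)" >&2; return 1; }
    key_tmp="$tomb_path.key"
    sudo tomb dig -s "$size_mb" "$tomb_path"
    sudo tomb forge "$key_tmp"            # prompts for the keyfile password
    sudo tomb lock "$tomb_path" -k "$key_tmp"
    sudo mv "$key_tmp" "$key_dest"        # never leave key and tomb together
}

# Only runs when invoked with "run", e.g.
#   sh tomb_setup.sh run /home/me/crypto.tomb 100 /media/usb/crypto.tomb.key
if [ "${1:-}" = "run" ]; then
    create_locked_tomb "$2" "$3" "$4"
fi
```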