tcontinuing manual documentation - tomb - the crypto undertaker
(HTM) git clone git://parazyd.org/tomb.git
(DIR) Log
(DIR) Files
(DIR) Refs
(DIR) README
(DIR) LICENSE
---
(DIR) commit 6bda7e914e38fbbdad8ce83b0f829becab90662c
(DIR) parent d769a09d258ad9ab96d64ba0a5eac37280655445
(HTM) Author: Jaromil <jaromil@dyne.org>
Date: Tue, 16 Apr 2013 18:11:26 +0200
continuing manual documentation
Diffstat:
M doc/Tomb_User_Manual.org | 99 ++++++++++++++++++++++++-------
1 file changed, 76 insertions(+), 23 deletions(-)
---
(DIR) diff --git a/doc/Tomb_User_Manual.org b/doc/Tomb_User_Manual.org
t@@ -70,6 +70,8 @@ resistance to omologation.
** Who needs Tomb
+[[file:tomb_and_bats.png]]
+
Tomb improves the usability patterns of every-day cryptography and
relies on military-grade algorithms to grant a level of secrecy for
stored data that is very hard to break by most military organisations
t@@ -124,7 +126,7 @@ Home directory of users and have it ready for use on different
machines. At that time, Tomb was the first secure implementation of
what nowadays we call /persistent storage/ in live operating systems.
-[[images/foster_privacy.png]]
+[[file:foster_privacy.png]]
Later on we've felt the urgency to publishing this mechanism for other
operating systems than dyne:bolic since the current situation in
t@@ -216,62 +218,113 @@ This will autodetect the capabilities of the system and build binary helper appl
** Installation
-After running the configure-make combo to compile binaries it is possible to simply use *make install* to copy several files in place, including the main tomb script, image resources for the gtk pinentry and manuals.
+After running the configure-make combo to compile binaries it is
+possible to simply use *make install* to copy several files in place,
+including the main tomb script, image resources for the gtk pinentry
+and manuals.
Assuming the prefix is /usr/local paths for installation are:
- /usr/local/bin/tomb
- /usr/local/share/tomb
-When installed on a multi-user system, Tomb can be made available to all users even without granting them root access. Simply add this line to */etc/sudoers* (using the visudo command as root) for each user you like to enable to build and use tombs:
+
+*** Multi-user systems
+
+When installed on systems used by multiple users, Tomb can be made
+available to all of them even without granting root access. Simply add
+this line to */etc/sudoers* (using the visudo command as root) for
+each user you like to enable to build and use tombs:
: username ALL=NOPASSWD: /usr/local/bin/tomb
-Tomb is built with this possibility in mind and its code is reviewed to make this setup safe, so that a user cannot escalate to the privilege of a full root shell on the system, but just handle Tombs.
+Tomb is built with this possibility in mind and its code is reviewed
+to make this setup safe, so that a user cannot escalate to the
+privilege of a full root shell on the system, but just handle Tombs.
* Tombs in your pockets
* Tombs in the clouds
+** Server requirements
-
-when creating a tomb make sure the device mapper is loaded among kernel modules
+When creating a tomb make sure the device mapper is loaded among kernel modules
or creation will fail and leave you in the dust.
modprobe dm_mod
modprobe dm_crypt
-to create a tomb on a server (even VPS) is possible, but the problem becomes the little
-available entropy. in order to fix this one can use EGD the Entropy Gathering Daemon.
+** Automatic doors
+
+When logging out of a server it is very easy to forget and leave behind open tombs.
-on Debian, do:
+Using a simple cronjob will make sure that all tombs on server are
+closed automatically if the user who opened them is no more logged in:
-sudo aptitude install libdigest-sha1-perl
-sudo aptitude install ekeyd-egd-linux
+#+BEGIN_EXAMPLE
+#!/bin/zsh
+PATH=$PATH:/usr/local/bin
+tombs=`find /media -name "*tomb"`
+for i in ${(f)tombs}; do
+ { test -r ${i}/.tty } && {
+ tty=`cat ${i}/.tty`
+ uid=`cat ${i}/.uid`
+ if [ -r ${tty} ]; then
+ ttyuid=`ls -ln ${tty} | awk '{print $3}'`
+ { test "$ttyuid" = "$uid" } || { tomb close ${i} }
+ else tomb close ${i}; fi
+ }
+done
+return 0
+#+END_EXAMPLE
-/etc/default/ekeyd-egd-linux
+This script assumes all tombs are opened inside the /media folder and
+that the 'tomb' script is included in root's PATH. Feel free to adapt
+it to your needs and then add it to root's cronjob so that it is run
+every minute.
-wget http://egd.sourceforge.net/
+** Lack of entropy
-perl ./egd.pl
+To create a tomb on a server (especially VPS) the problem becomes the
+lack of available entropy. Generating keys on a desktop (using
+the *forge* command) is the best choice, since entropy can be gathered
+simply moving the mouse. Anyway, in case there is no GNU/Linux desktop
+available with the tomb script installed, one can try generating keys
+directly on the server in a reasonable time usi EGD, the Entropy
+Gathering Daemon.
-/etc/init.d/ekeyd-egd-linux start
+On Debian/Ubuntu, install these packages:
+: # apt-get install libdigest-sha1-perl
+: # apt-get install ekeyd-egd-linux
+Then check ekeyd's default configuration in:
-* Advanced techniques
+: /etc/default/ekeyd-egd-linux
-* Credits
+Then download EGD from its website http://egd.sourceforge.net and
+finally start both EGD and ekeyd:
+
+: perl ./egd.pl # from inside EGD source directory
+: /etc/init.d/ekeyd-egd-linux start # as root on debian
+
+You should see both daemons running, they will feed as much entropy as
+they can gather from various sources. Usually one will experience a
+burst of entropy when they are launched, then the stream keeps going
+rather slow anyway.
+
+
+* Acknowledgments
The development of Tomb was not supported by any governative or
non-governative organization, its author and maintainer is an European
-citizen residing in the Netherlands. Test cases for the development
-Tomb have been analyzed through active exchange with the needs of
-various activist communities, in particular the Italian [[http://www.hackmeeting.org][Hackmeeting
-community]] and the mestizo community of southern Mexico, Chapas and
-Oaxaca.
+citizen residing in the Netherlands.
+
+Test cases for the development Tomb have been analyzed through active
+exchange with the needs of various activist communities, in particular
+the Italian [[http://www.hackmeeting.org][Hackmeeting community]] and the mestizo community of
+southern Mexico, Chapas and Oaxaca.
-* Remote tombs
* Alphabetic Index