Skip to Content

Making Tombs

 — #cryptography#privacy#cybersecurity

If you want to use store stuff data, put it in a Tomb, the crypt undertaker. For remote SSHFS can help you. An SSH server is a pretty common piece of software, by default on all Linux hosts and SSHFS allows you to mount the remote filesystem via SSH.

You may skip and rather how to get started

The good

It's encryption, and can burry things into all sort of non usual suspect files too.

Old Encryption

  • Easy to Set Up: Even to facilitates syncing Tomb between computers.

The bad

  • Not Suitable for Real-Time Sharing: The same Tomb cannot be opened by two different computers in read/write mode simultaneously.

The ugly

  • Not many seem to know about it.


  1. Copy your Tomb to the remote server via SCP:

    scp /path/to/yourthings.tomb
  2. Install SSHFS on your system. For example, on Debian:

    sudo apt-get install sshfs
  3. Mount the remote file system locally:

    sshfs -o allow_root /local/mountpoint/
  4. Open your Tomb:

    tomb open /local/mountpoint/yourthings.tomb -k /path/to/key

That is it. keep going for autosync, or skip to how to get started.

Tomb Autosync via SSHFS

some other stegano


The code in this section is for users who understand it and are willing to debug.


Have two laptops: a big one and a netbook, and we need to share a Tomb with personal settings and data.


We can't use a "shared" Tomb because it cannot be mounted by more than one computer simultaneously. Tomb has no built-in locking mechanism, so we need an external lock.


  1. Acquire the lock
  2. Mount the remote Tomb
  3. Use Unison to sync
  4. Unmount
  5. Release the lock

The (not so) HORRIBLE bashing

Login Script


imgpath=$(zenity --file-selection --text='Choose an image file with an embedded key' --title='Select File')
tomb exhume /tmp/local.tomb $imgpath

(flock 5
if ! tomb open /path/to/local.tomb -k /tmp/local.tomb.key; then
    zenity --error --text='Impossible to mount local tomb!' --title='Horror!'
    return 1
    zenity --notification --text='Local tomb correctly mounted'

if sshfs remote.server:/ /local/mountpoint/; then
    tomb open /local/mountpoint/remote.tomb -k /tmp/local.tomb.key
    zenity --notification --text='Remote tomb correctly mounted'
    zenity --error --text='Impossible to mount remote tomb!' --title='Horror!'
    return 1
) 5> $lockfile

Post-Hook in Remote Tomb



if unison $remotetomb $localtomb; then
    zenity --notification --text='Data sync success'
    zenity --error --text='Data sync failed!' --title='Horror!'
    return 1

Logout Script


wipe -f -s /tmp/local.tomb.key

(flock 5
if tomb close all; then
    zenity --notification --text='Tombs closed, your bones will rest in peace.'
    zenity --error --text='Problems closing tombs!' --title='Horror!'
    return 1
) 5> $lockfile

Cron Script



(flock 5
if !ping -c 1 remote.server; then
    return 1
elif !mountpoint /local/mountpoint/; then
    if sshfs remote.server:/ /local/mountpoint/; then
        tomb open /local/mountpoint/remote.tomb -k /tmp/local.tomb.key
        unison $remotetomb $localtomb
) 5> $lockfile

Using Tomb with Cloud Storage: TombDropbox

Using Tomb with Dropbox to securely store data in the cloud is coo, but has some limitations. Some are Tomb's fault, others Dropbox's.


  • Cannot open a Tomb from two different places simultaneously.
  • Syncing changes to Dropbox is slow because Dropbox doesn't handle deltas well. This limitation is mitigated when using programs like SSHFS, rsync, or SparkleShare.


The cloud can be useful, but storing personal data on remote servers can compromise privacy. Using Tomb with Dropbox can help you benefit from cloud storage without sacrificing privacy.


  1. Create a Tomb:

    tomb create -s X <tomb-name>
  2. Move the Tomb encryption key to a secure place:

    mv <tomb-name>.tomb.key /secure/place/
  3. Move the Tomb file to a Dropbox shared directory:

    mv <tomb-name>.tomb /dropbox/shared/directory/
  4. To access the Tomb:

    tomb -k /secure/place/<tomb-name>.tomb.key open /dropbox/shared/directory/<tomb-name>.tomb

Your Tomb will be accessible in the media directory:


Enjoy secure cloud storage!

Hide secrets in photos

  • Hide the Key
  • Extract a Hidden Key
  • Hooks
  • Bind Hooks
  • Post Hooks
  • Other avanced features

Hide the Key

To hide the key inside an image file (JPEG):

tomb bury -k /path/to/key /path/to/file.jpg

Extract a Hidden Key

To extract a pre-hidden key:

tomb exhume -k /path/to/key /path/to/file.jpg


Hooks are special files that trigger actions when a Tomb is opened or closed.

Bind Hooks

To securely store directories in a Tomb while keeping them in their original locations:

  1. Move the directories to the Tomb's root.
  2. Create a bind-hooks file in the Tomb's root with paths relative to the Tomb and $HOME.

Example bind-hooks files:

mail     Mail     documents     Documents

Post Hooks

To execute a script or binary after opening a Tomb, create a post-hooks file in the Tomb's root.

Example post-hooks file:

<your preferred text editor> todolist.txt

Now that you know how to do cool things with Tomb, here is how to get started

How Tomb Works

Tomb’s hidden file encryption generates encrypted storage folders opened and closed using key files protected by a user-chosen password. Tomb files are indistinguishable and can be safely renamed, transported, and hidden.

stagano encryption 02

The keys should be kept separate, e.g., Tomb file on the hard disk and key files on a USB stick. Once open, a Tomb looks like a folder.

Getting Started

Tomb works on GNU/Linux systems and WSL2 on Windows 11. Also works on OSX thanks to MacTomb.


To install manually:

Clone the github repo, then:

make install

This copies Tomb into /usr/local/bin along with its manpage.


To create a 100MB Tomb called "secret":

tomb dig -s 100 secret.tomb
tomb forge secret.tomb.key
tomb lock secret.tomb -k secret.tomb.key

To open it:

tomb open secret.tomb -k secret.tomb.key

To seal it:

tomb close

To seal all Tombs immediately:

tomb slam all

Advanced Usage

  • Protect passwords from keyloggers.
  • Deniable Key Storasge with Steganography.
  • Use multiple Tombs simultaneously.
  • Resize Tombs.
  • Back to how to SSHFS

This article started with ready to use tomb script to takes care of the incantations to improve a user’s behaviour and the security of tombs in everyday usage: it protects the typing of passwords from keyloggers, facilitates hiding keys inside images, mounts directories in place without copying delicate files around, allows a user to kill all running processes and slam close a tomb in a straightforward command, warns the user about free space and last-time usage, etc.

One can use multiple tombs simultaneously on the same system and list them using tomb list.

Old Encryption

Using tomb resize, one can expand tombs to have more space (but cannot shrink them).

When it is open, a tomb can bind contents inside the user’s $HOME folder using bind-hooks. For instance, .gnupg will only be found inside your $HOME when the tomb opens.

A tomb can be used on a local machine with keys on a server and never stored on the same device:

ssh 'cat my.tomb.key' | tomb open my.tomb -k  
# -k - tells tomb to take the key from stdin.


Mount a Tomb stored on a cloud service:

sshfs -o allow_root /mnt/cloud/
tomb open /mnt/cloud/my.tomb -k my.key

Deniable Key Storage

Colorful stegano Encryption

Hide keys using steganography:

tomb bury
tomb exhume

Backup Keys as QR Codes

Some stago Encryption

Engrave keys to be hidden between book pages:

tomb engrave

Security and Compliance

Tomb is secure because it is minimal, open-source, and works offline. It is compliant with several industry standards, including FIPS 197.

Manual Access

To access a Tomb without the Tomb script:

lo=$(losetup -f)
losetup -f secret.tomb
gpg -d secret.key | head -c -1 | cryptsetup --key-file - luksOpen $lo secret
mount /dev/mapper/secret /mnt

To close it:

umount /

cryptsetup luksClose secret
losetup -d $lo


All I know is what the words know, and dead things, and that makes a handsome little sum, with a beginning and a middle and an end, as in the well-built phrase and the long sonata of the dead.

Samuel Beckett