documentation updates for release

known bugs, changelog and manual for sphinx

ChangeLog.md

@@ -1,5 +1,19 @@
 # Tomb ChangeLog
 
+## 2.6
+### May 2019
+
+This release adds new features and provides an important fix for usage
+of Tomb with cryptsetup 2.1 and future versions; it also fixes a
+whitespace bug in KDF passwords, all fixes are documented in
+KNOWN_BUGS. A notable new feature is the libsphinx integration for
+password-authenticated key agreement (PAKE). Another feature is the
+integration of cloakify to support new cloak/uncloak commands that
+hide keys inside long text files. Also support for gpg sub-keys has
+been added and overall gpg asymmetric key protection is improved.
+
+
+
 ## 2.5
 ### January 2018
 

KNOWN_BUGS.md

@@ -1,3 +1,14 @@
+# Cryptsetup change of default to luks2
+## Issue opening tombs with cryptsetup >2.0
+
+Tomb uses the cryptsetup LUKS volume header default to type luks1
+which has been for long the default in cryptsetup. But starting from
+cryptsetup v2.1 a new default has been introduced (luks2) and the
+--type option added to specify the old luks1.
+
+Using Tomb version 2.6 (and future releases) the problem opening tombs
+using recent GNU/Linux distributions is fixed.
+
 # Whitespaces in KDF passwords
 ## Issue affecting passwords used with PBKDF2 keys (<2.6)
 

README.md

@@ -289,7 +289,7 @@ IRC on https://irc.dyne.org channel **#dyne** (or direct port 9999 SSL)
 
 # Licensing
 
-Tomb is Copyright (C) 2007-2018 by the Dyne.org Foundation and
+Tomb is Copyright (C) 2007-2019 by the Dyne.org Foundation and
 maintained by Denis Roio <[email protected]>. More information on all
 the developers involved is found in the [AUTHORS](AUTHORS.md) file.
 

doc/tomb.1

@@ -268,6 +268,18 @@ key: forces a delay of \fI<itertime>\fR times every time this key is
 used. The actual time to wait depends on the CPU speed of the
 computer where the key is used. Using 5 or 10 is a sane amount for
 modern computers, the value is multiplied by 1 million.
+.B
+.IP "--sphx-user \fI<username>\fR"
+Activate the SPHINX feature for password-authenticated key agreement.
+This option indicates the \fI<username>\fR used to retrieve the
+password from a sphinx oracle key reachable via TCP/IP.
+
+.IP "--sphx-host \fI<domain>\fR"
+Activate the SPHINX feature for password-authenticated key agreement.
+This option indicates the \fI<domain>\fR used to retrieve the password
+from a sphinx oracle daemon reachable via TCP/IP. This is not the
+network address of the daemon, which is configured in /etc/sphinx
+
 .B
 .IP "-h"
 Display a help text and quit.
@@ -444,6 +456,24 @@ its copies are destroyed. The \fI-r\fR option can be used in the tomb
 commands: \fIopen\fR, \fIforge\fR \fIsetkey\fR, \fIpasswd\fR,
 \fIbury\fR, \fIexhume\fR and \fIresize\fR.
 
+.SH SPHINX (PAKE)
+
+Using the package libsphinx
+.UR https://github.com/stef/libsphinx
+.UE
+and its python client/daemon implementation pwdsphinx 
+.UR https://github.com/stef/pwdsphinx
+.UE
+is possible to store and retrieve safely the password that locks the
+tomb. Using this feature will make it impossible to retrieve the
+password without the oracle sphinx server running and reachable. Each
+key entry needs a username and a domain specified on creation and
+a password that locks it.
+
+SPHINX makes it impossible to mailiciously retrieve the password
+locking the tomb key without an attacker accessing both the
+server, the sphinx password and the tomb key file.
+
 .SH EXAMPLES
 
 .IP \(bu

tomb

@@ -7,7 +7,7 @@
 
 # {{{ License
 
-# Copyright (C) 2007-2018 Dyne.org Foundation
+# Copyright (C) 2007-2019 Dyne.org Foundation
 #
 # Tomb is designed, written and maintained by Denis Roio <[email protected]>
 #
@@ -44,8 +44,8 @@
 
 # {{{ Global variables
 
-typeset VERSION="2.5"
-typeset DATE="Jan/2018"
+typeset VERSION="2.6"
+typeset DATE="May/2019"
 typeset TOMBEXEC=$0
 typeset TMPPREFIX=${TMPPREFIX:-/tmp}
 # TODO: configure which tmp dir to use from a cli flag