Mac OS X semi-implementation of Tomb

MacTomb is a kind of Tomb port for Mac OS X. It allows you to create an encrypted DMG file (called a mactomb), copy files and folders into it, and set up a couple of scripts needed to easily mount it and run apps that use files stored inside the mactomb.

Read about MacTomb on the dyne and Lost in ICT blogs

What's new? (v.1.4)

  • added encrypt command: you can now encrypt an unencrypted tomb
  • rename command now updates also the bash script (if specified)
  • added the -t flag: you can specify two types of image format: SPARSEBUNDLE (default) and DMG
  • nicer output
  • moar checks

What's new? (v.1.3)

  • added rename command: you can now change your volume label within mactomb and, by specifying the -b flag, also in the bash script (N.B. you may need to replace the volume label in other files such as, for example, Firefox or Thunderbird profiles)
  • more robust checks to ensure everything works fine

What's new? (v.1.2)

  • compression/decompression support: mactomb is able to compress and decompress mactomb files. See the related section
  • list command: it will list all the open mactombs
  • change password: with chpass you can change your mactomb's password
  • bug fixes and improvements

What's new? (v.1.1)

  • changing flags (again!): now -n specifies the name of the volume (the famous $VOLNAME) while -v enables Mac OS X notifications
  • now the bash script unmounts the mactomb when closing the application. It means that when you close the Automator App, the mactomb will be unmounted
  • added strong checks to verify whether the bash script and Automator App already exist or are directories
  • added a check for the filename to ensure it contains/adds the .dmg extension
  • better error messages

What's new? (v.1.0)

Version 1.0 released! Yes, from 0.1 to 1.0. Why? Big improvements have been made. Read below:

  • there was a conflict between two -s options (size and Automator app). Now the Automator app has the -o flag and the bash script (that previously was -o) becomes -b.
  • possibility to call forge without automatically firing create and app. This means: you can use forge to create only the Automator app. For a better explanation of forge, see the related paragraph
  • you can now specify a command (binary + arguments) with the -a flag, which will be written into the bash script created with the -b flag
  • -o ensures the Automator app has the .app extension so Mac OS X can recognise it (you don't need to specify it via command line)
  • introduced the VOLNAME variable (line 305). By default, the encrypted DMG is labeled untitled. You can rename it by changing the value of that variable.
  • the VOLNAME variable can also be used inside the -a argument to specify an action that has to access file(s) inside the mactomb. For example, the following line works: -a /Applications/ \$VOLNAME/index.html (it will tell Firefox to open /Volumes/$VOLNAME/index.html). Please note the \$VOLNAME: it will be automatically translated to the value of the VOLNAME variable defined in the script
  • more robust error checking

What exactly does it do?

The help is quite explicit:

$ bash help
..:: MacTomb v.1.3 ::..
by Davide Barbato


   list all opened mactombs

  -f <file>   Change passphrase of mactomb <file>

  -f <file>   Compress a mactomb <file> (will make it read-only)

  -f <file>   Decompress a mactomb <file>

  -f <file>       mactomb file (already created)
    -n <volname>  Specify the new volume name to assign to the mactomb <file> (default is "untitled")
    -b <script>\tThe bash script in which replaces all the occurence of the old volum name with the new one

  -f <file>        File to create (the mactomb file)
  -s <size[m|g|t]  Size of the file (m=mb, g=gb, t=tb)
    -p <profile>   Folder/file to copy into the newly created mactomb <file>
    -c             Create a zlib compressed mactomb <file> (will make it read-only)
    -n <volname>   Specify the volume name to assign to the mactomb <file>

  -f <file>   Encrypted DMG to use as mactomb file (already created)
  -a <app>    Binary and arguments of the app you want to use inside the mactomb file
  -b <output> The bash script used to launch the <app> inside the mactomb file <file>

  Will call both "create" and "app" if all flags are specified. Can be called on already created files, in this case skipping "create" and/or "app"
    -o <output> The Automator app used to launch the bash <output> script by Mac OS X

What is the goal? What are you trying to do?

Ok, let's imagine this situation: you want to run Thunderbird or Firefox with a profile inside your mactomb. And since you're on a Mac, you want to do it in a fancy, easy and painless way. What the script does for you with the forge command (including all the optional parameters) is to:

  • create an encrypted DMG file
  • copy the Thunderbird/Firefox profile folder into it
  • create a bash script that will mount the mactomb and run the app (selecting the profile inside the mactomb if not already done)
  • create the Automator script that calls the previously created bash script, so all you need to do is click on this script.

In this way, with a simple click you can enjoy your app with its sensitive data stored inside an AES-256 CBC encrypted container, ready to be uploaded to some cloud storage provider to give you a portable backup of your data.

You can drag the Automator app into the Dock and add an icon, so it will look like a normal app.

The forge command

The forge command is most likely the command you will use most. If you need to create your mactomb from scratch and use an app inside it, this command will be your first choice, since it saves you from calling create and app separately. Plus, forge creates the Automator app, which is useful if you want to run your bash script (created with app) in a Mac OS X way. A good use of forge is the following:

$ bash forge -f ~/mytomb.dmg -s 100m -a "/Applications/ -p test" -b ~/ -o ~/

With the command above we're creating a mactomb file of 100 MB, a bash script ( that will mount the mactomb and call /Applications/ -p test, and the Automator app that will call To make sense of this command, you probably want to create the Firefox profile test inside the mactomb, so every time you run you'll use Firefox with a profile that lives inside an encrypted container.

Now, what if you have already created a mactomb with create or app but you still need to create the Automator app? The following command will be handy (new in version 1.0):

$ bash forge -b ~/ -o ~/

That command can be used even outside the mactomb concept: it can be used to create an Automator app that will call any bash script passed as -b argument.

Compression / Decompression

New in version 1.2, you are now able to compress and decompress your mactomb. Compressing a mactomb will help you save some space: it uses zlib compression at the highest level (9).

Please note that compressing a mactomb will make it read-only.

While this can be seen as a disadvantage, it can be quite useful in the following scenarios:

  • you need to transfer a big mactomb and don't have much space/bandwidth available
  • you need only to read the mactomb's content, so there is no need for writing support

mactomb also provides a decompress command that decompresses a compressed mactomb file, making it read-write again.

How to update

If you have your original folder, move there and type git pull. If not, you'd do better to clone the repository or download the zip file.

Juicy stuff

Using the -v flag, you can have the final result printed as a Mac OS X notification.

Technical details

MacTomb uses hdiutil to create the encrypted DMG. The parameters are specified at the bottom of the script. As previously stated, it uses AES-256 and, by default, hdiutil uses CBC mode. The file system is HFS+, the native and well-supported one on Mac OS X. The directory is used to create the Automator script. If you don't know what Automator is, this is a good start:
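As an added illustration of the forge workflow above and of these technical details (example code written for this page, not MacTomb's own script), the three pieces forge wires together: the hdiutil line that creates the AES-256 encrypted HFS+ image, the hdiutil line behind compress (zlib level 9, which is why the result is read-only), and the generated launcher that mounts the mactomb, runs the -a command with $VOLNAME resolved at run time, and unmounts when the app exits. The hdiutil flags are the documented ones and the Firefox binary path is an assumed demo value; hdiutil only appears inside strings, so the generator itself runs anywhere.

```bash
#!/bin/bash
# Added example, not MacTomb's own code. hdiutil is only referenced inside
# strings, so this file runs anywhere; the generated launcher needs Mac OS X.

# hdiutil line for the "create" step: an AES-256 encrypted HFS+ image.
# Arguments: image path, size (e.g. 100m), volume name, type (SPARSEBUNDLE|DMG).
# hdiutil prompts for the passphrase when -encryption is given.
create_cmd() {
  case "$4" in
    DMG) imgtype=UDIF ;;          # a plain .dmg
    *)   imgtype=SPARSEBUNDLE ;;  # MacTomb's default since v1.4
  esac
  printf 'hdiutil create -size %s -encryption AES-256 -fs HFS+ -volname "%s" -type %s "%s"\n' \
    "$2" "$3" "$imgtype" "$1"
}

# hdiutil line for the "compress" step: zlib level 9 gives a UDZO image,
# which is read-only (the caveat the README notes). Arguments: in, out.
compress_cmd() {
  printf 'hdiutil convert "%s" -format UDZO -imagekey zlib-level=9 -o "%s"\n' "$1" "$2"
}

# Write the launcher that the -b flag produces, to stdout.
# Arguments: mactomb path, volume name, app command (the -a value).
# The -a value may contain a literal $VOLNAME (typed as \$VOLNAME on the
# command line); it is left unexpanded here and resolved by the launcher
# at run time, after VOLNAME is defined, so the app sees /Volumes/<name>/...
gen_launcher() {
  cat <<EOF
#!/bin/bash
VOLNAME="$2"
# Attach the encrypted image; hdiutil asks for the passphrase.
hdiutil attach "$1" || exit 1
# Run the app in the foreground and wait for it to exit.
$3
# Unmount as soon as the app closes so the decrypted view disappears
# (the v1.1 behaviour described above).
hdiutil detach "/Volumes/\$VOLNAME"
EOF
}

# Constructed demo values; the Firefox binary path is an assumption.
gen_launcher "$HOME/mytomb.dmg" "secret" \
  '/Applications/Firefox.app/Contents/MacOS/firefox -profile "/Volumes/$VOLNAME/test"'
```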
