boyska edited this page Jan 23, 2012 · 8 revisions

Figure: Tomb model scheme

The tomb

The tomb is just a file containing a LUKS volume with an ext3 filesystem inside. The only way to open the LUKS device is through a keyfile that is used as key material. Let's call this file LuksKey.

The key

LuksKey is itself symmetrically encrypted with gpg -c, using the user's passphrase.

Procedure

Creating

A random file is created and added to LUKS as a keyfile. It is then encrypted with gpg -c: the result is the tombkey.

Opening

The tombkey is decrypted using gpg -d; the passphrase is provided by the user. The output of gpg is LuksKey, which is passed to LUKS as --key-file.
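
The two procedures above as a shell sketch. This is an added example, not Tomb's own code. The function names, the GPG_OPTS variable, the 256-byte key size and the newtomb mapping name are assumptions, as is a cryptsetup recent enough to format a regular file directly. The temporary LuksKey file should live on a tmpfs.

```shell
#!/bin/sh
# Added illustration of the scheme above; not Tomb's own code.
# GPG_OPTS is a hypothetical hook for extra gpg options; empty means
# gpg asks for the passphrase interactively. Left unquoted on purpose
# so that it splits into separate arguments.

# LuksKey: a file of random bytes used as LUKS key material.
make_lukskey() {    # $1 = output path, $2 = size in bytes (256 assumed)
    ( umask 077; head -c "${2:-256}" /dev/urandom > "$1" )
}

# tombkey = LuksKey symmetrically encrypted with gpg -c.
wrap_key() {        # $1 = LuksKey path, $2 = tombkey path
    gpg $GPG_OPTS --output "$2" -c "$1"
}

# Decrypt the tombkey; LuksKey goes to stdout so it can be piped.
unwrap_key() {      # $1 = tombkey path
    gpg $GPG_OPTS --quiet -d "$1"
}

# Creating (needs root): format the tomb with LuksKey, make the ext3
# filesystem, wrap the key, then delete the cleartext LuksKey.
create_tomb() {     # $1 = tomb file, $2 = tombkey path, $3 = size in MiB
    key=$(mktemp) || return 1
    dd if=/dev/zero of="$1" bs=1M count="$3" status=none &&
    make_lukskey "$key" &&
    cryptsetup --batch-mode luksFormat --key-file "$key" "$1" &&
    cryptsetup luksOpen --key-file "$key" "$1" newtomb &&
    mkfs.ext3 -q /dev/mapper/newtomb &&
    cryptsetup luksClose newtomb &&
    wrap_key "$key" "$2"
    rc=$?
    shred -u "$key" 2>/dev/null || rm -f "$key"
    return "$rc"
}

# Opening (needs root): LuksKey is piped from gpg straight into
# cryptsetup and never written to disk. If gpg cannot decrypt the
# tombkey, cryptsetup receives no key and the open fails.
open_tomb() {       # $1 = tomb file, $2 = tombkey path, $3 = mapper name
    unwrap_key "$2" | cryptsetup luksOpen --key-file - "$1" "$3"
}
```

With this layout the passphrase never reaches LUKS: it only protects the tombkey, so the tomb file and the tombkey can be stored in different places.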
