diff --git a/gnu/packages/crypto.scm b/gnu/packages/crypto.scm
index ebd1821156b6949b7e17573351e38df54a6ddc80..559a3c051a405fbfc6cc0982f382dd1e40b7667c 100644
--- a/gnu/packages/crypto.scm
+++ b/gnu/packages/crypto.scm
@@ -365,6 +365,10 @@ (define-public tomb
        ("util-linux" ,util-linux)))
     (arguments
      `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
+       ;; The "sudo" input is needed only to satisfy dependency checks in the
+       ;; 'check' phase.  The "sudo" used at runtime should come from the
+       ;; system's setuid-programs, so ensure no reference is kept.
+       #:disallowed-references (,sudo)
        ;; TODO: Build and install gtk and qt trays
        #:phases
        (modify-phases %standard-phases
@@ -383,7 +387,7 @@ (define-public tomb
                     ,@(map (lambda (program)
                              (or (and=> (which program) dirname)
                                  (error "program not found:" program)))
-                           '("seq" "mkfs.ext4" "pinentry" "sudo"
+                           '("seq" "mkfs.ext4" "pinentry"
                              "gpg" "cryptsetup" "gettext" "lsof"
                              "qrencode" "steghide" "findmnt")))))
                #t)))