Re: Support for geli onetime encryption for /tmp?

From: Simon L. Nielsen <simon_at_FreeBSD.org>
Date: Sun, 13 Dec 2009 12:12:03 +0100
On 2009.12.13 00:32:54 +0100, Max Laier wrote:
> On Saturday 12 December 2009 23:40:53 Simon L. Nielsen wrote:
> > On 2009.12.12 23:07:58 +0100, Daniel Thiele wrote:
> > > Is there maybe another way to achieve onetime /tmp encryption that
> > > I am missing? Preferably one that does not involve huge changes to
> > 
> > Well, I use the simple one - make /tmp a memory file system.  locate
> > is sometimes not too happy with an e.g. 50MB /tmp, but otherwise it
> > works very well for me.
> > 
> > [simon_at_arthur:~] grep tmp /etc/rc.conf
> > tmpmfs="YES"
> > tmpsize="50M"
> 
> but tmpfs pages are swappable IIRC.  This would mean that the data might end 
> up unencrypted on secondary storage.

Well, above is tmp_m_fs, which is just UFS on md(4) devices.  But that
can also be swapped out, so that's one reason I encrypt swap.  If you
care enough to encrypt /tmp you should also encrypt swap anyway.

I never looked at tmpfs, as I heard that it isn't really stable yet.

-- 
Simon L. Nielsen
Received on Sun Dec 13 2009 - 10:12:05 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:59 UTC