Support for geli onetime encryption for /tmp?
Simon L. Nielsen
simon at FreeBSD.org
Sun Dec 13 11:12:05 UTC 2009
On 2009.12.13 00:32:54 +0100, Max Laier wrote:
> On Saturday 12 December 2009 23:40:53 Simon L. Nielsen wrote:
> > On 2009.12.12 23:07:58 +0100, Daniel Thiele wrote:
> > > Is there maybe another way to achieve onetime /tmp encryption that
> > > I am missing? Preferably one that does not involve huge changes to
> >
> > Well, I use the simple one - make /tmp a memory file system. locate
> > is sometimes not too happy with an e.g. 50MB /tmp, but otherwise it
> > works very well for me.
> >
> > [simon at arthur:~] grep tmp /etc/rc.conf
> > tmpmfs="YES"
> > tmpsize="50M"
>
> But tmpfs pages are swappable IIRC. This would mean that the data might end
> up unencrypted on secondary storage.

Well, above is tmp_m_fs, which is just UFS on md(4) devices. But that
can also be swapped out, so that's one reason I encrypt swap. If you
care enough to encrypt /tmp you should also encrypt swap anyway.

I never looked at tmpfs, as I heard that it isn't really stable yet.
--
Simon L. Nielsen
More information about the freebsd-current
mailing list
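
An added example, not part of the original message: a small sh check for the point made in the thread, that a memory-backed /tmp only stays off disk in plaintext if swap is encrypted too. It assumes swap encryption is configured through the .eli (geli) or .bde (gbde) device suffix in /etc/fstab; the function names, device names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample files below are constructed, not taken from the thread.

# Print the device of every swap entry in an fstab-format file that is not
# an encrypted provider (.eli = geli, .bde = gbde suffix).
unencrypted_swap() {
    awk '
        /^[ \t]*#/ { next }                           # skip comment lines
        NF >= 3 && $3 == "swap" && $1 !~ /\.(eli|bde)$/ { print $1 }
    ' "$1"
}

# Succeed if the last tmpmfs= assignment in an rc.conf-format file is YES.
tmpmfs_enabled() {
    val=$(grep '^tmpmfs=' "$1" | tail -n 1 | cut -d= -f2 | tr -d "\"'")
    case "$val" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# audit RC_CONF FSTAB
# Returns 0 when tmpmfs is YES and every swap entry is encrypted,
# 1 when a plaintext swap device is listed, 2 when tmpmfs is not YES.
audit() {
    if ! tmpmfs_enabled "$1"; then
        echo "tmpmfs not set to YES in $1"
        return 2
    fi
    bad=$(unencrypted_swap "$2")
    if [ -z "$bad" ]; then
        echo "ok: all swap entries encrypted"
        return 0
    fi
    echo "plaintext swap: $bad"
    return 1
}

# Constructed sample input; device names are assumptions.
demo() {
    d=$(mktemp -d)
    printf 'tmpmfs="YES"\ntmpsize="50M"\n' > "$d/rc.conf"
    printf '/dev/ada0p2 / ufs rw 1 1\n/dev/ada0p3 none swap sw 0 0\n' > "$d/fstab.plain"
    printf '/dev/ada0p2 / ufs rw 1 1\n/dev/ada0p3.eli none swap sw 0 0\n' > "$d/fstab.eli"
    audit "$d/rc.conf" "$d/fstab.plain" || true
    audit "$d/rc.conf" "$d/fstab.eli" || true
    rm -rf "$d"
}
demo
```

On a real system the arguments would be /etc/rc.conf and /etc/fstab.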