Date:      Sun, 13 Dec 2009 12:12:03 +0100
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Max Laier <max@love2party.net>
Cc:        Daniel Thiele <dthiele@gmx.net>, freebsd-current@freebsd.org, shaun@freebsd.org
Subject:   Re: Support for geli onetime encryption for /tmp?
Message-ID:  <20091213111202.GA1309@frankie.nitro.dk>
In-Reply-To: <200912130032.54740.max@love2party.net>
References:  <4B24143E.2060803@gmx.net> <20091212224052.GF1417@arthur.nitro.dk> <200912130032.54740.max@love2party.net>

On 2009.12.13 00:32:54 +0100, Max Laier wrote:
> On Saturday 12 December 2009 23:40:53 Simon L. Nielsen wrote:
> > On 2009.12.12 23:07:58 +0100, Daniel Thiele wrote:
> > > Is there maybe another way to achieve onetime /tmp encryption that
> > > I am missing? Preferably one that does not involve huge changes to
> > 
> > Well, I use the simple one - make /tmp a memory file system.  locate
> > is sometimes not too happy with an e.g. 50MB /tmp, but otherwise it
> > works very well for me.
> > 
> > [simon@arthur:~] grep tmp /etc/rc.conf
> > tmpmfs="YES"
> > tmpsize="50M"
> 
> but tmpfs pages are swappable IIRC.  This would mean that the data might end 
> up unencrypted on secondary storage.

Well, above is tmp_m_fs, which is just UFS on md(4) devices.  But that
can also be swapped out, so that's one reason I encrypt swap.  If you
care enough to encrypt /tmp you should also encrypt swap anyway.

I never looked at tmpfs, as I heard that it isn't really stable yet.

-- 
Simon L. Nielsen
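The point raised above is that a memory-backed /tmp (md(4) or tmpfs) can be swapped out, so encrypting /tmp only helps if swap is encrypted too. The following check is an added example, not code from the thread or from FreeBSD itself: it reads swapinfo(8) output and reports any swap device that is not a geli ".eli" provider. It assumes the usual FreeBSD convention of configuring onetime-key encrypted swap via a ".eli" suffix in /etc/fstab; the swapinfo output below is constructed sample data.

```sh
#!/bin/sh
# Added example, not from the thread: flag swap devices that are not
# geli-backed, since swapped-out /tmp pages (md(4) or tmpfs) land there.
# Assumed FreeBSD conventions: encrypted swap is configured in /etc/fstab
# with a ".eli" suffix, e.g.
#   /dev/ada0p3.eli  none  swap  sw  0  0
# which rc(8) attaches with a onetime key at boot (see geli(8)), alongside
# the memory-backed /tmp from the thread in /etc/rc.conf:
#   tmpmfs="YES"
#   tmpsize="50M"

# Constructed sample of swapinfo(8) output so this runs offline; on a real
# host pipe `swapinfo` into the function instead.
SAMPLE_SWAPINFO='Device          1K-blocks     Used    Avail Capacity
/dev/ada0p3.eli   4194304        0  4194304     0%
/dev/ada1p3       2097152        0  2097152     0%'

# Read swapinfo output on stdin and print each swap device whose name does
# not end in ".eli" (i.e. is not a geli provider).  Returns 0 when every
# swap device is encrypted, 1 when at least one is not.
unencrypted_swap() {
    found=0
    while read -r dev _rest; do
        case "$dev" in
            Device|Total) continue ;;   # header and summary lines
            *.eli) ;;                   # geli-backed, fine
            *) printf '%s\n' "$dev"; found=1 ;;
        esac
    done
    return "$found"
}

# Usage: run the check against the constructed sample.
if ! printf '%s\n' "$SAMPLE_SWAPINFO" | unencrypted_swap; then
    echo "warning: unencrypted swap present; /tmp pages can reach disk in the clear" >&2
fi
```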
