From: "Simon L. Nielsen" <simon@nitro.dk>
To: Max Laier
Cc: Daniel Thiele, freebsd-current@freebsd.org, shaun@freebsd.org
Date: Sun, 13 Dec 2009 12:12:03 +0100
Subject: Re: Support for geli onetime encryption for /tmp?
Message-ID: <20091213111202.GA1309@frankie.nitro.dk>
In-Reply-To: <200912130032.54740.max@love2party.net>
References: <4B24143E.2060803@gmx.net> <20091212224052.GF1417@arthur.nitro.dk> <200912130032.54740.max@love2party.net>

On 2009.12.13 00:32:54 +0100, Max Laier wrote:
> On Saturday 12 December 2009 23:40:53 Simon L. Nielsen wrote:
> > On 2009.12.12 23:07:58 +0100, Daniel Thiele wrote:
> > > Is there maybe another way to achieve onetime /tmp encryption that
> > > I am missing? Preferably one that does not involve huge changes to
> >
> > Well, I use the simple one - make /tmp a memory file system. locate
> > is sometimes not too happy with an e.g. 50MB /tmp, but otherwise it
> > works very well for me.
> >
> > [simon@arthur:~] grep tmp /etc/rc.conf
> > tmpmfs="YES"
> > tmpsize="50M"
>
> but tmpfs pages are swappable IIRC. This would mean that the data might end
> up unencrypted on secondary storage.

Well, above is tmp_m_fs, which is just UFS on md(4) devices. But that can
also be swapped out, so that's one reason I encrypt swap. If you care enough
to encrypt /tmp you should also encrypt swap anyway.

I never looked at tmpfs, as I heard that it isn't really stable yet.

-- 
Simon L. Nielsen
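The point of Simon's reply is that a memory-backed /tmp (md(4)-backed UFS or tmpfs) only stays off disk if swap itself is encrypted. The script below is an added example, not part of the thread: it audits a constructed rc.conf for the tmpmfs setting shown above and a constructed /etc/fstab for swap devices that lack the ".eli" suffix, which is what FreeBSD's rc.d/swap looks for to attach the device with geli onetime before swapon. The file contents, device names (ada0p2, ada0p3) and function names are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check that /tmp is
# memory-backed (tmpmfs) and that every swap device is routed through
# geli onetime via the ".eli" suffix in /etc/fstab.

# Constructed sample inputs, written to temp files so the script runs offline.
SAMPLE_RC=$(mktemp)
SAMPLE_FSTAB_WEAK=$(mktemp)
SAMPLE_FSTAB_OK=$(mktemp)
trap 'rm -f "$SAMPLE_RC" "$SAMPLE_FSTAB_WEAK" "$SAMPLE_FSTAB_OK"' EXIT

# rc.conf fragment matching the one quoted in the thread.
cat > "$SAMPLE_RC" <<'EOF'
hostname="example"
tmpmfs="YES"
tmpsize="50M"
EOF

# Weak: raw swap device, so pages of the md-backed /tmp can be written
# to disk in the clear when they are swapped out.
cat > "$SAMPLE_FSTAB_WEAK" <<'EOF'
# Device          Mountpoint  FStype  Options  Dump  Pass#
/dev/ada0p2       none        swap    sw       0     0
/dev/ada0p3       /           ufs     rw       1     1
EOF

# Corrected: the ".eli" suffix makes rc.d/swap run "geli onetime" on the
# device before swapon, with a random key that is discarded at reboot.
cat > "$SAMPLE_FSTAB_OK" <<'EOF'
# Device          Mountpoint  FStype  Options  Dump  Pass#
/dev/ada0p2.eli   none        swap    sw       0     0
/dev/ada0p3       /           ufs     rw       1     1
EOF

# Return 0 if rc.conf enables the memory-backed /tmp, 1 otherwise.
tmpmfs_enabled() {
    grep -Eq '^tmpmfs="?YES"?' "$1"
}

# Return 0 if every swap entry in the given fstab is a .eli device,
# 1 if any swap device is unencrypted. Comments and blank lines are skipped.
all_swap_encrypted() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $3 == "swap" && $1 !~ /\.eli$/ { bad++ }
        END { exit (bad > 0) }
    ' "$1"
}

# Print the unencrypted swap devices, one per line, so an operator knows
# which fstab entries to change.
list_plain_swap() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $3 == "swap" && $1 !~ /\.eli$/ { print $1 }
    ' "$1"
}

# Stand-alone run: report on both sample configurations.
if tmpmfs_enabled "$SAMPLE_RC"; then
    echo "rc.conf: /tmp is memory-backed (tmpmfs=YES)"
fi
for f in "$SAMPLE_FSTAB_WEAK" "$SAMPLE_FSTAB_OK"; do
    if all_swap_encrypted "$f"; then
        echo "$f: all swap devices use geli onetime"
    else
        echo "$f: unencrypted swap: $(list_plain_swap "$f" | tr '\n' ' ')"
    fi
done
```

On a real host the same functions would be pointed at /etc/rc.conf and /etc/fstab; the check only reads the files, it does not change the swap configuration.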