From owner-freebsd-current@FreeBSD.ORG Fri Dec 18 16:18:44 2009
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6DE7A1065672; Fri, 18 Dec 2009 16:18:44 +0000 (UTC) (envelope-from uqs@spoerlein.net)
Received: from acme.spoerlein.net (acme.spoerlein.net [IPv6:2a01:198:206::1]) by mx1.freebsd.org (Postfix) with ESMTP id D8DA88FC1D; Fri, 18 Dec 2009 16:18:43 +0000 (UTC)
Received: from acme.spoerlein.net (localhost.spoerlein.net [IPv6:::1]) by acme.spoerlein.net (8.14.3/8.14.3) with ESMTP id nBIGIgHQ026359 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 18 Dec 2009 17:18:42 +0100 (CET) (envelope-from uqs@spoerlein.net)
Received: (from uqs@localhost) by acme.spoerlein.net (8.14.3/8.14.3/Submit) id nBIGIgZM026358; Fri, 18 Dec 2009 17:18:42 +0100 (CET) (envelope-from uqs@spoerlein.net)
Date: Fri, 18 Dec 2009 17:18:42 +0100
From: Ulrich Spörlein
To: Daniel Thiele
Message-ID: <20091218161842.GP55913@acme.spoerlein.net>
Mail-Followup-To: Daniel Thiele, "Simon L. Nielsen", freebsd-current@freebsd.org, shaun@freebsd.org
References: <4B24143E.2060803@gmx.net> <20091212224052.GF1417@arthur.nitro.dk> <4B251476.1090303@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4B251476.1090303@gmx.net>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: freebsd-current@freebsd.org, "Simon L. Nielsen", shaun@freebsd.org
Subject: Re: Support for geli onetime encryption for /tmp?
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Fri, 18 Dec 2009 16:18:44 -0000

On Sun, 13.12.2009 at 17:21:10 +0100, Daniel Thiele wrote:
> Simon L. Nielsen wrote:
> > On 2009.12.12 23:07:58 +0100, Daniel Thiele wrote:
> >
> >> Is there maybe another way to achieve onetime /tmp encryption that
> >> I am missing? Preferably one that does not involve huge changes to
> >
> > Well, I use the simple one - make /tmp a memory file system. locate
> > is sometimes not too happy with an e.g. 50MB /tmp, but otherwise it
> > works very well for me.
> >
> > [simon@arthur:~] grep tmp /etc/rc.conf
> > tmpmfs="YES"
> > tmpsize="50M"
> >
>
> Using a memory file system (together, of course, with an encrypted swap
> partition) also crossed my mind. While a small memory based /tmp may be
> sufficient for most desktop workloads, I don't think that I can chum up
> with it. Especially when you consider that disk space is orders of
> magnitude cheaper than RAM.
>
> Since the tmpmfs option does not scale well with growing /tmp space
> requirements (at least not in a cost-effective way), I am keen to know
> why the patch I dug up in my first mail has never been committed. Was it
> solely a lack of interest or time, or have there been other reasons?

Either my understanding of the FreeBSD VM is wrong, or you fail to realize
that tmpmfs will be swap-backed, so that disk usage is the same in both
scenarios (but more flexible for the tmpfs).

What I'm saying is that you lose almost nothing of physical RAM if you set
tmpsize=1G and increase your swap accordingly. Once you fill /tmp with 1G,
you will eventually use 1G swap. (medium oversimplification).

Regards,
Uli
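The setup the thread settles on (a tmpmfs-backed /tmp whose pages may be swapped out, so every swap device must be geli-encrypted) is easy to get half right. The following is an added example, not code from the thread or from FreeBSD itself: a small sh audit over constructed rc.conf and fstab samples that flags swap entries without the ".eli" suffix, assuming FreeBSD's convention that rc.d/geli attaches such suffixed swap devices with a onetime key.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the setup the thread describes:
# a memory-backed /tmp (tmpmfs) whose pages can be paged out, so every swap
# device must be geli-encrypted. Assumes the FreeBSD convention that a swap
# entry with a ".eli" suffix in /etc/fstab is attached by rc.d/geli with a
# onetime key. The rc.conf and fstab below are constructed sample files.
set -eu
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

cat > "$DEMO/rc.conf" <<'EOF'
tmpmfs="YES"
tmpsize="1G"
geli_swap_flags="-e AES-XTS -l 256 -s 4096 -d"
EOF

cat > "$DEMO/fstab" <<'EOF'
# Device          Mountpoint  FStype  Options  Dump  Pass
/dev/ada0p2       /           ufs     rw       1     1
/dev/ada0p3.eli   none        swap    sw       0     0
/dev/ada1p1       none        swap    sw       0     0
EOF

# Prints "yes" if rc.conf requests a memory-backed /tmp, else "no".
tmpmfs_enabled() {
    if grep -Eq '^tmpmfs="?YES"?' "$1"; then echo yes; else echo no; fi
}

# Prints swap devices that lack the .eli suffix: these are the ones
# rc.d/geli will not wrap, so a swap-backed /tmp could reach them in clear.
unencrypted_swap() {
    awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ /\.eli$/ { print $1 }' "$1"
}

# Same list as a count, convenient for scripted checks.
unencrypted_swap_count() {
    unencrypted_swap "$1" | wc -l | tr -d ' '
}
audit() {
    echo "tmpmfs enabled: $(tmpmfs_enabled "$1/rc.conf")"
    n=$(unencrypted_swap_count "$1/fstab")
    if [ "$n" -ne 0 ]; then
        echo "WARNING: $n swap device(s) without .eli suffix:"
        unencrypted_swap "$1/fstab"
    fi
}

audit "$DEMO"
```

Point it at a real system by replacing the constructed files with /etc/rc.conf and /etc/fstab; a non-empty warning list means the memory-backed /tmp can spill plaintext to an unencrypted swap device.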