From: Daniel Thiele
Date: Fri, 18 Dec 2009 21:19:04 +0100
To: Daniel Thiele, Ulrich Spörlein, freebsd-current@freebsd.org, shaun@freebsd.org
Subject: Re: Support for geli onetime encryption for /tmp?
List-Id: Discussions about the use of FreeBSD-current

Ulrich Spörlein wrote:
> On Sun, 13.12.2009 at 17:21:10 +0100, Daniel Thiele wrote:
>> Simon L. Nielsen wrote:
>>> On 2009.12.12 23:07:58 +0100, Daniel Thiele wrote:
>>>
>>>> Is there maybe another way to achieve onetime /tmp encryption that
>>>> I am missing? Preferably one that does not involve huge changes to
>>> Well, I use the simple one - make /tmp a memory file system. locate
>>> is sometimes not too happy with an e.g. 50MB /tmp, but otherwise it
>>> works very well for me.
>>>
>>> [simon@arthur:~] grep tmp /etc/rc.conf
>>> tmpmfs="YES"
>>> tmpsize="50M"
>>>
>> Using a memory file system (together, of course, with an encrypted swap
>> partition) also crossed my mind. While a small memory based /tmp may be
>> sufficient for most desktop workloads, I don't think that I can chum up
>> with it. Especially when you consider that disk space is orders of
>> magnitude cheaper than RAM.
>>
>> Since the tmpmfs option does not scale well with growing /tmp space
>> requirements (at least not in a cost-effective way), I am keen to know
>> why the patch I dug up in my first mail has never been committed. Was it
>> solely a lack of interest or time, or have there been other reasons?
>
> Either my understanding of the FreeBSD VM is wrong, or you fail to
> realize that tmpmfs will be swap-backed, so that disk usage is the same
> in both scenarios (but more flexible for the tmpfs).
>
> What I'm saying is that you lose almost nothing of physical RAM if you
> set tmpsize=1G and increase your swap accordingly. Once you fill /tmp
> with 1G, you will eventually use 1G swap. (medium oversimplification).
>

Well, it seems that I really overlooked the fact that tmpmfs will indeed
be swap-based. To my shame I have to admit that I stopped reading at
rc.conf(5), which does not mention that tmpmfs will by default be
swap-based. Thank you for pointing that out.

In that case I was wrong and tmpmfs really provides an interesting
solution to my initial problem.

Best regards,
Daniel
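
The thread's conclusion is that a tmpmfs /tmp is swap-backed and therefore only confidential when swap itself is encrypted. The following check is an added example, not code from the thread or from FreeBSD; the function names, sample files and device names are constructed, and it relies on the FreeBSD convention that a `.eli` suffix on a swap device in /etc/fstab requests one-time geli encryption.

```sh
#!/bin/sh
# Added example, not from the thread. Paths and device names are constructed.

# Print an rc.conf variable's value with quotes stripped (last assignment wins).
rc_value() {  # usage: rc_value VAR FILE
    awk -F= -v k="$1" '$1 == k { v = $2; gsub(/"/, "", v); val = v }
                       END { print val }' "$2"
}

# Print fstab swap devices that lack the .eli suffix (assumed to mean plaintext).
plain_swap() {  # usage: plain_swap FSTAB
    awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ /\.eli$/ { print $1 }' "$1"
}

# Return 0 only when /tmp is a memory file system and no swap is plaintext.
audit_tmp() {  # usage: audit_tmp RC_CONF FSTAB
    mfs=$(rc_value tmpmfs "$1" | tr 'a-z' 'A-Z')
    if [ "$mfs" != "YES" ]; then
        echo "tmpmfs is not YES: /tmp may sit on an unencrypted disk file system"
        return 2
    fi
    leaks=$(plain_swap "$2")
    if [ -n "$leaks" ]; then
        echo "swap-backed /tmp can reach plaintext swap on:" $leaks
        return 1
    fi
    echo "ok: tmpmfs=YES tmpsize=$(rc_value tmpsize "$1"), all swap is .eli"
}

# Constructed sample files: the thread's settings with plain vs. geli swap.
demo=$(mktemp -d)
printf 'tmpmfs="YES"\ntmpsize="1G"\n' > "$demo/rc.conf"
printf '# Device Mountpoint FStype Options Dump Pass\n/dev/ada0p2 none swap sw 0 0\n' > "$demo/fstab.plain"
printf '/dev/ada0p2.eli none swap sw 0 0\n' > "$demo/fstab.eli"
audit_tmp "$demo/rc.conf" "$demo/fstab.plain" || true
audit_tmp "$demo/rc.conf" "$demo/fstab.eli" || true
```

On a real system the same functions can be pointed at /etc/rc.conf and /etc/fstab.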