I don't encrypt it; I just use an MFS mount and a chmod 1777 for it in rc.conf.local. Not for security; but for whatever small performance gain I might get, particularly during long builds of userland or ports.
(I have an encrypted filesystem; I used to use a vnode for it but switched to softraid about a year ago.)
__________________
OpenBSD LiveCDs/LiveDVDs

Encrypted /tmp: upside, the file system data is encrypted; downside: well, the hubbub of encrypting it and such.
Memory File System (man mfs): Upside, the data is not retained between boots; downside: the data may reside momentarily in memory even after power has been turned off, and likewise any backing store (e.g. swap partition) should be encrypted for extra paranoia. Encrypting your system's installed memory is a little, eh, I'm not even gonna go there.
So in my humble opinion: a pure MFS is probably not as useful as an encrypted partition, unless you've got memory to burn (amd64 suggested) and a big encrypted swap file.
I haven't done any disk encryption recently, but I believe the process is very simple: set up your encrypted 'backing', set up a partition on the encrypted 'pseudo device', and mount it as /tmp. Something like:
Code:
vnconfig -ck svndN /dev/wd... # whatever /tmp is on now
# +/- erasing it with dd'ing
# bytes from /dev/srandom
fdisk svndN
disklabel svndN
newfs rsvndNa
mount /dev/svndNa /tmp
Not sure what /etc/fstab would look like, but maybe something like:
Code:
/dev/wd0d /dev/svnd0a vnd rw,-k 0 0
/dev/svnd0a /tmp ffs rw,FLAGS 0 0
suggested reading in manual: vnd, svnd, vnconfig, mfs
disclaimer: I haven't played with encrypted disks in quite a while now.
__________________
My Journal
Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.

Terry -- on OpenBSD, swap encryption has been a sysctl since 1999, and more importantly, it has been enabled by default since 2005 (3.8).
__________________
Jggimi, I said memory to burn and a big encrypted swap partition ;-)
& thanks about the sysctl, I didn't know it went as far back as 2.5 or 2.6; always thought it was early 2000s.
__________________
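The trade-off discussed in this thread (an MFS /tmp can be paged out, so swap encryption decides its exposure; an svnd-backed /tmp is only encrypted if a key was supplied), as an added example that is not part of any post above. The function name, the verdict strings and the sample mount lines are constructed for illustration; it assumes the usual `device on dir type fstype (options)` shape of mount(8) output and the `vm.swapencrypt.enable` sysctl, which the thread mentions but does not name.

```shell
#!/bin/sh
# Added example: classify how /tmp is protected at rest on OpenBSD, from the
# text of `mount` and the value of `sysctl -n vm.swapencrypt.enable`.
# The function name and verdict strings are this example's own.

# tmp_posture MOUNT_TEXT SWAPENCRYPT
# Prints one verdict: mfs-swap-encrypted | mfs-swap-cleartext |
#                     svnd-verify-key | disk-unknown | not-separate
tmp_posture() {
    # The last matching line wins: a later mount over /tmp hides earlier ones.
    entry=$(printf '%s\n' "$1" |
        awk '$2 == "on" && $3 == "/tmp" && $4 == "type" { e = $1 " " $5 }
             END { print e }')
    if [ -z "$entry" ]; then
        echo not-separate   # /tmp shares the fate of its parent filesystem
        return 0
    fi
    dev=${entry% *}
    fstype=${entry#* }
    case "$fstype:$dev" in
        mfs:*)
            # MFS pages can be paged out, so swap encryption decides exposure.
            if [ "$2" = "1" ]; then echo mfs-swap-encrypted
            else echo mfs-swap-cleartext; fi ;;
        *:/dev/svnd*)
            # mount output cannot show whether vnconfig -k supplied a key.
            echo svnd-verify-key ;;
        *)
            # e.g. a softraid crypto volume looks like an ordinary disk here.
            echo disk-unknown ;;
    esac
}

# Constructed sample input in the shape of OpenBSD mount(8) output.
SAMPLE_MFS='/dev/wd0a on / type ffs (local)
mfs:29514 on /tmp type mfs (asynchronous, local, nodev, nosuid, size=1048576 512-blocks)'
SAMPLE_SVND='/dev/wd0a on / type ffs (local)
/dev/svnd0a on /tmp type ffs (local)'

# On a live system:
#   tmp_posture "$(mount)" "$(sysctl -n vm.swapencrypt.enable)"
tmp_posture "$SAMPLE_MFS" 1
tmp_posture "$SAMPLE_SVND" 1
```

The `svnd-verify-key` and `disk-unknown` verdicts are deliberate: the mount table alone cannot prove a volume is encrypted, so those cases need a check of how the device was configured.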