Support for geli onetime encryption for /tmp?

Ulrich Spörlein uqs at spoerlein.net
Fri Dec 18 16:18:44 UTC 2009


On Sun, 13.12.2009 at 17:21:10 +0100, Daniel Thiele wrote:
> Simon L. Nielsen wrote:
> > On 2009.12.12 23:07:58 +0100, Daniel Thiele wrote:
> > 
> >> Is there maybe another way to achieve onetime /tmp encryption that
> >> I am missing? Preferably one that does not involve huge changes to
> > 
> > Well, I use the simple one - make /tmp a memory file system.  locate
> > is sometimes not too happy with an e.g. 50MB /tmp, but otherwise it
> > works very well for me.
> > 
> > [simon at arthur:~] grep tmp /etc/rc.conf
> > tmpmfs="YES"
> > tmpsize="50M"
> > 
> 
> Using a memory file system (together, of course, with an encrypted swap
> partition) also crossed my mind. While a small memory based /tmp may be
> sufficient for most desktop workloads, I don't think that I can chum up
> with it. Especially when you consider that disk space is orders of
> magnitude cheaper than RAM.
> 
> Since the tmpmfs option does not scale well with growing /tmp space
> requirements (at least not in a cost-effective way), I am keen to know
> why the patch I dug up in my first mail has never been committed. Was it
> solely a lack of interest or time, or have there been other reasons?

Either my understanding of the FreeBSD VM is wrong, or you fail to
realize that tmpmfs will be swap-backed, so that disk usage is the same
in both scenarios (but more flexible for the tmpfs).

What I'm saying is that you lose almost nothing of physical RAM if you
set tmpsize=1G and increase your swap accordingly. Once you fill /tmp
with 1G, you will eventually use 1G swap. (medium oversimplification).

Regards,
Uli
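The setup Uli describes, a swap-backed md /tmp whose overflow can only reach disk through encrypted swap, is easy to get half right: tmpmfs="YES" on its own does nothing for confidentiality if the swap device in /etc/fstab is a plain partition. The POSIX sh script below is an added example, not code from the thread or from the FreeBSD project; it checks both halves of the configuration against constructed sample rc.conf and fstab contents. The function names (rc_var, tmp_is_mfs, swap_all_encrypted, audit_tmp) and the sample device names are hypothetical; the one thing it relies on that is FreeBSD's own convention is the ".eli" suffix on a swap entry in fstab, which the rc scripts use to attach geli with a one-time key before swapping onto the device.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not from the mailing-list thread).
# Verifies that /tmp is an md-backed memory file system (tmpmfs) and that
# every swap entry in fstab is a geli ".eli" device, so anything that spills
# out of /tmp under memory pressure only ever reaches disk encrypted.

# Constructed sample configs, in the shape a correctly set up host would have.
SAMPLE_RC_CONF='hostname="arthur"
tmpmfs="YES"
tmpsize="1G"
'
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options  Dump  Pass
/dev/ada0p2     /           ufs     rw       1     1
/dev/ada0p3.eli none        swap    sw       0     0
'
# Same layout, but the swap device lacks the .eli suffix: plain-text swap,
# so a swap-backed /tmp would leak its contents to disk in the clear.
SAMPLE_FSTAB_BAD='/dev/ada0p2     /           ufs     rw       1     1
/dev/ada0p3     none        swap    sw       0     0
'

# rc_var CONFIG NAME: print the value of NAME="value" (or NAME=value) from
# an rc.conf body; the last assignment wins, as it does for sh itself.
rc_var() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" |
        tail -n 1
}

# tmp_is_mfs CONFIG: succeed if tmpmfs is enabled in the rc.conf body.
tmp_is_mfs() {
    case "$(rc_var "$1" tmpmfs)" in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# swap_all_encrypted FSTAB: succeed only if there is at least one swap entry
# and every swap entry names a .eli (geli one-time encrypted) device.
swap_all_encrypted() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 3 { next }
        $3 == "swap" { total++; if ($1 ~ /\.eli$/) enc++ }
        END { exit (total > 0 && enc == total) ? 0 : 1 }'
}

# audit_tmp RC_CONF FSTAB: print a verdict; return 0 when /tmp is md-backed
# and all swap is encrypted, 1 when tmpmfs is off, 2 when swap is in the clear.
audit_tmp() {
    _rc_conf="$1"
    _fstab="$2"
    if ! tmp_is_mfs "$_rc_conf"; then
        echo "FAIL: tmpmfs is not enabled; /tmp lives unencrypted on disk"
        return 1
    fi
    if ! swap_all_encrypted "$_fstab"; then
        echo "FAIL: unencrypted swap entry; /tmp pages can reach disk in the clear"
        return 2
    fi
    echo "OK: /tmp is md-backed (tmpsize=$(rc_var "$_rc_conf" tmpsize)) and all swap is geli .eli"
    return 0
}

# Demonstration on the constructed samples.
audit_tmp "$SAMPLE_RC_CONF" "$SAMPLE_FSTAB" || true
audit_tmp "$SAMPLE_RC_CONF" "$SAMPLE_FSTAB_BAD" || true
```

On a live host, run it against the real files with `audit_tmp "$(cat /etc/rc.conf)" "$(cat /etc/fstab)"`. The check is deliberately strict about every swap entry rather than any: md pages can land on whichever swap device the VM picks, so a single unencrypted partition in the set undoes the protection of the others.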

