Support for geli onetime encryption for /tmp?

Daniel Thiele dthiele at gmx.net
Fri Dec 18 20:13:27 UTC 2009



Ulrich Spörlein wrote:
> On Sun, 13.12.2009 at 17:21:10 +0100, Daniel Thiele wrote:
>> Simon L. Nielsen wrote:
>>> On 2009.12.12 23:07:58 +0100, Daniel Thiele wrote:
>>>
>>>> Is there maybe another way to achieve onetime /tmp encryption that
>>>> I am missing? Preferably one that does not involve huge changes to
>>> Well, I use the simple one - make /tmp a memory file system.  locate
>>> is sometimes not too happy with an e.g. 50MB /tmp, but otherwise it
>>> works very well for me.
>>>
>>> [simon at arthur:~] grep tmp /etc/rc.conf
>>> tmpmfs="YES"
>>> tmpsize="50M"
>>>
>> Using a memory file system (together, of course, with an encrypted swap
>> partition) also crossed my mind. While a small memory based /tmp may be
>> sufficient for most desktop workloads, I don't think that I can chum up
>> with it. Especially when you consider that disk space is orders of
>> magnitude cheaper than RAM.
>>
>> Since the tmpmfs option does not scale well with growing /tmp space
>> requirements (at least not in a cost-effective way), I am keen to know
>> why the patch I dug up in my first mail has never been committed. Was it
>> solely a lack of interest or time, or have there been other reasons?
> 
> Either my understanding of the FreeBSD VM is wrong, or you fail to
> realize that tmpmfs will be swap-backed, so that disk usage is the same
> in both scenarios (but more flexible for the tmpfs).
> 
> What I'm saying is that you lose almost nothing of physical RAM if you
> set tmpsize=1G and increase your swap accordingly. Once you fill /tmp
> with 1G, you will eventually use 1G swap. (medium oversimplification).
> 

Well, it seems that I really overlooked the fact that tmpmfs will indeed
be swap-based. To my shame I have to admit that I stopped reading at
rc.conf(5), which does not mention that tmpmfs will by default be
swap-based.

Thank you for pointing that out. In that case I was wrong and tmpmfs
really provides an interesting solution to my initial problem.

Best regards,
Daniel
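The thread's conclusion is that a swap-backed tmpmfs only gives "onetime encryption" of /tmp if every swap device the memory disk can page to is itself geli-encrypted. Below is an added example (not from the thread, and not FreeBSD project code): the rc.conf and fstab lines that set this up, followed by a POSIX sh check that reads mount(8) and swapinfo(8) output and fails if /tmp is not an md device or if any swap device is not a `.eli` provider. The device name /dev/ada0p3 and the size 1G are hypothetical, the sample command output is constructed in the shape of FreeBSD's mount and swapinfo output, and the check assumes (as Ulrich states above) that tmpmfs yields a swap-backed md(4) device.

```shell
#!/bin/sh
# Added example, not part of the original thread.
#
# Configuration under discussion (hypothetical device name and size):
#
#   /etc/rc.conf
#     tmpmfs="YES"          # rc.d/tmp mounts a memory disk on /tmp
#     tmpsize="1G"          # pages beyond free RAM spill to swap
#
#   /etc/fstab
#     /dev/ada0p3.eli  none  swap  sw  0  0
#     # the .eli suffix makes rc.d/encswap attach a onetime geli device
#     # with a random key before swapon, so spilled /tmp pages are never
#     # written to disk in the clear
#
# The check below verifies both halves of that assumption on a running
# system; constructed samples let it run anywhere for demonstration.

# Constructed sample in the shape of `mount` output on FreeBSD.
SAMPLE_MOUNT='/dev/ada0p2 on / (ufs, local, soft-updates)
devfs on /dev (devfs, local, multilabel)
/dev/md0 on /tmp (ufs, local, soft-updates)'

# Constructed sample in the shape of `swapinfo` output: all swap encrypted.
SAMPLE_SWAPINFO_OK='Device          1K-blocks     Used    Avail Capacity
/dev/ada0p3.eli   4194304        0  4194304     0%
Total             4194304        0  4194304     0%'

# Constructed sample: a second, plaintext swap device has been added.
SAMPLE_SWAPINFO_BAD='Device          1K-blocks     Used    Avail Capacity
/dev/ada0p3.eli   4194304        0  4194304     0%
/dev/ada1p3       2097152        0  2097152     0%
Total             6291456        0  6291456     0%'

# tmp_is_md MOUNT_OUTPUT
# Succeeds if /tmp is mounted from a memory disk (/dev/mdN), i.e. tmpmfs
# is actually in effect rather than /tmp living on the plaintext root fs.
tmp_is_md() {
    printf '%s\n' "$1" | awk '
        $3 == "/tmp" && $1 ~ "^/dev/md[0-9]+$" { ok = 1 }
        END { exit !ok }'
}

# swap_all_encrypted SWAPINFO_OUTPUT
# Succeeds only if there is at least one swap device and every device line
# (header and Total rows skipped) names a geli provider ending in .eli.
# One plaintext swap device is enough to leak /tmp contents, so any such
# line fails the check.
swap_all_encrypted() {
    printf '%s\n' "$1" | awk '
        NR == 1 || $1 == "Total" { next }
        { n++; if ($1 !~ "\\.eli$") bad++ }
        END { exit (n == 0 || bad > 0) }'
}

# check_live: run both checks against the real system (FreeBSD only).
check_live() {
    tmp_is_md "$(mount)" && swap_all_encrypted "$(swapinfo)"
}

if [ "$(uname -s)" = "FreeBSD" ]; then
    if check_live; then
        echo "/tmp is md-backed and all swap devices are geli-encrypted"
    else
        echo "WARNING: /tmp is not md-backed or some swap is unencrypted" >&2
    fi
fi
```

Run it after boot on the machine in question; on anything other than FreeBSD only the functions are defined and the constructed samples can be fed to them by hand. The swap check deliberately refuses a system with no swap at all, since a tmpmfs with no swap behind it simply fails allocations rather than encrypting anything.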

