Support for geli onetime encryption for /tmp?
dthiele at gmx.net
Fri Dec 18 20:13:27 UTC 2009
Ulrich Spörlein wrote:
> On Sun, 13.12.2009 at 17:21:10 +0100, Daniel Thiele wrote:
>> Simon L. Nielsen wrote:
>>> On 2009.12.12 23:07:58 +0100, Daniel Thiele wrote:
>>>> Is there maybe another way to achieve onetime /tmp encryption that
>>>> I am missing? Preferably one that does not involve huge changes to
>>> Well, I use the simple one - make /tmp a memory file system. locate
>>> is sometimes not too happy with an e.g. 50MB /tmp, but otherwise it
>>> works very well for me.
>>> [simon at arthur:~] grep tmp /etc/rc.conf
>> Using a memory file system (together, of course, with an encrypted swap
>> partition) also crossed my mind. While a small memory based /tmp may be
>> sufficient for most desktop workloads, I don't think that I can chum up
>> with it. Especially when you consider that disk space is orders of
>> magnitude cheaper than RAM.
>> Since the tmpmfs option does not scale well with growing /tmp space
>> requirements (at least not in a cost-effective way), I am keen to know
>> why the patch I dug up in my first mail has never been committed. Was it
>> solely a lack of interest or time, or have there been other reasons?
> Either my understanding of the FreeBSD VM is wrong, or you fail to
> realize that tmpmfs will be swap-backed, so that disk usage is the same
> in both scenarios (but more flexible for the tmpfs).
> What I'm saying is that you lose almost nothing of physical RAM if you
> set tmpsize=1G and increase your swap accordingly. Once you fill /tmp
> with 1G, you will eventually use 1G swap. (medium oversimplification).
Well, it seems that I really overlooked the fact that tmpmfs will indeed
be swap-based. To my shame I have to admit that I stopped reading at
rc.conf(5), which does not mention that tmpmfs will by default be
Thank you for pointing that out. In that case I was wrong and tmpmfs
really provides an interesting solution to my initial problem.
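The setup this thread settles on (tmpmfs together with an encrypted swap partition) keeps /tmp contents off disk in the clear only if every swap device is encrypted, because a swap-backed /tmp pages out to swap. The check below is an added example, not part of the original message; it assumes geli onetime swap is configured through the `.eli` suffix in /etc/fstab, treats only `tmpmfs="YES"` as sufficient, and uses constructed sample files.

```shell
#!/bin/sh
# Added example: verify that a swap-backed /tmp cannot spill to plaintext swap.
# Usage: check_tmp_onetime <rc.conf> <fstab>; returns 0 if OK, 1 otherwise.
check_tmp_onetime() {
    rcconf=$1 fstab=$2 rc=0

    # Parse (do not source) rc.conf; the last tmpmfs= assignment wins.
    val=$(grep '^tmpmfs=' "$rcconf" | tail -n 1 | cut -d= -f2 |
          tr -d "\"'" | sed 's/[[:space:]]*#.*$//')
    case $val in
        [Yy][Ee][Ss]) ;;
        *) echo "tmpmfs is '${val:-unset}': /tmp is not guaranteed to be a memory file system"
           rc=1 ;;
    esac

    # Every active swap entry must name a .eli (geli onetime) provider.
    plain=$(awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ /\.eli$/ { print $1 }' "$fstab")
    for dev in $plain; do
        echo "swap device $dev is not a .eli provider: /tmp pages can reach disk unencrypted"
        rc=1
    done
    return $rc
}

# Constructed sample files (not taken from the thread).
d=$(mktemp -d)
printf 'tmpmfs="YES"\ntmpsize="1G"\n'        > "$d/rc.conf"
printf '/dev/ad0s1b     none swap sw 0 0\n'  > "$d/fstab.plain"
printf '/dev/ad0s1b.eli none swap sw 0 0\n'  > "$d/fstab.eli"

check_tmp_onetime "$d/rc.conf" "$d/fstab.plain" || echo "=> plaintext swap found"
check_tmp_onetime "$d/rc.conf" "$d/fstab.eli"   && echo "=> /tmp and swap look fine"
```

On a live system, pass `/etc/rc.conf` and `/etc/fstab` as the two arguments.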