How do I encrypt my /tmp directory?
After reading this question about how often tmp is cleared, it would be best for our setup if tmp is encrypted. How do I encrypt it?
My fstab looks like this:
proc /proc proc nodev,noexec,nosuid 0 0
/dev/mapper/vg_doulos-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=205a1a54-7dfa-45a6-a7e3-4a7234b3a473 /boot ext4 defaults 0 2
/dev/mapper/vg_doulos-home /home ext4 defaults 0 2
/dev/mapper/vg_doulos-tmp /tmp ext4 defaults 0 2
# swap was on /dev/sda2 during installation
#UUID=705e9f69-bf95-4d44-9119-c40076d10333 none swap sw 0 0
/dev/mapper/cryptswap1 none swap sw 0 0
crypttab:
# <target name> <source device> <key file> <options>
cryptswap1 /dev/sda2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
Is it sufficient to put something like this in crypttab?
crypttmp /dev/mapper/vg_doulos-tmp /dev/urandom
and then this to replace the tmp file entry in fstab?
/dev/mapper/crypttmp /tmp ext4 defaults 0 2
The correct incantation in crypttab should look like this:
crypttmp /dev/mapper/vg_doulos-tmp /dev/urandom precheck=/bin/true,tmp,size=256,hash=sha256,cipher=aes-cbc-essiv:sha256
The most important part was the precheck=/bin/true. The reason why /tmp wasn't mounting was that cryptsetup was failing due to a precheck. The precheck noticed that the LVM partition was formatted for ext4 and refused to continue.
The fstab entry should look like this:
/dev/mapper/crypttmp /tmp ext4 defaults 0 2
Starting with Avery's answer (on Ubuntu 12.04), I had to specify the filesystem type with "tmp=ext4" to get it to work:
/etc/cryptsetup:
crypttmp /dev/sdb /dev/urandom precheck=/bin/true,tmp=ext4,size=256,hash=sha256,cipher=aes-cbc-essiv:sha256
/etc/fstab:
/dev/mapper/crypttmp /tmp ext4 noatime 0 2
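Added example (my own code, not from any of the answers): a small Python checker that parses crypttab and fstab text like the entries in the two answers above and reports whether the /tmp mapping uses a random key, gets a fresh filesystem at boot, and matches the fstab filesystem type, accepting both the bare tmp and the tmp=ext4 forms. The sample file contents are constructed from the answers, and the precheck warning reflects the failure the first answer describes on that Ubuntu setup.

```python
import re
# Constructed sample files that mirror the answers above (not read from disk).
CRYPTTAB = """\
# <target name> <source device> <key file> <options>
cryptswap1 /dev/sda2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
crypttmp /dev/mapper/vg_doulos-tmp /dev/urandom precheck=/bin/true,tmp=ext4,size=256,hash=sha256,cipher=aes-cbc-essiv:sha256
"""
# The asker's original one-liner, with no options at all.
CRYPTTAB_BARE = "crypttmp /dev/mapper/vg_doulos-tmp /dev/urandom\n"
FSTAB = """\
/dev/mapper/vg_doulos-root / ext4 errors=remount-ro 0 1
/dev/mapper/crypttmp /tmp ext4 noatime 0 2
"""

def parse_table(text):
    """Split a crypttab/fstab-style file into field lists, skipping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def check_encrypted_tmp(crypttab, fstab, mountpoint="/tmp"):
    """Return the problems found with the encrypted mountpoint setup ([] means consistent)."""
    fs_rows = [r for r in parse_table(fstab) if len(r) >= 3 and r[1] == mountpoint]
    if not fs_rows:
        return [f"{mountpoint} has no fstab entry"]
    device, fstype = fs_rows[0][0], fs_rows[0][2]
    m = re.fullmatch(r"/dev/mapper/(\S+)", device)
    if not m:
        return [f"{mountpoint} is mounted from {device}, not a device-mapper target"]
    ct_rows = [r for r in parse_table(crypttab) if r[0] == m.group(1)]
    if not ct_rows:
        return [f"no crypttab entry for target {m.group(1)}"]
    row = ct_rows[0]
    keyfile = row[2] if len(row) > 2 else "none"
    # Options are comma separated; "tmp" may stand alone or carry "=<fstype>".
    opts = dict(o.partition("=")[::2] for o in row[3].split(",")) if len(row) > 3 else {}
    problems = []
    if keyfile != "/dev/urandom":
        problems.append(f"key {keyfile} is not random, so {mountpoint} data survives reboots")
    if "tmp" not in opts:
        problems.append("missing tmp option: no fresh filesystem is created at boot")
    elif opts["tmp"] and opts["tmp"] != fstype:
        problems.append(f"crypttab formats {opts['tmp']} but fstab mounts {fstype}")
    if keyfile == "/dev/urandom" and "precheck" not in opts:
        # The first answer hit this: the precheck saw ext4 on the backing LVM volume and refused.
        problems.append("no precheck override; setup may refuse a device that already holds a filesystem")
    return problems
```

Paste the real file contents into CRYPTTAB and FSTAB to check a live system; any returned string is a misconfiguration to investigate before trusting the mount.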
I think you're right; it should be enough to add in crypttab:
crypttmp /dev/mapper/vg_doulos-tmp /dev/urandom tmp
and in fstab:
/dev/mapper/crypttmp /tmp ext4 defaults 0 0
Greets