Hey all, I'm trying to piece together information I'm finding from Google and what works with Arch. I want both my /tmp and swap to be encrypted. This particular method will generate new keys each boot.
I'm stuck on these two lines and where they should be placed. Maybe rc.sysinit after the LVM section. The reason is that /dev/mapper/* is not static and has to be regenerated every boot. Anybody know another place, or is that the proper file?
mknod -m 0550 /dev/mapper/cryptotmp c 254 0
mknod -m 0550 /dev/mapper/cryptoswap c 254 0
FSTAB doesn't seem to balk about these lines, but I don't think it's a good fit.
cryptoswap /dev/disk/by-uuid/UUID=50edf71c-0056-42d3-941d-fe01ee28e777 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
cryptotmp /dev/disk/by-uuid/UUID=5504cc86-be3a-4a5e-b082-8dfa9dc24fdb /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,tmp
These are definite /etc/fstab lines:
/dev/mapper/cryptoswap swap swap sw 0 0
/dev/mapper/cryptotmp /tmp ext2 defaults 0 0
True, and further down in that article it references Arch Linux: LVM on top of an encrypted partition, which has served me well.
I'm also trying to get this to work. The wiki is not enough, since I don't care about suspend to disk etc and I want the key replaced and the partitions to be re-created at every reboot.
(The wiki is good enough for swap but not for /tmp imo.)
The mknod commands should not be used, cryptsetup sets those up for you.
SWAP
/etc/crypttab : swap /dev/sdaX SWAP -c aes-cbc-essiv:sha256 -s 256
/etc/fstab : /dev/mapper/swap none swap sw 0 0
/tmp
According to http://linux.die.net/man/5/crypttab you should be able to just use tmp instead of SWAP. This doesn't seem to work though.
My solution (the best I've found so far; it shows an error message when turning off the system, though it seems harmless):
/etc/crypttab : tmp /dev/sdaY /dev/urandom -c aes-cbc-essiv:sha256 -s 256 && mke2fs -q /dev/mapper/tmp
/etc/fstab : /dev/mapper/tmp /tmp ext2 defaults,noatime,nosuid,noexec 0 0
The wiki solution to the /tmp problem :
fstab : /dev/mapper/tmp /tmp tmpfs defaults 0 0
crypttab : tmp /dev/sdaY /dev/urandom -c aes-xts-plain -s 512
The problem with this setup is that tmpfs is, by default, set to half the size of your RAM. You can specify another size, but you have to be exact, since it doesn't actually check if there is that much space on the partition, resulting in df -h being able to report a 5G /tmp mounted on a 1G /dev/mapper/tmp. If you don't specify a size, and the partition you intend to use for /tmp is larger than 50% of your RAM, then part of it will be unused.
You can't just use ext2 instead of tmpfs either, since it'll complain because there is no ext2 filesystem on /dev/mapper/tmp.
Btw, it appears that tmpfs is actually using RAM instead of a partition... http://en.wikipedia.org/wiki/Tmpfs
So... a larger encrypted swap, and mount tmpfs to /tmp, letting the os decide what goes in the swapfile when? Seems like a reasonable solution actually. I'll try it out (and probably update the wiki when I find a solution I'm happy with).
Found this : http://bugs.archlinux.org/task/15257 <- Start voting
Found this as well : http://bugs.archlinux.org/task/17131 <- I wouldn't recommend using swap space encrypted with a random key until this is fixed
Last edited by scorpyn (2009-11-14 01:56:26)
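The crypttab entries above key swap and /tmp from a fresh random key on every boot, which means the named backing device is re-keyed (and, for /tmp, re-formatted) each time; if that device is given as /dev/sdaX and the kernel renumbers disks, the wrong partition gets wiped. As an added example, not from this thread or the Arch wiki, the POSIX sh audit below parses entries in the old Arch crypttab layout the posts use (key field SWAP or /dev/urandom means random key) and flags random-key entries that use a non-persistent device path; the sample crypttab text and the PLACEHOLDER-UUID are constructed.

```shell
#!/bin/sh
# Constructed sample in the old Arch crypttab layout: <name> <device> <key> <options>
SAMPLE_CRYPTTAB='# <name> <device> <key> <options>
swap /dev/sdaX SWAP -c aes-cbc-essiv:sha256 -s 256
tmp  /dev/sdaY /dev/urandom -c aes-xts-plain -s 512
tmp2 /dev/disk/by-uuid/PLACEHOLDER-UUID /dev/urandom -c aes-xts-plain -s 512
home /dev/sdb1 none luks'

# is_random_key KEY: true when the key field means "new random key each boot".
# SWAP is the old crypttab shorthand for a random-key swap mapping.
is_random_key() {
    case "$1" in
        /dev/urandom|/dev/random|SWAP) return 0 ;;
        *) return 1 ;;
    esac
}

# is_persistent_device DEV: true for device references that survive
# disk renumbering (udev by-* symlinks, UUID=/LABEL= specs, dm names).
is_persistent_device() {
    case "$1" in
        /dev/disk/by-uuid/*|/dev/disk/by-id/*|/dev/disk/by-partuuid/*) return 0 ;;
        /dev/disk/by-label/*|/dev/disk/by-partlabel/*|/dev/mapper/*) return 0 ;;
        UUID=*|LABEL=*|PARTUUID=*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_crypttab: read crypttab text on stdin; print "RISK <name> <device>"
# for every random-key entry whose backing device is not a persistent path.
# Comment lines and blank lines are skipped.
audit_crypttab() {
    while read -r name device key options; do
        case "$name" in ''|'#'*) continue ;; esac
        if is_random_key "$key" && ! is_persistent_device "$device"; then
            printf 'RISK %s %s\n' "$name" "$device"
        fi
    done
}

# count_risky: number of flagged entries in the constructed sample.
count_risky() {
    printf '%s\n' "$SAMPLE_CRYPTTAB" | audit_crypttab | wc -l | tr -d ' '
}

# Run the audit on the sample when executed directly; expected: swap and tmp flagged.
printf '%s\n' "$SAMPLE_CRYPTTAB" | audit_crypttab
```

To check a live system, replace the sample with `audit_crypttab < /etc/crypttab`; the script only reads the file and never touches block devices.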