
#1 2009-11-11 21:12:46

OrangeRoot1000
Member
From: TN -- USA
Registered: 2008-08-07
Posts: 106

Encryption of /tmp and swap in Arch

Hey all, I'm trying to piece together information I'm finding from Google and what works with Arch. I want both my /tmp and swap to be encrypted. This particular method will generate new keys each boot.

I'm stuck on these two lines and where they should be placed. Maybe rc.sysinit after the LVM section. The reason being that /dev/mapper/* is not static and has to be regenerated every boot. Anybody know another place, or is that the proper file?

mknod -m 0550 /dev/mapper/cryptotmp c 254 0
mknod -m 0550 /dev/mapper/cryptoswap c 254 0   

fstab doesn't seem to balk about these lines, but I don't think it's a good fit.

cryptoswap /dev/disk/by-uuid/50edf71c-0056-42d3-941d-fe01ee28e777 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
cryptotmp /dev/disk/by-uuid/5504cc86-be3a-4a5e-b082-8dfa9dc24fdb /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,tmp


These are definite /etc/fstab lines:
/dev/mapper/cryptoswap swap swap sw 0 0
/dev/mapper/cryptotmp /tmp ext2 defaults 0 0


#2 2009-11-11 22:42:49

jwwolf
Member
Registered: 2009-06-29
Posts: 74

Re: Encryption of /tmp and swap in Arch

Always use the Arch Wiki over google.
tmp
swap

Last edited by jwwolf (2009-11-11 22:43:20)


#3 2009-11-11 23:07:31

vacant
Member
From: downstairs
Registered: 2004-11-05
Posts: 816

Re: Encryption of /tmp and swap in Arch

jwwolf wrote:

Always use the Arch Wiki over google.
tmp
swap

True, and further down in that article it references Arch Linux: LVM on top of an encrypted partition, which has served me well.


#4 2009-11-12 23:02:14

scorpyn
Member
From: Sweden
Registered: 2008-01-29
Posts: 66

Re: Encryption of /tmp and swap in Arch

I'm also trying to get this to work. The wiki is not enough, since I don't care about suspend to disk etc and I want the key replaced and the partitions to be re-created at every reboot.
(The wiki is good enough for swap but not for /tmp imo.)

The mknod commands should not be used, cryptsetup sets those up for you.

SWAP

/etc/crypttab : swap     /dev/sdaX     SWAP     -c aes-cbc-essiv:sha256 -s 256
/etc/fstab    : /dev/mapper/swap     none    swap     sw     0 0

/tmp
According to http://linux.die.net/man/5/crypttab you should be able to just use tmp instead of SWAP. This doesn't seem to work though.
My solution (the best I've found so far; it shows an error message when shutting down the system, though that seems harmless):

/etc/crypttab : tmp     /dev/sdaY     /dev/urandom     -c aes-cbc-essiv:sha256 -s 256 && mke2fs -q /dev/mapper/tmp
/etc/fstab    : /dev/mapper/tmp     /tmp     ext2     defaults,noatime,nosuid,noexec 0 0

The wiki solution to the /tmp problem :

fstab : /dev/mapper/tmp         /tmp    tmpfs           defaults        0       0
crypttab : tmp    /dev/sdaY    /dev/urandom    -c aes-xts-plain -s 512

The problem with this setup is that tmpfs is, by default, set to half the size of your RAM. You can specify another size, but you have to be exact, since it doesn't actually check if there is that much space on the partition, resulting in df -h being able to report a 5G /tmp mounted on a 1G /dev/mapper/tmp. If you don't specify a size, and the partition you intend to use for /tmp is larger than 50% of your RAM, then part of it will be unused.

You can't just use ext2 instead of tmpfs either, since it'll complain because there is no ext2 filesystem on /dev/mapper/tmp.


Btw, it appears that tmpfs is actually using RAM instead of a partition... http://en.wikipedia.org/wiki/Tmpfs

So... a larger encrypted swap, and mount tmpfs to /tmp, letting the os decide what goes in the swapfile when? Seems like a reasonable solution actually. I'll try it out (and probably update the wiki when I find a solution I'm happy with).


Found this: http://bugs.archlinux.org/task/15257 <- Start voting :)

Found this as well: http://bugs.archlinux.org/task/17131 <- I wouldn't recommend using swap space encrypted with a random key until this is fixed :(

Last edited by scorpyn (2009-11-14 01:56:26)

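Added example (not code from any poster in this thread, and not the Arch wiki's): the same random-key setup for swap and /tmp that the crypttab entries above describe, done by hand as shell functions so the ordering is explicit. It assumes the current cryptsetup syntax ("cryptsetup open --type plain", which in 2009 was spelled "cryptsetup -c ... -s ... -d /dev/urandom create NAME DEV"), uses aes-xts-plain64 with a 512-bit key as the modern equivalent of the aes-xts-plain line quoted from the wiki, and treats /dev/sdX and /dev/sdY as placeholder partitions. Since every run wipes the partition it is pointed at, the script checks the raw device for an existing filesystem or LUKS signature first (a correctly set up random-key device only ever shows random bytes at the raw level), and it runs in dry-run mode unless it is root or DRY_RUN is cleared.

```shell
#!/bin/sh
# Random-key dm-crypt for swap and /tmp, done in shell instead of /etc/crypttab.
# Assumptions (not from the thread): cryptsetup >= 1.6 syntax, e2fsprogs,
# util-linux blkid; /dev/sdX and /dev/sdY are placeholders for dedicated
# partitions that hold nothing you want to keep.

# Dry-run by default unless running as root; DRY_RUN=1 forces it anywhere.
: "${DRY_RUN:=}"
if [ -z "$DRY_RUN" ] && [ "$(id -u)" != 0 ]; then DRY_RUN=1; fi

# Either execute a command or print it, one line per command.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse if the raw device already carries a filesystem or LUKS header:
# a device that has only ever been used through a random-key mapping shows
# no signature, so one here means the wrong partition was named (or it must
# be wiped once, deliberately, with wipefs before first use).
check_blank() {
    dev=$1
    if [ -z "$DRY_RUN" ] && sig=$(blkid -p -o value -s TYPE "$dev" 2>/dev/null); then
        echo "refusing: $dev already has a $sig signature" >&2
        return 1
    fi
}

# Open DEV as plain (headerless) mapping NAME with a key read from
# /dev/urandom. The key exists only in kernel memory; once the mapping is
# closed or the machine reboots, the old contents are unrecoverable.
open_random() {
    name=$1; dev=$2
    run cryptsetup open --type plain \
        --cipher aes-xts-plain64 --key-size 512 \
        --key-file /dev/urandom "$dev" "$name"
}

# Swap needs a signature written through the mapping before swapon accepts it.
# Note: a random key rules out resume from hibernation on this device.
setup_swap() {
    dev=$1
    check_blank "$dev" || return 1
    open_random cryptoswap "$dev"
    run mkswap /dev/mapper/cryptoswap
    run swapon /dev/mapper/cryptoswap
}

# /tmp: the fresh mapping is random bytes, so a filesystem must be created
# before mount can succeed (the step a bare crypttab line does not do).
# mke2fs leaves the root directory 0755; /tmp needs the sticky bit and 1777.
setup_tmp() {
    dev=$1
    check_blank "$dev" || return 1
    open_random cryptotmp "$dev"
    run mke2fs -q -t ext2 /dev/mapper/cryptotmp
    run mount -o nosuid,noexec,nodev /dev/mapper/cryptotmp /tmp
    run chmod 1777 /tmp
}

# Usage: ./cryptotmp.sh swap /dev/sdX   or   ./cryptotmp.sh tmp /dev/sdY
if [ $# -ge 2 ]; then
    case "$1" in
        swap) setup_swap "$2" ;;
        tmp)  setup_tmp  "$2" ;;
        *)    echo "usage: $0 {swap|tmp} DEVICE" >&2; exit 2 ;;
    esac
fi
```

Run it with DRY_RUN=1 first to see the exact command sequence for your device names; the order (open, then mkswap or mke2fs, then swapon or mount) is what has to happen at every boot, which is why it belongs in an early boot hook rather than in fstab alone, and why mount options such as nosuid,noexec,nodev are applied here rather than relied upon from a later remount.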
