
After reading this question about how often tmp is cleared, it would be best for our setup if tmp is encrypted. How do I encrypt it?

My fstab looks like this:

proc            /proc           proc    nodev,noexec,nosuid 0       0
/dev/mapper/vg_doulos-root /               ext4    errors=remount-ro 0       1
# /boot was on /dev/sda1 during installation
UUID=205a1a54-7dfa-45a6-a7e3-4a7234b3a473 /boot           ext4    defaults        0   2
/dev/mapper/vg_doulos-home /home           ext4    defaults        0       2
/dev/mapper/vg_doulos-tmp /tmp            ext4    defaults        0       2
# swap was on /dev/sda2 during installation
#UUID=705e9f69-bf95-4d44-9119-c40076d10333 none            swap    sw              0  0
/dev/mapper/cryptswap1 none swap sw 0 0

crypttab:

# <target name> <source device>         <key file>      <options>
cryptswap1 /dev/sda2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

Is it sufficient to put something like this in crypttab?

crypttmp /dev/mapper/vg_doulos-tmp /dev/urandom

and then this to replace the tmp file entry in fstab?

/dev/mapper/crypttmp /tmp ext4 defaults 0 2

  • Just a question, why do you need to encrypt the /tmp folder? There are other ways of dealing with it. – Mitch May 31 '12 at 05:16
  • @Mitch What other ways do you suggest? Any others that address the problem of what happens if someone breaks in, cuts the power, and takes the machine? (I mean, clearly not everyone needs something this robust, but it seems like encrypting /tmp beats most alternatives, when it comes to privacy of the files it contains.) – Eliah Kagan May 31 '12 at 08:05
  • @Eliah Kagan Maybe something like shredding the /tmp folder on shutdown. So if someone does break in, cuts the power, and takes the machine, that will simulate a shutdown. So shredding would be good. – Mitch May 31 '12 at 08:13
  • @Mitch If they cut the power, the machine doesn't shut down. It was on, and suddenly now it's off. Nothing gets shredded. Any cleartext in /tmp stays there and can be recovered quickly and trivially. – Eliah Kagan May 31 '12 at 08:21
  • @Eliah Kagan Following the default Ubuntu install, wouldn't /tmp be configured as tmpfs, which is a RAM disk? So the moment the machine is off in any way, it should be gone. – Mitch May 31 '12 at 08:25
  • @Mitch No, I don't think so. My Ubuntu 12.04 system has /run, /run/lock, and /run/shm listed as tmpfs filesystems (when I run mount). /tmp itself is just part of the / filesystem (i.e., when I run mount | grep /tmp, I get no output). Of course, if you did have /tmp configured as a tmpfs ramdisk, then you wouldn't have to shred it either. (Actually, there are exploits to read from RAM pulled from a computer that was recently on. But protecting against that sort of attack involves mainly an increase in physical security.) – Eliah Kagan May 31 '12 at 08:32
  • Then again, my Ubuntu system is upgraded from previous releases. Is /tmp a tmpfs ramdisk on your machine(s)? – Eliah Kagan May 31 '12 at 08:35
  • @Mitch EliahKagan describes exactly why I want to encrypt /tmp. On CentOS 6.2 I found that /tmp didn't delete all the files between reboots; I assumed that Ubuntu was this way as well. I can try to verify your statement about /tmp being wiped between shutdowns. – Son of the Wai-Pan May 31 '12 at 23:07
  • /tmp does get wiped between shutdowns... – Son of the Wai-Pan Jun 04 '12 at 07:02
  • My suggested solution doesn't work. Any other solutions? I get stopped at boot and have to manually skip mounting /tmp. – Son of the Wai-Pan Jun 04 '12 at 07:36

3 Answers

4

The correct incantation in crypttab should look like this:

crypttmp /dev/mapper/vg_doulos-tmp /dev/urandom precheck=/bin/true,tmp,size=256,hash=sha256,cipher=aes-cbc-essiv:sha256

The most important part was the precheck=/bin/true. The reason why /tmp wasn't mounting was that cryptsetup was failing due to a precheck. The precheck noticed that the LVM partition was formatted for ext4 and refused to continue.

The fstab entry should look like this:

/dev/mapper/crypttmp /tmp ext4 defaults 0 2
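The two things that went wrong in this thread (a random-key mapping with no option that formats it, and the default precheck refusing a device that still carries an ext4 filesystem) can be caught before rebooting. The following POSIX sh linter is an added example, not code from the question or any answer; the filesystem type of the backing device is passed in as an argument so it runs offline (on a live system it would come from `blkid -o value -s TYPE`).

```shell
# Added example: lint /etc/crypttab lines that use a throwaway key (/dev/urandom).
# Such a mapping gets a fresh key every boot, so it is only usable with the
# "tmp" or "swap" option (which formats it after setup); and because the default
# precheck refuses a backing device that already holds a filesystem, an LV that
# was previously formatted ext4 needs precheck=/bin/true, as in the accepted answer.

# check_crypttab_line LINE FSTYPE
#   LINE   one crypttab line
#   FSTYPE filesystem type currently on the backing device, or "" if none
#          (assumed input; on a live system: blkid -o value -s TYPE "$device")
# Prints a verdict; returns 0 if the entry should work, 1 if it will not.
check_crypttab_line() {
    line=$1 fstype=$2
    case "$line" in ''|\#*) return 0 ;; esac      # blank line or comment
    set -- $line                                   # split into the four fields
    name=$1 dev=$2 key=$3 opts=$4
    if [ "$key" != /dev/urandom ]; then
        echo "$name: static key file, not checked"; return 0
    fi
    formats=0 precheck_off=0
    oldifs=$IFS; IFS=,
    for o in $opts; do                             # options are comma separated
        case "$o" in
            tmp|tmp=*|swap)     formats=1 ;;
            precheck=/bin/true) precheck_off=1 ;;
        esac
    done
    IFS=$oldifs
    if [ "$formats" -eq 0 ]; then
        echo "$name: random key but no tmp/swap option; $dev would never be formatted"
        return 1
    fi
    if [ -n "$fstype" ] && [ "$precheck_off" -eq 0 ]; then
        echo "$name: $dev already contains $fstype; default precheck will refuse it (add precheck=/bin/true)"
        return 1
    fi
    echo "$name: ok"
}

# Constructed sample run over the entries from this thread, assuming
# vg_doulos-tmp still carries its old ext4 filesystem and sda2 is blank.
check_crypttab_line "crypttmp /dev/mapper/vg_doulos-tmp /dev/urandom" ext4 || :
check_crypttab_line "crypttmp /dev/mapper/vg_doulos-tmp /dev/urandom tmp" ext4 || :
check_crypttab_line "crypttmp /dev/mapper/vg_doulos-tmp /dev/urandom precheck=/bin/true,tmp,size=256,hash=sha256,cipher=aes-cbc-essiv:sha256" ext4 || :
check_crypttab_line "cryptswap1 /dev/sda2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256" "" || :
```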

2

Starting with Avery's answer, (on Ubuntu 12.04) I had to specify the filesystem type with "tmp=ext4" to get it to work:

/etc/cryptsetup:

crypttmp /dev/sdb /dev/urandom precheck=/bin/true,tmp=ext4,size=256,hash=sha256,cipher=aes-cbc-essiv:sha256

/etc/fstab:

/dev/mapper/crypttmp /tmp ext4 noatime 0 2
Stephen
1

I think you're right, it should be enough to add in crypttab:

crypttmp  /dev/mapper/vg_doulos-tmp  /dev/urandom  tmp

and in fstab:

/dev/mapper/crypttmp  /tmp  ext4  defaults  0  0

Greets

Steve
  • This doesn't work. :( I think it might be because /dev/mapper/vg_doulos-tmp is already in /dev/mapper and I'm trying to create another item there. – Son of the Wai-Pan Jun 04 '12 at 07:35
  • Why do you have it twice? – Steve Jun 04 '12 at 07:49
  • I don't have it twice. I was just hypothesizing, but I don't think my guess is correct either. Here's what my fstab and crypttab look like: http://pastebin.com/GjsfewRR – Son of the Wai-Pan Jun 04 '12 at 08:31
  • I ran cryptdisks_start crypttmp and the output was: * crypttmp: the precheck for '/dev/mapper/vg_doulos-tmp' failed: - The device /dev/mapper/vg_doulos-tmp contains a filesystem type ext4. Any ideas how to fix this? I think the boot process is choking on this. – Son of the Wai-Pan Jun 04 '12 at 08:43
  • Try: /dev/mapper/crypttmp /tmp ext2 defaults 0 0 – Steve Jun 04 '12 at 09:44