How do I encrypt my /tmp directory (system directory /tmp)?

I want an encrypted /tmp folder, like ecryptfs-setup-swap.
Are there any problems with using a “random pass-phrase” encrypted /tmp partition or directory?
How do I encrypt my /tmp directory (like swapfile) “system directory /tmp”?
An encrypted partition that is recreated at every boot (like the setup for the swapfile)?
How can this be done?

On 05/02/2016 07:16 AM, 123thinksuse wrote:
>
> I want an encrypted /tmp folder, like cryptoswap.
> Are there any problems with using a “random pass-phrase” encrypted /tmp
> partition or directory?
> How do I encrypt my /tmp directory (like swapfile) “system directory
> /tmp”?
> An encrypted partition that is recreated at every boot (like the setup
> for the swapfile)?
> How can this be done?

Which version of openSUSE are you using? I believe /tmp these days uses
tmpfs which is a RAM drive, meaning it will always be recreated when the
system is rebooted, and once powered off there is no way to get data out
of there, encrypted or otherwise.

It may help to understand your business case for this, to see if adding
encryption really does anything (unlikely, since encryption is useful for
data at rest, and /tmp is always mounted when the system is running).


Good luck.


I am using openSUSE Leap 42.1.
You mean the system automatically uses tmpfs?

If you are already using encrypted swap, then just use “tmpfs” for “/tmp”.

At one time, I used to do that. These days, I normally use an encrypted LVM, with root, home and swap as volumes within the encrypted LVM. I normally use a separate unencrypted “/boot”, though it is possible to have “/boot” as part of the encrypted LVM (within root file system). However, I think the support for “/boot” within the encrypted LVM was broken at the time 42.1 came out, so if you want that you will run into problems setting it up.

Actually, no. “/tmp” as tmpfs is apparently used by fedora, and is recommended by the systemd developers. But it is not the default setup in opensuse.

If using tmpfs for “/tmp”, there is still a risk unless using encrypted swap. That’s because “/tmp” might be partly on swap.

And if randomly encrypted swap is used (as in the suggested “ecryptfs-setup-swap”), then hibernating won’t work.

Ok…
I normally use a separate unencrypted “/boot”, too.
I am using encrypted swap, so my /tmp is encrypted.
Thanks for the reply.

Do:

 df /tmp

If that shows “tmpfs” you are set. If that shows the same output as for the root partition, then you need to set up using tmpfs for “/tmp”. You can do that with an entry in “fstab”, or maybe there’s a newer way of doing it under systemd.

How do I set tmpfs in the fstab?

I use this option:

 tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777,size=1024M 0 0

Is it correct?

Just a reminder to anyone who thinks it’s important…
If you hibernate a machine, the memory map is written to disk, so I suspect that tmpfs will be written to disk instead of purged like what likely happens with a complete system shutdown.

TSU

Yes, that looks okay. Reboot and check that “/tmp” is now using tmpfs.

Yes, that’s correct.

It is normally written to swap. So if encryption is important, then you need swap to be encrypted. And if you use randomly encrypted swap, then you won’t be able to read that memory map on reboot, so hibernate won’t work.

Big thank you for helping me.
Now using tmpfs and encrypted swap.
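
A way to verify the end state this thread arrives at (tmpfs for /tmp, encrypted swap, and the hibernation caveat for randomly keyed swap), as an added example that is not part of any post in the thread. The function names and sample data are made up for illustration; it assumes `lsblk` from util-linux and the standard crypttab field order (name, device, key file, options).

```shell
# Added example, not from the thread. Each function reads its input on stdin.

# stdin: /proc/mounts. Prints the type of the last filesystem mounted on /tmp
# (a later mount shadows an earlier one); prints nothing if /tmp is no mount.
tmp_fstype() {
    awk '$2 == "/tmp" { fs = $3 } END { if (fs != "") print fs }'
}

# stdin: `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT`. Prints active swap devices
# with no dm-crypt layer at or beneath them, so swap on an LVM volume inside an
# encrypted container passes. Assumes one parent per device; ignores swap files.
unencrypted_swap() {
    awk '
    function val(key,   s) {
        if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    {
        k = val("KNAME"); kind[k] = val("TYPE"); parent[k] = val("PKNAME")
        if (val("MOUNTPOINT") == "[SWAP]") swap[k] = 1
    }
    END {
        for (k in swap) {
            # Walk towards the physical disk until a crypt layer is met.
            for (d = k; d != "" && kind[d] != "crypt"; d = parent[d]) ;
            if (d == "") print k    # reached the top without one
        }
    }' | sort
}

# stdin: /etc/crypttab. Prints mappings keyed from /dev/urandom or /dev/random;
# that key is gone after shutdown, so hibernating to such swap cannot resume.
random_key_mappings() {
    awk '$1 !~ /^#/ && ($3 == "/dev/urandom" || $3 == "/dev/random") { print $1 }'
}

# Constructed samples (no real machine): plain swap on sda1, swap LV in LUKS.
SAMPLE_LSBLK='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"'
SAMPLE_MOUNTS='/dev/mapper/system-root / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,noatime,size=1048576k 0 0'
SAMPLE_CRYPTTAB='cr_swap /dev/sdb1 /dev/urandom swap
cr_home /dev/sdb2 none'
printf '%s\n' "$SAMPLE_LSBLK" | unencrypted_swap   # constructed data
```

On a live system, feed the functions real data: `tmp_fstype < /proc/mounts`, `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | unencrypted_swap`, and `random_key_mappings < /etc/crypttab`.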

Great.

And now the final touch.

As root:


# mount --bind / /mnt
# cd /mnt/tmp
# ls -al

That is what is left over from before you were using “tmpfs” for “/tmp”. It is hidden under the mounted tmpfs file system.


# rm -rf * .??*
# cd /
# umount /mnt

and that should remove it all, then undo that temporary mount.

There’s probably nothing important there, but it doesn’t hurt to clean it up.

I really appreciate your help

Is /tmpfs written to /.snapshots?
I found “/tmp” folders in /.snapshots.

I’m not sure, because I am not using “btrfs” (I did try it for a while).

However, I think you will find that only the empty “/tmp” directory is in a snapshot, or perhaps the original “/tmp” from the install which might have a temp file from the install.

Normal practice seems to be to make “/tmp” a separate subvolume, and to not extend snapshots into subvolumes.

In any case, your mounted “tmpfs” version of “/tmp” won’t be in a snapshot, as those do not cross mount points.

Exactly.
I’ve checked again; /tmpfs is not written to /.snapshots.
My “/tmp” in /.snapshots was old. After using /tmpfs, only the empty “/tmp” directory is in /.snapshots.
Thanks a lot.

Can a root filesystem be converted to encrypted LVM or LUKS after install?
My home partition is LUKS and I want the root partition to be LUKS-encrypted, too.
Can it be done?