encrypted /tmp doesn't work in raspbian jessie

OK, the new server (Pi + USB hard drive with several partitions) is working apart from encrypted '/tmp'. I have the following lines in '/etc/crypttab':

eswap /dev/disk/by-id/blahblah-part3 /dev/urandom swap
etmp  /dev/disk/by-id/blahblah-part4 /dev/urandom tmp=ext4

and both devices are appearing in '/dev/mapper/'. I've tried the following lines in '/etc/fstab':

/dev/mapper/eswap none swap sw 0 0
#/dev/mapper/etmp /tmp ext4 defaults 0 0
#tmpfs /tmp tmpfs size=9999M,mode=1777 0 0

but if I uncomment either of the /tmp lines, the system won't boot (headless, at least) as far as running the ssh server. The swap is working (after I did 'update-rc dphys-swapfile disable', anyway). The first /tmp line worked on the Raspbian wheezy system; the second one works on two current Ubuntu systems. What has changed?

Thanks, Adam

Adam Funk

I finally got round to figuring this out, after fixing the same problem on an Ubuntu non-Pi system. I think it has something to do with systemd. The fstab line was correct:

/dev/mapper/etmp /tmp ext4 defaults 0 0

but the crypttab line needed a slight change:

etmp /dev/disk/by-id/blahblah-part4 /dev/urandom tmp

Hope this helps someone else.

--
Slade was the coolest band in England. They were the kind of guys 
that would push your car out of a ditch.         --- Alice Cooper
Adam Funk
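A small consistency check for the crypttab/fstab pair Adam describes, added here as an example and not something posted in the thread. It parses constructed copies of both files (the sample device paths keep the thread's "blahblah" placeholders), verifies that every /dev/mapper device in fstab has a crypttab entry, that a mapping keyed from /dev/urandom carries the swap or tmp option (otherwise it gets a fresh key on every boot and is never formatted, so nothing can be mounted from it), that /tmp is not mounted twice when both lines are uncommented, and it flags the tmp=ext4 form that the original poster found not to work on jessie. The assumption that tmp=<fs> is the problematic form is taken from Adam's own result above, not from any systemd or cryptsetup documentation:

```python
"""Lint a crypttab/fstab pair for the random-key swap and /tmp pattern.

Added example for the thread above; the file contents below are
constructed samples, not copies of any real system's configuration.
"""

MAPPER = "/dev/mapper/"

# Constructed sample: the original poster's crypttab as first written ...
CRYPTTAB_BEFORE = """\
eswap /dev/disk/by-id/blahblah-part3 /dev/urandom swap
etmp  /dev/disk/by-id/blahblah-part4 /dev/urandom tmp=ext4
"""
# ... and after the change he reported as working on jessie.
CRYPTTAB_AFTER = """\
eswap /dev/disk/by-id/blahblah-part3 /dev/urandom swap
etmp  /dev/disk/by-id/blahblah-part4 /dev/urandom tmp
"""
# Constructed fstab mounting both mappings.
FSTAB = """\
/dev/mapper/eswap none swap sw 0 0
/dev/mapper/etmp /tmp ext4 defaults 0 0
"""
# Same fstab with the tmpfs line also uncommented (the "both lines" case).
FSTAB_DOUBLE_TMP = FSTAB + "tmpfs /tmp tmpfs size=9999M,mode=1777 0 0\n"


def parse_table(text):
    """Split an fstab/crypttab-style file into whitespace-separated
    fields, dropping blank lines and '#' comments."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def parse_crypttab(text):
    """Map each crypttab name to its device, key source and option list."""
    entries = {}
    for f in parse_table(text):
        entries[f[0]] = {
            "device": f[1],
            "key": f[2] if len(f) > 2 else "none",
            "options": f[3].split(",") if len(f) > 3 and f[3] != "none" else [],
        }
    return entries


def lint(crypttab_text, fstab_text):
    """Return a list of (severity, message) findings for the two files."""
    findings = []
    entries = parse_crypttab(crypttab_text)
    mounts = parse_table(fstab_text)

    # fstab rows keyed by the crypttab mapping they refer to
    by_name = {}
    mountpoints = []
    for f in mounts:
        if len(f) < 3:
            findings.append(("error", "fstab line too short: " + " ".join(f)))
            continue
        dev, mnt, fstype = f[0], f[1], f[2]
        mountpoints.append(mnt)
        if dev.startswith(MAPPER):
            name = dev[len(MAPPER):]
            by_name[name] = (mnt, fstype)
            if name not in entries:
                findings.append(("error", f"fstab mounts {dev} but crypttab has no entry '{name}'"))

    # Two active lines for the same mount point (e.g. both /tmp lines uncommented)
    for mp in sorted(set(mountpoints)):
        if mp != "none" and mountpoints.count(mp) > 1:
            findings.append(("error", f"{mp} is mounted more than once in fstab"))

    for name, e in entries.items():
        opts = e["options"]
        keys = {o.split("=", 1)[0] for o in opts}
        if e["key"] == "/dev/urandom" and not (keys & {"swap", "tmp"}):
            findings.append(("error", f"{name}: random key without 'swap' or 'tmp'; "
                                      "the mapping gets a new key every boot and is never formatted"))
        for o in opts:
            if o.startswith("tmp="):
                # The bare 'tmp' option is what the thread reports as working on jessie.
                findings.append(("warn", f"{name}: '{o}' carries a filesystem argument; "
                                         "the thread's working form is the bare 'tmp' option"))
                want = o.split("=", 1)[1]
                if name in by_name and by_name[name][1] != want:
                    findings.append(("error", f"{name}: crypttab formats as {want} but fstab "
                                              f"mounts it as {by_name[name][1]}"))
        if name not in by_name:
            findings.append(("warn", f"crypttab entry '{name}' is never used in fstab"))
    return findings


if __name__ == "__main__":
    for label, ct, ft in (("before", CRYPTTAB_BEFORE, FSTAB),
                          ("after", CRYPTTAB_AFTER, FSTAB),
                          ("both /tmp lines", CRYPTTAB_AFTER, FSTAB_DOUBLE_TMP)):
        print(label, lint(ct, ft) or "clean")
```

Run it against real files with `lint(open("/etc/crypttab").read(), open("/etc/fstab").read())`; it only reads the tables and never touches the devices, so it is safe to run before a reboot to catch the duplicate-/tmp and dangling-mapper cases that otherwise only show up as a headless box that never starts sshd.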

Forgive my ignorance, but why would anyone want to encrypt /tmp?

Tony van der Hoff

Data stored in /tmp could give a hacker clues that would enable him to gain further access to the system.

This does, of course, mean that the hacker must have found at least one exploitable vulnerability first, and if that account has access to /tmp then it would be unencrypted anyway.

--
Nothing can be done in one trip. 
		-- Snider
alister

This prevents the recovery of data if the storage media is lost or stolen. I would expect such a situation to use a LUKS whole-disk encryption approach instead, but I'm not sure what the particular conditions are.

As pointed out, if you can access a running system with /tmp decrypted and mounted, the data is out there protected only by the permission settings, or access control lists if you have those enabled.

--
Consulting Minister for Consultants, DNRC 
I can please only one person per day. Today is not your day. Tomorrow 
isn't looking good, either. 
I am BOFH. Resistance is futile. Your network will be assimilated.
I R A Darth Aggie
