OK, the new server (Pi + USB hard drive with several partitions) is
working apart from encrypted '/tmp'. I have the following lines in
eswap /dev/disk/by-id/blahblah-part3 /dev/urandom swap
etmp /dev/disk/by-id/blahblah-part4 /dev/urandom tmp=ext4
and both devices are appearing in '/dev/mapper/'. I've tried the
following lines in '/etc/fstab':
/dev/mapper/eswap none swap sw 0 0
#/dev/mapper/etmp /tmp ext4 defaults 0 0
#tmpfs /tmp tmpfs size=9999M,mode=1777 0 0
but if I uncomment either of the /tmp lines, the system won't boot
(headless, at least) as far as running the ssh server. The swap is
working (after I did 'update-rc dphys-swapfile disable', anyway). The
first /tmp line worked on the Raspbian wheezy system; the second one
works on two current Ubuntu systems. What has changed?
I finally got round to figuring this out, after fixing the same
problem on an Ubuntu non-Pi system. I think it has something to do
with systemd. The fstab line was correct:
/dev/mapper/etmp /tmp ext4 defaults 0 0
but the crypttab line needed a slight change:
etmp /dev/disk/by-id/blahblah-part4 /dev/urandom tmp
Hope this helps someone else.
Slade was the coolest band in England. They were the kind of guys
that would push your car out of a ditch. --- Alice Cooper
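Added here as an example, not something posted in the thread: a small POSIX shell check that reads a crypttab and an fstab and flags the random-key pitfalls this exchange ran into (a /dev/urandom entry with neither 'swap' nor 'tmp', the 'tmp=<fs>' form that stopped the boot, and a /dev/mapper device with no active fstab line). The file paths, the mktemp directory, the device names and the sample contents are constructed for the demo.

```sh
# Added example (not from the thread): a consistency check between crypttab
# and fstab for random-keyed mappings like the eswap/etmp entries above.
# File contents, paths and device names below are constructed for the demo.

# check_random_key_entries CRYPTTAB FSTAB
# Prints one line per problem found and returns the number of problems.
check_random_key_entries() {
    crypttab=$1; fstab=$2; problems=0
    # Each crypttab entry: name  source-device  keyfile  options
    while read -r name source key opts; do
        case $name in ''|\#*) continue ;; esac
        [ "$key" = /dev/urandom ] || [ "$key" = /dev/random ] || continue
        # A random key gives a fresh, unreadable volume every boot, so the
        # entry must format it: 'swap' or 'tmp'. Without either, mount fails.
        case ",$opts," in
            *,swap,*|*,tmp,*|*,tmp=*,*) ;;
            *) echo "$name: random key but no 'swap' or 'tmp' option ($opts)"
               problems=$((problems + 1)) ;;
        esac
        # The thread's fix: 'tmp=ext4' stopped the boot, plain 'tmp' worked.
        case ",$opts," in
            *,tmp=*,*) echo "$name: 'tmp=<fs>' given; the thread needed plain 'tmp'"
                       problems=$((problems + 1)) ;;
        esac
        # The mapping is only useful if an active fstab line mounts it.
        if ! grep -Eq "^[[:space:]]*/dev/mapper/$name[[:space:]]" "$fstab"; then
            echo "$name: no uncommented /dev/mapper/$name line in $fstab"
            problems=$((problems + 1))
        fi
    done < "$crypttab"
    return "$problems"
}

# Constructed sample files reproducing the first (non-booting) configuration.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/crypttab" <<'EOF'
# name  source                           keyfile       options
eswap   /dev/disk/by-id/blahblah-part3   /dev/urandom  swap
etmp    /dev/disk/by-id/blahblah-part4   /dev/urandom  tmp=ext4
EOF
    cat > "$dir/fstab" <<'EOF'
/dev/mapper/eswap none swap sw 0 0
#/dev/mapper/etmp /tmp ext4 defaults 0 0
EOF
    echo "$dir"
}

# Usage: dir=$(write_samples); check_random_key_entries "$dir/crypttab" "$dir/fstab"
```

Against the sample files the check reports two problems for etmp (the 'tmp=ext4' option and the commented-out fstab line) and none for eswap.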
data stored in /tmp could give a hacker clues that would enable him to
gain further access to the system
This does of course mean that the hacker must have found at least one
exploitable vulnerability first & if that account has access to /tmp then
it would be unencrypted anyway.
On Wed, 4 Jan 2017 12:02:00 +0000,
T> Forgive my ignorance, but why would anyone want to encrypt /tmp?
This prevents the recovery of data if the storage media is lost or
stolen. I would expect such situation to use a LUKS whole disk
encryption approach instead, but I'm not sure what the particular
As pointed out, if you can access a running system with /tmp decrypted
& mounted, the data is out there protected only by the permission
settings, or access control lists if you have those enabled.
Consulting Minister for Consultants, DNRC
I can please only one person per day. Today is not your day. Tomorrow