encrypted /tmp doesn't work in raspbian jessie

OK, the new server (Pi + USB hard drive with several partitions) is
working apart from encrypted '/tmp'. I have the following lines in
'/etc/crypttab':
eswap /dev/disk/by-id/blahblah-part3 /dev/urandom swap
etmp /dev/disk/by-id/blahblah-part4 /dev/urandom tmp=ext4
and both devices are appearing in '/dev/mapper/'. I've tried the
following lines in '/etc/fstab':
/dev/mapper/eswap none swap sw 0 0
#/dev/mapper/etmp /tmp ext4 defaults 0 0
#tmpfs /tmp tmpfs size=9999M,mode=1777 0 0
but if I uncomment either of the /tmp lines, the system won't boot
(headless, at least) as far as running the ssh server. The swap is
working (after I did 'update-rc dphys-swapfile disable', anyway). The
first /tmp line worked on the Raspbian wheezy system; the second one
works on two current Ubuntu systems. What has changed?
Thanks,
Adam
Adam Funk
I finally got round to figuring this out, after fixing the same problem on an Ubuntu non-Pi system. I think it has something to do with systemd. The fstab line was correct:
/dev/mapper/etmp /tmp ext4 defaults 0 0
but the crypttab line needed a slight change:
etmp /dev/disk/by-id/blahblah-part4 /dev/urandom tmp
Hope this helps someone else.
--
Slade was the coolest band in England. They were the kind of guys 
that would push your car out of a ditch.         --- Alice Cooper
Adam Funk
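Since the fix above came down to one option in /etc/crypttab, here is a small consistency check for the crypttab/fstab pairing in this thread. It is an added example, not code from the thread or from Debian's cryptsetup or systemd; the inputs are constructed copies of the lines posted above (the placeholder device ids are kept as posted), and the check that flags the 'tmp=<fs>' form encodes only what this thread found on Raspbian jessie, not a rule that holds for every cryptsetup or systemd version.

```python
"""Lint crypttab/fstab pairs for random-key (/dev/urandom) swap and /tmp mappings.

Added example, not part of the thread. Checks that every /dev/mapper/<name>
in fstab has a crypttab entry, that random-key mappings carry the option that
creates their contents at boot ('swap' runs mkswap, 'tmp' runs mkfs; a fresh
key each boot means nothing from the previous boot is readable), that 'luks'
is not combined with a random key, and flags the 'tmp=<fs>' spelling that the
thread found would not mount on Raspbian jessie where a bare 'tmp' did.
"""

from dataclasses import dataclass, field

MAPPER = "/dev/mapper/"
RANDOM_KEYS = ("/dev/urandom", "/dev/random")


@dataclass
class CryptEntry:
    name: str
    source: str
    keyfile: str
    options: dict = field(default_factory=dict)  # option -> value, None if bare


def _content_lines(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_crypttab(text):
    """Parse crypttab text into {name: CryptEntry}; the options field is optional."""
    entries = {}
    for fields in _content_lines(text):
        if len(fields) < 3:
            raise ValueError(f"malformed crypttab line: {' '.join(fields)!r}")
        name, source, keyfile = fields[:3]
        options = {}
        if len(fields) > 3:
            for opt in fields[3].split(","):
                key, sep, value = opt.partition("=")
                options[key] = value if sep else None
        entries[name] = CryptEntry(name, source, keyfile, options)
    return entries


def parse_fstab(text):
    """Return [(device, mountpoint, fstype)] for each fstab line."""
    mounts = []
    for fields in _content_lines(text):
        if len(fields) < 3:
            raise ValueError(f"malformed fstab line: {' '.join(fields)!r}")
        mounts.append((fields[0], fields[1], fields[2]))
    return mounts


def lint(crypttab_text, fstab_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    entries = parse_crypttab(crypttab_text)
    findings = []
    for device, mountpoint, fstype in parse_fstab(fstab_text):
        if not device.startswith(MAPPER):
            continue  # only dm-crypt mappings are checked here
        name = device[len(MAPPER):]
        entry = entries.get(name)
        if entry is None:
            findings.append(f"{device} ({mountpoint}): no crypttab entry named {name!r}")
            continue
        opts = entry.options
        random_key = entry.keyfile in RANDOM_KEYS
        if random_key and "luks" in opts:
            findings.append(f"{name}: 'luks' option cannot be used with a random key")
        if fstype == "swap" and "swap" not in opts:
            findings.append(f"{name}: swap in fstab but crypttab lacks the 'swap' option (mkswap never runs)")
        if fstype != "swap" and random_key and "tmp" not in opts:
            findings.append(f"{name}: random key without 'tmp' option; a fresh key each boot leaves no filesystem to mount at {mountpoint}")
        if opts.get("tmp") is not None:
            findings.append(f"{name}: uses 'tmp={opts['tmp']}'; the thread needed a bare 'tmp' for {mountpoint} to mount on Raspbian jessie")
    return findings


# Constructed inputs copied from the thread (device ids are the placeholders as posted).
THREAD_FSTAB = """\
/dev/mapper/eswap none swap sw 0 0
/dev/mapper/etmp /tmp ext4 defaults 0 0
"""

CRYPTTAB_AS_FIRST_POSTED = """\
eswap /dev/disk/by-id/blahblah-part3 /dev/urandom swap
etmp /dev/disk/by-id/blahblah-part4 /dev/urandom tmp=ext4
"""

CRYPTTAB_AS_FIXED = """\
eswap /dev/disk/by-id/blahblah-part3 /dev/urandom swap
etmp /dev/disk/by-id/blahblah-part4 /dev/urandom tmp
"""

if __name__ == "__main__":
    for label, tab in (("as first posted", CRYPTTAB_AS_FIRST_POSTED), ("as fixed", CRYPTTAB_AS_FIXED)):
        print(f"== crypttab {label} ==")
        for finding in lint(tab, THREAD_FSTAB) or ["no findings"]:
            print(" ", finding)
```

Run it against the real files with `lint(open('/etc/crypttab').read(), open('/etc/fstab').read())`; it reads nothing from the running system on its own, so it cannot tell you whether the mapping actually came up at boot, only whether the two files agree with each other.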
Forgive my ignorance, but why would anyone want to encrypt /tmp?
Tony van der Hoff
Data stored in /tmp could give a hacker clues that would enable him to gain further access to the system.
This does of course mean that the hacker must have found at least one exploitable vulnerability first, and if that account has access to /tmp then it would be unencrypted anyway.
--
Nothing can be done in one trip. 
		-- Snider
alister
On Wed, 4 Jan 2017 12:02:00 +0000, Tony van der Hoff wrote:
> Forgive my ignorance, but why would anyone want to encrypt /tmp?
This prevents the recovery of data if the storage media is lost or stolen. I would expect such a situation to use a LUKS whole-disk encryption approach instead, but I'm not sure what the particular conditions are.
As pointed out, if you can access a running system with /tmp decrypted and mounted, the data is out there protected only by the permission settings, or access control lists if you have those enabled.
--
Consulting Minister for Consultants, DNRC 
I can please only one person per day. Today is not your day. Tomorrow 
I R A Darth Aggie