Encrypted /tmp: upside, the file system data is encrypted; downside: well, the hubbub of encrypting it and such.
Memory File System (man mfs): Upside, the data is not retained between boots; downside: the data may reside momentarily in memory even after power has been turned off, and likewise any backing store (e.g. swap partition) should be encrypted for extra paranoia. Encrypting your system's installed memory is a little, eh I'm not even gonna go there.
So in my humble opinion: a pure MFS is probably not as useful as an encrypted partition, unless you've got memory to burn (amd64 suggested) and a big encrypted swap file.
I haven't done any disk encryption recently, but I believe the process is very simple: set up your encrypted 'backing', set up a partition on the encrypted 'pseudo device', and mount it as /tmp.
something like:
Code:
vnconfig -ck svndN /dev/wd... # whatever /tmp is on now
# +/- erasing it with dd'ing
# bytes from /dev/srandom
fdisk svndN
disklabel svndN
newfs rsvndNa
mount /dev/svndNa /tmp
I can't remember the usual flags used on OpenBSD to format hard disks off the top of my head; so I've omitted writing any in the above. Just fill the pseudo device (svndN) with a partition for use as /tmp, exempli gratia svnd0a.
Not sure what /etc/fstab would look like, but maybe something like
Code:
/dev/wd0d /dev/svnd0a vnd rw,-k 0 0
/dev/svnd0a /tmp ffs rw,FLAGS 0 0
and of course s/FLAGS/things like nodev, nosuid, whatever you use/; maybe you'd have to go through rc.local to sort out the vnd mount properly, dunno. I have never actually tried it on a partition that should be automagically mounted at startup; because you need to specify the key for 'vnconfig -k' and such.
suggested reading in manual: vnd, svnd, vnconfig, mfs
disclaimer: I haven't played with encrypted disks in quite a while now.
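An added example, not part of the original post: a small check that reads an fstab(5)-format file and reports what backs /tmp (svnd pseudo device, mfs, or a plain partition) and whether the nodev and nosuid options mentioned above are set. The function name audit_tmp and the sample entries are constructed for illustration; an svnd device is only encrypted if it was configured with 'vnconfig -k'.

```sh
#!/bin/sh
# Added example: audit the /tmp entry of an fstab(5)-format file.
# audit_tmp FILE prints "<backing> ok" or "<backing> missing:<opts>".
# backing is svnd, mfs, plain, or none (no /tmp entry at all).
audit_tmp() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }       # skip comments and short lines
        $2 == "/tmp" {
            found = 1
            # Classify the backing store from fs type and device name.
            if ($3 == "mfs")
                backing = "mfs"
            else if ($1 ~ /^\/dev\/svnd[0-9]+[a-p]$/)
                backing = "svnd"
            else
                backing = "plain"
            # Collect the comma-separated mount options.
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            missing = ""
            if (!("nodev" in have))
                missing = "nodev"
            if (!("nosuid" in have))
                missing = missing (missing ? "," : "") "nosuid"
            print backing, (missing ? "missing:" missing : "ok")
            exit
        }
        END { if (!found) print "none no-entry" }
    ' "$1"
}

# Constructed sample in the shape guessed at in the post above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample fstab, not taken from a real system
/dev/wd0a   /             ffs  rw               1 1
/dev/wd0d   /dev/svnd0a   vnd  rw,-k            0 0
/dev/svnd0a /tmp          ffs  rw,nodev,nosuid  0 0
EOF
audit_tmp "$sample"
rm -f "$sample"
```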