DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 16th April 2009
Oko's Avatar
Oko Oko is offline
Fsck Surgeon
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 768
Thanked 36 Times in 32 Posts
Default Easiest Way to Encrypt /tmp

What is the easiest way to encrypt /tmp. Yes, I did read man pages for vnd and I do know how to use vnd. I am curious what other people do.

Thanks,
OKO
Reply With Quote
  #2   (View Single Post)  
Old 16th April 2009
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,673
Thanked 214 Times in 189 Posts
Default

I don't encrypt it; I just use an MFS mount and a chmod 1777 for it in rc.conf.local. Not for security; but for whatever small performance gain I might get, particularly during long builds of userland or ports.

(I have an encrypted filesystem; I used to use a vnode for it but switched to softraid about a year ago.)
Reply With Quote
  #3   (View Single Post)  
Old 16th April 2009
TerryP's Avatar
TerryP TerryP is offline
Arp Constable
 
Join Date: May 2008
Location: USofA
Posts: 1,547
Thanked 112 Times in 104 Posts
Default

Encrypted /tmp: upside, the file system data is encrypted; downside: well, the hub bub of encrypting it and such.

Memory File System (man mfs): Upside, the data is not retained between boots; downside: the data may reside momentary in memory even after power has been turned off, and likewise any backing store (e.g. swap partition) should be encrypted for extra paranoia. Encrypting your systems installed memory is a little, eh I'm not even gonna go there.

So in my humble opinion: a pure MFS is probably not as useful as an encrypted partition, unless you've got memory to burn (amd64 suggested) and a big encrypted swap file.


I haven't done any disk encryption recently, but I believe the process is very simple: setup your encrypted 'backing', do setup a partition on the encrypted 'pseudo device', and mount it as /tmp.

something like:

Code:
vnconfig -ck svndN /dev/wd...  # whatever /tmp is on now 
                                                           # +/- erasing it with dd'ing 
                                                           # bytes from /dev/srandom
fdisk svndN
disklabel svndN
newfs rsvndNa
mount /dev/svndNa /tmp
I can't remember the usual flags used on OpenBSD to format hard disks off the top of my head; so I've omitted writing any in the above. Just fill the pseudo device (svndN with a partition for use as /tmp, exempli gratia svnd0a.

Not sure what /etc/fstab would look like, but maybe something like

Code:
/dev/wd0d      /dev/svnd0a      vnd    rw,-k                 0    0
/dev/svnd0a   /tmp                 ffs      rw,FLAGS           0    0
and of course s/FLAGS/things like nodev, nosuid, whatever you use/; maybe you'd have to go though rc.local to sort out the vnd mount properly, dunno. I have never actually tried it on a partition that should be automagically mounted at startup; because you need to specify the key for 'vnconfig -k' and such.



suggested reading in manual: vnd, svnd, vnconfig, mfs

disclaimer: I haven't played with encrypted disks in quite a while now.
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Reply With Quote
  #4   (View Single Post)  
Old 16th April 2009
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,673
Thanked 214 Times in 189 Posts
Default

Terry -- on OpenBSD, swap encryption has been a sysctl since 1999, and more importantly, it has been enabled by default since 2005 (3.8).
Reply With Quote
  #5   (View Single Post)  
Old 16th April 2009
TerryP's Avatar
TerryP TerryP is offline
Arp Constable
 
Join Date: May 2008
Location: USofA
Posts: 1,547
Thanked 112 Times in 104 Posts
Default

Jggimi, I said memory to burn and a big encrypted swap partition ;-)

& thanks about the sysctl, I didn't know it went as far back as 2.5 or 2.6; always thought it was early 2000s.
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Questions about encrypt local passwords aleunix OpenBSD Security 4 2nd June 2008 02:07 PM


All times are GMT. The time now is 02:35 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick