On Tue, Jul 04, 2006 at 04:14:51PM +0200, [EMAIL PROTECTED] wrote:
> Some days ago I read a question related to encrypting a partition.
> I just know that swap gets encrypted automaticly.
> Wouldn`t it be possible to encrypt also /tmp and /var/tmp also automaticly
> with the same mechanism wich is used to encrypt the SWAP?
No, but you can mount an encrypted svnd(4) device; some improvements
have been made in -current (but these are, in this case, irrelevant).
> Somebody mentioned that encrypting /tmp would be needed to because many
> applicatiosn store their temp. data there (wich is mostly correct).
>
> I didn`t posted that question to tech because misc@ is a better place but
> maybe a developer could answer my question.
> I thought about the statement that encrypting /tmp and /var/tmp is a good
> idea and I would angree so are there any (technical?) reasons that can`t
> be done even if a user does not use svnds?
> And btw: wouldn`t it be better to use rm -P for /tmp/* (or even -P as
> default for rm?)?
In all of these cases, the default is tuned for performance. This has a
good reason - encrypted disks only work if they are not mounted, which,
in practice, roughly equates to 'when the system is not running'.
For servers, desktops, and pretty much anything but laptops, this means
that anything likely to be able to get at your data does so while the
encrypted device is mounted, i.e. while encrypted disks wouldn't help
you anyway.
Since in the majority of cases, OpenBSD is not used on a laptop but on a
different type of machine, the defaults make sense - as defaults. In
certain, specialized circumstances, customization is called for.
Joachim
