/var/tmp as a bind mount doesn't seem to cause a problem. I use directories in /home, mounted with -o bind, for these things to allow use of the full home directory space (unlike a separate LUKS volume) while sealing leaks of encrypted data.
Some time back I worked up the "Bootcrypt" method of using bind mounts on an encrypted home partition to close data leaks in /tmp, /var/tmp, etc. Currently /home and swap are LUKS partitions; other "sensitive" directories are subdirectories on /home, bind mounted into the filesystem.
As of September 18 I have been able to use mountall with this — even with usplash, which I rolled back and pinned when the splash packages broke. I also use a custom splash theme based on ubuntustudio, with added armed penguins warning that all data is encrypted. In initramfs-tools/scripts/top, I had to substitute an older framebuffer script or usplash would freeze on usplash_write.
Can't use fsck yet (pass set to 0 in fstab), due to another reported bug that causes mountall to refuse to deal properly with a failed fsck run.
The partitions are specified by UUID, the bind mounts by file names in /home. Here is my fstab:
# /etc/fstab: static file system information.
#
# Use 'vol_id --uuid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# / was on /dev/sda1 during installation
# NOTE(review): "#TEMP" is appended directly to the <pass> field instead of
# sitting on its own line. fstab comments are only guaranteed at line start,
# so whether a parser reads "0#TEMP" as pass 0 depends on the implementation;
# move the marker to a separate "#" line. <pass>=0 also disables fsck for /
# (intentional, see the note about the mountall/fsck bug above).
UUID=c6ecb774-1add-408f-95b2-16d263cadec1 / ext4 relatime,errors=remount-ro 0 0#TEMP
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0
#
####### CHANGES ADDED BY BOOTCRYPT V 1.1 #######
#
# Encrypted home (a LUKS volume per the description above); every bind mount
# below sources a subdirectory of it. Same inline "#TEMP" caveat as on /.
# NOTE(review): "nofail" lets boot continue if this device is absent. In that
# case the bind sources below are presumably missing or plain directories on
# the cleartext root filesystem, so the protection silently degrades — confirm
# that boot stops (or at least warns) when /home is not mounted.
UUID=8213ad0a-269b-492a-8d30-94b5bac12942 /home ext3 rw,relatime,nofail 0 0#TEMP
#
# Bind mounts: redirect paths that accumulate data (/tmp, /var/tmp, spool,
# mail, CUPS cache) onto the encrypted /home so they are not written to the
# cleartext root filesystem. The <type> field is ignored for bind mounts;
# "none" is the conventional value.
# NOTE(review): no nosuid/nodev/noexec is set on the /tmp and /var/tmp bind
# mounts. With "bind", per-mount flags normally only take effect through a
# separate "remount,bind" step, so these mounts presumably inherit /home's
# options — verify with mount(8) output after boot.
/home/TMP /tmp ext3 rw,bind,relatime,nofail 0 0
/home/VAR_TMP /var/tmp ext3 rw,bind,relatime,nofail 0 0
/home/VAR_SPOOL /var/spool ext3 rw,bind,relatime,nofail 0 0
/home/VAR_MAIL /var/mail ext3 rw,bind,relatime,nofail 0 0
/home/VAR_CACHE_CUPS /var/cache/cups ext3 rw,bind,relatime,nofail 0 0
# Swap (a LUKS volume per the description above), addressed by UUID.
UUID=5d09cd8b-61a7-4e86-94f8-c85a406217d7 none swap swap 0 0
BIND MOUNTS OK-even on /var/tmp:
/var/tmp as a bind mount doesn't seem to cause a problem. I use directories in /home, mounted with -o bind, for these things to allow use of the full home directory space (unlike a separate LUKS volume) while sealing leaks of encrypted data.
Some time back I worked up the "Bootcrypt" method of using bind mounts on an encrypted home partition to close data leaks in /tmp, /var/tmp, etc. Currently /home and swap are LUKS partitions; other "sensitive" directories are subdirectories on /home, bind mounted into the filesystem.
As of September 18 I have been able to use mountall with this — even with usplash, which I rolled back and pinned when the splash packages broke. I also use a custom splash theme based on ubuntustudio, with added armed penguins warning that all data is encrypted. In initramfs-tools/scripts/top, I had to substitute an older framebuffer script or usplash would freeze on usplash_write.
Can't use fsck yet (pass set to 0 in fstab), due to another reported bug that causes mountall to refuse to deal properly with a failed fsck run.
The partitions are specified by UUID, the bind mounts by file names in /home. Here is my fstab:
# /etc/fstab: static file system information.
#
# Use 'vol_id --uuid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# / was on /dev/sda1 during installation
UUID=c6ecb774-1add-408f-95b2-16d263cadec1 / ext4 relatime,errors=remount-ro 0 0#TEMP
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0
#
####### CHANGES ADDED BY BOOTCRYPT V 1.1 #######
#
UUID=8213ad0a-269b-492a-8d30-94b5bac12942 /home ext3 rw,relatime,nofail 0 0#TEMP
#
/home/TMP /tmp ext3 rw,bind,relatime,nofail 0 0
/home/VAR_TMP /var/tmp ext3 rw,bind,relatime,nofail 0 0
/home/VAR_SPOOL /var/spool ext3 rw,bind,relatime,nofail 0 0
/home/VAR_MAIL /var/mail ext3 rw,bind,relatime,nofail 0 0
/home/VAR_CACHE_CUPS /var/cache/cups ext3 rw,bind,relatime,nofail 0 0
UUID=5d09cd8b-61a7-4e86-94f8-c85a406217d7 none swap swap 0 0
Here is the crypttab that goes with it:
# <target name> <source device> <key file> <options>
vgbase UUID=5b9711af-64fa-4cda-89b1-ffc637e6359c none luks,tries=1000