You can use an overlayfs, or a bind mount, etc.
Also, after /tmp is created and mounted, if you just mount over it any path that is an encrypted container, it will do the trick.
Also, you can do something really weird and maybe enter panic mode.
You can mount /dev/null over /tmp, so any write to /tmp goes nowhere.
Why do a lot of people think of such complex solutions that do not meet what you really want...
You said you want the data not to hit the HDD... just mount /dev/null over the path.
Of course, the data will not be readable after being written... it is lost as it is being written... that is what /dev/null is designed for.
But if you want the data to hit the disk, but not in plain text (aka encrypted)... just do this:
- Create a file to hold the data
- Create a LUKS container on it (see the --header parameter)
- Mount it over the path
So any write will go to the disk, but will be encrypted.
I must warn you about this:
- Do you know each source code line of all parts (kernel, apps, etc.) that will be run on the PC? If the answer is no, you need a 100% disk encryption solution (including /boot, etc.)... Grub2 + LUKS (multi-layer) is really great; see how to edit the initramfs scripts to mount such LUKS, and be ready to type the passphrases twice on each boot... do not do what stupid people do, storing a KEY file inside the initramfs to avoid typing twice... a cold boot attack will see it in plain and it is really easy to find.
If you are sure all your apps only write to "controlled" paths, try first with mounting over a path that already has a mount on it (it overrides the mount until unmounted).
Sometimes, people search for a complex solution and do not see the easy one.
I mean, this will work:
1. mount /dev/sda1 /mnt/MyHDD
2. mount /dev/sdb2 /mnt/MyHDD
3. umount /mnt/MyHDD
4. umount /mnt/MyHDD
After 1, the files/folders seen on /mnt/MyHDD are on drive sda, first partition; after 2, the files/folders seen on /mnt/MyHDD are on drive sdb, partition 2; after 3, the files/folders seen on /mnt/MyHDD are on drive sda, first partition; after 4? It depends on what was mounted there before 1.
So you can mount:
- /dev/null --- will cause all data to be lost
- /dev/mapper/crypto --- or whatever you call the LUKS device (data will be encrypted)
Hope it helps.
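An added example, not part of this answer, that scripts the file-backed container from the steps above but keys it from /dev/urandom, so /tmp gets a fresh throw-away key on every boot with no passphrase prompt; it uses plain dm-crypt instead of LUKS, since a key nobody keeps needs no LUKS header to unlock later. It assumes cryptsetup, losetup, truncate and mkfs.ext4 are installed and that it runs as root at boot; the backing path /var/lib/crypttmp.img, the mapping name crypttmp and the DRY_RUN switch are my own choices.

```shell
#!/bin/sh
# Added example: encrypted /tmp backed by a file, keyed from /dev/urandom so
# the key exists only in kernel memory for this boot. Uses plain dm-crypt
# (no LUKS header) since a throw-away key has nothing to unlock later.
# Assumes root at boot; DRY_RUN=1 prints the commands instead of running them.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setup_encrypted_tmp BACKING_FILE MOUNTPOINT SIZE_MB
setup_encrypted_tmp() {
    backing=$1; mountpoint=$2; size_mb=$3
    name=crypttmp   # assumed mapping name, appears as /dev/mapper/crypttmp

    # A leftover mapping from a previous run would be silently reused; refuse.
    if [ "${DRY_RUN:-0}" != 1 ] && [ -e "/dev/mapper/$name" ]; then
        echo "/dev/mapper/$name already exists; close it first" >&2
        return 1
    fi

    # 1. sparse backing file on disk, readable only by root
    run truncate -s "${size_mb}M" "$backing"
    run chmod 600 "$backing"

    # 2. attach it to a loop device (placeholder name in dry-run mode)
    if [ "${DRY_RUN:-0}" = 1 ]; then
        run losetup --find --show "$backing"; loopdev=/dev/loopN
    else
        loopdev=$(losetup --find --show "$backing")
    fi

    # 3. open as plain dm-crypt with a key read once from /dev/urandom;
    #    after a reboot nobody, the owner included, can read the file again
    run cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 256 \
        --key-file /dev/urandom "$loopdev" "$name"

    # 4. fresh filesystem every boot, then mount over /tmp: whatever was
    #    mounted there before (e.g. a tmpfs) is hidden until this is unmounted
    run mkfs.ext4 -q "/dev/mapper/$name"
    run mount -o nodev,nosuid "/dev/mapper/$name" "$mountpoint"
    run chmod 1777 "$mountpoint"
}

# Only act when explicitly asked, e.g. from a boot unit: sh this.sh --apply
if [ "${1:-}" = "--apply" ]; then
    setup_encrypted_tmp /var/lib/crypttmp.img /tmp 1024
fi
```

The random key protects only what lands in /tmp; it does nothing for the rest of the disk, which still needs the full-disk setup the answer warns about.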
You might want to look at setting up an encrypted LVM. – None – 2011-04-27T15:04:32.260
Thanks for answering. Could you be more precise? I would like /tmp to have a new random key every time the computer boots, or something like that. Whether there is a primary or logical partition, or just a stacked filesystem, doesn't matter for me. Just that it doesn't ask for input from the user and doesn't use swap. – user39559 – 2011-04-27T15:40:57.657
You need to provide a password to decrypt the disk, don't you? Otherwise, if it boots and loads the whole system without my intervention, how could system data be protected from my adversary and not from myself? I am unaware of such a setup, please let me know if it is possible. – user39559 – 2011-11-14T15:57:39.760