I'd like to create a one-time encrypted partition with a random key which will be wiped on reboot. I found a manual about swap encryption, but swap is just a block device which doesn't have any file system on it. I also found full system encryption, which is unacceptable: I want only one partition. Neither method is my case.

How do I create one? As far as I understand (I'm not a Linux professional) I can't use fstab/crypttab directly because I need to format the partition after creation every time the machine boots up. Some kind of script? Are there any pitfalls?

EDIT: Not sure if the type of encryption (block/filesystem) matters, so long as any saved data is encrypted. If the distribution matters: Debian Stretch. TL;DR: I want a clean ext4 partition mounted somewhere after reboot whose data is encrypted with a random key.

  • You want an encrypted partition or an encrypted filesystem? Linux-only? Commented Mar 29, 2018 at 18:21
  • Reformatting the partition every time you boot up means nothing on that partition will be saved after shutting down. Have you considered just using a strong password with whole disk encryption and not using that password for anything else? Commented Mar 29, 2018 at 18:42
  • Have a look into dm-crypt; you can set up an encrypted partition to use, say, /dev/urandom as a keyfile (causing the partition to effectively be useless on reboot). However, no matter what, you will need to format the partition during boot. Commented Mar 29, 2018 at 19:05
  • Yes, the idea is keeping data only while running, without any possibility of recovering it after reboot. Commented Mar 29, 2018 at 20:00

1 Answer


Swap is actually very close to what you want — with swap, you put the swap flag in /etc/crypttab, which tells the boot-up scripts to run mkswap on the block device at boot.

You basically want the same thing, but with mkfs instead of mkswap. At least here, that's already supported with the tmp[=fstype] flag. You can check the manual page (man 5 crypttab) to see what's supported on your system.

So, this should work:

some_name /dev/sdaX /dev/urandom cipher=aes-xts-plain64,size=512,tmp=ext4

and then in /etc/fstab, you'd mount /dev/mapper/some_name wherever.

BTW: An alternative is tmpfs, which keeps the data in memory. Probably swappable, though, so you'll need either no swap or encrypted swap.

  • Thanks, works like a charm. I considered tmpfs, but it requires a ton of effort to fit the amount of data into memory (it is possible but too hard). Commented Mar 31, 2018 at 11:14
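As an added example (not from the question or the answer above), a small POSIX shell check for a crypttab entry that is meant to be a one-time random-key volume, plus a function that prints the equivalent manual cryptsetup/mkfs commands the boot scripts perform. The function names and the entry strings are constructed for illustration.

```shell
#!/bin/sh
# Sanity-check a crypttab line meant to be a one-time, random-key volume.
# Prints a reason and returns 1 on the first problem found, 0 if it looks right.
# Field layout (man 5 crypttab): name  device  keyfile  options
check_random_volume_entry() {
    set -- $1
    name="$1"; dev="$2"; key="$3"; opts="$4"
    [ -n "$name" ] && [ -n "$dev" ] || { echo "malformed: need at least name and device"; return 1; }
    # A one-shot key must come from the kernel RNG, not from a stored file.
    case "$key" in
        /dev/urandom|/dev/random) ;;
        *) echo "key source is '$key', not /dev/urandom: data would survive a reboot"; return 1 ;;
    esac
    # A random key has no LUKS header, so the 'luks' option would make activation fail.
    case ",$opts," in *,luks,*) echo "'luks' set, but a random key implies plain dm-crypt"; return 1 ;; esac
    # Plain dm-crypt has no header recording cipher or key size; leaving them out
    # silently falls back to cryptsetup defaults, so require both to be explicit.
    case ",$opts," in *,cipher=*) ;; *) echo "missing cipher= (plain mode has no header to store it)"; return 1 ;; esac
    case ",$opts," in *,size=*) ;; *) echo "missing size= (key size in bits should be explicit)"; return 1 ;; esac
    # Without tmp[=fstype], nothing runs mkfs, and the fstab mount of the fresh mapping fails.
    case ",$opts," in *,tmp=*|*,tmp,*) ;; *) echo "missing tmp= (needs mkfs at every boot)"; return 1 ;; esac
    # /dev/sdX names can change between boots; a wrong device would be wiped.
    case "$dev" in
        /dev/sd*|/dev/nvme*|/dev/vd*) echo "warning: '$dev' is not a stable name; prefer /dev/disk/by-id/..." ;;
    esac
    return 0
}

# Print the manual equivalent of the same entry (what the boot scripts do),
# useful for a one-off test before committing the line to /etc/crypttab.
manual_commands() {
    set -- $1
    name="$1"; dev="$2"; key="$3"; opts="$4"
    cipher=$(printf '%s' "$opts" | tr ',' '\n' | sed -n 's/^cipher=//p')
    size=$(printf '%s' "$opts" | tr ',' '\n' | sed -n 's/^size=//p')
    fstype=$(printf '%s' "$opts" | tr ',' '\n' | sed -n 's/^tmp=//p')
    printf 'cryptsetup open --type plain --key-file %s --cipher %s --key-size %s %s %s\n' \
        "$key" "$cipher" "$size" "$dev" "$name"
    printf 'mkfs.%s /dev/mapper/%s\n' "${fstype:-ext4}" "$name"
}
```

Running `check_random_volume_entry 'some_name /dev/sdaX /dev/urandom cipher=aes-xts-plain64,size=512,tmp=ext4'` accepts the answer's line (with a warning about the unstable device name), while dropping `tmp=ext4` or pointing the key at a real file is rejected.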
