The answer is to recreate the encrypted tmp partition on every boot with a random key, as you do not need to keep temporary data in memory.
Create a partition to store temporary data (/dev/sdaY in this example).
Edit the /etc/crypttab configuration file and add an entry like the following, so that it uses a random key and an ext4 filesystem:
tempfs /dev/sdaY /dev/urandom tmp=ext4,cipher=aes-cbc-essiv:sha256
Add an entry to the /etc/fstab configuration file so that it is mounted at boot time and not checked by fsck:
/dev/mapper/tempfs /tmp ext4 defaults 0 0
You can check the changes (without rebooting) by executing these commands:
$ sudo /etc/init.d/cryptdisks restart
 * Stopping remaining crypto disks...
 * cryptswap1 (busy)...
 * tempfs (stopped)... [ OK ]
 * Starting remaining crypto disks...
 * cryptswap1 (running)...
 * tempfs (starting)..
 * tempfs (started)... [ OK ]
$ sudo mount /tmp
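A way to audit the two entries before relying on them, as an added example that is not part of the original page: the function checks that the mapping is keyed from a random device, carries the tmp option, and is mounted on /tmp with fsck disabled. The function name, the sample files and the badtmp entry are constructed for illustration.

```shell
#!/bin/sh
# Usage: check_tmp_mapping NAME CRYPTTAB FSTAB ; returns 0 when all checks pass.
check_tmp_mapping() {
    name=$1 crypttab=$2 fstab=$3 rc=0
    # crypttab fields: <name> <device> <keyfile> <options>
    entry=$(awk -v n="$name" '$1 == n { print $3, $4; exit }' "$crypttab")
    if [ -z "$entry" ]; then
        echo "FAIL: no crypttab entry named $name"; return 1
    fi
    key=${entry%% *}
    opts=${entry#* }
    case $key in
        /dev/urandom|/dev/random) ;;
        *) echo "FAIL: key source is $key, not a random device"; rc=1 ;;
    esac
    # With tmp or tmp=<fstype> a filesystem is created on the mapping at each start.
    case ",$opts," in
        *,tmp,*|*,tmp=*) ;;
        *) echo "FAIL: tmp option missing, no filesystem would be created"; rc=1 ;;
    esac
    # fstab fields: <device> <mountpoint> <type> <options> <dump> <pass>
    pass=$(awk -v d="/dev/mapper/$name" \
        '$1 == d && $2 == "/tmp" { print ($6 == "" ? 0 : $6); exit }' "$fstab")
    case $pass in
        0) ;;
        "") echo "FAIL: /dev/mapper/$name is not mounted on /tmp in fstab"; rc=1 ;;
        *) echo "FAIL: fsck pass is $pass, expected 0"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $name is a random-key /tmp mapping"
    return "$rc"
}

# Constructed sample files: the page's entries plus a hypothetical
# passphrase-keyed mapping (badtmp) that fails every check.
d=$(mktemp -d)
printf '%s\n' 'tempfs /dev/sdaY /dev/urandom tmp=ext4,cipher=aes-cbc-essiv:sha256' \
              'badtmp /dev/sdaY none cipher=aes-cbc-essiv:sha256' > "$d/crypttab"
printf '%s\n' '/dev/mapper/tempfs /tmp ext4 defaults 0 0' \
              '/dev/mapper/badtmp /tmp ext4 defaults 0 2' > "$d/fstab"
check_tmp_mapping tempfs "$d/crypttab" "$d/fstab"
check_tmp_mapping badtmp "$d/crypttab" "$d/fstab" || true
```

On a real system, pass /etc/crypttab and /etc/fstab as the second and third arguments.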