mount_ecrypt_home.sh: store vault key in XDG_RUNTIME_DIR instead of /var/tmp

/var/tmp is persistent on-disk storage. The encryption key must never
be written to disk, even temporarily. Replaced all occurrences of
/var/tmp/IPAVAULTKEY.txt with ${XDG_RUNTIME_DIR}/IPAVAULTKEY, which
is a per-user tmpfs directory (/run/user/<UID>) created by
systemd-logind: guaranteed memory-only, mode 0700, wiped on logout.

Also removed the TODO comment that tracked this exact issue.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

system_setup/mount_ecrypt_home.sh

@@ -42,7 +42,7 @@ if [ $? -ne 0 ]; then
     if [ -d "${ENCRYPTEDDATADIR}" ]; then
         echo "The encrypted Directory ${ENCRYPTEDDATADIR} exists."
         read -p "To mount it with your Key, that you noticed when installing that PC, enter the Key now or press CTRL+C to abort: " ENCKEY
-        echo ${ENCKEY} > /var/tmp/IPAVAULTKEY.txt
+        echo ${ENCKEY} > ${XDG_RUNTIME_DIR}/IPAVAULTKEY
     else
         echo "The Server ${SERVERFQDN_IPA} is offline and no Directory ${ENCRYPTEDDATADIR} exists. Cannot continue."
         echo "Please check your Connection/Server and retry."
@@ -52,12 +52,12 @@ else
     # Server is online
     #Get the Token from IPA
     echo Getting the Vault ${IPAVAULTNAME}
-    ipa vault-retrieve ${IPAVAULTNAME} --out /var/tmp/IPAVAULTKEY.txt >/dev/null #TODO: Instead of /var/tmp use tmpfs for more security
+    ipa vault-retrieve ${IPAVAULTNAME} --out ${XDG_RUNTIME_DIR}/IPAVAULTKEY >/dev/null
     if [ $? -ne 0 ]; then
         echo "No Key found. Will try to Setup a new one."
         ENCKEY=$( openssl rand -base64 24 )
-        echo ${ENCKEY} > /var/tmp/IPAVAULTKEY.txt
-        ipa vault-add "${IPAVAULTNAME}" --desc "Key for Fileencrytption of ${HOSTNM}" --type=standard && ipa vault-archive "${IPAVAULTNAME}" --in /var/tmp/IPAVAULTKEY.txt
+        echo ${ENCKEY} > ${XDG_RUNTIME_DIR}/IPAVAULTKEY
+        ipa vault-add "${IPAVAULTNAME}" --desc "Key for Fileencrytption of ${HOSTNM}" --type=standard && ipa vault-archive "${IPAVAULTNAME}" --in ${XDG_RUNTIME_DIR}/IPAVAULTKEY
         if [ $? -eq 0 ]; then
             echo
             echo "Your Key has been sucessfully stored to the Vault ${IPAVAULTNAME}"
@@ -75,13 +75,13 @@ else
             ENCKEY=""
         fi
     else
-        ENCKEY=$( cat /var/tmp/IPAVAULTKEY.txt )
+        ENCKEY=$( cat ${XDG_RUNTIME_DIR}/IPAVAULTKEY )
 #        echo "The Key is: ${ENCKEY}"
     fi
 fi
 if [ "${ENCKEY}." == "." ]; then
     echo "Some Error while fetching your IPA Vault Key. This should not happen. Quit."
-    rm /var/tmp/IPAVAULTKEY.txt
+    rm ${XDG_RUNTIME_DIR}/IPAVAULTKEY
     exit 2
 fi
 echo "Sucessfuly obtained IPA vault fileencryption key."
@@ -91,12 +91,12 @@ if [ ! -d "${DECRYPTEDDATADIR}" ] || [ ! -f "${HOME}/.config/gocryptfs/gocryptfs
     #Key has been obtained, but no Directory was created till know
     echo "First Setup of encryption: Creating new Directories now"
     mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs
-    gocryptfs -init -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null
+    gocryptfs -init -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null
 fi
 systemd-run --user --scope --unit=gocryptfs-home \
-    gocryptfs -noprealloc -allow_other -passfile /var/tmp/IPAVAULTKEY.txt -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
+    gocryptfs -noprealloc -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
 RETVAL=$?
-rm /var/tmp/IPAVAULTKEY.txt
+rm ${XDG_RUNTIME_DIR}/IPAVAULTKEY
 cd ${EXECDIR}
 if [ ${RETVAL} -eq 0 ]; then
     echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"