The answer is to recreate encrypted tmp partition every boot with random key as you do not need to keep temporary data in memory.

Create partition to store temporary data (/dev/sdaY in this example).

Edit /etc/crypttab configuration file and add similar entry so it will use random key and ext4 filesystem:

tempfs     /dev/sdaY /dev/urandom tmp=ext4,cipher=aes-cbc-essiv:sha256

Add an entry to /etc/fstab configuration file so it would be mounted at boot time and not checked by fsck:

/dev/mapper/tempfs /tmp ext4 defaults 0 0

You can check changes (without reboot) by executing commands:

$ sudo /etc/init.d/cryptdisks restart
 * Stopping remaining crypto disks...
 * cryptswap1 (busy)...
 * tempfs (stopped)...                                                   [ OK ]
 * Starting remaining crypto disks...
 * cryptswap1 (running)...
 * tempfs (starting)..
 * tempfs (started)...                                                   [ OK ]
$ sudo mount /tmp