Do I lose TRIM under encrypted filesystem on SSD?

mbar · Veteran Joined: 19 Jan 2005 Posts: 1990 Location: Poland

My guess is yes, but I'd like to ask you anyway. The setup will be a SSD with partitions encrypted via dm-crypt (cryptsetup) and with ext4 on top of that. Does dm-crypt kill TRIM?

Sadako · Posted: Wed Apr 28, 2010 12:17 pm Post subject:

TRIM command passthrough via dmcrypt is apparently being worked on, but yes you do lose TRIM with dmcrypt, at least for the moment.

There was a fairly long thread on the subject on the dmcrypt mailing list recently, you should check it out.
There seem to be some security concerns with the use of TRIM, some of it looks overly paranoid, but a few points make real sense.
_________________
"You have to invite me in"

mbar · Veteran Joined: 19 Jan 2005 Posts: 1990 Location: Poland

Thanks.

ssteinberg · Apprentice Joined: 09 Jul 2010 Posts: 206 Location: Israel

Bringing this back up.
What is the status at the moment? Getting some conflicting results from Google. I don't mind the security flaw of non-random data from free blocks. I do mind no-TRIM on my SSD. So, dm-crypt with ext4+discard. Possible?

ssteinberg · Apprentice Joined: 09 Jul 2010 Posts: 206 Location: Israel

Surely this is a relevant topic to some of us. dm-crypt + TRIM on SSDs?

lkraav · Posted: Fri Apr 08, 2011 10:25 pm Post subject:

watching this as well. i'm not digging the massive performance drop, where, what layer exactly does this massive slowdown come from right now? is it fixable and to what extent?

Moriah · Posted: Thu Sep 08, 2011 1:04 am Post subject:

I too am watching this. I am running dm-crypt with luks to encrypt the entire ssd in my laptop. I boot from a usb stick using a pass phrase. This gives me 2 factor authentication. I run lvm on top of dm-crypt, then xfs on top of lvm. I need lvm snapshots, but only in read-only mode. This is for backup. All dm-crypt and lvm runs on the same drive; there is usually opnly one drive in the laptop, although I have a second sata slot. If I use the second sata slot, it is for a seperate removable drive, so lvm only applies to one drive at a time, as does dm-crypt.

I would like to change to ext4 and use trim, but I hear there are problems with lvm snapshots, and with dm-crypt.

What is the current status of all this?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

lkraav · Posted: Thu Sep 08, 2011 8:29 am Post subject:

some reading from dm-crypt core dev in the meanwhile: http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html

Moriah · Posted: Mon Sep 12, 2011 3:48 pm Post subject:

That was a good and thought provoking article.

What happens if a SSD is cleaned via data security erase (everything gets set to zero) and is then used with dm-crypt? If I leave everything set to zeros, I start out with the same problem (almost) as when I use TRIM. If I write random data to the disk, and fill it up, prior to using dm-crypt with a filesystem, then I have clobbered the free pool and destroyed my fast write time capability. Is there a solution?

Perhaps SSD and full disk encryption were just not made for each other?

_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

tholin · Apprentice Joined: 04 Oct 2008 Posts: 203

Cryptsetup+trim is supported in kernel-3.1 and cryptsetup built from repo. Use the --allow-discards argument when doing luksOpen.

Moriah · Posted: Wed Sep 14, 2011 6:35 pm Post subject:

That is useful advice, but that doesn't answer the question about being able to see the sectors that are all zeros because they have been trimmed, nor the question about using up all the pre-erased free blocks by using dd to copy an image to the drive, or to copy /dev/random to the drive before setting it up for LUKS/dm-crypt.

_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.