
Enabling trim/discard on F16 using lvm on luks

asked 2012-01-20 06:37:05 -0500

audun

I recently installed Fedora 16 on my laptop, which has an SSD drive. During installation, I chose to encrypt the drive, and also to use lvm, resulting in /dev/sda1 for /boot and /dev/sda2 for luks, with LV mapped home, swap and root inside. Now, I'd like to use trim, but from what I gather, the calls are not allowed through some kind of dmcrypt layer by default, because of the security implications. I'm fine with the slightly reduced level of security though, and I still want TRIM.

I've been trying to read up on it, but I simply can't find any documentation I'm able to follow, and I don't have any understanding whatsoever of how the whole device mapper bootstrapping process works. I assume that at some point, a cryptsetup luksOpen call is made to open the encrypted drive/partition, which creates a /dev/mapper handle for it, which is then used by LVM to find the physical volume inside it and do its thing. Or something like that?

For non-encrypted configs, /etc/fstab seems to be the place to add trim using the discard parameter. But in my case, fstab only contains logical volumes (with the exception of boot). Should I add a discard option to each individual volume or is that superfluous? I.e. will LVM pass discards through by default or is it configured some other way?

Then there's /etc/crypttab. Could I set some form of discard option there? I googled my way to http://code.google.com/p/cryptsetup/wiki/DMCrypt but I'm not sure if the discard option mentioned there goes in crypttab? It's not mentioned in the man page.

I'm at a complete loss here. Any suggestions? :)


1 Answer


answered 2012-01-20 10:55:11 -0500

ZenDark

updated 2012-01-22 04:15:11 -0500

The discard option is a filesystem (ext4) option, so it should be transparent to the type of device (sdX or lvm)...

With trim you clean your free space by writing 0 to it, but luks must encrypt the content of your lvm partitions before writing to the physical disk. That 0 for free space in your logical volume could not be saved as 0 on your ssd disk, defeating the discard purpose.

But it seems you can trick luks into passing the trim to the ssd disk:

discard/TRIM support for solid state disks

Solid state disk users should be aware that by default, Linux's full-disk encryption mechanisms will not forward TRIM commands from the filesystem to the underlying disk. The device-mapper maintainers have made it clear that TRIM support will never be enabled by default on dm-crypt devices because of the potential security implications; if TRIM support were enabled, an attacker may be able to tell which blocks have been used, how many blocks have been used, and other information that is exposed directly to the device when a TRIM is issued.

It may be possible to determine the filesystem utilized by your encrypted device through the data that is leaked by TRIM. Furthermore, any information that may be derived by a profile of block usage may be exposed by enabling TRIM support on an encrypted device.

As of linux version 3.1, support for dm-crypt TRIM pass-through can be toggled upon device creation or mount with dmsetup. Support for this option also exists in cryptsetup version 1.4.0 and up. To add support during boot, you will need to add ":allow-discards" to the cryptdevice option. The option should look like this:

cryptdevice=/dev/mapper/root:root:allow-discards

For more information, including specific commands and details on dm-crypt TRIM pass-through, see these mailing list threads:

From: https://wiki.archlinux.org/index.php/SystemEncryptionwith_LUKS

How to Enable

Wait until Fedora 17...

Or try it patching F16...

First of all: back up all your data. This procedure is very experimental and I didn't test it. If something goes wrong you will lose all your encrypted data. You need:

- Kernel 3.1 or newer (you are covered with the Fedora 16 stock kernel)
- Cryptsetup 1.4.0 or newer (in Fedora 16 it is named cryptsetup-luks; it will be renamed in F17). The Fedora stock version is 1.3, so we need a more up-to-date package. You can download the newer packages from koji.

http://koji.fedoraproject.org/koji/buildinfo?buildID=284146

sudo yum remove cryptsetup-luks
sudo rpm -ivh cryptsetup-1.4.1-2.fc17.x86_64.rpm cryptsetup-libs-1.4.1-2.fc17.x86_64.rpm

After that, follow these instructions: http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/5166

sudo dmsetup table /dev/mapper/VolGroup-lv_root --showkeys
0 32636928 linear 8:3 8259584

sudo dmsetup load /dev/mapper/VolGroup-lv_root --table "0 32636928 linear 8:3 8259584 1 allow_discards"

sudo ...
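The answer's dmsetup steps edit a device-mapper table line by hand. The following is an added example, not code from the thread or from cryptsetup/Fedora, that does the same string manipulation offline so you can check what you are about to load before touching a live device. It assumes the dm-crypt table layout documented by the kernel (`<start> <len> crypt <cipher> <key> <iv_offset> <device> <offset> [<#opts> <opt>...]`), where allow_discards is an optional argument of the crypt target; the sample table line and its key are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit and rewrite dm-crypt table lines as printed by
# `dmsetup table --showkeys` (this is not code from the Ask Fedora answer).
# crypt target layout (kernel Documentation/device-mapper/dm-crypt.txt):
#   <start> <len> crypt <cipher> <key> <iv_offset> <device> <offset> [<#opts> <opt>...]

# Return 0 if the table line already has the allow_discards flag, 1 otherwise.
dm_table_allows_discards() {
    case " $1 " in
        *" allow_discards "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the table line with allow_discards added, keeping the optional-argument
# count correct. Only crypt targets take this flag; anything else is rejected.
# Calling it twice does not add the flag twice.
dm_table_add_allow_discards() {
    line=$1
    set -- $line
    [ "$3" = "crypt" ] || { echo "not a crypt target: $3" >&2; return 1; }
    if dm_table_allows_discards "$line"; then
        printf '%s\n' "$line"
        return 0
    fi
    head="$1 $2 $3 $4 $5 $6 $7 $8"
    if [ $# -le 8 ]; then
        # no optional arguments yet: count is 1
        printf '%s 1 allow_discards\n' "$head"
    else
        # optional arguments present: bump the count at field 9 and append
        n=$9
        shift 9
        printf '%s %d %s allow_discards\n' "$head" $((n + 1)) "$*"
    fi
}

# --showkeys prints the volume master key in field 5. Redact it before the
# line goes into a ticket, a log or a shell history you keep.
dm_table_redact_key() {
    set -- $1
    [ "$3" = "crypt" ] || { printf '%s\n' "$*"; return 0; }
    a=$1; b=$2; c=$3; d=$4
    shift 5
    printf '%s %s %s %s <redacted> %s\n' "$a" "$b" "$c" "$d" "$*"
}

# Constructed sample line (not a real device or key).
SAMPLE_TABLE="0 32636928 crypt aes-cbc-essiv:sha256 00112233 0 8:2 4096"

# Stand-alone demo: show the redacted input and the table you would hand to
# `dmsetup load ... --table "..."` followed by `dmsetup resume`.
dm_table_redact_key "$SAMPLE_TABLE"
dm_table_add_allow_discards "$SAMPLE_TABLE" | while read -r t; do dm_table_redact_key "$t"; done
```

The flag only changes what dm-crypt forwards; the filesystem still has to be mounted with discard (or trimmed with fstrim) for any TRIM to be issued, and, as the quoted Arch wiki text says, once it is forwarded the pattern of unused blocks becomes visible on the raw SSD.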

Stats

Asked: 2012-01-20 06:37:05 -0500

Seen: 6,160 times

Last updated: Jan 22 '12