TRIM support via dm-crypt/device-mapper

ssd luks device-mapper
8,440

Solution 1

For the record, this functionality did NOT exist when I first posted this question. I asked on the mailing list and was informed by Milan Broz that discard passthrough for dm-crypt targets still had not been implemented. Milan indicated that he intended to implement this at some point, but did not state when.

After digging around in dm-crypt.c and related files for a while, it appeared that TRIM support would be fairly trivial to add. I wrote the list asking for their general advisement on the task before I jumped in. The next day, Milan submitted a patch that implements TRIM pass-through on dm-crypt and this has been staged into linux-next. It should be included in the Linux 3.1 kernel.

TRIM passthrough must be enabled explicitly. There are potential security issues in using TRIM on a dm-crypt'd device, because TRIM sends information about block usage to the firmware on the device which then marks recently freed areas as usable (as I understand it, anyway). This means that an interested party can derive information about patterns of disk usage. For instance, it was postulated that an attacker could almost definitely learn what filesystem was in use on the encrypted medium through this data. An attacker may also be able to learn more useful information, like that you had a lot of big files saved until recently (big contiguous TRIM'd blocks).

Please see these threads for reference:

http://www.redhat.com/archives/dm-devel/2011-June/msg00093.html

http://www.redhat.com/archives/dm-devel/2011-July/msg00042.html

http://www.redhat.com/archives/dm-devel/2011-July/msg00088.html

tl;dr: TRIM passthrough support for dm-crypt targets will exist in Linux >= 3.1 but must be enabled manually via cryptsetup and/or dmsetup due to data leakage that may allow profiling based on disk usage patterns.

Solution 2

As of kernel 3.2.x, dm-crypt + brtfs is supposed to be safe. See the reply to my question from Chris Mason:

http://permalink.gmane.org/gmane.comp.file-systems.btrfs/15554 and http://permalink.gmane.org/gmane.comp.file-systems.btrfs/15564

Share:
8,440

Related videos on Youtube

jeffcook2150
Author by

jeffcook2150

Updated on September 18, 2022

Comments

  • jeffcook2150
    jeffcook2150 almost 2 years

    Getting a new laptop with SSD tomorrow. I need to know about the current status of dm-crypt and TRIM. I have seen several conflicting reports and most activity around this question seems to be > 1 year old. Some say that dm-crypt TRIM passthrough has been included in multiple recent kernel versions (which is not a problem for me, since I use Arch). Some say that the support still does not exist. Can I get a clear, well-sourced answer on the status of dm-crypt TRIM support? git commits or mailing list announcements that mention this feature would be ideal.

    The answer to this question has big potential to influence the way I architect my new laptop's disks. Hopefully it will be useful to some others to have a decent, up-to-date answer.

  • jeffcook2150
    jeffcook2150 about 13 years
    Thanks, but that answer is still non-definitive and over a year old. I would like a definitive, recent answer. I guess I will have to mail the list, just hoping SU would be a quick shortcut :p
  • user1686
    user1686 about 13 years
    Well, if it already worked a year ago...
  • jeffcook2150
    jeffcook2150 about 13 years
    "I guess it works because my SSD is not slow" is not really a reliable indicator of whether TRIM support is actually functional.
  • user1686
    user1686 about 13 years
    Which is exactly what I have never said.
  • jeffcook2150
    jeffcook2150 almost 13 years
    That's what the post you've quoted says.
  • jeffcook2150
    jeffcook2150 almost 13 years
    Thanks honig, I had found that before. Please see the answer I just added, it provides detail on real discard support for dm-crypt targets.
  • Mitch McMabers
    Mitch McMabers over 3 years
    Thanks for the explanation! Most of us don't care if the "attacker" can guess what filesystem we use (due to the data layout on disk) or can guess that we've deleted lots of big files (lots of trim zeroed space). Those worries may matter for some corporation. But for home users, SSD health matters more: USE TRIM. Without TRIM, the SSD (yes, even "garbage collection" ones) will have to shuffle around all that dead, unused data in the wrongful belief that it may be used later. That leads to lots of useless writes and earlier SSD death. It also reduces SSD write-performance over time.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to check if TRIM is working for an encrypted volume?
Do you recommend LUKS encryption on a SSD (TRIM support)?
Slow SSD + dm-crypt with Luks encryption in Ubuntu 12.10
HDD & SSD Linux: Hard resetting link
Data access speed in LUKS encrypted partition
How can I tell if a encrypted (LUKS) device is already open?
What does `cryptsetup resize` do if LUKS doesn't store partition size?
How to install Ubuntu with LVM & LUKS on a SSD and use an LUKS encrypted HDD for data on a Dell Inspiron 7580
Does LUKS encryption affect TRIM? (SSD and linux)
New SSD, is the MBR broken? DISK BOOT FAILURE