Friday, April 13, 2012

How to Activate TRIM on LUKS Encrypted Partitions in Ubuntu & Debian

This step by step walkthrough will let you take advantage of the TRIM technology for your encrypted SSD partitions for cryptsetup 1.4 or higher and kernel 3.1 or higher. This leads to a hassle-free SSD experience because

"TRIM enables the SSD to handle garbage collection overhead, that would otherwise significantly slow down future write operations to the involved blocks, in advance."

Example Setup

Notebook with SSD as the single drive, Linux installed in single ext4 LVM root partition with LVM swap partition, both over LUKS encrypted logical partition.

SSD: /dev/sda

sudo fdisk -l /dev/sda
/dev/sda1               # boot partition (83) (unencrypted, ext4)
/dev/sda2               # extended partition
/dev/sda5               # logical partition (83) with LUKS encryption
ls /dev/mapper
/dev/mapper/sda5_crypt         # encrypted LUKS device in physical /dev/sda5 partition
/dev/mapper/volumegroup-root   # root partition sda5_crypt
/dev/mapper/volumegroup-swap   # swap partition sda5_crypt

HowTo

  1. Make a backup of all your data. You're messing with your file system so having a backup is simply a good idea.
  2. Make sure you have the required kernel and cryptsetup versions (3.1 & 1.4, e.g. in Ubuntu 12.04, beware though, at time of writing 12.04 is still beta).
  3. Add discard parameter to the file system options of the encrypted LVM volume(s) in your /etc/fstab file. This makes the file system of your LVM partition aware that you want to use TRIM.
    /dev/mapper/volumegroup-root    /    ext4    discard,noatime,nodiratime,errors=remount-ro    0    1
    
  4. The last step is not enough though. As long as LUKS is not aware that you want to use TRIM it will effectively block all TRIM operations coming from the LVM partition's file system, for security reasons. Add discard parameter to the cryptdevice options in /etc/crypttab to make LUKS accept the discard behavior of the LVM partition.
    sda5_crypt UUID=e364d03f-[...]6cd7e none luks,discard
    
  5. Rebuild your initramfs. The crypttab options are stored there and used on boot.
    sudo update-initramfs -c -k all
  6. Reboot.
  7. Check if TRIM is now active.
    sudo dmsetup table /dev/mapper/sda5_crypt --showkeys
    
  8. If the last command shows a result like this (1 allow_discards at the end) you're all set.
    0  77656056  crypt  aes-cbc-essiv:sha256  abc[...]c7a0c  0  8:5  2056  1  allow_discards
    

Result

TRIM is activated. Enjoy your hassle-free SSD!

15 comments:

Evg said...

I've tried to activate trim with no success. Crypt with showkeys showed that trim is not activated.

Ubuntu 11.04
Kernel 3.1.4
Cryptsetup 1.4.2

nem said...

Could you post more details about your hardware, partitions and outputs for the steps you took?

Anonymous said...

Thanks!

nem said...

You're welcome. Glad to be of help.

Anonymous said...

Thanks
followed your instruction,trim is working

Anonymous said...

12.04 X64 Alternate Disk Whole Disk Encrypted Option Install OCZ 128GB Octane. Works Great. You Rock. Whos the man, cmon admit, its you. WTG. Thanks!

Rodney said...

Using this may reduce the security of the encryption to a degree. Empty space will show as true zeros.

Anonymous said...

Thanks for the info.

Can you add the trim support after the filesystem is in place, and has been for a while, or should this be done during the install process.

I am curious what happens about data that is deleted pre-trim. I assume the controller on the drive will manage this appropriately - any advice/knowledge?

nem said...

Thanks for the thanks. :) It's nice to see that this little post actually helped others.

@Rodney: you're absolutely right, this potentially decreases the security level. Which is why this probably may never be active by default.

@#8: you can add the trim support whenever, as long as you are running a setup with LVM over LUKS. As to what happens with data that is deleted "pre-trim": my guess is it's marked as deleted but not really deleted, which is why an encrypted drive without TRIM is actually more secure, because you don't get blocks with no data in between your encrypted data. Over time the SSD is filled up with such "marked as deleted" data which doesn't just get overwritten with new data though - slowing down writes.

As I said, this is just a guess. Corrections and pointers to other sources would be welcome.

Anonymous said...

I do not think these steps will work. LVM has to pass the trim command down the stack to luks. The LVM version in 12.04 does not support this.

http://askubuntu.com/questions/191914/how-should-i-configure-trim-support-for-lvm-logical-volumes

Andrew W said...

One thing that would stop this working is if you are trying to use the discard option with an ext3 filesystem. As I found out the hard way, this is not supported and will not work.

Just in case anyone else tries this and wonders what happened...

ajn said...

Thanks! I'm wondering, after following these instructions, is it still necessary to have a cron job to trim the disk on Ubuntu 14.04? Or the trimming is done automatically after every file delete?

leo said...

Thank you for the guide, this is great!

If there already is an initramfs image, you may have to change the -c (create) to -u flag:

sudo update-initramfs -u -k all

Shawn said...

Ubuntu 14.04.2 LTS using Crucial M4 512GB SSD
/dev/sda1 ntfs
/dev/sda2 bitlocker
/dev/sda3 ext3 /boot
/dev/sda4 luks (/dev/mapper/sda4-crypt with lvm2 pv and / and swap lv's)

Followed all the instructions but steps 7 and 8 were still not showing allow_discards.

The thing that finally fixed it was this:
Update /etc/default/grub
Add the discard option to the line that says GRUB_CMDLINE_LINUX

sudo update-grub

Reboot.

All works perfectly now.

Anonymous said...

I have checked with a fresh 17.10. installation. Trim is enabled with ext4 by default now:
$ sudo dmsetup table /dev/mapper/nvme0n1p5_crypt --showkeys
0 498612224 crypt aes-xts-plain64 7b088419edebfed988cfbdd6fc56febd8874258ea53061585e80d36ca46d5abdb73dc1cf2ee8ad5e95699edb7f2a990941ad622e7492a16b1d065fc789c02b8f 0 259:3 4096 1 allow_discards