This step by step walkthrough will let you take advantage of the TRIM technology for your encrypted SSD partitions for cryptsetup 1.4 or higher and kernel 3.1 or higher. This leads to a hassle-free SSD experience because
"TRIM enables the SSD to handle garbage collection overhead, that would otherwise significantly slow down future write operations to the involved blocks, in advance."
Example Setup
Notebook with SSD as the single drive, Linux installed in single ext4 LVM root partition with LVM swap partition, both over LUKS encrypted logical partition.
SSD: /dev/sda
sudo fdisk -l /dev/sda /dev/sda1 # boot partition (83) (unencrypted, ext4) /dev/sda2 # extended partition /dev/sda5 # logical partition (83) with LUKS encryption
ls /dev/mapper /dev/mapper/sda5_crypt # encrypted LUKS device in physical /dev/sda5 partition /dev/mapper/volumegroup-root # root partition sda5_crypt /dev/mapper/volumegroup-swap # swap partition sda5_crypt
HowTo
- Make a backup of all your data. You're messing with your file system so having a backup is simply a good idea.
- Make sure you have the required kernel and cryptsetup versions (3.1 & 1.4, e.g. in Ubuntu 12.04, beware though, at time of writing 12.04 is still beta).
- Add discard parameter to the file system options of the encrypted LVM volume(s) in your /etc/fstab file. This makes the file system of your LVM partition aware that you want to use TRIM.
/dev/mapper/volumegroup-root / ext4 discard,noatime,nodiratime,errors=remount-ro 0 1
- The last step is not enough though. As long as LUKS is not aware that you want to use TRIM it will effectively block all TRIM operations coming from the LVM partition's file system, for security reasons. Add discard parameter to the cryptdevice options in /etc/crypttab to make LUKS accept the discard behavior of the LVM partition.
sda5_crypt UUID=e364d03f-[...]6cd7e none luks,discard
- Rebuild your initramfs. The crypttab options are stored there and used on boot.
sudo update-initramfs -c -k all
- Reboot.
- Check if TRIM is now active.
sudo dmsetup table /dev/mapper/sda5_crypt --showkeys
- If the last command shows a result like this (1 allow_discards at the end) you're all set.
0 77656056 crypt aes-cbc-essiv:sha256 abc[...]c7a0c 0 8:5 2056 1 allow_discards
Result
TRIM is activated. Enjoy your hassle-free SSD!
15 comments:
I've tried to activate trim with no success. Crypt with showkeys showed that trim is not activated.
Ubuntu 11.04
Kernel 3.1.4
Cryptsetup 1.4.2
Could you post more details about your hardware, partitions and outputs for the steps you took?
Thanks!
You're welcome. Glad to be of help.
Thanks
followed your instruction,trim is working
12.04 X64 Alternate Disk Whole Disk Encrypted Option Install OCZ 128GB Octane. Works Great. You Rock. Whos the man, cmon admit, its you. WTG. Thanks!
Using this may reduce the security of the encryption to a degree. Empty space will show as true zeros.
Thanks for the info.
Can you add the trim support after the filesystem is in place, and has been for a while, or should this be done during the install process.
I am curious what happens about data that is deleted pre-trim. I assume the controller on the drive will manage this appropriately - any advice/knowledge?
Thanks for the thanks. :) It's nice to see that this little post actually helped others.
@Rodney: you're absolutely right, this potentially decreases the security level. Which is why this probably may never be active by default.
@#8: you can add the trim support whenever, as long as you are running a setup with LVM over LUKS. As to what happens with data that is deleted "pre-trim": my guess is it's marked as deleted but not really deleted, which is why an encrypted drive without TRIM is actually more secure, because you don't get blocks with no data in between your encrypted data. Over time the SSD is filled up with such "marked as deleted" data which doesn't just get overwritten with new data though - slowing down writes.
As I said, this is just a guess. Corrections and pointers to other sources would be welcome.
I do not think these steps will work. LVM has to pass the trim command down the stack to luks. The LVM version in 12.04 does not support this.
http://askubuntu.com/questions/191914/how-should-i-configure-trim-support-for-lvm-logical-volumes
One thing that would stop this working is if you are trying to use the discard option with an ext3 filesystem. As I found out the hard way, this is not supported and will not work.
Just in case anyone else tries this and wonders what happened...
Thanks! I'm wondering, after following these instructions, is it still necessary to have a cron job to trim the disk on Ubuntu 14.04? Or the trimming is done automatically after every file delete?
Thank you for the guide, this is great!
If there already is an initramfs image, you may have to change the -c (create) to -u flag:
sudo update-initramfs -u -k all
Ubuntu 14.04.2 LTS using Crucial M4 512GB SSD
/dev/sda1 ntfs
/dev/sda2 bitlocker
/dev/sda3 ext3 /boot
/dev/sda4 luks (/dev/mapper/sda4-crypt with lvm2 pv and / and swap lv's)
Followed all the instructions but steps 7 and 8 were still not showing allow_discards.
The thing that finally fixed it was this:
Update /etc/default/grub
Add the discard option to the line that says GRUB_CMDLINE_LINUX
sudo update-grub
Reboot.
All works perfectly now.
I have checked with a fresh 17.10. installation. Trim is enabled with ext4 by default now:
$ sudo dmsetup table /dev/mapper/nvme0n1p5_crypt --showkeys
0 498612224 crypt aes-xts-plain64 7b088419edebfed988cfbdd6fc56febd8874258ea53061585e80d36ca46d5abdb73dc1cf2ee8ad5e95699edb7f2a990941ad622e7492a16b1d065fc789c02b8f 0 259:3 4096 1 allow_discards
Post a Comment