Does LUKS encryption affect TRIM? (SSD and linux)

2014-04-07
  • Algific

    I'm moving over to Linux when the new SSD arrives. SSD gives increased performance, so I thought that I could encrypt everything.

    But then I came to think about TRIM, and garbage collection on the drive. Will a LUKS-encrypted drive affect the garbage collection system (TRIM)?

  • Answers
  • Algific

    I emailed them, and TRIM will not work, because the OS doesn't know where files are stored; only the encrypted system knows it, since the encryption comes first. I'll use TrueCrypt instead, on top of the file system for my home folder.

  • Zsub

    No. An empty block will still be listed as empty and thus be TRIMed.

    Even if your drive is encrypted, the drive itself knows nothing of the encryption, just where which data is (and which space isn't used at the moment). So it'll be fine.

    As for the performance, I don't know what the impact might be. It would seem that certain optimizations in the SSD might not work, but I cannot figure out which ones would require knowledge of the actual data, so there will probably be no impact from a storage point of view.
    Note that encryption requires extra CPU cycles, so the impact might be noticeable there.

  • ultrasawblade

    Most of the tutorials I've read about setting up LUKS drives ask you to fill the entire drive with random data first (e.g. with badblocks). This way an attacker cannot know which sectors contain data and which ones haven't been used yet. This information could be used to discover things about the data and correlate it with other time-based information, which could lead to a compromise.

    So, even if the LUKS modules supported sending groups of unused blocks to TRIM, you wouldn't want to do it anyway.

  • David Foerster

    From man 5 crypttab:

    Options

    discard

    Allow the use of discard (TRIM) requests for the device.

    WARNING: Assess the specific security risks carefully before enabling this option. For example, allowing discards on encrypted devices may lead to the leak of information about the ciphertext device (filesystem type, used space etc.) if the discarded blocks can be located easily on the device later.

    Kernel version 3.1 or more recent is required. For older versions the option is ignored.
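    The two crypttab forms the man page describes, plus a check for whether a mapping that is already open was set up with discards allowed. This is an added example, not part of the original answer or of cryptsetup itself; the device names, UUIDs and the sample `dmsetup table` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Shows the crypttab lines with
# and without 'discard' and a small parser over 'dmsetup table' output that
# reports whether a dm-crypt mapping passes TRIM through. Names, UUIDs and
# the sample table lines below are constructed.

# /etc/crypttab, one mapping per line:
#   <target>  <source>                        <key file> <options>
#   cryptroot UUID=0f1e2d3c-0000-0000-0000-000000000000 none luks          # default: TRIM blocked
#   cryptroot UUID=0f1e2d3c-0000-0000-0000-000000000000 none luks,discard  # TRIM passed through

# dm_allows_discards "<one line of 'dmsetup table' output>"
# A dm-crypt table line has the form
#   <start> <len> crypt <cipher> <key> <iv_offset> <device> <offset> [<n_opts> <opt>...]
# Returns 0 if the optional parameters include allow_discards, 1 if they do
# not, and 2 if the line is not a crypt target at all.
dm_allows_discards() {
    set -- $1                      # split the line into fields
    [ "$#" -ge 8 ] || return 2
    [ "$3" = "crypt" ] || return 2
    shift 8                        # drop the eight fixed fields
    for opt in "$@"; do
        [ "$opt" = "allow_discards" ] && return 0
    done
    return 1
}

# Constructed sample lines. The key shows as zeros, as dmsetup prints it
# without --showkeys.
NO_DISCARD='0 976773168 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:2 4096'
WITH_DISCARD='0 976773168 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:2 4096 1 allow_discards'
LINEAR='0 1048576 linear 8:1 2048'

# report NAME LINE -> one-line verdict for a mapping
report() {
    if dm_allows_discards "$2"; then
        echo "$1: discards allowed (TRIM reaches the SSD)"
    else
        echo "$1: discards blocked (TRIM stops at dm-crypt)"
    fi
}

# On a live system the line comes from:  dmsetup table cryptroot
# The same answer is visible in:         cryptsetup status cryptroot   (flags: discards)
report cryptroot "$NO_DISCARD"
report cryptroot "$WITH_DISCARD"
```

    Without the option, discards sent by the filesystem stop at the dm-crypt layer and never reach the SSD, which is the situation the first answer describes; with it, the discarded regions become observable on the raw device, which is the leak the warning refers to.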


  • Related Question

    When does Linux do SSD garbage collection?
  • Shane

    I'm trying to get an understanding of when my computer does garbage collection and frees up previously used blocks on the SSD.

    Is this a task handled by the OS or the SSD controller?
    Does this happen when I delete a file (permanently from trash), or does it wait until I try to overwrite that block?
    How does a journaling filesystem affect this drive's performance and maintenance?
    Does the system do anything special when my computer is idle and the screen is locked?
    How can I tell if my firmware and/or kernel support the TRIM command?

    For what it's worth, I'm using Ubuntu 9.04, 64-bit (kernel version 2.6.28-15-generic) and full disk encryption with LUKS. The SSD is a Dell 256GB with a Samsung controller with an ext3 filesystem for root and ext2 for boot. No other hard drives, no other OSes.

    I've read through the AnandTech article talking about TRIM and Intel and OCZ and pages and blocks, which is what prompted my question in the first place - I have no idea where my own setup falls in this analysis. While I'm interested in the answers to the above questions, I'm more interested in learning how to answer these questions, if that makes any sense.
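    The last of the questions above ("how can I tell if my firmware and/or kernel support the TRIM command?") can be answered from two places: the drive's ATA identify data, as printed by `hdparm -I`, and the block layer's per-device discard limits in sysfs (`lsblk -D` shows the same numbers). The following is an added example, not part of the original thread; the `hdparm -I` excerpts are constructed samples, and `/dev/sda` is a placeholder. Note that the 2.6.28 kernel named in the question predates the kernel's TRIM support, which arrived in 2.6.33, so on that system the sysfs check would report zero regardless of the drive.

```shell
#!/bin/sh
# Added example (not from the original thread): the checks behind "does my
# firmware and kernel support TRIM?", written as functions over the text the
# tools print so they can be exercised on constructed samples.

# 1. Drive side. `hdparm -I /dev/sda` lists a capability line when the SSD
#    implements the ATA DATA SET MANAGEMENT (TRIM) command.
drive_supports_trim() {
    # argument: the output of hdparm -I, as one string
    printf '%s\n' "$1" | grep -q 'Data Set Management TRIM supported'
}

# 2. Kernel/device side. The block layer publishes discard limits per device;
#    a nonzero /sys/block/<dev>/queue/discard_max_bytes means the kernel will
#    issue discards to that device (lsblk -D prints it as DISC-MAX).
#    For a dm-crypt mapping (/sys/block/dm-N/...) it stays 0 unless the
#    mapping was opened with discards allowed.
kernel_discard_ok() {
    # argument: the contents of .../queue/discard_max_bytes
    [ "$(( $1 + 0 ))" -gt 0 ]
}

# Constructed samples of hdparm -I output (capability section only)
HDPARM_SSD='Commands/features:
        Enabled Supported:
           *    SMART feature set
           *    Data Set Management TRIM supported (limit 8 blocks)
           *    Deterministic read ZEROs after TRIM'
HDPARM_HDD='Commands/features:
        Enabled Supported:
           *    SMART feature set
           *    48-bit Address feature set'

# trim_status HDPARM_OUTPUT DISCARD_MAX_BYTES -> one-line verdict
trim_status() {
    if ! drive_supports_trim "$1"; then
        echo "drive: no TRIM"
    elif ! kernel_discard_ok "$2"; then
        echo "drive: TRIM ok; kernel/device: discards disabled"
    else
        echo "TRIM usable"
    fi
}

# On a live system:
#   trim_status "$(hdparm -I /dev/sda)" "$(cat /sys/block/sda/queue/discard_max_bytes)"
# and, once both say yes, `fstrim -v /` trims a mounted filesystem on demand.
trim_status "$HDPARM_SSD" 2147450880
trim_status "$HDPARM_HDD" 2147450880
```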


  • Related Answers
  • Slink84

    There is a new article from Anand with more info about SSD magic :) I'd advise you to read it too. TRIM is explained in more detail there. In general, it says that trim is good, but:

    ...Unfortunately, no drives properly support TRIM yet...

    That support is only in beta firmware at the moment. So, if both your OS and controller firmware support TRIM, then it will work approximately this way: your OS will send that command to the SSD controller once some file is permanently deleted. Whether it will actually be trimmed at that moment or at some other time depends entirely on your drive's firmware implementation.

    If your OS doesn't support TRIM, then there is a chance that you can get a wiper tool from your drive manufacturer. You can read how that works here.

    If your drive controller doesn't support TRIM, then maybe you can get an update or some beta version of its firmware.

    Hope that helps.

  • drfrogsplat

    For what it's worth, I'm using Ubuntu 9.04, 64-bit (kernel version 2.6.28-15-generic) and full disk encryption with LUKS.

    Actually you may not want to use TRIM with full drive encryption, as it will indicate which parts of the disk you're not using by TRIMming them! This may make brute-forcing the passkey simpler if the unused regions of the disk are completely emptied.
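    Both the advice to pre-fill a drive with random data (ultrasawblade's answer above) and the leak drfrogsplat describes come down to the same observable: how much of the raw device reads back as all-zero blocks. Random pre-fill drives that count to zero; a later discard can bring it back up, since many SSDs return zeros for trimmed ranges (the ATA "deterministic read zero after TRIM" feature), although what a trimmed range reads as is otherwise drive-specific. The following is an added example, not from the original thread: it measures the zero-block share of a disk image and performs the random fill on it. Running it against a real device (`/dev/sdX`) is the same idea but needs root and reads the whole device; the 4 KiB block size is an assumption matching common filesystem block sizes.

```shell
#!/bin/sh
# Added example (not from the original thread). Counts how many blocks of an
# image are entirely zero, i.e. how much "this region is unused" structure an
# attacker can read off a LUKS container that was never pre-filled with
# random data or whose unused space was discarded. Also performs the random
# pre-fill the answers recommend. Operates on a file; for a real device the
# same commands apply with the device path.

BS=4096   # assumed block size; 4 KiB matches typical filesystem blocks

# zero_blocks FILE -> prints "<all-zero blocks> <total blocks>"
zero_blocks() {
    file=$1
    total=$(( $(wc -c < "$file") / BS ))
    zero=0
    i=0
    while [ "$i" -lt "$total" ]; do
        # tr strips NUL bytes; an all-zero block leaves nothing behind
        n=$(( $(dd if="$file" bs="$BS" skip="$i" count=1 2>/dev/null | tr -d '\000' | wc -c) ))
        if [ "$n" -eq 0 ]; then
            zero=$((zero + 1))
        fi
        i=$((i + 1))
    done
    echo "$zero $total"
}

# fill_random FILE -> overwrite FILE in place with random bytes, keeping its
# size. This is the plain-file equivalent of the usual
#   dd if=/dev/urandom of=/dev/sdX bs=4M
# pre-fill; on a whole device it takes as long as writing the device once.
fill_random() {
    file=$1
    blocks=$(( $(wc -c < "$file") / BS ))
    dd if=/dev/urandom of="$file" bs="$BS" count="$blocks" conv=notrunc 2>/dev/null
}

# zero_region FILE FIRST_BLOCK COUNT -> zero a block range, standing in for
# what a discarded range looks like on a drive that reads zeros after TRIM
zero_region() {
    dd if=/dev/zero of="$1" bs="$BS" seek="$2" count="$3" conv=notrunc 2>/dev/null
}

# Demonstration on a constructed 256 KiB image
demo() {
    img=$(mktemp)
    dd if=/dev/zero of="$img" bs="$BS" count=64 2>/dev/null
    echo "fresh image:        $(zero_blocks "$img")"   # every block is zero
    fill_random "$img"
    echo "after random fill:  $(zero_blocks "$img")"   # no structure visible
    zero_region "$img" 0 16
    echo "after 'discard':    $(zero_blocks "$img")"   # unused region shows again
    rm -f "$img"
}
```

    With a random pre-fill and discards blocked at dm-crypt, the second line is what an attacker with the raw device sees; enabling `discard` moves the picture toward the third line, which is the trade-off the crypttab warning asks you to assess.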