
Re: how to enable trim for an external encrypted SSD?




On 2017-11-06 13:09, Joerg Desch wrote:
> Now I have bought a SanDisk Extreme Portable SSD. My goal is to add a
> LUKS encrypted partition without an explicit fstab entry. I've done this
> with some USB thumbdrives before, but not with TRIM support. The drive
> should be plugged into any Linux device without the need to change the
> configuration.
>
> What is the correct way to add TRIM support to an external SSD with LUKS
> encrypted partition?

I don't think what you want is possible. When you plug in an external drive
(that is _not_ in /etc/fstab etc.) the process of how it gets mounted
is different:

 - For configured drives (/etc/fstab etc.) the init system (e.g.
   systemd, but also initscripts when you are using sysvinit) will
   read /etc/crypttab and /etc/fstab and apply those options to
   the LUKS container and the filesystem.

 - For non-configured drives the 'udisks' helper program will
   enable the user to decrypt & mount those devices.

Now, at least the ext4 filesystem allows you to set default mount
options, such as 'discard':

   tune2fs -o +discard /dev/external_disk_device

btrfs on the other hand tries to auto-detect SSDs and enable
discard automatically if on an SSD - but I have no idea whether that
works under LUKS or not.

But all that doesn't really help you if the underlying LUKS container
isn't opened with the discard option set. And as far as I know there
is no possibility of tagging a LUKS container with that option, you
must always supply that option to the cryptsetup command (which is
done implicitly via /etc/crypttab).

And while you might be able to reconfigure udisks to pass the discard
option to cryptsetup (though I'm also doubtful about that), that
configuration would have to happen on each individual computer, and
can't be put onto the external drive.

In summary:

 - If your filesystem is not encrypted, btrfs out of the box, and
   ext4 with the proper option set, should make it possible to
   automatically enable mounting with the correct option.

 - But I don't know of any method to tag a LUKS container so that it
   is opened with TRIM support by default.

Hence I don't think what you want is possible with the current state
of affairs, unfortunately. Sorry.

You could ask the LUKS developers to include an additional flag in
their headers that allows you to specify that this volume should be
opened with discards allowed by default - to maybe solve this in the
very long term. No idea how amenable they'd be towards that though,
as they do discourage the usage of TRIM in LUKS because it weakens
possible security guarantees somewhat.

Regards,
Christian
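
A check for the point made in the message above: a filesystem-level `discard` default does nothing unless the dm-crypt mapping itself was opened with discards allowed. This is an added example, not part of the original thread; the function names and sample lines are constructed, and the assumed inputs are the output of `dmsetup table <name>` and a line from /etc/crypttab.

```shell
#!/bin/sh
# Added example. All sample lines are constructed; on a real system use the
# output of `dmsetup table <name>` (root) and the matching /etc/crypttab line.

# dm-crypt table line layout:
#   start length crypt cipher key iv_offset device offset [count opt ...]
# Prints: allowed | blocked | not-crypt
crypt_discard_state() {
    set -- $1                        # split the line into fields
    if [ "$3" != "crypt" ]; then echo "not-crypt"; return 0; fi
    if [ "$#" -lt 10 ]; then echo "blocked"; return 0; fi
    shift 9                          # 8 mandatory fields + option count
    for opt in "$@"; do
        if [ "$opt" = "allow_discards" ]; then echo "allowed"; return 0; fi
    done
    echo "blocked"
}

# crypttab line layout: name device keyfile options (comma-separated)
# Prints: yes | no
crypttab_has_discard() {
    case "$1" in "#"*) echo "no"; return 0 ;; esac   # commented-out entry
    set -- $1
    case ",$4," in
        *,discard,*) echo "yes" ;;
        *)           echo "no" ;;
    esac
}

# Constructed samples (placeholder key reference and UUID).
TABLE_TRIM='0 1953519616 crypt aes-xts-plain64 :64:logon:cryptsetup:PLACEHOLDER-d0 0 8:17 32768 1 allow_discards'
TABLE_NOTRIM='0 1953519616 crypt aes-xts-plain64 :64:logon:cryptsetup:PLACEHOLDER-d0 0 8:17 32768'
TABLE_LINEAR='0 409600 linear 8:17 2048'
CRYPTTAB_TRIM='ext_ssd UUID=PLACEHOLDER none luks,discard'
CRYPTTAB_NOTRIM='ext_ssd UUID=PLACEHOLDER none luks'

for t in "$TABLE_TRIM" "$TABLE_NOTRIM" "$TABLE_LINEAR"; do
    echo "mapping: $(crypt_discard_state "$t")"
done
for c in "$CRYPTTAB_TRIM" "$CRYPTTAB_NOTRIM"; do
    echo "crypttab discard option: $(crypttab_has_discard "$c")"
done
```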