Skip to content

Debian, dmcrypt and SSD TRIMming

Spent an hour or so this morning wondering how to get my Debian initramfs to activate my LUKS-encrypted partition with --allow-discards. I know it's less secure, but as long as wrenches are still cheap I'm fine with sub-standard security if it means my hardware will perform better for longer. :-)

The trick is to add a flag "discard" to your crypttab, like this:

wilmer@peer:~$ cat /etc/crypttab
sda2_crypt /dev/sda2 none luks,discard

And then of course rebuild your initramfs (update-initramfs -u) and reboot, etc.

You do need cryptsetup 1.4 or higher for this to work. I had to manually install that package (only twenty or so days old) from sid on my testing laptop.


No Trackbacks


Display comments as Linear | Threaded

Wildy on :

How are the speeds on an SSD with dm-crypt? Is the performance hit really noticeable?

Wilmer on :

To be honest I haven't measured it.. Disk performance is rarely an issue for me since I believe disk performance is only important if you have too little memory to fit most things into cache. :>

I'd still guess that dm-crypt can keep up with average SSDs throughput-wise on a recent machine?

Bob on :

Thanks for the post.

One question though: is it sufficient to have "discard" in your crypt-tab or does the creation of the encrypted volume need to be made with --allow-discards?

In other words, I installed debian on a crypt volume, and then added "discard" to my crypttab. Am I trimming or not?

Wilmer on :

Hm. It's a good question.

IIRC I've verified that this works with mke2fs and/or lvremove, which reported success (while the ioctl previously failed).

I do hope that, if --allow-discards is necessary as well, the ioctl would keep failing.

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.

BBCode format allowed
Form options