Debian, dmcrypt and SSD TRIMming

Spent an hour or so this morning wondering how to get my Debian initramfs to activate my LUKS-encrypted partition with --allow-discards. I know it's less secure, but as long as wrenches are still cheap I'm fine with sub-standard security if it means my hardware will perform better for longer. :-)

The trick is to add the "discard" option to the options field of the volume's entry in your crypttab, like this:

wilmer@peer:~$ cat /etc/crypttab
sda2_crypt /dev/sda2 none luks,discard

And then of course rebuild your initramfs (update-initramfs -u) and reboot, etc.

You do need cryptsetup 1.4 or higher for this to work. I had to manually install that package (only twenty or so days old) from sid on my testing laptop.
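To confirm after the reboot that the mapping really passes discards through, the following is an added example (not part of the original post). It checks the crypttab options field and the optional parameters of a `dmsetup table` line; the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a dm-crypt mapping was opened with discards enabled.

# crypttab_has_discard NAME [FILE]
# Succeeds if the entry NAME lists "discard" in its options (4th) field.
# FILE defaults to /etc/crypttab; "-" reads the file from stdin.
crypttab_has_discard() {
    awk -v name="$1" '
        $1 == name {                      # comment lines start with "#", so never match
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "discard") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "${2:-/etc/crypttab}"
}

# table_allows_discards
# Reads the output of `dmsetup table NAME` on stdin. Line layout:
#   start length crypt cipher key iv_offset device offset [count opt...]
# Succeeds if the target is "crypt" and "allow_discards" is among the options.
table_allows_discards() {
    awk '
        $3 == "crypt" {
            for (i = 10; i <= NF; i++)
                if ($i == "allow_discards") found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# check_mapping NAME: run both checks on the live system (needs root).
check_mapping() {
    crypttab_has_discard "$1" || { echo "$1: no discard option in crypttab"; return 1; }
    dmsetup table "$1" | table_allows_discards \
        || { echo "$1: mapping is active without allow_discards"; return 1; }
    echo "$1: discards are passed through"
}

# Constructed sample input (key shown as zeros, sizes made up).
SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
sda2_crypt /dev/sda2 none luks,discard
sdb1_crypt /dev/sdb1 none luks'
SAMPLE_TABLE_ON='0 487806976 crypt aes-cbc-essiv:sha256 00000000 0 8:2 4096 1 allow_discards'
SAMPLE_TABLE_OFF='0 487806976 crypt aes-cbc-essiv:sha256 00000000 0 8:2 4096'
```

On a real machine, run `check_mapping sda2_crypt` as root; a mapping that was opened before the crypttab change keeps its old table until it is reopened, which for the root volume means rebuilding the initramfs and rebooting.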


Wildy on :

How are the speeds on an SSD with dm-crypt? Is the performance hit really noticeable?

Wilmer on :

To be honest I haven't measured it. Disk performance is rarely an issue for me since I believe disk performance is only important if you have too little memory to fit most things into cache. :>

I'd still guess that dm-crypt can keep up with average SSDs throughput-wise on a recent machine?

Bob on :

Thanks for the post.

One question though: is it sufficient to have "discard" in your crypttab or does the creation of the encrypted volume need to be made with --allow-discards?

In other words, I installed Debian on a crypt volume, and then added "discard" to my crypttab. Am I trimming or not?

Wilmer on :

Hm. It's a good question.

IIRC I've verified that this works with mke2fs and/or lvremove, which reported success (while the ioctl previously failed).

I do hope that, if --allow-discards is necessary as well, the ioctl would keep failing.

