Fedora 26 Planning To Enable TRIM/Discard On Encrypted Disks

    Phoronix: Fedora 26 Planning To Enable TRIM/Discard On Encrypted Disks

    One of the latest Fedora 26 changes being worked on is enabling TRIM/Discard by default for newly-created encrypted disks via dm-crypt...

    http://www.phoronix.com/scan.php?pag...d-TRIM-Discard

  • #2
    Typo:

    Originally posted by phoronix View Post
    by default foe newly-created



    • #3
      Originally posted by tildearrow View Post
      Typo:
      Thanks.
      Michael Larabel
      http://www.michaellarabel.com/



      • #4
        Enabling TRIM/discard should increase I/O performance, assuming you don't have any problematic solid-state drive.
        Has anyone had issues on Linux using SSDs and TRIM? I mean "personally had issues"?



        • #5
          Originally posted by aht0 View Post
          Has anyone had issues on Linux using SSDs and TRIM? I mean "personally had issues"?
          How could we? The absence of TRIM only slows down writes (which isn't even the majority of operations on a typical home computer) and may lead to increased wear over time.

          That aside, instead of praising individual distros for enabling trim in this and that scenarios, I think we should shame all distros that are missing this feature.



          • #6
            Windows had TRIM on bitlocker since 2009.



            • #7
              Hmm, my gut feeling is that TRIM shouldn't be used for encrypted volumes - it will leak information about the content of the volume. Ideally, it shouldn't be possible for an attacker to determine where the actual data is on the volume - unused space should be filled with something indistinguishable from encrypted data (such as other data, encrypted using a randomly-generated key).



              • #8
                Originally posted by molletts View Post
                Hmm, my gut feeling is that TRIM shouldn't be used for encrypted volumes - it will leak information about the content of the volume. Ideally, it shouldn't be possible for an attacker to determine where the actual data is on the volume - unused space should be filled with something indistinguishable from encrypted data (such as other data, encrypted using a randomly-generated key).
                This has generally been the reason given for not having it enabled by default with encrypted volumes. My experience over the years that I've had SSDs in my systems and also using encrypted volumes is that not turning it on ends up meaning that eventually I start hating life because my write speeds become abysmal. As such, enabling TRIM pass through is one of the first things I do when setting up a new system that has SSDs and encrypted volumes.



                • #9
                  The general information I've seen is enabling trim on dm-crypt devices is still a major security concern: See arch wiki pages here and here. I'd want to verify these concerns are all addressed before I'd trust this and expose possible leaks.



                  • #10
                    Originally posted by garegin View Post
                    Windows had TRIM on bitlocker since 2009.
                    Linux has had TRIM on dm-crypt devices for a long time. The current Fedora change is about activating it by default, trading performance against security. The default behavior was to trade security against performance, and the decision belonged to the user (the behavior can be changed after the volume creation). Enabling TRIM on an encrypted device creates holes on the device revealing where the sensitive data is. Also, TRIM must be avoided if you hide an encrypted volume inside a visible encrypted volume: the visible one will destroy the hidden one at TRIM time.

                    The problem with not trimming an encrypted SSD is premature degradation and performance issues. It can be worked around for some time if you don't allocate the whole SSD, leaving enough space to give the underlying wear-leveling algorithm enough reserve to work for as long as you need it to. This workaround is not as good as enabling TRIM on the whole surface, and the premature degradation is timed by the size of your reserve instead of the size of the whole unused part of your volume, but it's a cheap way to trade security first, performance second, against available space.

                    Edit: I noticed at work that Windows is not able to TRIM on Intel Matrix based RAID, something Linux can. So on Windows, if you want to add redundancy to your precious encrypted data storage, you can't TRIM. On Linux you can TRIM dm-crypt volumes on both mdadm and Intel Matrix based RAID. And if you don't encrypt, the easiest way to TRIM a Windows NTFS volume on Intel Matrix based RAID is to do it from Linux. Yes.
                    Last edited by illwieckz; 21 January 2017, 01:10 PM.
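The posts above (molletts on what discard leaks, illwieckz on the setting being changeable after the volume is created) turn on one question: is discard pass-through actually enabled on a given dm-crypt mapping? The script below is an added example, not code from the thread, from Fedora or from cryptsetup. It checks the two places the setting shows up: the options field of /etc/crypttab (boot-time configuration) and the optional `allow_discards` parameter in the live device-mapper table (`dmsetup table`). The crypttab entries, UUIDs and table lines it runs on are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the Phoronix thread, Fedora's change, or cryptsetup):
# report whether a dm-crypt mapping passes TRIM/discard through, and whether the
# boot-time configuration and the running mapping agree.
# All sample inputs below are constructed, not captured from a real system.

# Two /etc/crypttab entries: NAME DEVICE KEYFILE OPTIONS (options comma-separated).
SAMPLE_CRYPTTAB='luks-1234 UUID=1234-5678 none discard,luks
luks-9999 UUID=9999-0000 none luks'

# "dmsetup table" lines for a crypt target:
#   start length crypt cipher key iv_offset device offset [num_opts opt...]
# (the key is masked as zeros unless --showkeys is given). The trailing
# "1 allow_discards" is what cryptsetup open --allow-discards adds.
SAMPLE_DM_TABLE_ON='0 2097152 crypt aes-xts-plain64 00000000000000000000000000000000 0 8:3 4096 1 allow_discards'
SAMPLE_DM_TABLE_OFF='0 2097152 crypt aes-xts-plain64 00000000000000000000000000000000 0 8:3 4096'

# crypttab_has_discard NAME CRYPTTAB_TEXT
# Succeeds when the crypttab entry for NAME lists "discard" among its options.
crypttab_has_discard() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 == n {
            cnt = split($4, opts, ",")
            for (i = 1; i <= cnt; i++) if (opts[i] == "discard") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# dm_table_allows_discards TABLE_LINE
# Succeeds when the active crypt target was set up with allow_discards.
dm_table_allows_discards() {
    case " $1 " in
        *" allow_discards "*) return 0 ;;
        *) return 1 ;;
    esac
}

# discard_state NAME CRYPTTAB_TEXT TABLE_LINE
# Prints one of:
#   on            configured and active
#   off           neither
#   crypttab-only configured, but this mapping was opened without it
#                 (typically the initramfs was not rebuilt after editing crypttab)
#   table-only    active for this boot only; it will be lost on the next unlock
discard_state() {
    conf=0; live=0
    crypttab_has_discard "$1" "$2" && conf=1
    dm_table_allows_discards "$3" && live=1
    case "$conf$live" in
        11) echo on ;;
        10) echo crypttab-only ;;
        01) echo table-only ;;
        *)  echo off ;;
    esac
}

# On a real system (root needed) the same inputs come from:
#   dmsetup table --target crypt      # live mappings, one line per device
#   cat /etc/crypttab                 # boot-time configuration
# Enable for one session:   cryptsetup open --allow-discards DEVICE NAME
# Enable persistently: add "discard" to the options field of /etc/crypttab and
# rebuild the initramfs if that mapping is unlocked at early boot; the actual
# discards are then issued by fstrim (e.g. fstrim -v MOUNTPOINT, or fstrim.timer).
# Caveat from the thread: once enabled, trimmed regions are distinguishable from
# ciphertext, so an attacker with the raw device can see how much of the volume
# holds real data, and a hidden volume inside the free space would be destroyed.

discard_state luks-1234 "$SAMPLE_CRYPTTAB" "$SAMPLE_DM_TABLE_ON"    # on
discard_state luks-9999 "$SAMPLE_CRYPTTAB" "$SAMPLE_DM_TABLE_OFF"   # off
```

The mismatch states are the ones worth checking after changing the default: a `crypttab-only` result means the user believes discard is on while the mapping that was opened at boot still blocks it, and `table-only` means the opposite, a manually opened mapping that will silently revert.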
