You are not logged in.
- Topics: Active | Unanswered
#1 2013-02-12 18:59:32
- jik779
- Member
- From: Germany
- Registered: 2012-08-04
- Posts: 17
Migrating installed unencrypted Arch to a dm-crypt-setup on a SSD+TRIM
Hi Guys!
My current installation looks as follows:
My Archs / is installed on sda5 (in a extended partion sda3, sda1/2 are windows partitions).
/ is not encrypted, my ~ is encrypted with eCryptfs.
sda is a SSD (OCZ Vertex 2).
I also have a hard-disk at sdb, which has sufficient space for the content of my /.
I want to use a full-partition encryption ( like described here: https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS ). According to this, since version 3.1, the linux kernel supports TRIM'ing of SSD's. I'm aware that this is not as secure as not-trimming, but i'll take the risk.
My problem is that i don't know how i should achieve that with all my old stuff intact, nor how to make sure that i use the correct cryptsetup-params to make the new partition trimmable.
1. I'd guess i copy both my decrypted home and the rest of the partition to my sdb. How to make sure that permission etc. will survive that?
2. Can I follow a 'normal' cryptsetup-tutorial to set the encrypted partition up and will then be able to use the :allow-discards-option and be fine? Or do I have to follow a specific installation routine to make the partition trimable? The wiki I mentiond earlier is not so clear about that.
3. Can you give me hints, curlpits that may wait for me or otherwise a bit hope that everything is going to work? 
Regards,
Michael
Last edited by jik779 (2013-02-12 19:03:15)
Offline
#2 2013-02-12 22:54:50
- the sad clown
- Member
- From: 192.168.0.X
- Registered: 2011-03-20
- Posts: 837
Re: Migrating installed unencrypted Arch to a dm-crypt-setup on a SSD+TRIM
Someone who knows more than me will hopefully pipe in, but I've been thinking about encrypting my HDD as well. My suggestion would be to use a VM and practice on an installation you don't care about to get familiar with it.
I laugh, yet the joke is on me
Offline
#3 2013-02-13 23:11:15
- Strike0
- Member
- From: Germany
- Registered: 2011-09-05
- Posts: 1,486
Re: Migrating installed unencrypted Arch to a dm-crypt-setup on a SSD+TRIM
A couple of things to your questions:
1. A Luks blockdevice has nothing to do with permissions. Just backup your system correctly and restore it onto the encrypted partition. Please see the backup wiki for such a general question. Also look at the discussion page: https://wiki.archlinux.org/index.php/Ta … 2012.07.15
which contains some links to bbs threads covering such. Along the.sad.clown's suggestion, nothing hinders you to test restoring to a VM too.
2. Yes. You can turn on/off discards anytime, do it manually or via mount option, as you like (if your SSD supports it generally).
3. Common culprit: Plan your partitioning. In particular if you need LVM or not, as changing that afterwards (e.g. from a single / system + /boot) means backup / restore again.
One hint not on the wiki or other threads here yet - the new cryptsetup just rolled in this week with a great new feature:
cryptsetup benchmarkshows you CPU encryption throughput for your system for the various ciphers. In particular if you have a fast SSD and a slow CPU, it helps to make an informed choice not to slow down io throughput.
Offline
#4 2013-02-20 23:47:16
- hunterthomson
- Member
- Registered: 2008-06-22
- Posts: 794
- Website
Re: Migrating installed unencrypted Arch to a dm-crypt-setup on a SSD+TRIM
Yes, backup. You can use tar to backup. It will backup everything except extended attributes (xattr) and SElinux flags. It will backup Sticky-Bit and stuff. On a normal Arch install you are not using xattr's though.... I am 98% sure.
Yes, you just edit /etc/default/grub and add this to make sure it has TRIM enabled. Then rebuild the gurb.cfg
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdaX:root:allow-discards"I have a LVM-on-LUKS setup.
Here are my notes on how I set it up. Take what you need (don't copy & past 
)
Owe, and from what I read it is not necessary to "--align-payload" with ether cryptsetup or LVM2 these days. Both are suppose to align to 1MB my default.
cryptsetup -h sha512 -c aes-xts-plain64 -y -s 512 luksFormat --align-payload=8192 /dev/sdb2
cryptsetup --allow-discards luksOpen /dev/sdb2 root
pvcreate /dev/mapper/root
vgcreate VolGroup00 /dev/mapper/root
lvcreate -L 8G VolGroup00 -n lvolroot
mkfs.ext4 -b 4096 -E stride=128,stripe-width=128 /dev/mapper/VolGroup00-lvolhomeOne more cool thing. You know, if you have /boot and GRUB installed on a USB stick you don't have to partition your SSD/HDD at all. You can encrypt ALL of /dev/sda and then ether put LVM, GPT, MBR, or simply a file-system right on top of the /dev/mapper/root
I don't really see much of a reason to do that but it would be cool
Last edited by hunterthomson (2013-02-21 00:08:41)
OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
Offline