You are not logged in.

#1 2013-02-12 18:59:32

From: Germany
Registered: 2012-08-04
Posts: 17

Migrating installed unencrypted Arch to a dm-crypt-setup on a SSD+TRIM

Hi Guys!

My current installation looks as follows:
My Archs / is installed on sda5 (in a extended partion sda3, sda1/2 are windows partitions).
/ is not encrypted, my ~ is encrypted with eCryptfs.
sda is a SSD (OCZ Vertex 2).
I also have a hard-disk at sdb, which has sufficient space for the content of my /.

I want to use a full-partition encryption ( like described here: ). According to this, since version 3.1, the linux kernel supports TRIM'ing of SSD's. I'm aware that this is not as secure as not-trimming, but i'll take the risk.

My problem is that i don't know how i should achieve that with all my old stuff intact, nor how to make sure that i use the correct cryptsetup-params to make the new partition trimmable.

1. I'd guess i copy both my decrypted home and the rest of the partition to my sdb. How to make sure that permission etc. will survive that?

2. Can I follow a 'normal' cryptsetup-tutorial to set the encrypted partition up and will then be able to use the :allow-discards-option and be fine? Or do I have to follow a specific installation routine to make the partition trimable? The wiki I mentiond earlier is not so clear about that.

3. Can you give me hints, curlpits that may wait for me or otherwise a bit hope that everything is going to work? wink



Last edited by jik779 (2013-02-12 19:03:15)


#2 2013-02-12 22:54:50

the sad clown
From: 192.168.0.X
Registered: 2011-03-20
Posts: 837

Re: Migrating installed unencrypted Arch to a dm-crypt-setup on a SSD+TRIM

Someone who knows more than me will hopefully pipe in, but I've been thinking about encrypting my HDD as well.  My suggestion would be to use a VM and practice on an installation you don't care about to get familiar with it.

I laugh, yet the joke is on me


#3 2013-02-13 23:11:15

From: Germany
Registered: 2011-09-05
Posts: 1,277

Re: Migrating installed unencrypted Arch to a dm-crypt-setup on a SSD+TRIM

A couple of things to your questions:
1. A Luks blockdevice has nothing to do with permissions. Just backup your system correctly and restore it onto the encrypted partition. Please see the backup wiki for such a general question. Also look at the discussion page: … 2012.07.15
which contains some links to bbs threads covering such. Along the.sad.clown's suggestion, nothing hinders you to test restoring to a VM too.
2. Yes. You can turn on/off discards anytime, do it manually or via mount option, as you like (if your SSD supports it generally).
3. Common culprit: Plan your partitioning. In particular if you need LVM or not, as changing that afterwards (e.g. from a single / system + /boot) means backup / restore again.

One hint not on the wiki or other threads here yet - the new cryptsetup just rolled in this week with a great new feature:

cryptsetup benchmark

shows you CPU encryption throughput for your system for the various ciphers. In particular if you have a fast SSD and a slow CPU, it helps to make an informed choice not to slow down io throughput.


#4 2013-02-20 23:47:16

Registered: 2008-06-22
Posts: 794

Re: Migrating installed unencrypted Arch to a dm-crypt-setup on a SSD+TRIM

Yes, backup. You can use tar to backup. It will backup everything except extended attributes (xattr) and SElinux flags. It will backup Sticky-Bit and  stuff. On a normal Arch install you are not using xattr's though.... I am 98% sure.

Yes, you just edit /etc/default/grub and add this to make sure it has TRIM enabled. Then rebuild the gurb.cfg


I have a LVM-on-LUKS setup.
Here are my notes on how I set it up. Take what you need (don't copy & past tongue )

Owe, and from what I read it is not necessary to "--align-payload" with ether cryptsetup or LVM2 these days. Both are suppose to align to 1MB my default.

cryptsetup -h sha512 -c aes-xts-plain64 -y -s 512 luksFormat --align-payload=8192 /dev/sdb2

cryptsetup --allow-discards luksOpen /dev/sdb2 root

pvcreate /dev/mapper/root

vgcreate VolGroup00 /dev/mapper/root

lvcreate -L 8G VolGroup00 -n lvolroot

mkfs.ext4 -b 4096 -E stride=128,stripe-width=128 /dev/mapper/VolGroup00-lvolhome

One more cool thing. You know, if you have /boot and GRUB installed on a USB stick you don't have to partition your SSD/HDD at all. You can encrypt ALL of /dev/sda and then ether put LVM, GPT, MBR, or simply a file-system right on top of the /dev/mapper/root

I don't really see much of a reason to do that but it would be cool tongue

Last edited by hunterthomson (2013-02-21 00:08:41)

OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec


Board footer

Powered by FluxBB