#1 2023-07-28 14:21:43

daniel_shub
Member
Registered: 2012-06-21
Posts: 85

Confused about dm-crypt LUKS with an SSD

I have a full disk encryption setup with dm-crypt LUKS and GRUB on an SSD with two partitions: an unencrypted EFI partition and the encrypted / (which includes /boot). Because I am using GRUB with an encrypted boot partition, I have used LUKS1 and not LUKS2. The wiki ( https://wiki.archlinux.org/title/Dm-cry … ives_(SSD) ) talks about TRIM and workqueue support on encrypted SSDs and I am confused.

I am okay with the potential data leaks associated with enabling TRIM and my drive supports it. Is enabling TRIM as simple as adding "allow-discards" to the "cryptdevice" line?

I also would like to disable the read and write workqueue. I am not mounting / through crypttab and I am not using LUKS2, so my setup seems to fall through the cracks of the wiki.

#2 2023-07-28 14:42:31

frostschutz
Member
Registered: 2013-11-15
Posts: 1,425

Re: Confused about dm-crypt LUKS with an SSD

You can use LUKS2 with grub, but the keyslot has to be pbkdf2 algorithm instead of argon2id. This can be converted (cryptsetup convert for LUKS1/LUKS2, cryptsetup luksConvertKey for keyslot algorithms). Another option is to ditch the encrypted /boot entirely and just put everything /boot related on your EFI partition.

For enabling TRIM, you need the --allow-discards flag. Where to put it depends on initramfs type / which encrypt hook you are using. If you're already using cryptdevice, you can add either 'allow-discards' or just 'discard' option to it. The encrypt hook also supports no-read/write-workqueue options there.

With LUKS2 you could just set these options persistently in the header, no need to specify flags anywhere else, and it would be displayed in luksDump.

Last edited by frostschutz (2023-07-28 14:45:08)

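Whichever way the options are passed (the `cryptdevice=` kernel parameter for the encrypt hook, or persistent LUKS2 header flags), the setting that actually matters is what the running dm-crypt target was opened with, and that can be read back from `dmsetup table`. The script below is an added example, not code from either post or from the Arch wiki: it parses the optional-parameter list of a dm-crypt table line and reports whether `allow_discards`, `no_read_workqueue` and `no_write_workqueue` are active. The sample table line is constructed (the key is zeroed, as `dmsetup table` prints it without `--showkeys`, and the backing device `8:3` and mapping name `cryptroot` are assumptions).

```shell
#!/bin/sh
# Added example: confirm discards / workqueue settings on a mapped dm-crypt
# device by parsing a `dmsetup table` line.
#
# dm-crypt table format:
#   start length crypt cipher key iv_offset device offset [nopts opt1 opt2 ...]
#
# Constructed sample (not real output from the thread): key zeroed as dmsetup
# prints it without --showkeys, "8:3" is an assumed backing partition.
SAMPLE_TABLE='0 999292928 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:3 32768 3 allow_discards no_read_workqueue no_write_workqueue'

# crypt_opts LINE
#   Prints the optional parameters (everything after the option count),
#   one per line. Prints nothing when the target has no optional parameters.
crypt_opts() {
    # shellcheck disable=SC2086
    set -- $1
    # Fields 1-8 are fixed; field 9, when present, is the option count.
    [ $# -ge 9 ] || return 0
    shift 9
    for opt in "$@"; do
        printf '%s\n' "$opt"
    done
}

# has_crypt_opt LINE OPT
#   Prints "yes" if OPT is among the target's optional parameters, else "no".
has_crypt_opt() {
    for opt in $(crypt_opts "$1"); do
        if [ "$opt" = "$2" ]; then
            echo yes
            return 0
        fi
    done
    echo no
}

# report LINE
#   One status line for each of the three settings discussed in the thread.
report() {
    for o in allow_discards no_read_workqueue no_write_workqueue; do
        printf '%-20s %s\n' "$o" "$(has_crypt_opt "$1" "$o")"
    done
}

# On a live system the table line comes from the mapping name (assumed here):
#   report "$(dmsetup table cryptroot)"
report "$SAMPLE_TABLE"
```

If `allow_discards` is reported as `no` after adding the option, the initramfs was not regenerated or the option landed in a place the active hook does not read; the table is the ground truth regardless of what `/proc/cmdline` or the LUKS header says.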