TRIM support via dm-crypt/device-mapper

ssd luks device-mapper

For the record, this functionality did NOT exist when I first posted this question. I asked on the mailing list and was informed by Milan Broz that discard passthrough for dm-crypt targets still had not been implemented. Milan indicated that he intended to implement this at some point, but did not state when.

After digging around in dm-crypt.c and related files for a while, it appeared that TRIM support would be fairly trivial to add. I wrote the list asking for their general advisement on the task before I jumped in. The next day, Milan submitted a patch that implements TRIM pass-through on dm-crypt and this has been staged into linux-next. It should be included in the Linux 3.1 kernel.

TRIM passthrough must be enabled explicitly. There are potential security issues in using TRIM on a dm-crypt'd device, because TRIM sends information about block usage to the firmware on the device which then marks recently freed areas as usable (as I understand it, anyway). This means that an interested party can derive information about patterns of disk usage. For instance, it was postulated that an attacker could almost definitely learn what filesystem was in use on the encrypted medium through this data. An attacker may also be able to learn more useful information, like that you had a lot of big files saved until recently (big contiguous TRIM'd blocks).

Please see these threads for reference:

http://www.redhat.com/archives/dm-devel/2011-June/msg00093.html

http://www.redhat.com/archives/dm-devel/2011-July/msg00042.html

http://www.redhat.com/archives/dm-devel/2011-July/msg00088.html

tl;dr: TRIM passthrough support for dm-crypt targets will exist in Linux >= 3.1 but must be enabled manually via cryptsetup and/or dmsetup due to data leakage that may allow profiling based on disk usage patterns.


As of kernel 3.2.x, dm-crypt + brtfs is supposed to be safe. See the reply to my question from Chris Mason:

http://permalink.gmane.org/gmane.comp.file-systems.btrfs/15554 and http://permalink.gmane.org/gmane.comp.file-systems.btrfs/15564

Related

devcon.exe not working in Windows7 x64
Disable formatting in Eclipse
Command to Call 'Turn Off Computer' Menu
How do we access the second last copied stuff on our clipboard? [duplicate]
How do I update / flush / reset my DNS records in Windows?
how to totally clear the filesytem's cache on linux?
Are there any methods of "unyellowing" old beige PC parts?
Is there a Windows equivalent of the script command in Linux? [duplicate]
Can two Linux partitions use the same swap space?
How can I format a drive using the GPT format on OS X?
Btrfs on top of a mdadm raid10, or btrfs raid10 on bare devices?
How to move TextMate 2 output pane to a new window