Debian Jessie: TRIM on LVM on LUKS on SSD

Even though I have been using SSDs for more than 5 years on my main machine, I’ve never bothered to set up TRIM properly. At first, that was because the drive didn’t support it – it was the first Intel X25M model, an 80GB drive. After that I moved on to an Intel X25M 120GB, and then an Intel 520 240GB. Both of those drives supported TRIM, but I didn’t configure my machine to use it.

I’m upgrading my laptop to SSD number four (an Intel 530, 480GB) and I decided it was time to set up TRIM properly. This is a fairly straightforward configuration with LUKS handling encryption for an LVM physical volume, inside of which the logical volumes live that I need to be able to run TRIM on.

Caveat emptor: because TRIM essentially makes it clear which blocks on the drive are in use and which are not, TRIM is disabled by default at the LUKS layer. Enabling TRIM will leak a bit of information (how many bytes are used by your encrypted partition), and should not be done in a ‘plausible deniability’ scenario.

There’s a lot of information out there on this subject – the best docs appear to be for Arch – but it seems that Debian does things slightly differently from most other distributions. Here’s what I had to do to make TRIM work.

1. In /etc/default/grub, add to the GRUB_CMDLINE_LINUX_DEFAULT and GRUB_CMDLINE_LINUX lines:

  cryptdevice=/dev/sdaX:vg_name:discard

Replace /dev/sdaX with the path to the partition that contains your LUKS volume. Replace vg_name with the name of your LVM volume group.

2. Run update-grub:

  # update-grub

3. In /etc/lvm/lvm.conf, set

  issue_discards = 1

in the devices section.

4. Update /etc/crypttab: add ‘,discard’ to the fourth field for each encrypted partition:

  sdaX_crypt UUID=abcdefgh-1234-5678-90ab-cdefghijklmn none luks,discard

5. Update your initramfs:

  # mkinitramfs -o /boot/initrd.img-`uname -r`

6. It is sufficient to run fstrim weekly. So do not add discard to the mount options in /etc/fstab, but rather install the following in /etc/cron.weekly/fstrim:

  #!/bin/sh
  # Trim each listed mount point; -v reports how much space was trimmed.
  for mount in / /boot /data; do
    fstrim -v "$mount"
  done

You should adjust the list of mount points to your situation. You’ll get a weekly e-mail with the amount of space that was trimmed; if you don’t like that, drop the -v argument to fstrim.

And that’s it. After a reboot, you can verify that TRIM is supported with:

  # dmsetup table
  sdaX_crypt: 0 929880064 crypt aes-xts-plain64 0...0 0 8:X 4096 1 allow_discards

If everything worked, you will see ‘allow_discards’ at the end of the line for your LUKS-backed device. And fstrim will not complain with ‘discard operation not supported’.
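
The check above and the crypttab edit from step 4 can also be audited with a small script. This is an added example, not part of the original procedure; the function names and the sample device names, UUIDs and sizes are constructed for illustration. Both functions read text on stdin, so they also work on a saved copy of the output from another machine.

```shell
#!/bin/sh
# Added example: list LUKS mappings that do NOT pass discards through.

# Reads `dmsetup table` output on stdin and prints the name of every
# dm-crypt mapping whose table line lacks the allow_discards flag.
crypt_missing_discards() {
  awk '$4 == "crypt" {
         found = 0
         for (i = 5; i <= NF; i++) if ($i == "allow_discards") found = 1
         if (!found) { sub(/:$/, "", $1); print $1 }
       }'
}

# Reads /etc/crypttab text on stdin and prints the name of every entry
# whose fourth field (comma-separated options) lacks "discard".
crypttab_missing_discard() {
  awk 'NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
       {
         n = split($4, opts, ",")
         found = 0
         for (i = 1; i <= n; i++) if (opts[i] == "discard") found = 1
         if (!found) print $1
       }'
}

# Constructed sample input (not taken from a real machine).
SAMPLE_DMSETUP='sda5_crypt: 0 929880064 crypt aes-xts-plain64 0000 0 8:5 4096 1 allow_discards
sdb1_crypt: 0 488392704 crypt aes-xts-plain64 0000 0 8:17 4096
vg0-root: 0 58589184 linear 254:0 2048'

SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
sda5_crypt UUID=00000000-0000-0000-0000-000000000001 none luks,discard
sdb1_crypt UUID=00000000-0000-0000-0000-000000000002 none luks'

printf '%s\n' "$SAMPLE_DMSETUP"  | crypt_missing_discards    # sdb1_crypt
printf '%s\n' "$SAMPLE_CRYPTTAB" | crypttab_missing_discard  # sdb1_crypt
```

On a live system, run `dmsetup table | crypt_missing_discards` as root and `crypttab_missing_discard < /etc/crypttab`; empty output from both means every encrypted volume is configured to pass TRIM through.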
