TRIM on LVM on LUKS on SSD

I have an (unfortunately too small) Samsung 840 Pro in my laptop and it’s been a long time since I’ve re-installed (no time for Korora for months) and I’ve noticed it getting a little sluggish. Most noticeable is long pauses while the drive goes nuts. I figured it was probably time to get some TRIM action on the drive, something I never bothered with before because I didn’t really care.

My setup is reasonably common, I imagine. I have a regular old boot partition and a second encrypted partition which is used as a physical volume for lvm. Hence any and all lv are automatically encrypted. If you’re using encryption, it’s possible that enabling trim could give an attacker insight into what blocks have/haven’t been used, but for me it’s just to make it harder for someone to get my data if I lose the laptop or it’s stolen.

Filesystem
First things first, the file system needs to support trim (ext4 does). If you’re using Fedora 18 you may have to edit your /etc/fstab and add the discard mount option to any partition you want to trim.
/dev/sda1 /boot ext4 defaults,discard 1 2

Under Fedora 19, my non-encrypted, non-lvm /boot partition works with fstrim out of the box (I didn’t have to set the discard mount option), so that’s good.

chris@localhost ~ $ sudo fstrim -v /boot
[sudo] password for chris:
/boot: 407 MiB (426762240 bytes) trimmed

With my / and /home partitions however it’s a different story, I get this:
chris@localhost ~ $ sudo fstrim -v /home
fstrim: /home: FITRIM ioctl failed: Operation not supported

So, problem is that somewhere along the way the discard commands aren’t reaching the device.

I have filesystem, lvm, luks, block layers I guess and I know it’s not the first or the last, so that leaves lvm and luks. Thanks to this post, it was pretty easy to enable on the latter two.

LVM
I edited the /etc/lvm/lvm.conf file and enabled the issue_discards option:
issue_discards = 1

LUKS
Now to ensure that discards are sent to my crypto layer by adding the allow-discards option to /etc/crypttab
luks-blah-blah-blah UUID=blah-blah-blah none allow-discards

Note: Thanks to chesty for pointing out that on Debian and other distros the format of that file and discards option may be different. Check man crypttab for the right option, but it may be something like this:
luks-blah-blah-blah UUID=blah-blah-blah none luks,discard

Initramfs
OK, so config files are in place, no as both of these configs are included in the initramfs, time to rebuild it:
chris@localhost ~ $ sudo dracut --force

Note: For Fedora 18 I had to tell dracut to include the crypttab file, as per this bug report.
chris@localhost ~ $ sudo dracut --force -I /etc/crypttab

Note2: Again, on Debian updating initramfs is different, try the update-initramfs command.

You can confirm that crypttab is in the initramfs with:
chris@localhost ~ $ sudo lsinitrd |grep crypttab

Test
After a reboot, I can test out fstrim again, which now works! (By the way, it’s fast.)
chris@localhost ~ $ time sudo fstrim -v /home
/home: 332.6 MiB (348778496 bytes) trimmed
 
real 0m0.194s
user 0m0.007s
sys 0m0.015s

Cron it
Finally, set this as an hourly cron job and enjoy the benefits.
root@localhost ~ # echo -e "fstrim /\nfstrim /home\nfstrim /boot" > /etc/cron.hourly/fstrim

12 Responses to “TRIM on LVM on LUKS on SSD”


  • Thanks for the write up, I’ve just implemented it. I changed the line

    luks-blah-blah-blah UUID=blah-blah-blah none allow-discards

    to

    luks-blah-blah-blah UUID=blah-blah-blah none luks,discard

    I’m not sure if it’s a distro thing, but my debian crypttab man page documents the discard option, not allow-discards

  • Hi Michael,

    Thanks for the note, yeah I should mention that on Debian (and other distros) the format of crypttab is different. You’ve done the right thing there, certainly if it worked? :-)

    You’ll need to rebuild your initramfs differently too, but you probably already know that.

    Cheers,
    -c

  • Is there a chance that TRIM discards will weaken the cryptography?

  • Ken, yes but as far as I know only because it allows an attacker to discover unused sectors. I don’t know what they could actually do with it, but in my opinion, and for my use it’s acceptable. See here: http://asalor.blogspot.com.es/2011/08/trim-dm-crypt-problems.html

    -c

  • Thank for that great step by step guide. It works without any problems.

  • Just wanted to say “thanks!” for clear instructions. Seems to work well on Fedora 19.

  • Thanks for the detailed suggestions.

    I had a quick test on a Fedora 19 system [it does not use LVM] that is running a Virtual Machine on an SSD drive.

    The host does not have any encrypted partitions, but the VM itself does. My /etc/fstab includes the discard option for the SSD partition. But given that the host does not use LUKS, then /etc/crypttab settings don’t seem to be relevant.

    However running fstrim against the mount point of the SSD drive produces an ioctl failed: Operation not supported error.

    Any suggestions welcome.

  • Hi Frank,

    I don’t think that the vm will be passing trim requests down because its drive is just a file on the host drive. Just run trim on your host..

    -c

  • Can anybody give me a hint on how to update the initramfs in Mint 15?
    I tried the update-initramfs -u command (-u for update existing initramfs) but all I get is this error message:

    “update-initramfs: Generating /boot/initrd.img-3.8.0-19-generic
    grep: /boot/config-3.8.0-19-generic: No such file or directory
    Warning: No support for locale: de_DE.utf8″

    And then of course, fstrim doesn’t work, although I changed the lvm.conf and crypttab entries.

  • What configs do you have under /boot?

    ls -l /boot/config*

    I’m guessing your current kernel doesn’t match the config, but it’s been a while since I’ve done Debian stuff like this..

    -c

Leave a Reply