Gentoo Forums
fstriming an encrypted partition ?
LegionOfHell
Apprentice

Joined: 16 Mar 2019
Posts: 234
Location: Toronto, Canada

Posted: Sat Jun 13, 2020 5:50 pm    Post subject: fstriming an encrypted partition ?

I have the following setup:

/dev/sda:

/dev/sda1 mounted at /boot

&

/dev/sda2 ---> LUKS encrypted --> LVM --> /dev/mapper/vg0-root

/dev/mapper/vg0-root is mounted at /

(1) I want to set up fcron to trim my SSD periodically ... should I just do fstrim / ... or do I need to do something else since the drive is encrypted ?

(2) Do I need LVM even when there is a single logical partition (with an encrypted setup?)?
pa4wdh
Guru

Joined: 16 Dec 2005
Posts: 386

Posted: Sat Jun 13, 2020 6:02 pm

1) LUKS will not allow discards (trims) unless you add --allow-discards to cryptsetup when you open your LUKS device. The general advice is against trimming an encrypted device because trimming an encrypted device will reveal which blocks are in use to someone analyzing your encrypted drive.
Instead of fstrim you can also use ext4's discard option for on-the-fly trimming.

2) You don't need LVM in LUKS, you could just mkfs and mount the decrypted device (the device that's now listed in pvdisplay)
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

Free as in Freedom is not limited to software only:
Music: http://www.jamendo.com
Recipes: http://www.opensourcefood.com
LegionOfHell
Apprentice

Joined: 16 Mar 2019
Posts: 234
Location: Toronto, Canada

Posted: Sat Jun 13, 2020 9:36 pm

Can you confirm that I am doing this right ?

Are the following steps correct...I want to encrypt /dev/sda2 without using an lvm.

First I partition /dev/sda:

Code:
parted -a optimal /dev/sda
mklabel gpt
unit mib
mkpart primary 1 512
name 1 boot
set 1 boot on
mkpart primary 512 -1
name 2 rootfs
print
quit


The guide says:
Quote:
Just create partition with expected partition size, don't set partition type or format it.


Did I do the partitioning right ? Is there a mistake in there ?




then:

Code:
(1) mkfs.vfat -F32 /dev/sda1
(2) cryptsetup luksFormat /dev/sda2
(3) cryptsetup luksOpen --allow-discards /dev/sda2 myname
(4) mkfs.ext4 /dev/mapper/myname
(5) mkdir -p /mnt/myname
(6) mount /dev/mapper/myname /mnt/myname


what should myname be in step (3) ?
for (5) and (6) shouldn't it be /mnt/gentoo instead of /mnt/myname ? typo ?


Also, you said:
Quote:
Instead of fstrim you can also use ext4's discard option for on-the-fly trimming.


Does this require the --allow-discards option ?
LegionOfHell
Apprentice

Joined: 16 Mar 2019
Posts: 234
Location: Toronto, Canada

Posted: Sun Jun 14, 2020 2:59 am

In addition to the post above, I have more questions:

(1) When generating an initramfs with genkernel ... is the --lvm option needed even if lvm is not being used ?

(2) To make trim work with a luks setup, should I add the following to /etc/default/grub ?

Code:
GRUB_CMDLINE_LINUX_DEFAULT="root_trim=yes"


(3) After installing Gentoo with the luks setup, How does the OS know to open the encrypted partition(/dev/sda2) with the option --allow-discards at each boot ?
my understanding is that the following command should be run at each boot:
Code:
cryptsetup luksOpen --allow-discards /dev/sda2 myname

Does this happen with how I installed things (post above) ? Every time I boot my system, is --allow-discards run too ? If not, then how can I make it work ?

(4) Using fstrim / could expose an encrypted drive, how about adding discard to /etc/fstab ? does that compromise the system too ?
pa4wdh
Guru

Joined: 16 Dec 2005
Posts: 386

Posted: Sun Jun 14, 2020 3:31 pm

Quote:

Did I do the partitioning right ? Is there a mistake in there ?

I don't know parted that well, so I can't comment on that. As long as you create a partition the size you want/need you should be fine.

Quote:
what should myname be in step (3) ?

It's a name you can choose. I usually use encrypted-<regular device name>, so if I encrypt sda2 I call it encrypted-sda2.

Quote:
for (5) and (6) shouldn't it be /mnt/gentoo instead of /mnt/myname ? typo ?

If you are installing gentoo and want the encrypted device to be the root device of your new install, then yes.

Quote:
Does this require the --allow-discards option ?

Yes, it is required for LUKS to pass on the discards from any tool down to the real device.

I can't answer your new questions, I don't trim my encrypted root devices and I don't use genkernel.

Quote:
(4) Using fstrim / could expose an encrypted drive, how about adding discard to /etc/fstab ? does that compromise the system too ?

Any kind of trimming will compromise the security level of your encrypted drive.
The goal of encrypting a drive is to hide the real data, or even the fact there is any data. With trimming there will be a visible difference between used and unused blocks because that's what trimming does, there is no way around that.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

Free as in Freedom is not limited to software only:
Music: http://www.jamendo.com
Recipes: http://www.opensourcefood.com
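
One way to check the two conditions discussed above, that the dm-crypt mapping was opened with --allow-discards and that a filesystem is mounted with discard (an added example, not code from any poster in this thread). It parses `dmsetup table` and `/proc/mounts` output; the sample lines, mapping names and UUIDs in it are constructed.

```shell
#!/bin/sh
# Added example. Two checks on whether TRIM can reach the disk under LUKS.

# Reads `dmsetup table` output (all-devices form: "name: start len target ...")
# and prints "<name> passed" or "<name> blocked" for every crypt mapping.
crypt_discard_status() {
    awk '
        $4 == "crypt" {
            name = $1
            sub(/:$/, "", name)
            status = "blocked"
            # Fields 5-9: cipher, key, iv_offset, device, offset.
            # Field 10 counts the optional parameters that follow it.
            for (i = 11; i <= NF; i++)
                if ($i == "allow_discards") status = "passed"
            print name, status
        }'
}

# Reads /proc/mounts-style lines and prints each device mounted with the
# "discard" option (on-the-fly trimming instead of periodic fstrim).
online_discard_mounts() {
    awk '{
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] == "discard") print $1
    }'
}

# Constructed samples (not captured from a real system).
sample_table() {
    cat <<'EOF'
encrypted-sda2: 0 975718400 crypt aes-xts-plain64 :64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 8:2 32768 1 allow_discards
myname: 0 975718400 crypt aes-xts-plain64 :64:logon:cryptsetup:11111111-1111-1111-1111-111111111111-d0 0 8:3 32768
vg0-root: 0 975716352 linear 254:0 2048
EOF
}
sample_mounts() {
    cat <<'EOF'
/dev/mapper/myname / ext4 rw,noatime,discard 0 0
/dev/sda1 /boot vfat rw,relatime 0 0
EOF
}

sample_table | crypt_discard_status
sample_mounts | online_discard_mounts
# Live system, as root: dmsetup table | crypt_discard_status
#                       online_discard_mounts < /proc/mounts
```

A device listed by `online_discard_mounts` whose mapping is reported as `blocked` is mounted with discard, but dm-crypt is not passing those discards down to the real device.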
Hu
Moderator

Joined: 06 Mar 2007
Posts: 15830

Posted: Sun Jun 14, 2020 4:31 pm

When considering whether to pass trimming to the device, you need to think about your threat model. Why are you encrypting the drive? Do you want the drive to withstand a determined adversary? If so, how determined is the adversary: little brother, dumpster diver, private thief, police in a state with strong human rights, police in a state with no respect for your rights, international espionage agency, ...? Do you only need to deter casual inspection/modification? If your goal is only to deter someone who will give up after trying obvious passwords, then the cryptanalysis risk from trimming does not matter. If you need the drive to withstand someone willing to spend a considerable amount of effort to open it, then the cryptanalysis risk could matter.
pietinger
Guru

Joined: 17 Oct 2006
Posts: 311
Location: Bavaria

Posted: Sun Jun 14, 2020 6:01 pm

pa4wdh wrote:
The goal of encrypting a drive is [...] or even the fact there is any data.

With LUKS you cannot deny there is encrypted data, because of the luks header.
You need a pure (old) dmcrypt solution if you want to argue that there is no encrypted data, only random stuff.

Side-note about trimming a crypted partition: You can do this without thinking about highest security, because:

If you are really the target of a secret service this is your lowest problem, because they have other potentials and methods (like assembling a hardware-keylogger or arresting you one minute after you signed in to your computer).
LegionOfHell
Apprentice

Joined: 16 Mar 2019
Posts: 234
Location: Toronto, Canada

Posted: Sun Jun 14, 2020 9:18 pm

Hu wrote:
When considering whether to pass trimming to the device, you need to think about your threat model. Why are you encrypting the drive? Do you want the drive to withstand a determined adversary? If so, how determined is the adversary: little brother, dumpster diver, private thief, police in a state with strong human rights, police in a state with no respect for your rights, international espionage agency, ...? Do you only need to deter casual inspection/modification? If your goal is only to deter someone who will give up after trying obvious passwords, then the cryptanalysis risk from trimming does not matter. If you need the drive to withstand someone willing to spend a considerable amount of effort to open it, then the cryptanalysis risk could matter.


So there is no way around this ? people should not trim their SSDs ? wouldn't that destroy the SSD ?

I am thinking of coupling luks with encfs...put the browser's cache dir etc. in an encrypted folder...
etnull
Guru

Joined: 26 Mar 2019
Posts: 369
Location: Russia

Posted: Sun Jun 14, 2020 11:08 pm

About your partitioning scheme, it also depends on the bootloader you use, old BIOS GRUB or EFI. The old GRUB method requires an additional, very small partition (about 2MB); it should be unformatted. Not sure how it works for EFI. Here is the setup I use for my boot flash drive:
Code:
parted -a optimal /dev/sdX
unit mib
mklabel gpt
mkpart primary 1 3
mkpart primary ext2 3 1027
mkpart primary fat32 1027 -1
set 1 bios_grub on
set 2 boot on
set 3 msftdata on
name 1 gentoo-grub
name 2 gentoo-boot
name 3 USB-ADATA
quit

Quote:
With LUKS you cannot deny there is encrypted data, because of the luks header.

You can detach LUKS headers, but I don't see it as a good excuse to say 'hey, mr cop, it's just random data, let me go!', rather as a way to irreversibly and quickly destroy (mr.Robot style) the LUKS header, and in turn make it into useless random data even to yourself.

Quote:
So there is no way around this ? people should not trim their SSDs ? wouldn't that destroy the SSD ?

Make a hardware device which would send 2000v to your +12v SSD line, and tie it up to your ankle. Good protection against *three_letter_agency*, but they can also use snipers, if you die near your PC the ankle trick won't work.


Last edited by etnull on Sun Jun 14, 2020 11:12 pm; edited 2 times in total
Hu
Moderator

Joined: 06 Mar 2007
Posts: 15830

Posted: Sun Jun 14, 2020 11:08 pm

There is no way to both have trim and provide the maximum barrier to cryptanalysis. That is why I wrote above that you should think about whether you need that barrier. If you just want some confidence that the drive will not be read when you return it to the manufacturer for warranty service, or trash it because it is no longer useful, cryptanalysis is probably not a concern. If you use LUKS with a good password and make a reasonable effort to wipe the LUKS header before you dispose of the drive, that will probably suffice.

Trimming can help extend life on an SSD, but anecdotal evidence suggests that many models of SSD, even without trim, are likely to become obsolete due to speed/size concerns well before they wear out due to lack of trimming. I have an SSD that has been in use for more than 8 years and it still claims to have >95% usable life remaining. It's very likely that its eventual retirement will be motivated by some factor other than exhaustion of usable life.
All times are GMT