Re: Bug#954200: DI encrypted LVM, discard option crypttab file
On 3/18/2020 3:44 PM, Ben Hutchings wrote:
> On Wed, 2020-03-18 at 11:27 +0100, john doe wrote:
>> Package: debian-installer
>> Version: debian-10.3.0-amd64-netinst.iso
>>
>> After installing debian-10.3.0-amd64-netinst.iso with encrypted LVM, the
>> crypttab file is populated with the 'discard' option in the fourth field.
>>
>> According to (1), the discard option has security implication:
>>
>> "discard
>> Allow discard requests to be passed through the encrypted block device.
>> This improves performance on SSD storage but has security implications."
>
> As I recall, the security implication is a minor information leak - it
> makes it possible to determine how much, and which parts, of the disk
> are used.  Hardly anyone should care about that, so this is a
> reasonable default.
>
Reading (1), I don't see that as a reasonable default.
You clearly need to understand when to use this flag.
1)  http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html
> Ben.
>
>> I would suggest that the debian-installer populates the first two
>> mandatory fields of '/etc/crypttab'.
Changing 'luks,discard' to 'key-slot=0' would be more appropriate.
--
John Doe
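An added example, not part of this bug report or of the debian-installer code: a small POSIX shell audit that parses crypttab-format text and lists the mappings whose fourth (options) field carries `discard`, so an administrator can see which encrypted volumes expose the used/unused block layout that the thread above describes. The sample crypttab content is constructed for the example, including an entry with only the two mandatory fields; the helper function names are the example's own.

```shell
#!/bin/sh
# Constructed sample /etc/crypttab content (not taken from the bug report).
# Format: <target name> <source device> <key file> <options>
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
sda5_crypt UUID=11111111-2222-3333-4444-555555555555 none luks,discard
data_crypt /dev/sdb1 none luks
swap_crypt /dev/sdc2
home_crypt UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /etc/keys/home.key luks,discard,key-slot=0'

# Print the target name of every entry whose options field contains the
# exact option "discard". Reads crypttab text from stdin. Entries with only
# the two mandatory fields have an empty $4 and are never reported.
crypttab_discard_targets() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }     # skip comments and blank lines
        {
            n = split($4, opts, ",")             # options are comma-separated
            for (i = 1; i <= n; i++)
                if (opts[i] == "discard") { print $1; break }
        }'
}

# Number of entries that pass discard through, for a one-line audit summary.
crypttab_discard_count() {
    crypttab_discard_targets | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample; on a real system you would
# feed /etc/crypttab instead:  crypttab_discard_targets < /etc/crypttab
printf '%s\n' "$SAMPLE_CRYPTTAB" | crypttab_discard_targets
printf 'entries with discard: %s\n' "$(printf '%s\n' "$SAMPLE_CRYPTTAB" | crypttab_discard_count)"
```

Matching on the whole option token rather than a substring avoids false hits on other options that merely contain the letters, and the parser accepts both the four-field entries the installer writes and the two-field form suggested in the report.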