Re: Whole Disk Encryption + SSD

To: debian-user@lists.debian.org
Subject: Re: Whole Disk Encryption + SSD
From: David Christensen <dpchrist@holgerdanske.com>
Date: Fri, 2 Jul 2021 11:33:36 -0700
Message-id: <[🔎] 34ed194d-4533-23fe-4eb4-eee88ae92499@holgerdanske.com>
In-reply-to: <[🔎] 20210702150218.GA6807@axis.corp>
References: <4ef539b6-af04-4d53-9512-cd3dba0d4ce3@gmx.com> <bb07defe-eaea-ddee-e534-73289541cc60@holgerdanske.com> <[🔎] 20210702025528.GA14316@axis.corp> <[🔎] ea57b6a6-f3d2-d256-5ce3-94afdb34c833@holgerdanske.com> <[🔎] 20210702150218.GA6807@axis.corp>

On 7/2/21 8:02 AM, David Wright wrote:

On Thu 01 Jul 2021 at 20:43:09 (-0700), David Christensen wrote:

On 7/1/21 7:55 PM, David Wright wrote:

On Mon 28 Jun 2021 at 13:36:35 (-0700), David Christensen wrote:

I do not set the 'discard' (trim) option in fstab(5).  If and when I
want to erase unused blocks (such as before taking an image), I use
fstrim(8).

What improvement does erasing unused blocks achieve?


Zero blocks are readily compressed, reducing the size of the image file.


Ah, I see. So a spinning rust analogy might be:

. Take an old conventional disk, sdz, where df shows 10% uasge,
. cp /dev/zero a-file-on-sdz
. rm a-file-on-sdz
. dd if=/dev/sdz … and compressing it, saving ~90% space.

But can I tweak my question a little—

Say that /dev/sdz contained one partition, sdz1, which filled the disk
and was a LUKS encrypted /home. In this case, the above would fail to
save space because the raw device sdz would be full of "random" data.

But what happens with an SSD? If, after the rm step above, you
# fstrim /home
the mountpoint, where /etc/fstab has the line
   /dev/mapper/luks-fedcba98-7654-3210-… LABEL1 ext4 /home
then what gets zeroed, the container or the contained?
I can't put my finger on any documentation that spells it out.

AIUI userland programs such as fstrim(8) interact with the kernel via anapplication programming interface (API). Device drivers interact withthe kernel and/or each other via device driver interfaces (DDI). Somedevice drivers are designed to interact with hardware. Other devicedrivers are designed to fit in between the kernel and/or device drivers-- for example, LVM, md, and dm-crypt. So, you can layer ext4 on top ofLVM on top of dm-crypt (LUKS) on top of md on top of several SSD's.

Given a file system driver that supports trim, fstrim makes an API callto the file system driver telling the file system driver to erase unusedblocks. The file system driver knows what blocks are unused and makesDDI calls to trim those blocks. If everything between the file systemdriver and the SSD(s) supports trim commands, eventually the trimcommands reach the SSD(s) and blocks are erased. Similarly, theresponse codes must be passed upwards from the SSD(s) to the file systemdriver, which then responds to fstrim.



David

Reply to:

References:
- Re: Whole Disk Encryption + SSD
  - From: David Wright <deblis@lionunicorn.co.uk>
- Re: Whole Disk Encryption + SSD
  - From: David Christensen <dpchrist@holgerdanske.com>
- Re: Whole Disk Encryption + SSD
  - From: David Wright <deblis@lionunicorn.co.uk>

Prev by Date: Re: systemd nfs mount blocked until first entered
Next by Date: Re: Useful use of dd [was: Useless use of "dd"]
Previous by thread: Re: Whole Disk Encryption + SSD
Next by thread: Re: Font color selection in MATE terminal
Index(es):
- Date
- Thread