[dm-crypt] Prepare SSD for encrypted linux install

Robert Nichols rnicholsNOSPAM at comcast.net
Thu Nov 9 01:34:38 CET 2017


On 11/08/2017 11:36 AM, Merlin Büge wrote:
> Hello all,
> 
> 
> I want to use an SSD (Samsung 850 PRO 512GB) for a fully encrypted Linux
> system. I've read the cryptsetup FAQ and various posts in the
> internet and I'm familiar with the common problems/pitfalls regarding
> dm-crypt on SSDs.
> 
> To avoid information leakage about the storage device's usage patterns,
> it is generally recommended to fill the entire device with random data
> before setting up encryption. It is also recommended to issue an 'ATA
> secure erase' to SSDs before using it to avoid performance issues.
> 
> But doing these two things, either my (1) random data gets 'deleted' via
> the (2) 'ATA secure erase' (the SSD will report all zeros), or I end up
> with degraded performance when (1) issuing 'ATA secure erase' before
> (2) putting random data on it.
> 
> I thought of TRIMing the SSD via 'blkdiscard' instead of using
> 'ATA secure erase' after putting random data on it (twice, see [0]),
> but that should make no difference, since the SSD will most probably
> report all zeros for TRIMed sectors. Either way, the flash chips will
> contain all random data ...

No, they won't. They will all be cleared. The whole point of TRIM or blkdiscard is to allow the controller to clear the blocks of flash cells so that they will be immediately available for writing when needed. Writing random data to the flash cells and then immediately clearing them is fairly pointless. All it does is mask any residue a cleared cell might have of the last data it contained. People who need that level of security don't ask about it here.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.



More information about the dm-crypt mailing list