
Do you use TRIM on your LUKS-encrypted SSDs?


#1
  • Yes
  • No
  • Dunno


According to the Arch wiki, TRIM is and always will be disabled by default on dm-crypt devices due to some potential security concerns.

It seems enabling TRIM requires adding the discard option in fstab, and perhaps elsewhere too—a bit confusing.

Also, is there a command to check whether TRIM is currently enabled (not just supported)?
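On the question of checking whether TRIM is actually enabled, the following is an added example, not part of the original post: it checks the two layers separately, the dm-crypt mapping (the `allow_discards` parameter in `dmsetup table` output) and the filesystem mount options (`discard`). The function names, mapping names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample data below is constructed (key field shortened).

# Layer 1: dm-crypt. Reads `dmsetup table` output on stdin and prints
# "<mapping> enabled|disabled" for every crypt target. Discards reach the
# SSD only if the optional parameter allow_discards is set on the mapping.
crypt_discard_status() {
    awk '$4 == "crypt" {
        name = $1; sub(/:$/, "", name)
        state = "disabled"
        # crypt fields: cipher key iv_offset device offset [#opts opts...]
        for (i = 11; i <= NF; i++) if ($i == "allow_discards") state = "enabled"
        print name, state
    }'
}

# Layer 2: filesystem. Reads /proc/mounts-style lines on stdin and prints
# mount points that carry the "discard" option (continuous TRIM).
mounts_with_discard() {
    awk '{
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) if (opt[i] == "discard") print $2
    }'
}

# Constructed sample: one mapping opened with discards, one without,
# plus an LVM linear target that must be ignored.
SAMPLE_DMSETUP='luks-root: 0 487804928 crypt aes-xts-plain64 0000 0 8:3 32768 1 allow_discards
luks-data: 0 1953488896 crypt aes-xts-plain64 0000 0 8:17 32768
vg0-home: 0 209715200 linear 253:0 2048'

SAMPLE_MOUNTS='/dev/mapper/luks-root / ext4 rw,relatime,discard 0 0
/dev/mapper/luks-data /data ext4 rw,relatime 0 0'

printf '%s\n' "$SAMPLE_DMSETUP" | crypt_discard_status
printf '%s\n' "$SAMPLE_MOUNTS" | mounts_with_discard

# On a live system (root needed for dmsetup):
#   dmsetup table | crypt_discard_status
#   mounts_with_discard < /proc/mounts
```

A mount without `discard` can still be trimmed periodically with `fstrim`, but that also only reaches the SSD when the dm-crypt layer reports `enabled`.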


#2

I don’t use SSDs. You should have had that option in the poll.


#3

I mount using the ‘defaults’ parameter in /etc/fstab, with LUKS, followed by LVM, and then filesystems. I’m not so well-versed in storage that I’ve really stopped to consider if that nesting might have implications for that.

Then again, I distrohop for fun. I’m constantly churning what’s actually on disk anyway. My filesystems are cattle, not pets, and I don’t think about them very much.


#4

I actually use TRIM with LUKS (on my personal laptop), the reason being that if someone stole my laptop, he or she is probably not sophisticated enough to try to actually get to my data; he or she will probably just format the drive and try to resell the laptop. (Who would steal a T430 anyway?)

So I don’t really care about the security impacts TRIM on LUKS could have; I just set allow-discards in /etc/defaults/grub. If I were using a Linux machine at work I would not use it, because of the aforementioned security concerns raised in the Arch wiki.


#5

Thanks for posting this. It’s an interesting problem.

IMO, the security risk is pretty low unless you really have some pros trying to get your data, most likely with physical access to the machine.


#6

Well, if some pro, most probably a three-letter agency, got physical access to my hardware, I have lost anyway.

For work machines, if my employer enforces FDE I would not configure it in any way that, even only theoretically, could endanger my data safety. Also, a work machine should normally be imaged according to employer guidelines.


#7

Agreed, but I don’t even think DISA STIG mentions anything about this. At least, I don’t think it’s in the OpenSCAP criteria for RHEL (I’ve read through that a couple times in the past).


#8

To be honest, I didn’t even know there was a security problem with TRIM until I read about it in this thread. I guess it’s more a theoretical problem than an actively abused one.


#9

Part of the problem I see is that the risk of TRIM + LUKS is neither well-known nor well-understood.

That is, how serious is the risk? Also, how useful is TRIM? How does the cost benefit analysis work out for various use cases?