Today I accidentally found out that trim/discard does not work with a dm-crypt device when you use dropbear_initrd_encrypt (version 0.8-16).
You won’t notice that it is not working when you use the online discard with the discard option in /etc/fstab because there is no error thrown, but when you use fstrim you get this error: FITRIM ioctl failed: Operation not supported.
I tried some things and tracked this down to the encryptssh hook from dropbear_initrd_encrypt which seems to use some older version of /lib/initcpio/hooks/encrypt. You also may notice that you don’t get the “Enabling TRIM/discard support.” at boot while using encryptssh instead of encrypt. Encryptssh is missing the whole Trim stuff :/
Edit: I patched the missing parts from /lib/initcpio/hooks/encrypt to /lib/initcpio/hooks/encryptssh and updated everything else to the newest encrypt hook (trim).
Here is my patch for /lib/initcpio/hooks/encryptssh (encryptssh_hook).
Here is my patch for /lib/initcpio/install/dropbear (dropbear_install).
Or you can download the new encryptssh hook here and the new dropbear install hook here.
But: It does not work over ssh anymore. Don’t know why, it seems to hang in a loop after mounting successfully.
Try at your own risk! This is still not working!
Edit #2: I got it running with trim now, not the most beautiful solution, but working…basically I added --allow-discards to every important command.
Changes to /lib/initcpio/install/dropbear (changed line is marked):
[...]
#!/bin/sh
if [ -c "/dev/mapper/control" ]; then
    if eval /sbin/cryptsetup luksOpen \`cat /.cryptdev\` \`cat /.cryptname\` --allow-discards ; then
        echo > /.done
[...]
Changes to /lib/initcpio/hooks/encryptssh (changed lines are marked):
[...]
if [ -f ${ckeyfile} ]; then
    if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} --allow-discards ${CSQUIET}; then
        dopassphrase=0
    else
[...]
[...]
#loop until we get a real password
while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} --allow-discards ${CSQUIET}; do
    if [ -f /.done ]; then
        break
    fi
[...]
[...]
exe="/sbin/cryptsetup create ${cryptname} ${cryptdev} --allow-discards"
tmp=$(echo "${crypto}" | cut -d: -f1)
[...]
For me, this seems to be some working solution until the script is updated to the latest encrypt hook.
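Because the discard option in /etc/fstab fails silently, one way to confirm after a reboot that the mappings really carry the flag is to inspect the device-mapper table. The script below is an added example, not part of the original post or of dropbear_initrd_encrypt; the mapping names and sizes in the sample are constructed, and it assumes the `name: ...` line format that `dmsetup table` prints when run without a device argument.

```sh
#!/bin/sh
# Added example (not from the original post): check whether dm-crypt mappings
# were opened with --allow-discards, using the "name: start length target ..."
# lines that `dmsetup table` prints when run without a device argument.

# Prints "<name>: discards enabled|disabled".
# Returns 0 = enabled, 1 = disabled, 2 = not a crypt target.
crypt_discard_state() {
    line=$1
    name=${line%%:*}
    # Split the remainder on whitespace: start length target params...
    set -- ${line#*:}
    if [ "$#" -lt 8 ] || [ "$3" != "crypt" ]; then
        return 2
    fi
    # Fields 4-8 are the mandatory crypt parameters (cipher, key, iv_offset,
    # device, offset); what follows is the optional-parameter count and flags.
    shift 8
    for opt in "$@"; do
        if [ "$opt" = "allow_discards" ]; then
            echo "$name: discards enabled"
            return 0
        fi
    done
    echo "$name: discards disabled"
    return 1
}

# Reads table lines on stdin; returns 1 if any crypt mapping lacks discards.
audit_discards() {
    missing=0
    while IFS= read -r line; do
        rc=0
        crypt_discard_state "$line" || rc=$?
        if [ "$rc" -eq 1 ]; then missing=1; fi
    done
    return "$missing"
}

# Constructed sample input (mapping names and sizes are made up).
SAMPLE='cryptroot: 0 976766976 crypt aes-xts-plain64 0000000000000000 0 8:2 4096 1 allow_discards
cryptdata: 0 1953519616 crypt aes-xts-plain64 0000000000000000 0 8:17 4096
vg0-swap: 0 16777216 linear 8:3 2048'

printf '%s\n' "$SAMPLE" | audit_discards || echo "at least one mapping ignores TRIM"
# On a live system (as root): dmsetup table | audit_discards
```

The cryptsetup man page notes that passing discards through an encrypted device can expose filesystem-level information on the physical device, such as which blocks are unused, so the flag is a trade-off to enable deliberately.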
