TRIM support via dm-crypt/device-mapper
Full question
https://superuser.com/questions/302710/t...
--
Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...
--
Tags
#ssd #luks #devicemapper
ACCEPTED ANSWER
Score 12
For the record, this functionality did NOT exist when I first posted this question. I asked on the mailing list and was informed by Milan Broz that discard passthrough for dm-crypt targets still had not been implemented. Milan indicated that he intended to implement this at some point, but did not state when.
After digging around in dm-crypt.c and related files for a while, it appeared that TRIM support would be fairly trivial to add. I wrote the list asking for their general advisement on the task before I jumped in. The next day, Milan submitted a patch that implements TRIM pass-through on dm-crypt and this has been staged into linux-next. It should be included in the Linux 3.1 kernel.
TRIM passthrough must be enabled explicitly. There are potential security issues in using TRIM on a dm-crypt'd device, because TRIM sends information about block usage to the firmware on the device which then marks recently freed areas as usable (as I understand it, anyway). This means that an interested party can derive information about patterns of disk usage. For instance, it was postulated that an attacker could almost definitely learn what filesystem was in use on the encrypted medium through this data. An attacker may also be able to learn more useful information, like that you had a lot of big files saved until recently (big contiguous TRIM'd blocks).
Please see these threads for reference:
http://www.redhat.com/archives/dm-devel/2011-June/msg00093.html
http://www.redhat.com/archives/dm-devel/2011-July/msg00042.html
http://www.redhat.com/archives/dm-devel/2011-July/msg00088.html
tl;dr: TRIM passthrough support for dm-crypt targets will exist in Linux >= 3.1 but must be enabled manually via cryptsetup and/or dmsetup due to data leakage that may allow profiling based on disk usage patterns.
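An added example, not part of the original answer: a shell check that reports which dm-crypt mappings currently pass discards through, by looking for the allow_discards optional parameter in each crypt line of `dmsetup table` output. The table in sample_table is constructed, and the function names are made up for this example.

```shell
#!/bin/sh
# Input: `dmsetup table` text on stdin, one mapping per line:
#   <name>: <start> <len> crypt <cipher> <key> <iv_off> <dev> <off> [<n> <opts...>]
# Output: "<name> passthrough" or "<name> blocked" for every crypt target.

discard_report() {
    awk '
        $4 == "crypt" {
            name = $1
            sub(/:$/, "", name)
            state = "blocked"
            # Field 10 is the optional-parameter count; the parameters follow it.
            for (i = 11; i <= NF; i++)
                if ($i == "allow_discards") state = "passthrough"
            print name, state
        }'
}

# Constructed sample (keys shown as zeros, as dmsetup prints them by default).
sample_table() {
    cat <<'EOF'
cryptroot: 0 976769024 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:2 4096 1 allow_discards
cryptdata: 0 1953517568 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:17 4096
cryptbak: 0 209715200 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:33 4096 2 same_cpu_crypt submit_from_crypt_cpus
vg0-swap: 0 16777216 linear 253:0 2048
EOF
}

# Only mappings reported as "passthrough" expose block-usage patterns
# to the drive; non-crypt targets (the linear line) are skipped.
sample_table | discard_report
```

On a live system, run `dmsetup table | discard_report` as root. A mapping opened with `cryptsetup --allow-discards` shows up as passthrough.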
ANSWER 2
Score 4
As of kernel 3.2.x, dm-crypt + btrfs is supposed to be safe. See the reply to my question from Chris Mason:
http://permalink.gmane.org/gmane.comp.file-systems.btrfs/15554 and http://permalink.gmane.org/gmane.comp.file-systems.btrfs/15564
ANSWER 3
Score 0
According to this post...
My question is: What happens, if a dm-crypt-layer is between the filesystem and the real block-device? Will the trim be passed through, or will it be discarded?
I guess it will be passed through. I'm using btrfs on an SSD which is encrypted with LUKS/dm-crypt, and it works great. Btrfs has used ATA TRIM for quite a while.
You might also need discard in the mount options of the filesystem.
ANSWER 4
Score 0
Well, there's this thread
https://bbs.archlinux.org/viewtopic.php?id=114924
and this tool
http://sourceforge.net/tracker/index.php?func=detail&aid=2997551&group_id=136732&atid=736684
I haven't used it yet, but I'm also interested in this problem.