Enable SSD trim for dm-crypt after fresh installation

Hey all,

I freshly installed Manjaro (with KDE) on my new computer. I am moving from a 6+ year old installation of Manjaro that also had encryption enabled.

During installation I chose the default option (having /boot and /, both encrypted) as, after some thought, I decided I don’t need special partitions. So now I want to enable trim on the SSD everything is installed on, using the discard boot option.

However I fail at the basic questions:

  • I read some docs and it seems I have to configure the option in the boot loader? What kind of boot loader do I have (reading the docs there are several, I don’t know which is used by Manjaro by default), and how do I configure this boot loader (if you read this maybe you know this as well)?
  • How to check the dm-crypt configuration (encryption algo, hashing algo, iterations …) in use on my drive (I want to make sure the default is “good”) and to mainly also check the iterations as my header unlocking is super slow (10s I would guess)

Thanks in advance

Hullo,
Welcome, and excuse me if I go over a few things;

If this was Traditional/BIOS setup you don’t need a separate /boot either, and if it is U/EFI then it should be /boot/efi (or /efi). Maybe that’s what you meant.

So … generally discard is discouraged.
Instead the suggestion is usually to use ‘periodic’ trim.
Which really just consists of enabling the timer.

systemctl enable fstrim.timer

To some degree this depends on your device and filesystem … of which we know nothing about either. Certain devices will create data corruption if using ‘continuous’ trim (discard).

Most everything about it you would need is at the ArchWiki:
https://wiki.archlinux.org/title/Solid_state_drive#TRIM

Huh? What option? discard?
No. See above, but discard would be placed as an option for entries in /etc/fstab

EDIT. Oh … because of dm-crypt. Please see this:

https://wiki.archlinux.org/title/Dm-crypt/Specialties#Discard/TRIM_support_for_solid_state_drives_(SSD)


See here:
https://wiki.archlinux.org/title/Dm-crypt

I would have added some links but wasn’t allowed to. I have read the Arch Wiki documentation; however, so far some information is not clear.

Based on the fstab you seem to be right. I have a /boot/efi, / and /tmp mapping.

I understand but the downsides are not a big problem for me. So I would prefer to use regular / instant ssd trim.

Which is true. I am using a 4 TB M2 (NVME) ssd which supports trim (I checked in Linux).

I figured out how to get information about the dm-crypt configuration. One can execute cryptsetup luksDump /dev/nvme0n1p2 or dmsetup table to receive an overview. Dmsetup also provides the “flags” such as trim or workqueue. The keys headers use >6000000 iterations - which might be the reason why it is so slow to unlock.

It seems the setup only provides LUKS but not LUKS2. There is an option to use cryptsetup to set up discard or disable workqueue (TRIM) but it fails:

sudo cryptsetup --allow-discards --persistent refresh /dev/mapper/luks-deviceid
This operation is supported only for LUKS2 device.
Device activated but cannot make flags persistent.

As a test I tried to set no_read_workqueue and no_write_workqueue (which I feel are less dangerous than discard) in /etc/crypttab but it seems the parameters are not used after reboot.
My /etc/crypttab looks like the following:

luks-deviceid UUID=uid /crypto_keyfile.bin luks,no-read-workqueue,no-write-workqueue

So my questions remain

  • It seems I have to provide a kernel parameter?
  • As systemd is used in general I assumed sd-encrypt is used - however /etc/mkinitcpio.conf references encrypt among others. Is this expected?
  • Where to provide the kernel parameters?
  • Still provide dm-crypt configuration (no-read-workqueue,no-write-workqueue) to /etc/crypttab or somewhere else?
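
The `dmsetup table` check mentioned in the post above, as an added example that is not part of the original thread: it lists which optional dm-crypt flags (such as `allow_discards` or the workqueue flags) are actually active on each mapping, which is how to confirm after a reboot whether a setting took effect. The function names, mapping names and table lines are constructed for illustration.

```shell
#!/bin/sh
# Report the optional dm-crypt flags active on each mapped crypt target.
# Input: lines in `dmsetup table` format:
#   <name>: <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset> [<#opts> <opt>...]

# Print "<mapping> <flag,flag,...>" (or "none") for every crypt target on stdin.
crypt_flags() {
    awk '$4 == "crypt" {
        name = $1; sub(/:$/, "", name)
        flags = ""
        n = ($10 == "" ? 0 : $10)          # field 10 is the optional-parameter count
        for (i = 11; i < 11 + n && i <= NF; i++)
            flags = flags (flags == "" ? "" : ",") $i
        print name, (flags == "" ? "none" : flags)
    }'
}

# Succeed if mapping $1 has flag $2 active; the table is read from stdin.
has_flag() {
    crypt_flags | awk -v n="$1" -v f="$2" '
        $1 == n { k = split($2, a, ","); for (i = 1; i <= k; i++) if (a[i] == f) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample input (not taken from a real system); keys shown as zeros.
sample_table() {
cat <<'EOF'
luks-example-root: 0 7814000000 crypt aes-xts-plain64 0000000000000000 0 259:2 4096 1 allow_discards
luks-example-swap: 0 16777216 crypt aes-xts-plain64 0000000000000000 0 259:3 4096
luks-example-data: 0 1000000 crypt aes-xts-plain64 0000000000000000 0 259:4 4096 3 allow_discards no_read_workqueue no_write_workqueue
vg-home: 0 2097152 linear 259:5 2048
EOF
}

# Live use (needs root): dmsetup table | crypt_flags
sample_table | crypt_flags
```

A mapping reported as `none` is running with default behaviour, so any discard or workqueue option configured elsewhere was not applied when the device was opened.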