$ man cryptsetup
--allow-discards
Allow the use of discard (TRIM) requests for the device. This option is only relevant for open action. This is also not supported for LUKS2 devices with data integrity protection.
WARNING: This command can have a negative security impact because it can make filesystem-level operations visible on the physical device. For example, information leaking filesystem type, used space, etc. may be extractable from the physical device if the discarded blocks can be located later. If in doubt, do not use it.
A kernel version of 3.1 or later is needed. For earlier kernels, this option is ignored.
Someone here says that “For most users, the benefit of TRIM outweigh those security concerns.” So, on my MJ the encryption is not set to use discard:
$ sudo fstrim -v /
fstrim: /: the discard operation is not supported
and the system does not use fstrim:
$ systemctl status fstrim.timer
○ fstrim.timer - Discard unused blocks once a week
Loaded: loaded (/usr/lib/systemd/system/fstrim.timer; disabled; vendor preset: disabled)
Active: inactive (dead)
and my system's encrypted drive seems to support TRIM (it has non-zero DISC-GRAN & DISC-MAX values):
$ lsblk --discard
NAME DISC-ALN DISC-GRAN DISC-MAX DISC-ZERO
nvme0n1 0 512B 2T 0
├─nvme0n1p1 0 512B 2T 0
└─nvme0n1p2 0 512B 2T 0
└─luks-a-b-c-d 0 0B 0B 0
I think I should use fstrim? But how to do it? What should the steps be?
sudo nano /etc/crypttab
replace luks with luks,discard
(is it safe? I do not want a non-bootable system)
Then:
$ systemctl enable --now fstrim.timer
?
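The steps sketched in the question, worked through as an added example (this is not code from the original post or from Manjaro). It assumes an Arch/Manjaro-style layout with mkinitcpio; the mapping name luks-a-b-c-d and every sample file and command output below are constructed. Two caveats the question does not mention: adding discard to /etc/crypttab cannot by itself make the system unbootable (an option the unlock path does not understand is ignored, not fatal), but on installs that use the encrypt hook the root volume is unlocked from the cryptdevice= kernel parameter before /etc/crypttab is read, so for root the switch is :allow-discards appended to cryptdevice= in /etc/default/grub followed by update-grub (installs on the sd-encrypt hook use rd.luks.options=discard instead). The script edits the crypttab line idempotently, checks an already-open mapping from its dmsetup table line, and classifies the kernel command line.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes an Arch/Manjaro-style
# /etc/crypttab and mkinitcpio; the mapping name "luks-a-b-c-d" and all sample
# file contents and command outputs below are constructed.
set -eu

# 1. Idempotently add "discard" to the options (4th) field of the crypttab
#    line for mapping $2 in file $1.  Fields: <name> <device> <keyfile> <options>.
#    A backup of the untouched file is kept as $1.bak (only on the first run).
add_crypttab_discard() {
    local file=$1 name=$2
    [ -e "$file.bak" ] || cp -a -- "$file" "$file.bak"
    awk -v want="$name" '
        /^[ \t]*#/ || NF == 0 { print; next }     # keep comments and blank lines
        $1 == want {
            if ($3 == "") $3 = "none"
            if ($4 == "") $4 = "discard"
            else if ($4 !~ /(^|,)discard(,|$)/) $4 = $4 ",discard"
            print $1, $2, $3, $4; next          # already present: line unchanged
        }
        { print }
    ' "$file" > "$file.tmp"
    mv -- "$file.tmp" "$file"
}

# 2. Is an already-open mapping accepting discards?  $1 is the line printed by
#    `sudo dmsetup table <name>`; the dm-crypt target lists "allow_discards"
#    among its optional flags when the device was opened with --allow-discards.
mapping_has_discard() {
    case " $1 " in *" allow_discards "*) return 0 ;; *) return 1 ;; esac
}

# 3. Root on the "encrypt" mkinitcpio hook is unlocked from the kernel command
#    line, not from /etc/crypttab, so the switch there is ":allow-discards"
#    appended to cryptdevice=.  $1 is the contents of /proc/cmdline.
#    Prints: enabled | missing | none (no cryptdevice=, e.g. sd-encrypt hook).
root_cmdline_discard() {
    local word
    for word in $1; do
        case "$word" in
            cryptdevice=*:allow-discards*) echo enabled; return ;;
            cryptdevice=*)                 echo missing; return ;;
        esac
    done
    echo none
}

# Demo on constructed input (no root needed).  The real run would be:
#   sudo dmsetup table luks-a-b-c-d ; cat /proc/cmdline ; sudoedit /etc/crypttab
demo() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/crypttab" <<'EOF'
# <name>       <device>                                   <keyfile>            <options>
luks-a-b-c-d   UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee  /crypto_keyfile.bin  luks
EOF
    add_crypttab_discard "$dir/crypttab" luks-a-b-c-d
    add_crypttab_discard "$dir/crypttab" luks-a-b-c-d   # second run must not duplicate
    cat "$dir/crypttab"
    # constructed /proc/cmdline as written by a Calamares install on the encrypt hook
    root_cmdline_discard 'BOOT_IMAGE=/vmlinuz root=/dev/mapper/luks-a-b-c-d cryptdevice=UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee:luks-a-b-c-d quiet'
    rm -rf -- "$dir"
}
demo
```

After a reboot, `sudo cryptsetup status luks-a-b-c-d` should list `discards` under flags, `sudo fstrim -v /` should report trimmed bytes instead of "not supported", and only then is `systemctl enable --now fstrim.timer` worth doing; the man page warning above still applies, since TRIM reveals which blocks are unused on the physical device.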