Message-ID: <5388BED0.90203@codehawks.eu>
Date: Fri, 30 May 2014 18:24:32 +0100
From: Thomas Bastiani
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Is erasing hard disk drive mandatory?
In-Reply-To: <20140530171053.GA5729@fancy-poultry.org>
References: <1401370403.94216.YahooMailNeo@web172002.mail.ir2.yahoo.com> <20140529201335.GA9014@tansi.org> <20140530134238.GA21698@tansi.org> <20140530150701.GA4281@fancy-poultry.org> <5388AA9C.3020909@codehawks.eu> <20140530171053.GA5729@fancy-poultry.org>

On 05/30/14 18:10, Heinz Diehl wrote:
> On 30.05.2014, Thomas Bastiani wrote:
>
>> On SSDs though, this would prevent TRIM from functioning properly
>> and make the SSD appear as full to the controller, which would
>> hurt performance.
>
> If you e.g. do a "dd if=/dev/urandom of=bigfile" to an SSD drive
> until the partition is fully overwritten, simply deleting "bigfile"
> followed by a "fstrim" should restore performance to the same level as
> it was before. What am I missing?
>

Your first step is to dd if=/dev/urandom of=/dev/sd or an equivalent operation. This is before you even create an encrypted container and definitely below your file system...
It may be that files that you create and then delete will trigger a TRIM operation if dm-crypt (and eventually LVM) are configured to pass TRIM through. But the rest of your "securely erased" drive is still not TRIMmed.

And also it doesn't make sense to configure dm-crypt to pass TRIM (with --allow-discards) if you've written random data to your drive at creation time, because then you introduce another, different type of side-channel leak.

Does that make sense?

-- 
Thomas
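The mechanics the two mails argue about can be watched in a toy model of the stack. The code below is an added illustration written for this page, not code from the dm-crypt project or from either poster; the `Ssd`, `DmCrypt` and `ToyFs` classes, the 64-sector layout with an 8-sector header area, the file sizes, and the hash-based per-sector keystream standing in for real XTS are all assumptions of the model. It runs the thread's sequence (fill the raw drive from urandom, put an encrypted filesystem on top, write and delete a big file, run fstrim) once with dm-crypt dropping discards and once with `--allow-discards`, and reports what the flash controller still holds and what someone reading the raw device can tell apart.

```python
"""Toy model of SSD <- dm-crypt <- filesystem and TRIM pass-through.

Added example for this thread; not dm-crypt code. Layout, sizes and the
sha256 keystream (a stand-in for XTS, not a real cipher) are assumptions.
"""
import hashlib
import os

SECTOR = 512
DISK_SECTORS = 64      # the whole "drive"
CRYPT_OFFSET = 8       # sectors 0-7 stand in for the LUKS header area


class Ssd:
    """Controller view: which LBAs currently hold host data.

    Unmapped LBAs read back as zeros here. Real drives vary (RZAT, DRAT,
    undefined), but all let an observer tell trimmed sectors from written ones.
    """

    def __init__(self, nsectors):
        self.nsectors = nsectors
        self.mapped = {}           # lba -> 512 bytes of stored data

    def write(self, lba, data):
        assert len(data) == SECTOR and 0 <= lba < self.nsectors
        self.mapped[lba] = data

    def discard(self, lba, count):
        for i in range(lba, lba + count):
            self.mapped.pop(i, None)

    def read(self, lba):
        return self.mapped.get(lba, bytes(SECTOR))

    def mapped_count(self):
        return len(self.mapped)


class DmCrypt:
    """Toy dm-crypt target; allow_discards mirrors cryptsetup --allow-discards."""

    def __init__(self, ssd, offset, key, allow_discards):
        self.ssd, self.offset, self.key = ssd, offset, key
        self.allow_discards = allow_discards
        self.nsectors = ssd.nsectors - offset

    def _keystream(self, sector):
        # Per-sector keystream derived from key and sector number (toy only).
        out, ctr = b"", 0
        while len(out) < SECTOR:
            out += hashlib.sha256(self.key + sector.to_bytes(8, "little")
                                  + ctr.to_bytes(4, "little")).digest()
            ctr += 1
        return out[:SECTOR]

    def write(self, sector, plaintext):
        ks = self._keystream(sector)
        self.ssd.write(self.offset + sector, bytes(a ^ b for a, b in zip(plaintext, ks)))

    def discard(self, sector, count):
        # Without --allow-discards the discard is dropped here and the SSD
        # never learns that the sectors are free.
        if self.allow_discards:
            self.ssd.discard(self.offset + sector, count)


class ToyFs:
    """Minimal filesystem: contiguous first-fit allocator plus fstrim."""

    def __init__(self, dev):
        self.dev = dev
        self.free = [(0, dev.nsectors)]   # (start, length) extents
        self.files = {}                   # name -> (start, length)

    def create(self, name, nsectors, fill):
        for idx, (start, length) in enumerate(self.free):
            if length >= nsectors:
                self.free[idx] = (start + nsectors, length - nsectors)
                if self.free[idx][1] == 0:
                    del self.free[idx]
                for s in range(start, start + nsectors):
                    self.dev.write(s, fill)
                self.files[name] = (start, nsectors)
                return
        raise OSError("no space")

    def delete(self, name):
        # rm only marks the extent free; no discard is issued at this point.
        self.free.append(self.files.pop(name))
        self.free.sort()

    def fstrim(self):
        # fstrim issues a discard for every free extent of the filesystem.
        for start, length in self.free:
            self.dev.discard(start, length)


def run(allow_discards):
    ssd = Ssd(DISK_SECTORS)
    for lba in range(DISK_SECTORS):          # step 1: urandom over the raw drive
        ssd.write(lba, os.urandom(SECTOR))
    crypt = DmCrypt(ssd, CRYPT_OFFSET, os.urandom(32), allow_discards)
    fs = ToyFs(crypt)
    fs.create("keep", 10, b"k" * SECTOR)     # data that stays
    fs.create("bigfile", 40, b"x" * SECTOR)  # the file from the thread
    fs.delete("bigfile")
    fs.fstrim()
    # What a reader of the raw device can see: trimmed LBAs are all zeros.
    zero_lbas = [l for l in range(DISK_SECTORS) if ssd.read(l) == bytes(SECTOR)]
    return {"mapped": ssd.mapped_count(), "zero_lbas": zero_lbas}


if __name__ == "__main__":
    for flag in (False, True):
        r = run(flag)
        print(f"allow_discards={flag}: {r['mapped']}/{DISK_SECTORS} LBAs still "
              f"mapped, {len(r['zero_lbas'])} readable as trimmed")
```

With discards dropped, all 64 sectors stay mapped after the delete and fstrim, so the controller still believes the drive is full. With pass-through, fstrim frees the 46 sectors of free space inside the filesystem, but the 8 header sectors below it stay mapped, and the raw device now shows exactly which sectors are free and which hold data, which is the information the urandom fill was meant to hide.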