At first glance, enabling TRIM on a LUKS-encrypted volume looks quite easy and, as a matter of fact, it is.
The shitstorm starts when trying to enable TRIM on the root volume, but let’s go one step at a time.
First of all, enabling TRIM on a regular unencrypted volume is pretty easy: just open the file “/etc/fstab” and add the flag “discard”.
You may also want to add the flag “noatime” to prevent the OS from writing additional information such as the last access date. It’s not strictly necessary, but it will save the SSD’s cells some useless write operations.
The fstab file should look like this (here only one row is reported):
/dev/mapper/luks-d3[...] / ext4 discard,noatime,x-systemd.device-timeout=0 1 1
If the volume is a LUKS-encrypted one, the file “/etc/crypttab” also needs to be edited by adding the flag “allow-discards”.
luks-d3[...] UUID=d3[...] none allow-discards
Rebuild the initramfs with “dracut -fv” and the “grub.cfg” file with “grub2-mkconfig -o /boot/grub2/grub.cfg”.
If “/” is encrypted, things are a bit trickier.
As of today, there seems to be some kind of issue in applying TRIM in this specific scenario: for some reason, if the LUKS-encrypted volume is listed in the “grub.cfg” file, the configuration present in “/etc/crypttab” is ignored.
A fix for this isn’t available yet, though there is a workaround that can be used.
First of all, I suggest making a backup of:
This way, if something goes wrong we can just move back to the backup file instead of having to mount volumes and rebuild the configuration via the recovery shell.
Anyway, the trick, as a user suggested on Bugzilla, is to remove everything related to LUKS volumes from “/etc/default/grub” and then rebuild “grub.cfg” with “grub2-mkconfig -o /boot/grub2/grub.cfg”.
Here is how the configuration file should look:
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="rd.md=0 rd.lvm=0 rd.dm=0 $([ -x /usr/sbin/rhcrashkernel-param ] && /usr/sbin/rhcrashkernel-param || : ) vconsole.keymap=it2 dhgb splash quiet i915.powersave=1 i915.modeset=1 i915.semaphores=1 i915.i915_enable_rc6=7 i915.i915_enable_fbc=1 i915.lvds_downclock=1 i915_enable_ppgtt=1"
GRUB_DISABLE_RECOVERY="true"
GRUB_THEME="/boot/grub2/themes/system/theme.txt"
Reboot, and TRIM should now be available even for the root volume.
What follows is a list of useful commands:
1. mount | grep discard ### to be sure that TRIM is really enabled;
2. cryptsetup status luks-uuid ### to check if TRIM is enabled in luks volumes;
3. dmsetup table ### to check if TRIM is enabled in luks volumes;
4. fstrim _path_to_dir -v ### force TRIM command.
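
A way to spot the root-volume problem described above, where “/etc/crypttab” asks for discards but the running mapping does not pass them. This is an added example, not part of the original post; the function names and the sample crypttab and “dmsetup table” data are constructed for illustration.

```shell
#!/bin/sh
# Added example. The sample data below is constructed, not from a real system.

# Print crypttab entries (file $1) whose options request discards.
# "discard" is accepted because systemd treats it as a synonym.
crypttab_discard_requested() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         { n = split($4, opt, ",")
           for (i = 1; i <= n; i++)
               if (opt[i] == "allow-discards" || opt[i] == "discard") {
                   print $1; break
               } }' "$1"
}

# Read `dmsetup table` output on stdin; print crypt mappings whose
# optional parameters (field 11 onward) include allow_discards.
dm_discard_active() {
    awk '$4 == "crypt" {
             for (i = 11; i <= NF; i++)
                 if ($i == "allow_discards") {
                     sub(/:$/, "", $1); print $1; break
                 } }'
}

# Print mappings where crypttab ($1) asks for discards but the running
# table (saved in file $2) does not pass them: the root-volume symptom.
ignored_discard_requests() {
    active=$(dm_discard_active < "$2")
    for name in $(crypttab_discard_requested "$1"); do
        printf '%s\n' "$active" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

SAMPLE_CRYPTTAB=$(mktemp)
SAMPLE_DMTABLE=$(mktemp)
cat > "$SAMPLE_CRYPTTAB" <<'EOF'
# constructed sample crypttab
luks-root UUID=1111-aaaa none allow-discards
luks-home UUID=2222-bbbb none luks,discard
luks-data UUID=3333-cccc none
EOF
cat > "$SAMPLE_DMTABLE" <<'EOF'
luks-root: 0 1000 crypt aes-xts-plain64 0000 0 8:2 4096
luks-home: 0 2000 crypt aes-xts-plain64 0000 0 8:3 4096 1 allow_discards
fedora-swap: 0 500 linear 8:4 2048
EOF

ignored_discard_requests "$SAMPLE_CRYPTTAB" "$SAMPLE_DMTABLE"   # prints luks-root
```

On a real system, save the output of “dmsetup table” (run as root) to a file and pass it together with “/etc/crypttab”.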
On a side note, I would like to point out that enabling TRIM on an encrypted volume is far from being a “best practice”.
While, at least with LUKS, having TRIM enabled should not expose your data to any risk, it will probably eliminate any chance of claiming “plausible deniability”, so think about what you are doing before actually doing it.
More information about this subject can be found here: TRIM and encrypted volumes.