If you use an encrypted external SSD, you should periodically trim it. The first step is to make sure the external drive itself supports trimming. The next step is to make sure the LUKS partition on the device supports trimming as well. By default, LUKS-encrypted devices do not pass discard requests through, due to some security concerns. For example, the crypttab man page states:
WARNING: Assess the specific security risks carefully before enabling this option. For example, allowing discards on encrypted devices may lead to the leak of information about the ciphertext device (filesystem type, used space etc.) if the discarded blocks can be located easily on the device later.
For most users, the benefits of TRIM outweigh those security concerns. The easiest way to enable TRIM is to pass the discard option in /etc/crypttab. For example:
cdisk0 UUID=12345678-9abc-def012345-6789abcdef01 none luks,discard
The problem with the /etc/crypttab approach is that it requires you to pre-configure your external drives. A better approach is to enable discards in the LUKS header itself, so the setting applies automatically whenever the drive is used. This can be done with LUKS version 2 headers.
# cryptsetup --allow-discards --persistent refresh luks-643dc0f7-c876-4e37-9207-5c053a75fc70
Where luks-643dc0f7-c876-4e37-9207-5c053a75fc70 is the name of the mapping for the encrypted drive. You can verify that allow-discards is now among the flags by dumping the LUKS header.
# cryptsetup luksDump /dev/sda4 | grep Flags
Flags: allow-discards
Now, you should be able to use fstrim to trim your LUKS-encrypted external SSD.
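If fstrim still fails, comparing the discard limits each layer reports shows whether the drive, the partition or the LUKS mapping is dropping the request. The following is an added example, not part of the original article: it parses output in the format of `lsblk -bnlo NAME,TYPE,DISC-GRAN,DISC-MAX` and `dmsetup table`, and the sample lines, the device names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples of: lsblk -bnlo NAME,TYPE,DISC-GRAN,DISC-MAX /dev/sda
# (-b prints bytes, so a layer without discard support shows 0 in both columns).
SAMPLE_OK='sda disk 4096 4294966784
sda4 part 4096 4294966784
luks-example crypt 4096 4294966784'
# Drive and partition accept discards, the dm-crypt mapping does not.
SAMPLE_CRYPT_BLOCKED='sda disk 4096 4294966784
sda4 part 4096 4294966784
luks-example crypt 0 0'
# The drive itself reports no discard support, so nothing above it can either.
SAMPLE_DRIVE_BLOCKED='sda disk 0 0
sda4 part 0 0
luks-example crypt 0 0'
# Constructed samples of: dmsetup table luks-example (key field is a placeholder).
TABLE_WITH='0 976707584 crypt aes-xts-plain64 :64:logon:cryptsetup:EXAMPLE-d0 0 8:4 32768 1 allow_discards'
TABLE_WITHOUT='0 976707584 crypt aes-xts-plain64 :64:logon:cryptsetup:EXAMPLE-d0 0 8:4 32768'

# Read lsblk lines on stdin; print NAME(TYPE) for every layer whose discard
# granularity or maximum discard size is 0. Exit status 1 if any layer is blocked.
blocked_layers() {
    awk 'NF >= 4 && ($3 == 0 || $4 == 0) { printf "%s(%s)\n", $1, $2; bad = 1 }
         END { exit bad + 0 }'
}

# Read `dmsetup table` output on stdin; succeed only if a crypt target line
# lists the allow_discards optional parameter.
crypt_allows_discards() {
    awk '$3 == "crypt" { for (i = 4; i <= NF; i++) if ($i == "allow_discards") ok = 1 }
         END { exit !ok }'
}

# Demo on the constructed samples.
for sample in "$SAMPLE_OK" "$SAMPLE_CRYPT_BLOCKED" "$SAMPLE_DRIVE_BLOCKED"; do
    if layers=$(printf '%s\n' "$sample" | blocked_layers); then
        echo "discards pass through every layer"
    else
        echo "discards blocked at:" $layers
    fi
done
```

On a real system, pipe the output of the two commands named in the comments into these functions in place of the samples. A zero on the disk line means the drive as presented to the host does not accept discards, and no LUKS setting changes that.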
Thanks for the article. You do have a typo – you wrote “dicard” instead of “discard” 🙂
I have an NVME SSD in my laptop and I use LUKS to encrypt my SSD. I was wondering if doing an SSD TRIM was safe when using LUKS encryption, and I’m glad to see that except for a few relatively minor security concerns, it’s perfectly fine to run fstrim with an encrypted SSD.
Thanks again!
Thanks, fixed the typo.
Excellent article.
Your guidelines work flawlessly on internal LUKS-encrypted SSDs, but not when the same SSDs are attached externally through a USB M.2 NVMe enclosure.
I have tried both Ugreen and Sabrent enclosures which are supposed to support trimming.
Are there specific steps for this use-case?