LUKS Encrypted SSD under Ubuntu 14.04

So, after upgrading my laptop a couple weeks ago I found myself with a “spare” 960GB SSD from my old laptop. Since the new laptop uses an M.2 PCIE SSD and has no room for expansion, I thought this would be the perfect opportunity to replace the WD Black hard drive I use as secondary storage in my office workstation.
Before doing that, though, it needs to be encrypted.
The drive in question is a Patriot Ignite 960GB SATA 3 SSD. It's not the most impressive performer as far as SSDs go, but it offers very high capacity for an SSD on a budget, and it will absolutely trounce the performance of any mechanical drive. Perfect for my needs as a secondary storage device.
The process for setting up a LUKS encrypted drive under Ubuntu 14.04 isn’t all that different from the process laid out in my previous post, LUKS Encrypted Disks under Ubuntu 10.10. However, since this is an SSD, it requires TRIM to be enabled to keep the drive performing well and to allow wear leveling. If I were to just treat it the same way as a mechanical hard drive, sectors would be zeroed out, the performance of the drive would degrade over time, and its life span would be reduced since wear leveling would never kick in.
As with my previous posting, this is mostly a reference for myself. The steps outlined here work for me, but may not work for you, and will destroy your data in the process. I accept no responsibility for the consequences of anyone following the instructions laid out below.
WARNING: Following these steps will erase disks and lose data!
In my previous post, I was setting things up for an external hard drive. This time around, I’m setting up the SSD as a “permanent” drive that will prompt me for a password at boot.
Assuming the drive has been installed in the machine as the second hard drive, before we can edit its partitions we need to find it.
From a shell window, run ‘sudo parted -l’ to verify which drive it is. For brevity, I omitted all the output except the drive I’m working on:
marc@opus:~$ sudo parted -l
Model: ATA Patriot Ignite (scsi)
Disk /dev/sdb: 960GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Number Start End Size Type File system Flags
1 1049kB 1000MB 999MB primary ext2
2 1001MB 616GB 615GB extended
6 1001MB 600GB 599GB logical ext4
5 600GB 616GB 16.0GB logical
3 616GB 616GB 105MB primary ntfs boot
4 616GB 960GB 344GB primary ntfs
So the drive is on /dev/sdb. In my old laptop, I had set up dual boot with Windows 7, but I don’t need that now. So I need to delete all of the partitions on this drive using fdisk, and then create a single new partition on it:
marc@opus:~$ sudo fdisk /dev/sdb
Command (m for help): p
Disk /dev/sdb: 960.2 GB, 960197124096 bytes
255 heads, 63 sectors/track, 116737 cylinders, total 1875385008 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9da5462a
Device Boot Start End Blocks Id System
/dev/sdb1 2048 1953791 975872 83 Linux
/dev/sdb2 1955838 1203320831 600682497 5 Extended
/dev/sdb3 * 1203320832 1203525631 102400 7 HPFS/NTFS/exFAT
/dev/sdb4 1203525632 1875382271 335928320 7 HPFS/NTFS/exFAT
/dev/sdb5 1172070400 1203320831 15625216 82 Linux swap / Solaris
/dev/sdb6 1955840 1172070399 585057280 83 Linux
Partition table entries are not in disk order
Command (m for help): d
Partition number (1-6): 6
Command (m for help): d
Partition number (1-5): 5
Command (m for help): d
Partition number (1-5): 4
Command (m for help): d
Partition number (1-5): 3
Command (m for help): d
Partition number (1-5): 2
Command (m for help): d
Selected partition 1
Command (m for help): n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-1875385007, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-1875385007, default 1875385007):
Using default value 1875385007
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
So now the disk is ready. To set up the encryption, first format the partition created above as a LUKS volume:
marc@opus:~$ sudo cryptsetup --verify-passphrase luksFormat /dev/sdb1 -c aes -s 256 -h sha256
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Now, open the LUKS volume so that it shows up under device mapper:
marc@opus:~$ sudo cryptsetup luksOpen /dev/sdb1 cryptossd
Enter passphrase for /dev/sdb1:
Now, create the filesystem:
marc@opus:~$ sudo mkfs.ext4 -Lcryptossd /dev/mapper/cryptossd
mke2fs 1.42.9 (4-Feb-2014)
warning: 86 blocks unused.
Filesystem label=cryptossd
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
58720032 inodes, 234422272 blocks
11721112 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
7154 block groups
32768 blocks per group, 32768 fragments per group
8208 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000, 214990848
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
Now, to close the filesystem, use:
marc@opus:~$ sudo cryptsetup luksClose cryptossd
Now we have to make sure that TRIM support is set up, and this must be done at every level. We start with /etc/crypttab. First, get the UUID of the newly created LUKS volume using blkid:
marc@opus:~$ blkid
/dev/sdb1: UUID="f77e10f0-6074-46be-9a4e-dcf2ff8090d4" TYPE="crypto_LUKS"
Now edit /etc/crypttab and add a line referencing the UUID obtained from the newly set up disk, paying special attention to the discard option:
marc@opus:~$ cat /etc/crypttab
cryptossd UUID=f77e10f0-6074-46be-9a4e-dcf2ff8090d4 none luks,discard
Since this is not using LVM, that's it for crypttab. To have the volume mounted at boot time, prompting for the passphrase, add a line to /etc/fstab. Make sure the mount point directory has been created first, otherwise the mount will fail with an error.
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cryptossd /cryptossd ext4 defaults,discard,noatime 0 2
And that’s it. Before rebooting, test your /etc/fstab entry with the following commands:
marc@opus:~$ sudo cryptsetup luksOpen /dev/sdb1 cryptossd
Enter passphrase for /dev/sdb1:
marc@opus:~$ sudo mount -a
marc@opus:~$ df -m
Filesystem 1M-blocks Used Available Use% Mounted on
/dev/mapper/cryptossd 901188 72 855315 1% /cryptossd
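Because discard has to be present at every layer (crypttab, the dm-crypt table the kernel actually built, and the fstab mount options), a forgotten option in any one of them silently disables TRIM while everything else still appears to work. The script below is an added example, not part of the original post, that checks all three layers. The parsing functions read configuration text from stdin so they can be exercised on the constructed samples included at the bottom; check_live feeds them the real /etc/crypttab, /etc/fstab and dmsetup output. The mapper name cryptossd, the UUID and the mount point are the post's own values; the dmsetup table lines are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original post): verify that "discard" (TRIM
# pass-through) is configured at every layer of a LUKS-backed mount.
# Parsing functions read text on stdin so they can run against the constructed
# samples below without touching a real device.

# crypttab_has_discard NAME: succeed if NAME's crypttab line lists "discard"
# (field 1 = mapper name, field 4 = comma-separated options).
crypttab_has_discard() {
    awk -v name="$1" '
        $0 !~ /^[ \t]*(#|$)/ && $1 == name {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "discard") found = 1
        }
        END { if (seen && found) exit 0; exit 1 }'
}

# fstab_has_discard MOUNTPOINT: succeed if the fstab entry for MOUNTPOINT
# lists "discard" (field 2 = mount point, field 4 = options).
fstab_has_discard() {
    awk -v mp="$1" '
        $0 !~ /^[ \t]*(#|$)/ && $2 == mp {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "discard") found = 1
        }
        END { if (seen && found) exit 0; exit 1 }'
}

# dm_allows_discards: succeed if the `dmsetup table <name>` crypt target
# carries the allow_discards flag, i.e. the kernel really forwards TRIM.
dm_allows_discards() {
    grep -q ' crypt .* allow_discards'
}

# check_layers NAME MOUNTPOINT CRYPTTAB_TEXT FSTAB_TEXT DMTABLE_TEXT:
# report each layer and succeed only when all three pass.
check_layers() {
    rc=0
    if printf '%s\n' "$3" | crypttab_has_discard "$1"; then
        echo "crypttab : discard set for $1"
    else
        echo "crypttab : discard MISSING for $1"; rc=1
    fi
    if printf '%s\n' "$4" | fstab_has_discard "$2"; then
        echo "fstab    : discard set for $2"
    else
        echo "fstab    : discard MISSING for $2"; rc=1
    fi
    if printf '%s\n' "$5" | dm_allows_discards; then
        echo "dm-crypt : allow_discards active"
    else
        echo "dm-crypt : allow_discards NOT active (reopen the device after fixing crypttab)"; rc=1
    fi
    return $rc
}

# check_live NAME MOUNTPOINT: run the same checks against the running system.
check_live() {
    check_layers "$1" "$2" "$(cat /etc/crypttab)" "$(cat /etc/fstab)" \
        "$(sudo dmsetup table "$1" 2>/dev/null)"
}

# --- constructed samples (values from the post; dm tables made up) ----------
GOOD_CRYPTTAB='cryptossd UUID=f77e10f0-6074-46be-9a4e-dcf2ff8090d4 none luks,discard'
BAD_CRYPTTAB='cryptossd UUID=f77e10f0-6074-46be-9a4e-dcf2ff8090d4 none luks'
GOOD_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cryptossd /cryptossd ext4 defaults,discard,noatime 0 2'
BAD_FSTAB='/dev/mapper/cryptossd /cryptossd ext4 defaults,noatime 0 2'
# dmsetup prints the key as zeros unless --showkeys is given.
GOOD_DM='0 1875382960 crypt aes-cbc-essiv:sha256 0000000000000000000000000000000000000000000000000000000000000000 0 8:17 4096 1 allow_discards'
BAD_DM='0 1875382960 crypt aes-cbc-essiv:sha256 0000000000000000000000000000000000000000000000000000000000000000 0 8:17 4096'

echo "== correctly configured =="
check_layers cryptossd /cryptossd "$GOOD_CRYPTTAB" "$GOOD_FSTAB" "$GOOD_DM"
echo "== discard forgotten in crypttab, so the kernel table lacks allow_discards =="
check_layers cryptossd /cryptossd "$BAD_CRYPTTAB" "$GOOD_FSTAB" "$BAD_DM" || true
```

On the real machine, `check_live cryptossd /cryptossd` after the `mount -a` test above tells you whether the option made it through every layer; the end-to-end confirmation is `sudo fstrim -v /cryptossd`, which reports the bytes trimmed when discards reach the drive and fails with "the discard operation is not supported" when they do not. One caveat worth deciding on consciously: cryptsetup's documentation warns that allowing discards on an encrypted device leaks information about which blocks are unused, and so roughly how much data the volume holds, because trimmed sectors become distinguishable from ciphertext. For a secondary data drive that is a defensible trade for SSD longevity, but it is a trade.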
You should now have your SSD encrypted with TRIM support enabled and running, prompting you for a password at each boot.