So, after upgrading my laptop a couple weeks ago I found myself with a “spare” 960GB SSD from my old laptop. Since the new laptop uses an M.2 PCIE SSD and has no room for expansion, I thought this would be the perfect opportunity to replace the WD Black hard drive I use as secondary storage in my office workstation.
Before doing that, though, it needs to be encrypted.
The drive in question is a Patriot Ignite 960GB SATA 3 SSD. It's not the most impressive performer as far as SSDs go, but it offers very high capacity for an SSD on a budget, and it will absolutely trounce the performance of any mechanical drive. Perfect for my needs as a secondary storage device.
The process for setting up a LUKS encrypted drive under Ubuntu 14.04 isn't all that different from the process laid out in my previous post, LUKS Encrypted Disks under Ubuntu 10.10. However, since this is an SSD, it requires TRIM to be enabled to keep the drive performing well over time. Without TRIM the SSD controller is never told which blocks the filesystem has freed, so it has to treat them as live data: garbage collection becomes less effective, writes slow down as the drive fills up, and the controller ends up shuffling stale data around, wasting erase cycles. An encrypted drive adds one more wrinkle: dm-crypt silently drops TRIM requests unless it is explicitly told to pass them through, so if I treated this drive the same way as a mechanical one, the filesystem's discards would never reach the SSD at all.
As with my previous posting, this is mostly a reference for myself. The steps outlined here work for me, but may not work for you, and will destroy your data in the process. I accept no responsibility for the consequences of anyone following the instructions laid out below.
WARNING: Following these steps will erase disks and lose data!
In my previous post, I was setting things up for an external hard drive. This time around, I'm setting up the SSD as a "permanent" drive that will prompt me for a password at boot.
Assuming the drive has been installed in the machine as the second hard drive, we need to find it before we can repartition it.
From a shell window, issue the command 'sudo parted -l' to verify which drive it is. For brevity, I omitted all the output except the drive I'm working on:
    marc@opus:~$ sudo parted -l
    Model: ATA Patriot Ignite (scsi)
    Disk /dev/sdb: 960GB
    Sector size (logical/physical): 512B/512B
    Partition Table: msdos

    Number  Start   End     Size    Type      File system  Flags
     1      1049kB  1000MB  999MB   primary   ext2
     2      1001MB  616GB   615GB   extended
     6      1001MB  600GB   599GB   logical   ext4
     5      600GB   616GB   16.0GB  logical
     3      616GB   616GB   105MB   primary   ntfs         boot
     4      616GB   960GB   344GB   primary   ntfs
So the drive is on /dev/sdb. In my old laptop, I had set up dual boot with Windows 7, but I don't need that now. So I need to delete all of the partitions on this drive using fdisk, and then create a single new partition spanning the whole disk:
    marc@opus:~$ sudo fdisk /dev/sdb

    Command (m for help): p

    Disk /dev/sdb: 960.2 GB, 960197124096 bytes
    255 heads, 63 sectors/track, 116737 cylinders, total 1875385008 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x9da5462a

       Device Boot      Start         End      Blocks   Id  System
    /dev/sdb1            2048     1953791      975872   83  Linux
    /dev/sdb2         1955838  1203320831   600682497    5  Extended
    /dev/sdb3   *  1203320832  1203525631      102400    7  HPFS/NTFS/exFAT
    /dev/sdb4      1203525632  1875382271   335928320    7  HPFS/NTFS/exFAT
    /dev/sdb5      1172070400  1203320831    15625216   82  Linux swap / Solaris
    /dev/sdb6         1955840  1172070399   585057280   83  Linux

    Partition table entries are not in disk order

    Command (m for help): d
    Partition number (1-6): 6

    Command (m for help): d
    Partition number (1-5): 5

    Command (m for help): d
    Partition number (1-5): 4

    Command (m for help): d
    Partition number (1-5): 3

    Command (m for help): d
    Partition number (1-5): 2

    Command (m for help): d
    Selected partition 1

    Command (m for help): n
    Partition type:
       p   primary (0 primary, 0 extended, 4 free)
       e   extended
    Select (default p): p
    Partition number (1-4, default 1): 1
    First sector (2048-1875385007, default 2048):
    Using default value 2048
    Last sector, +sectors or +size{K,M,G} (2048-1875385007, default 1875385007):
    Using default value 1875385007

    Command (m for help): w
    The partition table has been altered!

    Calling ioctl() to re-read partition table.
    Syncing disks.
So now the disk is ready. Next, set up the encryption on the partition that was created above. One caveat about the options used here: passing '-c aes' without a chaining mode makes cryptsetup fall back to aes-cbc-plain, which is an older mode with known weaknesses (the plain IV makes watermarking attacks possible). On Ubuntu 14.04 (cryptsetup 1.6) simply leaving the -c and -s options off gives the stronger compiled-in default, aes-xts-plain64 with a 256-bit key. Whichever you choose, confirm what you actually ended up with using 'sudo cryptsetup luksDump /dev/sdb1' (look at the Cipher name and Cipher mode lines) before putting any data on the volume, since the only way to change it afterwards is to reformat.
    marc@opus:~$ sudo cryptsetup --verify-passphrase luksFormat /dev/sdb1 -c aes -s 256 -h sha256

    WARNING!
    ========
    This will overwrite data on /dev/sdb1 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter passphrase:
    Verify passphrase:
Now, open the LUKS volume, which sets up the device-mapper node under /dev/mapper:

    marc@opus:~$ sudo cryptsetup luksOpen /dev/sdb1 cryptossd
    Enter passphrase for /dev/sdb1:
Now, create the filesystem:
    marc@opus:~$ sudo mkfs.ext4 -Lcryptossd /dev/mapper/cryptossd
    mke2fs 1.42.9 (4-Feb-2014)
    warning: 86 blocks unused.

    Filesystem label=cryptossd
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    Stride=0 blocks, Stripe width=0 blocks
    58720032 inodes, 234422272 blocks
    11721112 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=4294967296
    7154 block groups
    32768 blocks per group, 32768 fragments per group
    8208 inodes per group
    Superblock backups stored on blocks:
            32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
            4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
            102400000, 214990848

    Allocating group tables: done
    Writing inode tables: done
    Creating journal (32768 blocks): done
    Writing superblocks and filesystem accounting information: done
To close the encrypted volume again (which removes the /dev/mapper node), use:

    marc@opus:~$ sudo cryptsetup luksClose cryptossd
Now we have to make sure that TRIM support is set up, and this has to be done at every layer: dm-crypt must be allowed to pass discards through (/etc/crypttab), and the filesystem must actually issue them (/etc/fstab, or a periodic fstrim). Be aware of the trade-off before enabling it. With discard enabled, trimmed blocks typically read back as zeros or a fixed pattern on the raw SSD, so anyone who gets hold of the drive can see how much of the encrypted volume is in use and roughly where, and may be able to guess the filesystem type from that layout. For a secondary data drive in a desktop that is usually an acceptable leak, but weigh it against your own threat model; if the free-space pattern must stay hidden, leave discard off and accept the performance cost. We start with /etc/crypttab. First, get the UUID of the newly created LUKS volume using blkid:
    marc@opus:~$ blkid
    /dev/sdb1: UUID="f77e10f0-6074-46be-9a4e-dcf2ff8090d4" TYPE="crypto_LUKS"
Now edit /etc/crypttab and add a line using the UUID obtained from the newly set up disk, paying special attention to the discard option, which is what tells dm-crypt to pass TRIM requests through to the SSD:
    marc@opus:~$ cat /etc/crypttab
    cryptossd UUID=f77e10f0-6074-46be-9a4e-dcf2ff8090d4 none luks,discard
Since this is not using LVM, that's it for the encryption layer. To have the volume mounted at boot time, prompting for the password, add a line to /etc/fstab. Make sure the mount point (here /cryptossd) has been created with mkdir first, otherwise the mount will fail with an error.
    # <file system>        <mount point>  <type>  <options>                  <dump>  <pass>
    /dev/mapper/cryptossd  /cryptossd     ext4    defaults,discard,noatime   0       2
And that's it. Before rebooting, test your /etc/fstab entry with the following commands:
    marc@opus:~$ sudo cryptsetup luksOpen /dev/sdb1 cryptossd
    Enter passphrase for /dev/sdb1:
    marc@opus:~$ sudo mount -a
    marc@opus:~$ df -m
    Filesystem             1M-blocks  Used  Available  Use%  Mounted on
    /dev/mapper/cryptossd     901188    72     855315    1%  /cryptossd
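A mount succeeding does not prove that TRIM actually reaches the SSD; a missing 'discard' in either crypttab or fstab fails silently. The script below is an added example, not part of the original post, that audits the whole chain described above. It assumes the mapper name cryptossd and mount point /cryptossd from this post, and the sample crypttab/fstab contents it writes to a temp directory are constructed, not read from a real system. Run as root with the volume open, it also parses 'cryptsetup status' (the "flags: discards" line and the cipher spec) and runs 'fstrim -v', which is the definitive end-to-end test.

```shell
#!/bin/sh
# trim-chain-check: verify TRIM/discard is enabled at every layer of a LUKS volume.
# Added example for this post, not the author's own script. Assumed names:
# mapper "cryptossd", mount point "/cryptossd". Offline mode audits crypttab and
# fstab text; live mode (root, volume open) also checks dm-crypt and runs fstrim.

# Print the options field (4th column) of the crypttab entry for mapper NAME.
crypttab_opts() {  # crypttab_opts NAME FILE
    awk -v n="$1" '$1 !~ /^#/ && $1 == n { print $4 }' "$2"
}

# Print the options field of the fstab entry mounting DEVICE at MOUNTPOINT.
fstab_opts() {  # fstab_opts DEVICE MOUNTPOINT FILE
    awk -v d="$1" -v m="$2" '$1 !~ /^#/ && $1 == d && $2 == m { print $4 }' "$3"
}

# Succeed only if the comma-separated OPTS list contains OPTION as a whole word.
has_opt() {  # has_opt OPTS OPTION
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Parse 'cryptsetup status' text on stdin into "<cipher-spec> <discards|nodiscards>".
status_summary() {
    awk '$1 == "cipher:" { c = $2 }
         $1 == "flags:" && $0 ~ /discards/ { d = 1 }
         END { printf "%s %s\n", (c ? c : "unknown"), (d ? "discards" : "nodiscards") }'
}

# Audit the static configuration. Prints one line per layer; returns 1 on any gap.
check_config() {  # check_config NAME MOUNTPOINT CRYPTTAB FSTAB
    name=$1; mnt=$2; rc=0
    copts=$(crypttab_opts "$name" "$3")
    if [ -z "$copts" ]; then
        echo "crypttab: no entry for $name"; rc=1
    elif has_opt "$copts" discard; then
        echo "crypttab: $name passes discards through dm-crypt (ok)"
    else
        echo "crypttab: $name lacks 'discard'; dm-crypt will drop TRIM"; rc=1
    fi
    fopts=$(fstab_opts "/dev/mapper/$name" "$mnt" "$4")
    if [ -z "$fopts" ]; then
        echo "fstab: no entry mounting /dev/mapper/$name on $mnt"; rc=1
    elif has_opt "$fopts" discard; then
        echo "fstab: $mnt issues discards on delete (ok)"
    else
        echo "fstab: $mnt lacks 'discard'; run 'fstrim $mnt' periodically instead"; rc=1
    fi
    return $rc
}

# Live checks against the running system; needs root and the volume open and mounted.
check_live() {  # check_live NAME MOUNTPOINT
    summary=$(cryptsetup status "$1" | status_summary)
    echo "dm-crypt: $summary"
    case $summary in *-cbc-plain*)
        echo "dm-crypt: WARNING aes-cbc-plain in use (bare '-c aes'); prefer aes-xts-plain64" ;;
    esac
    case $summary in *" discards") ;; *) return 1 ;; esac
    # Fails with "the discard operation is not supported" if any layer drops TRIM.
    fstrim -v "$2"
}

# Constructed sample configs mirroring the post (not files read from a real system).
tmp=$(mktemp -d)
printf 'cryptossd UUID=f77e10f0-6074-46be-9a4e-dcf2ff8090d4 none luks,discard\n' > "$tmp/crypttab.good"
printf 'cryptossd UUID=f77e10f0-6074-46be-9a4e-dcf2ff8090d4 none luks\n'         > "$tmp/crypttab.bad"
printf '/dev/mapper/cryptossd /cryptossd ext4 defaults,discard,noatime 0 2\n'   > "$tmp/fstab.good"
printf '/dev/mapper/cryptossd /cryptossd ext4 defaults,noatime 0 2\n'           > "$tmp/fstab.bad"

check_config cryptossd /cryptossd "$tmp/crypttab.good" "$tmp/fstab.good" && echo "config: TRIM chain complete"
check_config cryptossd /cryptossd "$tmp/crypttab.bad"  "$tmp/fstab.bad"  || echo "config: TRIM chain broken"

# Only attempt the live checks when they can mean something.
if [ "$(id -u)" -eq 0 ] && [ -e /dev/mapper/cryptossd ]; then
    check_live cryptossd /cryptossd || echo "live: TRIM is NOT reaching the SSD"
fi
```

The offline part is safe to run anywhere and catches the common mistake of adding 'discard' to only one of the two files; the live part is what to run once before the first reboot, since a working 'fstrim -v /cryptossd' is the only proof that the filesystem, dm-crypt and the SSD all agree.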
You should now have your SSD encrypted with TRIM support enabled and running, prompting you for a password at each boot.