LUKS Encrypted SSD under Ubuntu 14.04

By | February 11, 2016

So, after upgrading my laptop a couple weeks ago I found myself with a “spare” 960GB SSD from my old laptop.  Since the new laptop uses an M.2 PCIE SSD and has no room for expansion, I thought this would be the perfect opportunity to replace the WD Black hard drive I use as secondary storage in my office workstation.

Before doing that, though, it needs to be encrypted.

The drive in question is a Patriot Ignite 960GB SATA 3 SSD.  It's not the most impressive performer as far as SSDs go, but it offers a very high capacity for an SSD on a budget.  It will absolutely trounce the performance of any mechanical drive.  Perfect for my needs as a secondary storage device.

The process for setting up a LUKS encrypted drive under Ubuntu 14.04 isn’t all that different from the process laid out in my previous post, LUKS Encrypted Disks under Ubuntu 10.10.  However, since this is an SSD, it requires TRIM to be enabled to keep the drive running with good performance and ensure wear leveling.  If I were to just treat it the same way as a mechanical hard drive, sectors would be zeroed out and the performance of the drive would degrade over time, and its life span would be reduced since wear leveling would never kick in.

As with my previous posting, this is mostly a reference for myself.  The steps outlined here work for me, but may not work for you, and will destroy your data in the process.  I accept no responsibility for the consequences of anyone following the instructions laid out below.

 

WARNING:  Following these steps will erase disks and lose data!

In my previous post, I was setting things up for an external hard drive.  This time around, I’m setting up the SSD as a “permanent” drive that will prompt me for a password at boot.

Assuming the drive has been installed into the machine as the second hard drive, we need to edit the partitions.  First, we need to find it.

From a shell window, issue the ‘sudo parted -l’ command to verify which drive it is.  For brevity, I omitted all the output except the drive I’m working on:

So the drive is on /dev/sdb.  In my old laptop, I had set up dual boot with Windows 7, but don’t need that now.  So I need to delete all of the partitions on this drive using fdisk, and then create a single new partition on it:

So now the disk is ready.  To set up the encryption, first set up the partition that was created above:

Now, set up the device mapper:

Now, create the filesystem:

Now, to close the filesystem, use:

Now, we have to make sure that our TRIM support is set up, and this must be done at every level.  We start with /etc/crypttab.  First, get the block ID of the newly created volume using blkid:

Now edit /etc/crypttab and add a line that uses the UUID obtained from the newly set up disk, paying special attention to the discard portion:

Since this is not using LVM, that's it.  To enable it to be mounted at boot time, prompting for the password, add a line into /etc/fstab.  Make sure that the mount point has been created, otherwise it will throw an error.

And that's it.  Before rebooting, test your /etc/fstab entry with the following commands:

You should now have your SSD encrypted with TRIM support enabled and running, prompting you for a password at each boot.
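
To confirm the result of the steps above, the following added example (not part of the original post) checks that discard is requested in /etc/crypttab and that the opened mapping actually carries dm-crypt's allow_discards flag.  The mapping names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check TRIM at two levels.
# "securessd"/"olddisk" are assumed mapping names; all sample data is constructed.

# crypttab_has_discard NAME < crypttab
# Succeeds if NAME's entry lists "discard" among its options (4th field).
crypttab_has_discard() {
    awk -v name="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        $1 == name {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "discard") ok = 1
        }
        END { exit(ok ? 0 : 1) }'
}

# mapping_allows_discards NAME < output of "dmsetup table"
# Succeeds if the crypt target for NAME carries the allow_discards flag.
mapping_allows_discards() {
    awk -v name="$1:" '
        $1 == name && $4 == "crypt" {
            for (i = 5; i <= NF; i++) if ($i == "allow_discards") ok = 1
        }
        END { exit(ok ? 0 : 1) }'
}

# Constructed samples so the script runs without root or a real disk.
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
securessd UUID=00000000-1111-2222-3333-444444444444 none luks,discard
olddisk   UUID=55555555-6666-7777-8888-999999999999 none luks'
SAMPLE_DMTABLE='securessd: 0 1875378176 crypt aes-xts-plain64 0000 0 8:17 4096 1 allow_discards
olddisk: 0 1953521072 crypt aes-xts-plain64 0000 0 8:33 4096'

for name in securessd olddisk; do
    cfg=no; live=no
    printf '%s\n' "$SAMPLE_CRYPTTAB" | crypttab_has_discard "$name" && cfg=yes
    printf '%s\n' "$SAMPLE_DMTABLE" | mapping_allows_discards "$name" && live=yes
    echo "$name: crypttab discard=$cfg, active allow_discards=$live"
done

# On the real system, as root, feed the live data instead:
#   crypttab_has_discard securessd < /etc/crypttab
#   dmsetup table | mapping_allows_discards securessd
```

Keep in mind that passing discards through dm-crypt lets anyone who can read the raw device see which blocks are unused, which is why cryptsetup leaves it off unless asked.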
