Package: cryptsetup
Severity: wishlist
Tags: patch

Hi,

cryptsetup 1.4.0 brings support for --allow-discards, which is useful
on SSD storage devices, although it comes with security risks that
must be assessed.

The attached patch, prepared and tested against the current packaging
SVN repo (rev. 897), adds support for an allow-discards option in
crypttab, that translates into passing --allow-discards to cryptsetup.
This patch also updates the documentation accordingly. Please review.

(I'll mark this bug as blocked by #647851 as soon as I get its number.)

Regards,
--
  intrigeri <intrig...@boum.org>
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
  | Did you exchange a walk on part in the war
  | for a lead role in the cage?

commit 8a2d30a612cd507f8bff840863c6e4473a303795
Author: intrigeri <intrig...@boum.org>
Date:   Tue Nov 15 18:24:56 2011 +0100

    Add support for allow-discards option in crypttab.

diff --git a/debian/cryptdisks.functions b/debian/cryptdisks.functions
index 9cb72d4..9e4b76a 100644
--- a/debian/cryptdisks.functions
+++ b/debian/cryptdisks.functions
@@ -51,6 +51,9 @@ parse_opts () {
 		VALUE=$(echo "$opt" | sed '/=/!d;s/^.*=//')
 		
 		case "$PARAM" in 
+		allow-discards)
+			PARAMS="$PARAMS --allow-discards"
+			;;
 		readonly)
 			PARAMS="$PARAMS -r"
 			;;
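Review bot: the new `allow-discards)` case appends `--allow-discards` unconditionally, but that flag only exists in cryptsetup 1.4.0 and later (as the bug report says), so with an older cryptsetup binary the mapping would fail with an unknown-option error rather than being silently ignored the way the documentation hunk promises for older kernels. Either bump the versioned dependency on cryptsetup in debian/control together with this change, or guard the case and emit a warning instead of passing the flag when the installed cryptsetup does not accept it. Otherwise the case is consistent with its neighbours (`readonly)` mapping to `-r`), and leaving `VALUE` unused is correct for a boolean option.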
diff --git a/debian/doc/crypttab.xml b/debian/doc/crypttab.xml
index 077caf6..92e0ce4 100644
--- a/debian/doc/crypttab.xml
+++ b/debian/doc/crypttab.xml
@@ -143,6 +143,21 @@
    </varlistentry>
 
    <varlistentry>
+    <term><emphasis>allow-discards</emphasis></term>
+    <listitem>
+     <simpara>Allow using of discards (TRIM) requests for device.</simpara>
+     <simpara><emphasis role="strong">WARNING</emphasis>: Assess the
+     specific security risks carefully before enabling this option.
+     For example, allowing discards on encrypted devices may lead to
+     the leak of information about the ciphertext device (filesystem
+     type, used space etc.) if the discarded blocks can be located
+     easily on the device later.</simpara>
+      <simpara>Kernel version 3.1 or more recent is required.
+      For older versions is the option ignored.</simpara>
+    </listitem>
+   </varlistentry>
+
+   <varlistentry>
     <term><emphasis>readonly</emphasis></term>
     <listitem>
      <simpara>The backing device is read-only (eg: a dvd).</simpara>
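Review bot: the wording of the added `<simpara>` elements is ungrammatical: "Allow using of discards (TRIM) requests for device." should read "Allow discard (TRIM) requests on the device.", and "For older versions is the option ignored." should read "For older versions the option is ignored." The second `<simpara>` is also indented one column deeper than the first one in the same `<listitem>`; align it with the surrounding entries. Since accepting the flag depends on the cryptsetup version (1.4.0 per the report) as well as on kernel 3.1, the requirements paragraph should state both, because a new enough kernel does not help if the installed cryptsetup does not understand `--allow-discards`.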
