I’ve been wanting to encrypt the drives in my laptop for quite some time now. I was putting it off for a couple of reasons. I know that the processor in my laptop can’t decrypt fast enough to keep up with my Crucial M4’s 300+ MB per second read speeds. I also wasn’t too excited about the extra CPU overhead reducing my already limited amount of battery run time.
I finally decided to give it a try anyway. There are a few security-related issues to watch out for, and I have some specific problems that I have to work around with my particular laptop.
Much of this should apply to almost any SSD or operating system. I am currently running Ubuntu 12.10, and I am almost positive I am using the Ubuntu installer’s default encryption options. Whatever you are using, be certain to choose a good, long pass phrase.
Performance and battery life
I have effectively cut my maximum sequential read speeds in half. My Crucial M4 can read at 330 MB per second, and my old Intel X25-M was only about 30 MB per second slower than that. The Intel Core i7-720QM in my laptop does not have Intel’s new encryption acceleration instructions. It can only encrypt at about 140 MB per second.
Sequential read performance is the only benchmark statistic that breaks that 140 MB per second barrier. In day-to-day use, my laptop isn’t noticeably slower now than before I encrypted it.
Just about the only thing that might be noticeably slower would be copying large files around. Most of the time, when I do this a slower device is the bottleneck, like my second 7200 RPM drive, or a network drive. Even a copy from one location to another on the SSD is going to be bottlenecked quite a bit by the slower write speeds.
I haven’t done any properly scientific battery life tests. The battery life of my big, old desktop replacement style laptop was never good to begin with. I’m pretty confident that battery life under normal use hasn’t been significantly impacted, though. I just don’t do all that much disk I/O on the rare occasions that I am away from my desk.
Security and TRIM/discard
Solid-state drives have a feature that allows the operating system to alert the drive that a disk block is now empty. This lets the drive reclaim unused blocks. These reclaimed blocks can be erased while the drive is idle. A well TRIMmed SSD tends to perform better than an unTRIMmed one. Some drives are more reliant on TRIM than others, though.
This creates a small problem for encryption, though. Normally, an encrypted drive is one big solid block of seemingly random data. Once you start TRIMming that drive there will be “holes” full of zeroes almost anywhere that you have deleted a file.
Depending on how far you lean to the side of paranoia, this could definitely be a problem. I’m also under the impression that this might damage TrueCrypt’s “hidden volumes.”
I am not one with this level of paranoia. I also don’t have anything on this laptop worth protecting from the “lead pipe” password crackers.
If you want to enable TRIM support, you will need to make sure it is enabled in both your
/etc/fstab file AND your
/etc/crypttab file. I hadn’t thought to check the latter when I first set this up.
A snippet from my own
sda5_crypt UUID=f329fc5a-04ab-43cf-b762-0db126b31c26 none luks,discard
I am unhappy with the performance of on-the-fly TRIM on my Crucial M4. I just run
fstrim manually every once in a while. I am pretty sure you will still need the
discard pass through option enabled in your
/etc/crypttab file in order for
fstrim to function.
NVidia’s stupid drivers
This particular problem most likely only affects a very small number of users. NVidia’s proprietary driver does not yet allow me to activate any external screens during the boot process. My laptop spends most of its time hiding away in its little cradle connected to a pair of external monitors. This means that I can’t see the pass phrase prompt if I boot my laptop while it is “docked.”
The open source Nouveua drivers will do this just fine automatically. Unfortunately for me, they aren’t up to my requirements for gaming performance.
I imagine that on some random day in the future this won’t be a problem anymore. Then I will get to discover whether or not my Bluetooth keyboard is functional that early in the boot process. I expect that it isn’t, but that should be easy enough to fix.
It is a good thing I rarely turn this thing off…