Re: [dm-crypt] How to optimise encrypted filesystems on an SSD?

[Milan Broz <mbroz@redhat.com>]

On 02/06/2010 12:48 AM, mark wrote:
> For a while I've been using LUKS/dm-crypt with LVM2 to secure hard
> drives in laptops and servers. Recently I've moved one of my filesystems
> onto a solid-state drive (Intel X25-M-G2 80GB with latest firmware).
> 
> There are some excellent instructions here
> http://thunk.org/tytso/blog/2009/02/20/aligning-filesystems-to-an-ssds-erase-block-size/

Beware - that page is completely obsolete regarding lvm2 now!
Recent version have much more better support for data  alignment
(with new kernels it should be automatic)

> on how to align ext4 and LVM to the erase block size of the SSD. However
> I've not been able to find a recipe for optimising an encrypted
> filesystem in the same way.
> 
> A typical usage case for me would be this, from following defaults for
> encrypted lvm on the Debian installer:
> 
> /dev/sda1 79GB crypt-luks
> /dev/mapper/sda1_crypt holds PV for LVM2
>      PV has a VG with two LVs, 4GB swap and the rest for ext4 /
> /dev/sda5 256MB ext2 /boot
> 
> Could anyone explain how I might go about aligning/optimising this, or
> point me to some instructions? Am I better putting lvm over luks or luks
> over lvm? Or something entirely different?

Just in short:
(cryptsetup will get support for automatic alignment according
to kernel exported device parameters soon, so all this will be automatic)

- the underlying device must be aligned
(if using partitions, be sure you have start of partition aligned,
better use "fdisk -u" to calculate in sectors.
If not sure, align to 1M or even 4M offset, this will always fit:-)
(fdisk from latest util-linux-ng should support automatic alignment)

- be sure that lvm2 PV metadata (data start) is always aligned
(see pvcreate --dataalignment parameter)
(latest lvm2 already have support for automatic data alignment
if kernel exports proper alignment data)

- for cryptetup/LUKS - use "--align-payload" parameter
(default is alignment to 4k boundary, not enough for SSD).
Note that parameter is in 512 bytes sectors!

e.g. you want to align to 4MB boundary ( = 8192 * 512 bytes), use

  cryptsetup luksFormat --align-payload=8192 ...

verify with cryptsetup luksDump (see Payload offset)

(I usually set lvm2 extent size to 4MB and aling LUKS the same,
so the LUKS header takes exactly one extent.)

- and finally, you should optimize FS above that device stack

(From the kernel point of view, there is no difference
if you put lvm2 over LUKS or vice versa - both should work the same.
Just configuration is different, I have some old slides describing
activation of volumes here http://mbroz.fedorapeople.org/talks/LinuxAlt2008-eng/ )

Milan