On 03/01/2019 17:26, Christoph Anton Mitterer wrote:
> On Thu, 2019-01-03 at 09:10 +0100, Milan Broz wrote:
>> And maybe LUKS2 format (but not for LUKS1) should set TRIM flag by
>> default,
>> really would like to see opinions here.
>
> As mentioned already by Arno... it's a question of mindset:
>
> Anyone who's making reasonable use (i.e. really wants it and knows what
> he wants) of dm-crypt/cryptsetup wants security as primary goal.

Unfortunately this is not what I see from many "enterprise" customers.
Sometimes it seems that they just need to click the "encrypted" checkbox
to get a signed paper with some nice certification...

But really, there are many situations where discard/TRIM really improves
performance and even allows deploying some solutions with a still good
threat model.

Imagine for example thin provisioned on-demand systems that use FDE -
discard here is the operation that signals deallocating of used blocks.
Without it you cannot implement dynamically allocated storage on block level.
FDE can be used to improve guest isolation etc.

We can (and want) to support both sides, just the default should be on the
secure side.

Milan
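
An added example, not part of the original message and not cryptsetup's own code: since the thread is about whether discard should be on by default, this sketch audits which dm-crypt mappings actually pass discards down, by looking for the kernel's `allow_discards` optional parameter in `dmsetup table` output. The mapping names, device numbers and shortened key fields in the sample are constructed.

```shell
#!/bin/sh
# Report which dm-crypt mappings pass discards (TRIM) to the lower device.
# Input: text in the format printed by `dmsetup table`, one target per line:
#   <name>: <start> <len> crypt <cipher> <key> <iv_off> <dev> <off> [<n> <opts...>]
# Output: "<name> discards=on|off" per crypt target; other targets are skipped.
audit_discards() {
    awk '
        $4 == "crypt" {
            name = $1
            sub(/:$/, "", name)
            state = "off"
            # Field 10 is the optional-parameter count, parameters start at 11.
            for (i = 11; i <= NF; i++)
                if ($i == "allow_discards") state = "on"
            print name " discards=" state
        }
    '
}

# Constructed sample input (key fields shortened, shown as zeros the way
# dmsetup prints them without --showkeys).
sample_table() {
    cat <<'EOF'
vg0-root: 0 41943040 linear 8:3 2048
cryptroot: 0 209711104 crypt aes-xts-plain64 0000000000000000 0 8:2 4096 1 allow_discards
cryptdata: 0 104853504 crypt aes-xts-plain64 0000000000000000 0 8:17 4096
cryptswap: 0 16777216 crypt aes-xts-plain64 0000000000000000 0 8:5 0 2 same_cpu_crypt submit_from_crypt_cpus
EOF
}

# On a live system (as root): dmsetup table | audit_discards
sample_table | audit_discards
```

A mapping reported as `discards=on` lets the backing store see which blocks are unused, which is the trade-off discussed above.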