
Luks encrypted SSD & fstrim, empty crypttab

(Steve) #1

I’m trying to set up a new SSD on which I did an FDE and I’m having trouble getting fstrim to work.

I’ve followed a couple different tutorials I’ve found on the net with no luck. I made the following changes:



Followed by:

grub-mkconfig -o /boot/grub/grub.cfg

And then:


issue_discards = 1

Followed by:

dracut -f

Every tutorial says to edit the /etc/crypttab; however, mine has nothing in it; well, it has several example entries that are not specific to my system, but nothing else. I am hesitant to add anything to that which may mess up my system.

I rebooted and tried

fstrim -v /home

And received the error that the discard option is not supported. Has anybody tried this in Void Linux & got it to work?


If there aren’t already encrypted partitions set up to automount, then you wouldn’t expect there to be anything in /etc/crypttab. I assume the example entries are just comments. If you don’t want to mount the encrypted partition by hand every time, then you should have the appropriate entry in /etc/crypttab.

(Steve) #3

I did an FDE (Full Disk Encryption) on install and must type my passphrase in every time. Not sure why crypttab is empty, so I’m still looking into how Void Linux does a LUKS FDE without crypttab.


If I’m not wrong you want to do FDE with no password to be prompted. You should know this password is read from stdin. /etc/crypttab has nothing to do with it (see emacsomancer’s post above). To avoid typing the password you should use a keyfile to unlock the system and keep it on a pendrive. Assuming we detach the /boot partition on USB
also, follow these steps (I hope you are able to use it with the wiki guides):

Create mount point for /boot for usb (/dev/sdb)

legacy BIOS

mkdir /mnt/boot
mkfs.ext2 /dev/sdb
mount /dev/sdb /mnt/boot

legacy BIOS GPT

create a 1007K sized BIOS boot partition
in this case our /boot partition will be /dev/sdb2

UEFI systems

as an example we have a 256MB microSD card

create two partitions: for example the first one is sized 238MB (/dev/sdb1) for ESP and the second one sized 1.2MB (/dev/sdb2) for a keyfile

mkfs.vfat -F 32 /dev/sdb1
mkfs.ext2 /dev/sdb2
mkdir /mnt/boot
mount /dev/sdb1 /mnt/boot
mkdir /mnt/boot/tmp
mount /dev/sdb2 /mnt/boot/tmp

If you use UEFI change the path to the key accordingly.

Create a keyfile.

dd bs=512 count=4 iflag=fullblock if=/dev/urandom of=/mnt/boot/keyfile.bin   # for UEFI: of=/mnt/boot/tmp/keyfile.bin

Create a luks container

cryptsetup luksFormat --cipher aes-xts-plain64 /dev/sda -d /mnt/boot/keyfile.bin

(dracut reads from stdin and the -d option is suitable for it)

Add keyfile for /dev/sda device to luks keychain:

cryptsetup luksAddKey /dev/sda /mnt/boot/keyfile.bin -d /mnt/boot/keyfile.bin

Open luks container

cryptsetup luksOpen /dev/sda void -d /mnt/boot/keyfile.bin

Create lvm (see wiki)

mount /dev/mapper/void-root /mnt


mkdir /mnt/boot
mount /dev/sdb /mnt/boot


mkdir /mnt/boot
mount /dev/sdb1 /mnt/boot
mount /dev/sdb2 /mnt/boot/tmp

After chroot

vim /etc/dracut.conf.d/mydracut.conf and add

add_drivers+=" xts ecb " # only for non AES-NI devices encrypted with the aes-xts-plain64 option.

vim /etc/dracut.conf.d/10-crypt.conf and add

filesystems+=" ext2 " # our /boot partition’s file system (for UEFI the /boot/tmp partition’s fs)

vim /etc/default/grub and add to GRUB_CMDLINE_LINUX_DEFAULT

"rd.luks.uuid=XXXXXXXX rd.luks.key=/keyfile.bin:UUID=XXXXXXXX rd.auto=1…" (replace the Xs with only the beginning of the /dev/sda and /dev/sdb [/dev/sdb2 for UEFI] UUIDs)
In this case "cryptdevice=/dev/sdX:root" is not needed.

For security reasons you could set up a password also. If something goes wrong or your keyfile is lost (if you keep only the keyfile detached) you will be prompted for the password normally.

In /etc/fstab you could add the noauto option for the boot partition to take the pendrive away after the system boots (for UEFI remember to add this option for /dev/sdb2 /boot/tmp and forget about it). BE CAREFUL in this case and check the update packages list every time the system is updated. If the kernel or grub is going to be updated you MUST mount the boot partition to do the updates correctly.

(Steve) #5

Thank you, when I get home, I will give this a try. It’s only certain parts of the SSD I want to unencrypt with a key, after I type in the passphrase for the root system. I have the key file working, but, when I boot, it still asks me for the password for that encrypted partition.

So, I hope to:

  • boot into an encrypted LVM
  • Type in passphrase to unlock root
  • Use luks-generated key to unencrypt other partition after successful boot


For automatic partition unlock you have to add this line to /etc/dracut.conf.d/10-crypt.conf:

install_items+="/path/to/keyfile.bin"

and in /etc/crypttab (it’s an example only for automatic unlock of an encrypted lvm on sda1)

pool-root /dev/sda1 /path/to/keyfile.bin luks


To get fstrim to work you need to:

  • add rd.luks.allow-discards to /etc/default/grub (not rd.luks.options=discard)

  • run grub-mkconfig -o /boot/grub/grub.cfg

That will work for your / partition and maybe other luks partitions. If it doesn’t work for other partitions you may need to add luks,discard to the options area of /etc/crypttab. Run fstrim -a -v to verify.

Hope that helps.
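As an added check that is not part of the thread: a POSIX sh script that reports why fstrim may still fail after these steps, by testing whether the kernel command line carries rd.luks.allow-discards, whether each dm-crypt mapping was actually activated with the allow_discards flag (what dmsetup table shows for the mapping), and whether a crypttab line carries the discard option. The parsing is kept in separate functions so they can be run on sample lines without root.

```shell
#!/bin/sh
# Added example (not from the thread): check whether discards are really enabled
# on a dracut-unlocked LUKS mapping. fstrim's "discard operation is not supported"
# usually means the dm-crypt layer was set up without the allow_discards flag.

# 0 if the kernel command line carries rd.luks.allow-discards (dracut syntax).
cmdline_allows_discards() {
    case " $1 " in
        *" rd.luks.allow-discards "*|*" rd.luks.allow-discards=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if a dm table line "start len crypt cipher key ivoff dev off [n opt...]"
# carries allow_discards, 1 if it is a crypt target without it, 2 if not crypt.
dm_table_allows_discards() {
    set -- $1
    [ "${3:-}" = "crypt" ] || return 2
    for tok in "$@"; do
        [ "$tok" = "allow_discards" ] && return 0
    done
    return 1
}

# 0 if a crypttab line "name device keyfile options" lists discard in options.
crypttab_allows_discards() {
    set -- $1
    case ",${4:-}," in
        *",discard,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live report for the running system; dmsetup needs root and is skipped if absent.
check_system() {
    if cmdline_allows_discards "$(cat /proc/cmdline 2>/dev/null)"; then
        echo "cmdline: rd.luks.allow-discards present"
    else
        echo "cmdline: rd.luks.allow-discards missing"
    fi
    command -v dmsetup >/dev/null 2>&1 || { echo "dmsetup not found, skipping"; return 0; }
    dmsetup table 2>/dev/null | while IFS= read -r line; do
        rc=0; dm_table_allows_discards "${line#*: }" || rc=$?
        [ $rc -eq 0 ] && echo "${line%%:*}: allow_discards set"
        [ $rc -eq 1 ] && echo "${line%%:*}: crypt target WITHOUT allow_discards (fstrim will fail)"
    done
    return 0
}

check_system
```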


pool-root shouldn’t be in crypttab. These are broken instructions from the wiki and need to be fixed.

On my FDE setup I have:

vgname	/dev/sda1	/boot/volume.key	luks

In my 10-crypt.conf I had to add crypttab as well:

install_items+="/boot/volume.key /etc/crypttab"

This works for my FDE setup with encrypted /boot. grub prompts for the passphrase and then the key unlocks it during boot.

Then in fstab I have

/dev/mapper/vgname-root	/	xfs	defaults	0	0
/dev/mapper/vgname-swap	swap	swap	defaults	0	0
/dev/mapper/vgname-home	/home	xfs	defaults	0	0