X60s/200s with SSD, encrypted disk

X60s/200s with SSD, encrypted disk

Uwe Brauer-2
Hello

I have to upgrade my Kubuntu 10.04 to at least 14.04.
I have already upgraded the hard disk of both laptops to an SSD which was
the most notable performance boost I experienced so far.

I would like to consider a 14.04 installation with an entirely encrypted
disk. However I fear performance problems and would welcome any comments
on that subject.

I have seen
http://www.phoronix.com/scan.php?page=article&item=ubuntu_1404_encryption&num=1
but this was tested on a more recent Laptop.



thanks

Uwe Brauer

--
The linux-thinkpad mailing list home page is at:
http://mailman.linux-thinkpad.org/mailman/listinfo/linux-thinkpad

Re: X60s/200s with SSD, encrypted disk

Joerg Bruehe-2
Hi Uwe, all!


On 19.06.2015 17:22, Uwe Brauer wrote:
> Hello
>
> I have to upgrade my Kubuntu 10.04 to at least 14.04.
> I have already upgraded the hard disk of both laptops to an SSD which was
> the most notable performance boost I experienced so far.
>
> I would like to consider a 14.04 installation with an entirely encrypted
> disk. However I fear performance problems and would welcome any comments
> on that subject.

Last September, I got me a T 530, still using a rotating disk.
(It has a dual-core Intel with hyperthreading and 8 GB RAM. Mail me if
you want to see more detailed specifications.)

I shrunk the pre-installed Windows 7 as much as possible and dedicated
the remaining space to Kubuntu 14.04, using full encryption (LUKS) for
the LVM partition that holds everything except /boot.
AFAIR, I followed the instructions published on "ubuntuusers.de".

I have not run any benchmarks, but for my use the system is perfectly
ok, speedy enough, so I don't regret having chosen this setup.

Later, I had to replace the disk in my desktop PC (6-core AMD, 16 GB
RAM) by a larger one (rotating, no SSD), and I used this opportunity to
also apply LUKS to the whole installation (except for /boot). I did not
notice a performance degradation.

While I am aware that encryption does increase the CPU usage on IO, I
cannot claim to notice it on my machines. It will be interesting to read
from those who use an SSD.


HTH,
Jörg

--
Joerg Bruehe  - persoenliche Aeusserung / speaking only for himself
mailto:[hidden email]


Re: X60s/200s with SSD, encrypted disk

Bjørn Mork
In reply to this post by Uwe Brauer-2
Uwe Brauer <[hidden email]> writes:

> Hello
>
> I have to upgrade my Kubuntu 10.04 to at least 14.04.
> I have already upgraded the hard disk of both laptops to an SSD which was
> the most notable performance boost I experienced so far.
>
> I would like to consider a 14.04 installation with an entirely encrypted
> disk. However I fear performance problems and would welcome any comments
> on that subject.

If your SSD supports encryption "in hardware", and you don't need to
protect your data against any entity likely to be able to break or
backdoor that implementation, then that's an obvious choice.

Advantages: No performance impact whatsoever (the SSD will run your data
through the same encryption controller whether or not you set a
password).  OS independent.  Encrypting everything, including the boot
loader and boot loader configuration.



Bjørn

Re: X60s/200s with SSD, encrypted disk

Uwe Brauer-2
>> "Bjørn" == Bjørn Mork <[hidden email]> writes:

   > Uwe Brauer <[hidden email]> writes:
   >> Hello
   >>
   >> I have to upgrade my Kubuntu 10.04 to at least 14.04.
   >> I have already upgraded the hard disk of both laptops to an SSD which was
   >> the most notable performance boost I experienced so far.
   >>
   >> I would like to consider a 14.04 installation with an entirely encrypted
   >> disk. However I fear performance problems and would welcome any comments
   >> on that subject.

   > If your SSD supports encryption "in hardware", and you don't need to
   > protect your data against any entity likely to be able to break or
   > backdoor that implementation, then that's an obvious choice.

   > Advantages: No performance impact whatsoever (the SSD will run your data
   > through the same encryption controller whether or not you set a
   > password).  OS independent.  Encrypting everything, including the boot
   > loader and boot loader configuration.

Hm, sounds interesting. I have Samsung 840 EVO installed,

    -  how do I know this feature is supported.

    -  how do I enable it?

Any link is welcome.

thanks

Uwe


Re: X60s/200s with SSD, encrypted disk

Bjørn Mork
Uwe Brauer <[hidden email]> writes:

>>> "Bjørn" == Bjørn Mork <[hidden email]> writes:
>
>    > If your SSD supports encryption "in hardware", and you don't need to
>    > protect your data against any entity likely to be able to break or
>    > backdoor that implementation, then that's an obvious choice.
>
>    > Advantages: No performance impact whatsoever (the SSD will run your data
>    > through the same encryption controller whether or not you set a
>    > password).  OS independent.  Encrypting everything, including the boot
>    > loader and boot loader configuration.
>
> Hm, sounds interesting. I have Samsung 840 EVO installed,
>
>     -  how do I know this feature is supported.

See the SSD documentation.  I don't know any other way.  Google found
this, which looks promising:
http://www.samsung.com/global/business/semiconductor/minisite/SSD/global/html/whitepaper/whitepaper06.html

>     -  how do I enable it?

By setting the ATA password.  You can do this in the BIOS setup.

> Any link is welcome.

This is about the Intel 320 SSD, but I believe the answers are
independent of vendor: https://communities.intel.com/thread/20537



Bjørn

SV: Re: [ltp] X60s/200s with SSD, encrypted disk

birger
In reply to this post by Uwe Brauer-2

I have just read that for samsung SSDs on linux you have to disable any use of TRIM, as the disks erase wrong blocks on occasion.

That includes both removing any discard mount options as well as disabling any cron jobs that run fstrim.

Intel disks are said to be safe. A whole lot of samsungs including yours were listed as unsafe.

Sent from my Sony Xperia™ smartphone



---- Uwe Brauer wrote ----

>> "Bjørn" == Bjørn Mork <[hidden email]> writes:

   > Uwe Brauer <[hidden email]> writes:
   >> Hello
   >>
   >> I have to upgrade my Kubuntu 10.04 to at least 14.04.
   >> I have already upgraded the hard disk of both laptops to an SSD which was
   >> the most notable performance boost I experienced so far.
   >>
   >> I would like to consider a 14.04 installation with an entirely encrypted
   >> disk. However I fear performance problems and would welcome any comments
   >> on that subject.

   > If your SSD supports encryption "in hardware", and you don't need to
   > protect your data against any entity likely to be able to break or
   > backdoor that implementation, then that's an obvious choice.

   > Advantages: No performance impact whatsoever (the SSD will run your data
   > through the same encryption controller whether or not you set a
   > password).  OS independent.  Encrypting everything, including the boot
   > loader and boot loader configuration.

Hm, sounds interesting. I have Samsung 840 EVO installed,

    -  how do I know this feature is supported.

    -  how do I enable it?

Any link is welcome.

thanks

Uwe


Re: SV: Re: [ltp] X60s/200s with SSD, encrypted disk

Uwe Brauer-2
>> "birger" == birger  <[hidden email]> writes:

   > I have just read that for samsung SSDs on linux you have to disable
   > any use of TRIM, as the disks erase wrong blocks on occasion.

This concerns encryption or is true for any file system. Could you
please provide a link?

I googled around and saw for example
https://bugs.launchpad.net/ubuntu/+source/fstrim/+bug/1449005

After upgrading the firmware fstrim failed with errors. This is not my
case fstrim seems to work fine.

But I would appreciate any link

thanks


Uwe


Re: X60s/200s with SSD, encrypted disk

Uwe Brauer-2
In reply to this post by Bjørn Mork

   > Uwe Brauer <[hidden email]> writes:

   > See the SSD documentation.  I don't know any other way.  Google found
   > this, which looks promising:
   > http://www.samsung.com/global/business/semiconductor/minisite/SSD/global/html/whitepaper/whitepaper06.html


   > By setting the ATA password.  You can do this in the BIOS setup.

In my X200 (and X60) I have an option
in the security section:


set hard disk 1 passwd

Is this the password you mean?? because it does say ATA password

   > This is about the Intel 320 SSD, but I believe the answers are
   > independent of vendor: https://communities.intel.com/thread/20537



   > Bjørn


Re: X60s/200s with SSD, encrypted disk

Uwe Brauer-2





   > In my X200 (and X60) I have an option
   > in the security section:


   > set hard disk 1 passwd

   > Is this the password you mean?? because it does say ATA password

To answer my own question.

Yes the HDD password is the ATA password, sorry for the noise





Re: X60s/200s with SSD, encrypted disk

Christoph Schmees
In reply to this post by Uwe Brauer-2
On 19.06.2015 at 17:22, Uwe Brauer wrote:

> Hello
>
> I have to upgrade my Kubuntu 10.04 to at least 14.04.
> I have already upgraded the hard disk of both laptops to an SSD which was
> the most notable performance boost I experienced so far.
>
> I would like to consider a 14.04 installation with an entirely encrypted
> disk. However I fear performance problems and would welcome any comments
> on that subject.
>

if you own a ThinkPad already, why don't you use the built-in HD
encryption based on the TPM? You can set a password in the BIOS,
and the encryption is totally transparent to any OS you use. I
use it a lot on machines with dual or multi boot. The *whole
disk* is encrypted, and none of the OSes knows about it. I must
admit that I never tested w/ SSD so far, so I don't know if there
is any impact.

hth, Christoph

--
Please no mails from US providers such as AOL, me.com (Apple),
gmail (Google), hotmail/outlook.com (Microsoft) or yahoo.
Such mails will be deleted without any reply.
See <http://www.pc-fluesterer.info/wordpress/downloads>


SV: Re: SV: Re: [ltp] X60s/200s with SSD, encrypted disk

birger
In reply to this post by Uwe Brauer-2

https://blog.algolia.com/when-solid-state-drives-are-not-that-solid/

Sent from my Sony Xperia™ smartphone



---- Uwe Brauer wrote ----

>> "birger" == birger  <[hidden email]> writes:

   > I have just read that for samsung SSDs on linux you have to disable
   > any use of TRIM, as the disks erase wrong blocks on occasion.

This concerns encryption or is true for any file system. Could you
please provide a link?

I googled around and saw for example
https://bugs.launchpad.net/ubuntu/+source/fstrim/+bug/1449005

After upgrading the firmware fstrim failed with errors. This is not my
case fstrim seems to work fine.

But I would appreciate any link

thanks


Uwe


Re: X60s/200s with SSD, encrypted disk

Fabrice Bellet
In reply to this post by Bjørn Mork

Hi,

On Fri, Jun 19, 2015 at 07:38:33PM +0200, Bjørn Mork wrote:

> Uwe Brauer <[hidden email]> writes:
> >>> "Bjørn" == Bjørn Mork <[hidden email]> writes:
> >
> >    > If your SSD supports encryption "in hardware", and you don't need to
> >    > protect your data against any entity likely to be able to break or
> >    > backdoor that implementation, then that's an obvious choice.
> >
> >    > Advantages: No performance impact whatsoever (the SSD will run your data
> >    > through the same encryption controller whether or not you set a
> >    > password).  OS independent.  Encrypting everything, including the boot
> >    > loader and boot loader configuration.
> >
> > Hm, sounds interesting. I have Samsung 840 EVO installed,
> >
> >     -  how do I know this feature is supported.
>
> See the SSD documentation.  I don't know any other way.  Google found
> this, which looks promising:
> http://www.samsung.com/global/business/semiconductor/minisite/SSD/global/html/whitepaper/whitepaper06.html
>
> >     -  how do I enable it?
>
> By setting the ATA password.  You can do this in the BIOS setup.

Not _exactly_ on my X220. The password you choose in the BIOS is
somewhat "mangled" before being sent to the disk, with the ATA password
mechanism (ATA Security Feature Set). I remember some information,
explaining that _what_ is sent to the disk is somehow related to the
keycodes of the keyboard.

The consequence is that, when the disk is locked in this way, it cannot
be unlocked on another computer (it would probably work with a same
model). Which could be an important feature to recover data when the
hardware needs to be serviced...

For this reason, I reverted back to dm-crypt software encryption,
because I want to be the owner of my encryption key, and I want
to be able to unlock my disk everywhere :)

Note that most recent processors handle aes encryption in hardware, and
dm-crypt will use this feature when possible, so performance is quite
decent IMO (grep aes /proc/cpuinfo)

Best wishes,
--
fabrice

[TRIM] (was: [ltp] X60s/200s with SSD, encrypted disk)

Uwe Brauer-2

   > Hi,

   > On Fri, Jun 19, 2015 at 07:38:33PM +0200, Bjørn Mork wrote:

   > Not _exactly_ on my X220. The password you choose in the BIOS is
   > somewhat "mangled" before being sent to the disk, with the ATA password
   > mechanism (ATA Security Feature Set). I remember some information,
   > explaining that _what_ is sent to the disk is somehow related to the
   > keycodes of the keyboard.

   > The consequence is that, when the disk is locked in this way, it cannot
   > be unlocked on another computer (it would probably work with a same
   > model). Which could be an important feature to recover data when the
   > hardware needs to be serviced...
Thanks for your information, maybe you find the following useful
https://github.com/jethrogb/lenovo-password


   > For this reason, I reverted back to dm-crypt software encryption,
   > because I want to be the owner of my encryption key, and I want
   > to be able to unlock my disk everywhere :)

Do you mean LVM and dm-crypt. BTW does TRIM work in this setting?

regards

Uwe Brauer


Re: [TRIM] (was: [ltp] X60s/200s with SSD, encrypted disk)

Fabrice Bellet
On Sat, Jun 20, 2015 at 10:19:09PM +0200, Uwe Brauer wrote:

>
>    > Hi,
>
>    > On Fri, Jun 19, 2015 at 07:38:33PM +0200, Bjørn Mork wrote:
>
>    > Not _exactly_ on my X220. The password you choose in the BIOS is
>    > somewhat "mangled" before being sent to the disk, with the ATA password
>    > mechanism (ATA Security Feature Set). I remember some information,
>    > explaining that _what_ is sent to the disk is somehow related to the
>    > keycodes of the keyboard.
>
>    > The consequence is that, when the disk is locked in this way, it cannot
>    > be unlocked on another computer (it would probably work with a same
>    > model). Which could be an important feature to recover data when the
>    > hardware needs to be serviced...
> Thanks for your information, maybe you find the following useful
> https://github.com/jethrogb/lenovo-password

oh thanks, very interesting information!

>
>    > For this reason, I reverted back to dm-crypt software encryption,
>    > because I want to be the owner of my encryption key, and I want
>    > to be able to unlock my disk everywhere :)
>
> Do you mean LVM and dm-crypt. BTW does TRIM work in this setting?

yes, trim/discard is transmitted down the stack.
 - issue_discards needs to be enabled in /etc/lvm/lvm.conf for LVM,
 - and allow-discard in /etc/crypttab is needed for dm-crypt.

dm-crypt developers were reluctant about providing this discard option
due to information disclosure problem, because discarded blocks can be
blanked by the hardware (this was the case with my Intel SSD), which
reveals information about which blocks are encrypted, and which blocks
are not, without having to know the encryption key.

best,
--
fabrice
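
An added example, not part of the message above or of any project's code: a shell audit of the discard settings at each layer of an LVM-on-LUKS stack like the one discussed in this thread. The crypttab, lvm.conf and `dmsetup table` contents, the mapping names and the helper function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example: where is TRIM/discard enabled in an LVM-on-LUKS stack?
# File contents and device names below are constructed sample data.

# Names of crypttab mappings whose options field (4th column) enables discard.
# Debian/Ubuntu and systemd spell the crypttab option "discard"; the flag in
# the live dm-crypt table is "allow_discards".
crypttab_discard_mappings() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "discard") { print $1; break }
        }' "$1"
}

# Effective issue_discards value from an lvm.conf file (LVM's default is 0).
# The setting controls discards LVM itself sends to the PV when an LV is
# removed or reduced.
lvm_issue_discards() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        /^[ \t]*issue_discards[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); val = kv[2]
        }
        END { print (val == "" ? 0 : val) }' "$1"
}

# Reads `dmsetup table` output on stdin. For every crypt target, report whether
# discards pass through ("passes") or are dropped by dm-crypt ("blocked").
# "passes" means the raw device can show which blocks are unused.
dm_crypt_discard_state() {
    awk '$4 == "crypt" {
        name = $1; sub(/:$/, "", name)
        state = "blocked"
        for (i = 5; i <= NF; i++) if ($i == "allow_discards") state = "passes"
        print name, state
    }'
}

# Write the constructed sample inputs into directory $1.
write_samples() {
    cat > "$1/crypttab" <<'EOF'
# <name>       <device>             <keyfile> <options>
sda5_crypt     UUID=constructed-1   none      luks,discard
backup_crypt   UUID=constructed-2   none      luks
EOF
    cat > "$1/lvm.conf" <<'EOF'
devices {
    # issue_discards = 0
    issue_discards = 1
}
EOF
    cat > "$1/dmsetup-table.txt" <<'EOF'
sda5_crypt: 0 497664000 crypt aes-xts-plain64 0000000000000000 0 8:5 4096 1 allow_discards
backup_crypt: 0 209715200 crypt aes-xts-plain64 0000000000000000 0 8:17 4096
vg-root: 0 41943040 linear 253:0 2048
EOF
}

demo_dir=$(mktemp -d) || exit 1
write_samples "$demo_dir"
echo "crypttab mappings with discard: $(crypttab_discard_mappings "$demo_dir/crypttab")"
echo "lvm.conf issue_discards: $(lvm_issue_discards "$demo_dir/lvm.conf")"
dm_crypt_discard_state < "$demo_dir/dmsetup-table.txt"
rm -rf "$demo_dir"
```

On a live system, point the first two functions at /etc/crypttab and /etc/lvm/lvm.conf and pipe the output of `dmsetup table` (run as root) into the third.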

Re: X60s/200s with SSD, encrypted disk

Leon Weber
In reply to this post by Uwe Brauer-2
On 19.06.2015 17:22:00, Uwe Brauer wrote:
> I would like to consider a 14.04 installation with an entirely encrypted
> disk. However I fear performance problems and would welcome any comments
> on that subject.

I’ve run an X61s with an encrypted SSD for a good while.  As the CPU
does not support AES in hardware, the AES encryption limited the disk
throughput to about 70MB/s (iirc), which is far away from the numbers
that are possible without encryption (somewhere in the 200…300MB/s
ballpark).  I’ve lived with it, as it was a big performance boost
already compared to the spinning disk I had before the SSD.

That also meant I didn’t even have to bother with the unofficial BIOS
upgrade that enables SATA 2 on the X60 series laptops.  If you decide to
go unencrypted or somehow use a hardware AES implementation (built-in in
your SSD or whatever), keep in mind the X60 series officially only
supports SATA 1 link speeds, but google “lenovo X60 sata 2” for an
unofficial BIOS upgrade that enables SATA 2.

    -- Leon.


Re: [TRIM] (was: [ltp] X60s/200s with SSD, encrypted disk)

Luca Fornasari
In reply to this post by Fabrice Bellet

On Sat, Jun 20, 2015 at 10:43 PM, Fabrice Bellet <[hidden email]> wrote:
 - issue_discards needs to be enabled in /etc/lvm/lvm.conf for LVM,
 - and allow-discard in /etc/crypttab is needed for dm-crypt.

dm-crypt developers were reluctant about providing this discard option
due to information disclosure problem, because discarded blocks can be
blanked by the hardware (this was the case with my Intel SSD), which
reveals information about which blocks are encrypted, and which blocks
are not, without having to know the encryption key.

dm-crypt does not always honor discard option ... it depends on distros; as an example Red Hat do not support it
______________
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/ch-ssd.html
21.1 Deployment Consideration
The only DM targets that do not support discards are dm-snapshot, dm-crypt, and dm-raid45
-------------------------

Cheers,
Luca


Re: X60s/200s with SSD, encrypted disk

Paul Seelig-3
In reply to this post by Leon Weber
On 06/21/2015 11:06 AM, Leon Weber wrote:
> That also meant I didn’t even have to bother with the unofficial
> BIOS upgrade that enables SATA 2 on the X60 series laptops.  If
> you decide to go unencrypted or somehow use a hardware AES
> implementation (built-in in your SSD or whatever), keep in mind
> the X60 series officially only supports SATA 1 link speeds, but
> google “lenovo X60 sata 2” for an unofficial BIOS upgrade that
> enables SATA 2.

There is no "unofficial BIOS upgrade that enables SATA 2" for any X60,
nor T60. The chipset of these machines simply does not support it as
it is a definite hardware limitation. This is a common misperception.

X61 and T61 are a whole different thing: These machines are based on
the so called Santa Rosa chipset which natively supports SATA2, but
has been deliberately limited to SATA1 by Lenovo, in order to prevent
assumed conflicts for the still IDE based UltraBay. The unofficial
BIOS by Middleton only removes this artificial limitation, in order to
enable the chipset to fulfill its dormant promise.

X60/T60 and X61/T61 might have similar looks and also share lots of
common hardware components, but chipset wise they are two completely
different machines. While the *60 chipset is hardware limited to SATA1
and 3GB RAM, with no possible workaround, the *61 machines do support
SATA2 (if unlocked) and can use up to 2x4=8GB of RAM.



Re: X60s/200s with SSD, encrypted disk

Leon Weber
On 21.06.2015 15:47:34, Paul Seelig wrote:
> While the *60 chipset is hardware limited to SATA1 and 3GB RAM, with
> no possible workaround, the *61 machines do support SATA2 (if
> unlocked) and can use up to 2x4=8GB of RAM.

Oh, indeed I didn’t know X60 and X61 were that different.  Thanks for
the correction!

    -- Leon.


Re: [TRIM]

Uwe Brauer-2
In reply to this post by Luca Fornasari
On 06/21/2015 11:36 AM, Luca Fornasari wrote:

On Sat, Jun 20, 2015 at 10:43 PM, Fabrice Bellet <[hidden email]> wrote:
 - issue_discards needs to be enabled in /etc/lvm/lvm.conf for LVM,
 - and allow-discard in /etc/crypttab is needed for dm-crypt.

dm-crypt developers were reluctant about providing this discard option
due to information disclosure problem, because discarded blocks can be
blanked by the hardware (this was the case with my Intel SSD), which
reveals information about which blocks are encrypted, and which blocks
are not, without having to know the encryption key.

dm-crypt does not always honor discard option ... it depends on distros; as an example Red Hat do not support it
______________
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/ch-ssd.html
21.1 Deployment Consideration
The only DM targets that do not support discards are dm-snapshot, dm-crypt, and dm-raid45
-
I run trim as cron job, since I don't want to fiddle my fstab.

(I am using Kubuntu)


Re: X60s/200s with SSD, encrypted disk

Uwe Brauer-2
In reply to this post by Christoph Schmees
On 06/19/2015 10:55 PM, Christoph Schmees wrote:
On 19.06.2015 at 17:22, Uwe Brauer wrote:
> Hello
> 
> I have to upgrade my Kubuntu 10.04 to at least 14.04.
> I have already upgraded the hard disk of both laptops to an SSD which was
> the most notable performance boost I experienced so far. 
> 
> I would like to consider a 14.04 installation with an entirely encrypted
> disk. However I fear performance problems and would welcome any comments
> on that subject.
> 

if you own a ThinkPad already, why don't you use the built-in HD
encryption based on the TPM? You can set a password in the BIOS,
and the encryption is totally transparent to any OS you use. I
use it a lot on machines with dual or multi boot. The *whole
disk* is encrypted, and none of the OSes knows about it. I must
admit that I never tested w/ SSD so far, so I don't know if there
is any impact.

hth, Christoph

problem seems to be: what to do if the machine breaks down, it is not trivial to access the content
on the disk then, even if you know the password

see for example


https://github.com/jethrogb/lenovo-password


