On 3/18/2020 3:44 PM, Ben Hutchings wrote:
> On Wed, 2020-03-18 at 11:27 +0100, john doe wrote:
>> Package: debian-installer
>> Version: debian-10.3.0-amd64-netinst.iso
>>
>> After installing debian-10.3.0-amd64-netinst.iso with encrypted LVM, the
>> crypttab file is populated with the 'discard' option in the fourth field.
>>
>> According to (1), the discard option has security implications:
>>
>> "discard
>> Allow discard requests to be passed through the encrypted block device.
>> This improves performance on SSD storage but has security implications."
>
> As I recall, the security implication is a minor information leak - it
> makes it possible to determine how much, and which parts, of the disk
> are used. Hardly anyone should care about that, so this is a
> reasonable default.
>

Reading (1), I don't see that as a reasonable default.
You clearly need to understand when to use this flag.

1) http://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html

> Ben.
>
>> I would suggest that the debian-installer populates the first two
>> mandatory fields of '/etc/crypttab'.

Changing 'luks,discard' to 'key-slot=0' would be more appropriate.

--
John Doe
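
Added example, not part of the thread or of debian-installer: a small Python check that reads a crypttab and reports entries whose fourth (options) field contains 'discard', together with the options that would remain without it. The sample file, target names, UUID and key path are constructed placeholders; the four-field layout is assumed from the report above.

```python
# Added example: flag crypttab entries whose options field enables 'discard'.
# SAMPLE is constructed for illustration; names, UUID and paths are placeholders.

SAMPLE = """\
# <target name> <source device> <key file> <options>
sda5_crypt UUID=00000000-0000-0000-0000-000000000001 none luks,discard
data_crypt /dev/sdb1 /etc/keys/data.key luks
swap_crypt /dev/sdc2 /dev/urandom swap,discard,cipher=aes-xts-plain64

scratch    /dev/sdd1
"""


def parse_crypttab(text):
    """Return one dict per entry; comments, blank and one-field lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # fields are separated by tabs or spaces
        if len(fields) < 2:
            continue  # malformed: target and source device are both required
        entries.append({
            "lineno": lineno,
            "name": fields[0],
            "device": fields[1],
            "keyfile": fields[2] if len(fields) > 2 else "none",
            # options are a comma-separated list in the fourth field
            "options": fields[3].split(",") if len(fields) > 3 else [],
        })
    return entries


def find_discard(text):
    """Return (line number, target name, options without 'discard') per hit."""
    findings = []
    for entry in parse_crypttab(text):
        # Exact token match, so 'key-slot=0' or other options never match.
        if "discard" in entry["options"]:
            kept = [o for o in entry["options"] if o != "discard"]
            findings.append((entry["lineno"], entry["name"], ",".join(kept)))
    return findings


if __name__ == "__main__":
    import sys
    # Pass a path such as /etc/crypttab, or run without arguments for SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lineno, name, remaining in find_discard(text):
        print(f"line {lineno}: {name} passes discards through; "
              f"options without it: {remaining or '(none)'}")
```

The script only reports; changing the options still means editing the file by hand and, on a system that unlocks the volume at boot, regenerating the initramfs.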