Hi everyone,

As my thread from yesterday about shredding SSDs the right way was already very helpful, another follow-up topic came to my mind, which may also be interesting for me and maybe others too.

Since many PCs nowadays often use SSDs and fewer hard drives, it may be interesting to discuss full-disk encryption of them.

First of all some questions, which came to my mind:

  • Does the encryption of an SSD decrease its performance (read/write speed) significantly?
  • How does the encryption affect the wear-leveling of the SSD, and what should be considered to ensure a safe encryption?
  • Will functionalities like hibernation still work? Are maybe other functionalities affected in a negative way?

I already successfully full-disk encrypted my old laptop (hard drive) with the instructions from StackExchange. My computer has a 1TB SSD + 1TB hard drive, and I wish to encrypt completely everything that's not technically necessary. I want to use Debian as my distro. Could this instruction work the same way as with hard drives?

I’m interested in your knowledge about this.

~sp3ctre

  • fool@lemmy.dbzer0.com · 11 points · 13 days ago

    It should work almost exactly the same as hard drive encryption. In my experience, the read/write overhead from encryption is negligible. Encryption shouldn’t affect wear-leveling, and it’s still possible to TRIM the drive to discard any unused blocks (although TRIM may leak some filesystem metadata).

    If you want to ensure any previous unencrypted data is erased on the SSD, consider formatting and trimming it before encryption (using something like blkdiscard). Hibernation should still work; it will just prompt you for your encryption passphrase and then resume your session. I'm not sure about any lost functionality, but it's been seamless for me.

    Depending on your threat model, keep in mind that full disk encryption typically leaves the boot partition (usually containing the kernel, initrd, and bootloader) unencrypted since it’s needed to boot the system. This can leave you susceptible to evil maid attacks or modifications from another operating system (if dual booting). For most people though I assume this shouldn’t be an issue.
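The steps the reply describes (discard the whole SSD first, then create the LUKS container, then decide whether to pass TRIM through the mapping), as an added example script that is not from the thread or from any project; `/dev/sdX`, the mapping name and the UUID are placeholders, and it runs in dry-run mode unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Constructed example: prepare an SSD for LUKS full-disk encryption on Debian.
# DEV is a placeholder; set DRY_RUN=0 only on a disk you intend to erase.
set -eu

DEV="${DEV:-/dev/sdX}"        # placeholder device, replace before real use
NAME="${NAME:-cryptssd}"      # name of the /dev/mapper entry
DRY_RUN="${DRY_RUN:-1}"       # 1 = only print the commands, 0 = execute

run() {
  if [ "$DRY_RUN" = 1 ]; then printf 'would run: %s\n' "$*"; else "$@"; fi
}

# Step 1: discard every block so no plaintext from the previous install
# survives in the flash (the reply's blkdiscard suggestion).
wipe_ssd() { run blkdiscard "$DEV"; }

# Step 2: create the LUKS2 container on the now-empty device.
make_luks() { run cryptsetup luksFormat --type luks2 "$DEV"; }

# Step 3: open it. Passing discards through keeps wear-leveling informed but,
# as the reply notes, reveals which blocks are unused (filesystem metadata).
open_luks() {
  if [ "$1" = yes ]; then run cryptsetup open --allow-discards "$DEV" "$NAME"
  else run cryptsetup open "$DEV" "$NAME"; fi
}

# /etc/crypttab line that makes the TRIM choice persistent across boots.
# $1 = LUKS UUID (placeholder in tests), $2 = yes/no for discard.
crypttab_line() {
  opts="luks"
  if [ "$2" = yes ]; then opts="$opts,discard"; fi
  printf '%s UUID=%s none %s\n' "$NAME" "$1" "$opts"
}

# Check an existing mapping: `cryptsetup status $NAME` prints a
# "flags: discards" line when TRIM is allowed. Takes that output as text.
discards_enabled() { printf '%s\n' "$1" | grep -q 'flags:.*discards'; }

# Dry-run walkthrough when executed directly.
wipe_ssd
make_luks
open_luks yes
crypttab_line 00000000-0000-0000-0000-000000000000 yes
```

Check the live result afterwards with `cryptsetup status cryptssd | grep flags` (and remember the reply's point that `/boot` stays outside the container).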