Fedora enabling Fstrim as default with FDE

FDE with fstrim is very problematic and can be considered a security issue.

In the majority of distros like Arch, the fstrim service is never enabled if FDE is used with
archinstall; this is really good for users that want to use FDE.

According to some blogs and tests, FDE with fstrim brings a vulnerability in SSDs that
allows third parties to access arbitrary data trimmed by fstrim, exposing file system internals,
and when using this it is impossible to revert; because of this I will need to return to Arch after this post.

Fedora: Fedora Silverblue 40

Result of systemd:

sudo systemctl disable --now fstrim.timer 
Removed "/etc/systemd/system/timers.target.wants/fstrim.timer"


Is this Silverblue specific? Could you maybe use a few less abbreviations, add some links and explain what fstrim is?

The fstrim timer is enabled by default, but it doesn’t trim encrypted disks. It does trim other unencrypted disks that are in the fstab, so it is still useful even on systems with full disk encryption.

To verify run $ sudo fstrim --fstab --verbose. The output should show that 0 bytes are trimmed on the encrypted disk. This is because LUKS by default discards trim commands. So unless you did run something like $ cryptsetup --allow-discards --persistent refresh /dev/mapper/$PARTITION or edited your crypttab to enable trim on the disk, the timer should do nothing.
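The check described in the reply above, as an added example that is not part of the original thread or of any Fedora tooling: a small POSIX shell script that tells you, per dm-crypt mapping, whether discards have been allowed through LUKS (the `flags: discards` line that `cryptsetup status` prints once `--allow-discards` or the `discard` crypttab option is in effect), and that parses `fstrim --fstab --verbose` lines into byte counts so a "0 bytes trimmed" result can be checked mechanically. The `cryptsetup status` and `fstrim` output embedded below is constructed sample text, not captured from a real machine, so the parsing functions run offline; `audit_luks_discards` is the live variant and needs root.

```shell
#!/bin/sh
# Added example (not from the thread). Audits whether fstrim can reach data
# behind LUKS: discards are blocked by default and only pass through once the
# mapping was opened with --allow-discards (or `discard` in /etc/crypttab).

# Read a `cryptsetup status <mapping>` dump from stdin; succeed (0) only if the
# mapping was opened with discards allowed, which shows up as "flags: discards".
luks_discards_enabled() {
    grep -Eq '^[[:space:]]*flags:.*discards'
}

# Print the byte count from one `fstrim --fstab --verbose` line, e.g.
#   "/: 0 B (0 bytes) trimmed on /dev/mapper/luks-example"  ->  0
fstrim_bytes() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9]*\) bytes) trimmed.*/\1/p'
}

# Live audit (needs root). One line per /dev/mapper entry that cryptsetup
# recognises; returns 1 if any LUKS mapping lets discards through.
audit_luks_discards() {
    command -v cryptsetup >/dev/null 2>&1 || { echo "cryptsetup not found" >&2; return 2; }
    rc=0
    for dev in /dev/mapper/*; do
        name=${dev#/dev/mapper/}
        [ "$name" = control ] && continue
        status=$(cryptsetup status "$dev" 2>/dev/null) || continue
        if printf '%s\n' "$status" | luks_discards_enabled; then
            echo "$name: discards ALLOWED - fstrim.timer will trim through LUKS"
            rc=1
        else
            echo "$name: discards blocked - fstrim is a no-op on this mapping"
        fi
    done
    if command -v systemctl >/dev/null 2>&1; then
        echo "fstrim.timer: $(systemctl is-enabled fstrim.timer 2>/dev/null || echo unknown)"
    fi
    return "$rc"
}

# Constructed sample output (not from a real system) so the parsers can be
# exercised without root. The first dump is what a default Fedora LUKS2
# mapping looks like; the second adds the flags line you get after
# `cryptsetup --allow-discards --persistent refresh`.
SAMPLE_STATUS_DEFAULT='/dev/mapper/luks-example is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/nvme0n1p3
  mode:    read/write'
SAMPLE_STATUS_DISCARDS="$SAMPLE_STATUS_DEFAULT
  flags:   discards"
SAMPLE_FSTRIM_LINE='/: 0 B (0 bytes) trimmed on /dev/mapper/luks-example'

# Demonstrate the parsers on the constructed samples.
if printf '%s\n' "$SAMPLE_STATUS_DEFAULT" | luks_discards_enabled; then
    echo "default mapping: discards allowed"
else
    echo "default mapping: discards blocked (expected on stock Fedora)"
fi
if printf '%s\n' "$SAMPLE_STATUS_DISCARDS" | luks_discards_enabled; then
    echo "refreshed mapping: discards allowed"
fi
echo "bytes trimmed on sample fstrim line: $(fstrim_bytes "$SAMPLE_FSTRIM_LINE")"
```

Run `sudo sh -c '. ./luks-discards.sh; audit_luks_discards'` (any filename works; the one here is assumed) to check a real box. A non-zero exit means at least one mapping has discards enabled, which is the only situation in which the thread's concern applies; on a stock Fedora install the mappings report "discards blocked" and `fstrim --fstab --verbose` reports 0 bytes for them.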