Solved Check that encrypted GELI passes TRIM from ZFS to SSD?

So, on Linux, if you had plain encryption and the mapped partition inside of it used TRIM, you had to add allow_discards to the mounting of the partition. That's the only way the SSD would know what to discard (because it only sees the encrypted blocks).

In FreeBSD, it seems like geli has -t/-T options, but it's unclear from geli's manpage if TRIM is on by default, and it looks like geli cannot display whether TRIM is on or off, which is weird. It seems you can dump metadata with geli, but there's no clear way to check if TRIM is enabled or not via this method?

My questions are:
1) does encrypted GELI partition pass TRIM from ZFS to the hardware by default?
2) how can I check that encrypted GELI for a partition has TRIM enabled?

Assume ZFS autotrim is on or doing a manual trim.
 
1) does encrypted GELI partition pass TRIM from ZFS to the hardware by default?
No idea, perhaps the developers on http://lists.freebsd.org know more (freebsd-general@ or freebsd-current@).

2) how can I check that encrypted GELI for a partition has TRIM enabled?
Looking through the source code, TRIM is enabled by default; when disabled, geli list will show the NODELETE flag for the provider [1] [2]:


[1] lib/geom/eli/geom_eli.c
Rich (BB code):
        if (gctl_get_int(req, "notrim"))
                md.md_flags |= G_ELI_FLAG_NODELETE;

[2]
Rich (BB code):
# geli list | grep -e name -e Flags
Geom name: nda0p4.eli
Flags: BOOT, GELIBOOT, AUTORESIZE

# geli configure -T nda0p4

# geli list | grep -e name -e Flags
Geom name: nda0p4.eli
Flags: BOOT, NODELETE, GELIBOOT, AUTORESIZE

geli(8)
Rich (BB code):
     configure  Change configuration of the given providers.

                -T
                   Disable TRIM/UNMAP passthru.
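
The check shown in [2] above, as an added example that is not part of the original post: an sh helper that reads `geli list` output and reports per provider whether the NODELETE flag is set. The function names and the second sample provider (nda1p4.eli) are constructed for illustration.

```sh
#!/bin/sh
# Added example: report GELI TRIM passthrough per provider from `geli list`.
# Function names are hypothetical helpers, not part of geli(8).

# Reads `geli list` output on stdin and prints "<geom name> trim=on|off".
# trim=off means the NODELETE flag is set (geli configure -T was used).
geli_trim_status() {
    awk '
        /^Geom name:/ { name = $3 }
        /^Flags:/ {
            line = $0
            sub(/^Flags:/, "", line)
            gsub(/[ \t\r]/, "", line)      # drop padding around each flag
            n = split(line, flags, ",")
            state = "on"
            for (i = 1; i <= n; i++)       # exact match, not a substring test
                if (flags[i] == "NODELETE") state = "off"
            print name, "trim=" state
        }
    '
}

# Prints only the providers that have TRIM passthrough disabled.
geli_trim_off() {
    geli_trim_status | awk '$2 == "trim=off" { print $1 }'
}

# Constructed sample input, modelled on the two outputs quoted in [2].
sample_geli_list() {
    cat <<'EOF'
Geom name: nda0p4.eli
Flags: BOOT, GELIBOOT, AUTORESIZE
Geom name: nda1p4.eli
Flags: BOOT, NODELETE, GELIBOOT, AUTORESIZE
EOF
}

# On a FreeBSD host with geli available, check the live providers.
if command -v geli >/dev/null 2>&1; then
    geli list | geli_trim_status
fi
```

A provider reported as trim=on only means GELI is not blocking delete requests; whether the underlying disk honours TRIM is a separate question.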
 
Looking through the source code, TRIM is enabled by default; when disabled, geli list will show the NODELETE flag for the provider [1] [2]:
This is so beautiful, thank you, 🥰😍

configure Change configuration of the given providers. -T Disable TRIM/UNMAP passthru.
There's a caveat here. This does not work if you do this via /dev/da0p3.eli or whatever. This can only be done on the gpt/zfs0.eli! 🎆🎆🎆
 
Just add the required trim_zfs stuff in your periodic.conf disabled and do an occasional trim through a cron job.

not too often, just enough :) ...

----
Code:
# 800.scrub-zfs
daily_scrub_zfs_enable="YES"
daily_scrub_zfs_pools="zroot"                           # empty string selects all pools
daily_scrub_zfs_default_threshold="35"          # days between scrubs
#daily_scrub_zfs_${poolname}_threshold="35"     # pool specific threshold

# 801.trim-zfs
daily_trim_zfs_enable="NO"
daily_trim_zfs_pools=""                         # empty string selects all pools
daily_trim_zfs_flags=""                         # zpool-trim(8) flags

#zpool status
  pool: zroot
 state: ONLINE
  scan: scrub repaired 0B in 00:07:17 with 0 errors on Sun Nov 30 04:05:15 2025
config:

        NAME            STATE     READ WRITE CKSUM
        zroot           ONLINE       0     0     0
          mirror-0      ONLINE       0     0     0
            ada0p3.eli  ONLINE       0     0     0
            ada1p3.eli  ONLINE       0     0     0
            ada2p3.eli  ONLINE       0     0     0

errors: No known data errors
 
Why not, not use GELI and use encrypted ZFS?
That's a good question.

Different layers, different approaches.

With ZFS encryption - you can encrypt only parts of your partition, but no multiple keys, no salts, no bootable encrypted root partition via bootloader, exposes more metadata, etc.
 
It is better to do periodic trims rather than have autotrim turned on. As a matter of fact, that is how most Linux does it now as well, not favoring the discard mount option any longer.

Does not look like daily_trim_zfs_default_threshold= made it into periodic 801.trim-zfs so for now an explicit cronjob works just as well.

 