Ubuntu – How to add an SSD cache to an encrypted HDD for desktop/GUI use

dm-cacheencryptionlvmcachessd

SSHDs seem to be stuck at 4TB and 8GB SSD cache (one model is available with 1TB/32GB) while bigger SSDs are widely available and some solutions exist to to pair an HDD with an SSD in Linux. I'm looking for a solution that is easy to use on a desktop once it's set up. Ideally one needs to click one or two launcher icons, enter passwords for the encrypted storage and mount the drive in Nautilus without needing to remember any particular commands.

All storage and cache data must be stored encrypted.
A seprate large HDD is available for data migration to new partition schemes or what ever is required.

Best Answer

non-root LVM on LUKS

Introduction

Info:

I just started using LVM because of this feature and my intention was to use an encryted data partition with an SSD for caching.
I usually use ZFS on Linux (see also ARC) for data archiving and redundancy, which appears to be easier to administer and to setup. You may want to look at ZFS if you want to use more than one HDD, an advantage that LVM has over ZFS on Linux however is that it doesn't rely on a DKMS built kernel module which may not build and run correctly if you need to use mainline kernels from the kernel PPA for example. (May be I'm doing something wrong there with ZFS, but some articles on Phoronix read as if that is how it is.)
This is intended for workstation usage and GUI-way solutions are preferred, to possbily show what can be achived with GUIs currently.

Caveat:

Don't just add any SSD as a cache to your HDD and expect big performance increases. The BX200 with 480GB I currently use looks reasonable but showed slower write speeds than HDDs in benchmarks and product reviews. Also note that both devices have to write the data by default at the same time when not in writeback cache mode — which has a higher risk of data corruption — so don't be confused by doubled total transfer rates and slow writes in tools like indicator-multiload.

Overview:

To provide some more insight, here is what I set up in a VM after reading the articles in the question before trying it on actual hardware. The luks- named devices are automatically created when using the GUI to unlock the encrypted devices, LVM will detect that the devices have become available and will offer you to mount the filesystems in nautilus as usual.

lwbt@vxenial:~$ lsblk
…    
sdb                                           8:16   0    8G  0 disk
└─luks-6bc875f1-de30-4698-ba74-eea2c5d5bb87 252:0    0    8G  0 crypt 
  └─vg0-datalv_corig                        252:5    0  7,9G  0 lvm
    └─vg0-datalv                            252:1    0  7,9G  0 lvm
sdc                                           8:32   0    8G  0 disk
└─luks-e20dd038-9886-4895-b786-855ba4c31c7e 252:2    0    8G  0 crypt 
  ├─vg0-cache_cdata                         252:3    0    8G  0 lvm 
  │ └─vg0-datalv                            252:1    0  7,9G  0 lvm 
  └─vg0-cache_cmeta                         252:4    0   12M  0 lvm 
    └─vg0-datalv                            252:1    0  7,9G  0 lvm 


lwbt@vxenial:~$ ll /dev/mapper/
total 0
drwxr-xr-x  2 root root     180 Sep  6 02:54 ./
drwxr-xr-x 20 root root    4420 Sep  6 02:54 ../
crw-------  1 root root 10, 236 Sep  6 00:37 control
lrwxrwxrwx  1 root root       7 Sep  6 02:54 luks-6bc875f1-de30-4698-ba74-eea2c5d5bb87 -> ../dm-0
lrwxrwxrwx  1 root root       7 Sep  6 02:54 luks-e20dd038-9886-4895-b786-855ba4c31c7e -> ../dm-2
lrwxrwxrwx  1 root root       7 Sep  6 02:54 vg0-cache_cdata -> ../dm-3
lrwxrwxrwx  1 root root       7 Sep  6 02:54 vg0-cache_cmeta -> ../dm-4
lrwxrwxrwx  1 root root       7 Sep  6 02:54 vg0-datalv -> ../dm-1
lrwxrwxrwx  1 root root       7 Sep  6 02:54 vg0-datalv_corig -> ../dm-5

The output of lsblk might have an additional layer if you partition the block devices (SSD/HDD) instead of straight encrypting them with LUKS. Of course if you have no interest in LUKS encryption you can skip these steps in the following instructions which is fine too.

Instructions

Install the required packages:

sudo apt install lvm2 thin-provisioning-tools cryptsetup

The commands in the following section will destroy all existing data on the drives.

Encrypt each individual device:

sudo cryptsetup luksFormat ${device_name}
sudo cryptsetup luksOpen ${device_name} ${mapper_name_hdd_or_ssd}

_{Note: gnome-disks has an options to encrypt and mount encrypted devices, but it also creates EXT4 filesystems which would have to be deleted to continue following the instructions.}

Then add the device as a physical volume to LVM, create a volume group (named vg0) and a logical volume (named datalv) on the HDD which will be formatted later to hold all the data:

pvcreate /dev/mapper/${mapper_name_hdd}
vgcreate vg0 /dev/mapper/${mapper_name_hdd}
lvcreate -l 100%pvs -n datalv vg0 /dev/mapper/${mapper_name_hdd}

_{Note: 100%pvs will create a volume which spans over the entire device you have chosen (e.g. the encrypted container or a partition). More details and options can be found in lvmcache and other related manpages.}

Now extend the LVM configuration by adding the SSD to the volume group:

pvcreate /dev/mapper/${mapper_name_ssd}
vgextend vg0 /dev/mapper/${mapper_name_ssd}

Create a cache-pool volume named cache in vg0 on the SSD, then add the new cache pool as a cache to datalv:

lvcreate --type cache-pool -l 100%pvs -n cache vg0 /dev/mapper/${mapper_name_ssd}
lvconvert --type cache --cachepool vg0/cache vg0/datalv

_{Note: lvcreate will automatically choose the optimal sizes for cache_cdata and cache_cmeta for you this way.}

After making changes to an LVM configuration it may be necessary to rescan pv, vg and lv to activate the LVM devices, if you want to avoid rebooting:

pvscan
vgscan
lvscan
vgchange -ay

The following command deactivates all LVM volumes when no name is provided:

vgchange -an

Finally it's time to format the logical volume and transfer data.

Example for formatting using the Gparted GUI
```
pkexec gparted /dev/mapper/vg0-datalv
```
Example for formatting using command line tools:
```
sudo mkfs.ext4 /dev/mapper/vg0-datalv
```

Now the new filesystem should show up in Nautilus.

Usage

The many LVM commands make the setup look quite complex while it may not even leverage the full potential of LVM to experienced users, but once it's setup and the computer rebooted you just need to mount the encrypted disks from the Unity launcher or from within gnome-disks, then mount the volume that shows up in Nautilus like any other filesystem or disk. No memorizing of complex commands is required. To my knowledge there is currently no GUI tool available to handle the LVM setup of a cache pool in Ubuntu.

Notes:

I prefer to mount the smaller encrypted cache SSD device before mounting the HDD
The cache can be removed and replaced see Cache Removal in lvmcache manpage.

To display all metrics about the cache you can use the following command:

sudo lvs -o+cache_total_blocks,cache_used_blocks,cache_dirty_blocks,cache_read_hits,cache_read_misses,cache_write_hits,cache_write_misses,cachemode,cache_policy,cache_settings

Related Solutions

Ubuntu – What are the advantages/disadvantages of different SSD to HDD cacheing options (dm-cache, flashcashe…)

I really don’t know where to start, since all this is excellent information. I will start with some info about SSD’s, then a description of all the different caching methods, and just go from there. I hope that you

Advantages/Disadvantages

Price: SSDs are somehow expensive
Maximum and Common Capacity: High capacity SSD’s are very rare and expensive
Speed: This is where SSDs gets the edge
Durability: An SSD has no moving parts

Best to have a hybrid system, to have the best of both worlds (capacity, reliability, speed, etc.)

The Linux 3.9 kernel (made available on April 28, 2013) introduces SSD caching. The kernel's Device mapper now includes a cache target called dm-cache that enables SSDs or other storage device to be used as a cache for a hard drive. It essentially speeds up data writes and reads as it allows the faster SSD to first cache data and then transfer it to the slower hard drive.

^Source:Iwn

Flashcache is a module originally written and released by Facebook(Mohan Srinivasan, Paul Saab and Vadim Tkachenko) in April of 2010. It is a kernel module that allows Writethrough caching of a drive on another drive. This is most often used for caching a rotational drive on a smaller solid-state drive for performance reasons. This gives you the speed of an SSD and the size of a standard rotational drive for recently cached files. FlashCache is a general purpose writeback block cache for Linux.

^{Source:ArchLinux}

Bcache is a Linux kernel block layer cache. It allows one or more fast disk drives such as flash-based solid state drives (SSDs) to act as a cache for one or more slower hard disk drives.

Hard drives are cheap and big, SSDs are fast but small and expensive. Wouldn't it be nice if you could transparently get the advantages of both? With Bcache, you can have your cake and eat it too.

Bcache patches for the Linux kernel allow one to use SSDs to cache other block devices. It's analogous to L2Arc for ZFS, but Bcache also does writeback caching (besides just write through caching), and it's filesystem agnostic. It's designed to be switched on with a minimum of effort, and to work well without configuration on any setup. By default it won't cache sequential IO, just the random reads and writes that SSDs excel at. It's meant to be suitable for desktops, servers, high end storage arrays, and perhaps even embedded.

The design goal is to be just as fast as the SSD and cached device (depending on cache hit vs. miss, and writethrough vs. writeback writes) to within the margin of error. It's not quite there yet, mostly for sequential reads. But testing has shown that it is emphatically possible, and even in some cases to do better - primarily random writes.

^{Source:Bcache}

Bcache has a big disadvantage, and that it takes away memory from the system to implement the cache.

EnhanceIO is a solution that runs beneath the application layer, enabling applications to utilize the performance benefits of SSDs without major IT infrastructure changes. An SSD cache can yield most of the benefits of switching from HDDs to SSDs at a fraction of the cost of an all-SSD system. A cached system typically operates on less power than an HDD-based system of similar performance, and that creates a side benefit by reducing cooling requirements.

An SSD cache can also extend the useful life of an existing system by improving performance to meet growing demands through an incremental investment, rather than through a wholesale upgrade/replacement of the existing system.

Caching also enables faster access to the data without the extra storage administration overhead to acquire and install new disk shelves, configuring new LUNs and migrating data to the new LUNs. Caching is almost transparent and requires little if any downtime. EnhanceIO is based upon Flashcache.

^{Source:Stec-Inc}

bcache is the most worthless of all because it requires specially prepared (formatted) data partition. This makes it difficult (if possible) to attach cache to existing partition with data as one would need 200% capacity and to perform long data-moving in order to activate/deactivate caching.

The brilliance of EnhanceIO is that it doesn't need intermediate device at all and can be attached to any block device on-the-fly even when device is already mounted. Another super-cool thing is that you can attach EnhanceIO cache not just to partition but to partitioned block device to cache all its partitions at once. Just like flashcache enchanceio modules are built with DKMS and can be used with older kernels.

^{Source: Debian}

DM Cache Advantages

DM caches use a simplified architecture, which makes them adaptable and easy to customize. Users can adjust the block size and the cache capacity based on the amount of data it will have to handle or on the value of the data. If a particular application needs to store a great deal of data in sequence, users can configure the cache for that purpose. If a user wants to record information in a database simultaneously with the cache, that won't interfere with the cache's operations.

DM Cache Dis-Advantages

One drawback to using a DM cache is that the Linux operating system has limited space for storing metadata. If the cache is large, and includes lots of small blocks, that adds up to a lot of metadata for the stored information. To solve this problem, the user must increase the block size. Another possible problem is that, after a server crash, the cache metadata may no longer match the cache contents, though it is possible to restore the correct configuration eventually.

^{Source: Complements of Fraser Sherman}

So from the above information it’s clear that EnhanceIO is the way to go, but in my opinion since it’s based on Flashcache, I would go with flash cache. But I will definitely try both of them before making a final decision.

Ubuntu – How to install Ubuntu with both disk encryption AND SSD caching

LVM on LUKS on bcache

Here the russian doll game is a little deeper with 3 stacks/layers...

My initial idea about this question was to use a default Ubuntu install with LVM on LUKS and convert it into a bcache backing device with blocks but it did not work for me on my test with LVM.

Moreover, the ubuntu installer (ubiquity) is too limited to install inside a bcache device prepared in advance (at least with LUKS on LVM), so we fallback to a method of doing things manually.

Boot into the live CD/USB and choose "Try Ubuntu" and open up a terminal

Pre-install

sudo -i
# Define some variable to avoid confusion and error
luks_part=/dev/sda3
boot=/dev/sda2                    # boot partition
caching_bcache=/dev/sdb           # SSD or partition in SSD

# Do secure erase of encrypted backing and caching device (see Notes [1])
dd if=/dev/urandom of=$luks_part || dd if=/dev/urandom of=$caching_bcache
# Go and grab some coffe, this will take a while...

apt-get install bcache-tools
# Setup bcache caching and backing devices
make-bcache -C $caching_bcache -B $luks_part
# (Optional) Tweak bcache
echo writeback > /sys/block/bcache0/bcache/cache_mode

# Below we now create manually what ubiquity should have done for us
# Setup LUKS device on bcache device
cryptsetup --key-size 512 luksFormat /dev/bcache0
cryptsetup luksOpen /dev/bcache0 crypted

# Setup LVM on LUKS
# You can skip that part if you don't want to use a swap
# or don't want to use multiple partition. Use /dev/mapper/crypted
# as you root latter on
pvcreate  /dev/mapper/crypted
vgcreate vg /dev/mapper/crypted
lvcreate -L 1G vg -n swap
lvcreate -l 100%FREE vg -n root

Installation

Keep the terminal opened and now run the installation. Choose "Something else" when partitioning and specify

your boot partition (/dev/sda2)
your root partition (/dev/mapper/vg-root)
your swap (/dev/mapper/vg-swap)

and check the checkbox to format your partitions

At the end of the installation, don't reboot but just click "Continue trying ubuntu"

Post-install

In our opened terminal

# Install bcache-tools to add bcache module to initramfs
mount /dev/mapper/vg-root /mnt
mount $boot /mnt/boot
mount -o bind /sys /mnt/sys
mount -o bind /proc /mnt/proc
mount -o bind /dev /mnt/dev
chroot /mnt
# To get apt-get running in the chroot
echo 'nameserver 8.8.8.8' > /run/resolvconf/resolv.conf
apt-get install bcache-tools

# Create /etc/crypttab to add crypted bcached partition
echo "crypted UUID=`blkid -o value /dev/bcache0|head -1` none luks" > /etc/crypttab

exit
sync
umount /mnt/sys
umount /mnt/proc
umount /mnt/dev
umount /mnt/boot
umount /mnt
vgchange -an /dev/mapper/crypted
cryptsetup luksClose crypted
sync

# Reboot & enjoy

There is a known Ubuntu 15.04 reboot bug from Live CD/USB so you might have to force reboot/shutdown

Check

Once booted, you can check that /dev/bcache0 is in fact a LUKS partition with

if sudo cryptsetup isLuks /dev/bcache0; then \
    echo "crypted";\
    else echo "unencrypted";\
fi

This is because it is the cache of your LUKS partition, and you now access your data via the device /dev/bcache0 and never from the original backing device (/dev/sda3 here)

References

http://bcache.evilpiepirate.org/

https://wiki.archlinux.org/index.php/Bcache

https://wiki.archlinux.org/index.php/Dm-crypt

bcache-status is not officially merged into bcache-tools, yet. You can have it here: https://gist.github.com/djwong/6343451

[1] There might be better ways to do this wiping