LUKS Disk Encryption
LUKS (Linux Unified Key Setup) is the standard on-disk format for dm-crypt block device encryption on Linux, managed with cryptsetup. It encrypts a whole disk or partition at rest, so every filesystem placed on top of the container is protected, and it stores the encrypted master key in a header with up to several independently unlockable key slots.
Create Encrypted Volume
Format with LUKS
```bash
# Optional: overwrite the start of the device so stale headers and
# filesystem signatures are gone. This only covers the first 10 MiB;
# drop count= to wipe the whole device (much slower).
sudo dd if=/dev/urandom of=/dev/sdX bs=1M count=10

# Create LUKS container (destroys all data on /dev/sdX; cryptsetup asks
# for confirmation and then for the new passphrase)
sudo cryptsetup luksFormat --type luks2 /dev/sdX

# Same, with explicit options. aes-xts-plain64 with a 512-bit key
# (i.e. AES-256 in XTS mode) matches the current LUKS2 default; --hash
# selects the hash for the key digest and anti-forensic splitter, not the
# KDF (LUKS2 uses argon2id by default); --iter-time raises the PBKDF
# benchmark target from the default 2000 ms to 5000 ms per unlock.
sudo cryptsetup luksFormat --type luks2 \
    --cipher aes-xts-plain64 \
    --key-size 512 \
    --hash sha256 \
    --iter-time 5000 \
    /dev/sdX
```
Open and Format
```bash
# Open LUKS container (prompts for a passphrase; creates /dev/mapper/cryptdata)
sudo cryptsetup luksOpen /dev/sdX cryptdata

# Create filesystem on the mapped plaintext device, never on /dev/sdX itself
sudo mkfs.ext4 /dev/mapper/cryptdata

# Mount
sudo mkdir -p /mnt/encrypted
sudo mount /dev/mapper/cryptdata /mnt/encrypted
```
Key Management
Add Additional Key
```bash
# Add a passphrase to a free key slot (asks for an existing passphrase
# first, then for the new one)
sudo cryptsetup luksAddKey /dev/sdX

# Use a key file: 4096 random bytes. Anyone who can read this file can
# unlock the volume, so it must stay root-only (mode 600).
sudo dd if=/dev/urandom of=/root/luks.key bs=4096 count=1
sudo chmod 600 /root/luks.key
sudo cryptsetup luksAddKey /dev/sdX /root/luks.key
```
Remove Key
```bash
# Remove a specific key slot by number (luksDump lists the slots).
# Removing the last remaining slot makes the data permanently unrecoverable.
sudo cryptsetup luksKillSlot /dev/sdX 1

# Remove the slot that matches a passphrase (prompts for it)
sudo cryptsetup luksRemoveKey /dev/sdX
```
Backup Header
```bash
# Backup LUKS header (CRITICAL: the header holds the encrypted master key;
# if it is damaged and there is no backup, the data is gone for good).
# Keep the backup off the device and protect it like a key file: together
# with any passphrase that was valid at backup time it unlocks the data,
# even if that passphrase was removed from the live header later.
sudo cryptsetup luksHeaderBackup /dev/sdX --header-backup-file luks-header.img

# Restore header
sudo cryptsetup luksHeaderRestore /dev/sdX --header-backup-file luks-header.img
```
Auto-Mount at Boot
/etc/crypttab
```text
# /etc/crypttab format, one line per mapping:
# name      device                     key-file        options
# Use exactly one entry per mapping name; pick one of the two forms below.
# Find the UUID with: sudo cryptsetup luksUUID /dev/sdX
# Prompt for the passphrase at boot:
cryptdata /dev/disk/by-uuid/UUID none           luks
# Unlock with the root-only key file instead:
cryptdata /dev/disk/by-uuid/UUID /root/luks.key luks
```
/etc/fstab
```text
# /etc/fstab: mount the mapped device, not the raw partition
/dev/mapper/cryptdata /mnt/encrypted ext4 defaults 0 2
```
Status and Info
```bash
# View LUKS header info: version, cipher, key slots and their KDF settings
sudo cryptsetup luksDump /dev/sdX

# Check status of an open mapping
sudo cryptsetup status cryptdata

# Verify the device carries a LUKS header
sudo cryptsetup isLuks /dev/sdX && echo "Valid LUKS"
```
LUKS2 vs LUKS1
| Feature | LUKS1 | LUKS2 |
|---|---|---|
| Header size | 2MB | 4MB+ |
| Argon2 KDF | No | Yes |
| Token support | No | Yes |
| Integrity | No | Optional |
Recommendation: Use LUKS2 for new deployments.
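The luksDump output from the Status and Info section is where the recommendations in this table become checkable: header version 2, aes-xts-plain64 with a 512-bit key, and argon2id on every key slot (a slot added with PBKDF2, or carried over from a converted LUKS1 header, is the typical gap). The following audit script is an added example, not part of the original page or of cryptsetup. It parses a constructed luksDump sample with awk so it runs offline; the field layout follows real cryptsetup output but the UUID and slot values are made up, and the helper names luks_field, segment_cipher, keyslot_pbkdfs, weak_keyslots and audit_dump are my own.

```shell
#!/bin/sh
# Constructed sample of `cryptsetup luksDump` output (not from a real device).
# Slot 0 uses argon2id; slot 1 was left on PBKDF2, which the audit should flag.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          4
UUID:           00000000-0000-4000-8000-000000000000

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000'

# luks_field DUMP NAME -> value of a top-level "NAME:" line, e.g. Version
luks_field() {
  printf '%s\n' "$1" | awk -v name="$2:" '$1 == name { print $2; exit }'
}

# segment_cipher DUMP -> cipher of the first data segment
segment_cipher() {
  printf '%s\n' "$1" | awk '
    /^[^ \t]/ { in_seg = ($0 ~ /^Data segments:/); next }   # new top-level section
    in_seg && $1 == "cipher:" { print $2; exit }'
}

# keyslot_pbkdfs DUMP -> "slot kdf keybits" per key slot, Keyslots section only.
# The section filter matters: the Digests section also lists a pbkdf2 type line.
keyslot_pbkdfs() {
  printf '%s\n' "$1" | awk '
    /^[^ \t]/ { in_ks = ($0 ~ /^Keyslots:/); next }
    !in_ks { next }
    /^[ \t]+[0-9]+:/ { slot = $1; sub(/:$/, "", slot); bits = ""; pbkdf = "" }
    $1 == "Key:" { bits = $2 }
    $1 == "PBKDF:" { pbkdf = $2; print slot, pbkdf, bits }'
}

# weak_keyslots DUMP -> slot numbers whose KDF is not argon2id or whose key is
# shorter than the recommended 512-bit XTS key
weak_keyslots() {
  keyslot_pbkdfs "$1" | awk '$2 != "argon2id" || $3 + 0 < 512 { print $1 }'
}

# audit_dump DUMP -> prints findings; returns 0 when the header matches the
# recommended configuration and 1 otherwise
audit_dump() {
  rc=0
  v=$(luks_field "$1" Version)
  [ "$v" = "2" ] || { echo "FINDING: LUKS version $v (LUKS2 recommended)"; rc=1; }
  c=$(segment_cipher "$1")
  [ "$c" = "aes-xts-plain64" ] || { echo "FINDING: cipher $c (expected aes-xts-plain64)"; rc=1; }
  for s in $(weak_keyslots "$1"); do
    echo "FINDING: keyslot $s: $(keyslot_pbkdfs "$1" | awk -v s="$s" '$1 == s { print $2 " KDF, " $3 "-bit key" }') (want argon2id, 512 bits)"
    rc=1
  done
  [ "$rc" -eq 0 ] && echo "OK: LUKS2, aes-xts-plain64, every keyslot argon2id with a 512-bit key"
  return "$rc"
}

# Demo on the constructed sample. Against a live device you would run:
#   audit_dump "$(sudo cryptsetup luksDump /dev/sdX)"
audit_dump "$SAMPLE_DUMP" || echo "audit failed as expected for the sample"
```

The fix for a flagged slot is to add a fresh slot (luksAddKey on a current cryptsetup picks argon2id) and then luksKillSlot the old one, after taking a header backup.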
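The key-file steps under Key Management and the /etc/crypttab entries above depend on two things nothing enforces for you: the key file must stay readable by root only, and each mapping name may appear once. The script below is an added example (mine, not from the page, cryptsetup or systemd) that reads a crypttab file and reports duplicate names, devices not referenced by UUID, missing key files and key files readable by group or other. demo_crypttab builds a constructed crypttab with deliberately flawed entries, modelled on the page's examples, in a temporary directory so it runs without touching the real /etc/crypttab; the function names crypttab_findings and demo_crypttab are assumptions.

```shell
#!/bin/sh
# crypttab_findings FILE -> one "FINDING: ..." line per problem, no output when clean.
# Checks: entry has at least name and device, no mapping name is used twice,
# device is referenced by UUID, and any key file exists and has no group/other bits.
crypttab_findings() {
  file=$1
  seen=""
  while read -r line || [ -n "$line" ]; do
    case "$line" in "#"*|"") continue ;; esac   # comments and blank lines
    set -- $line                                # split the entry into its fields
    if [ $# -lt 2 ]; then
      echo "FINDING: malformed entry (need at least name and device): $line"
      continue
    fi
    name=$1; dev=$2; key=${3:-none}
    case " $seen " in
      *" $name "*) echo "FINDING: $name: duplicate mapping name; keep exactly one entry per name" ;;
    esac
    seen="$seen $name"
    case "$dev" in
      /dev/disk/by-uuid/*|UUID=*|/dev/disk/by-partuuid/*|PARTUUID=*) ;;
      *) echo "FINDING: $name: device '$dev' is not a UUID reference; /dev/sdX names can change between boots" ;;
    esac
    case "$key" in
      none|-) ;;                                # passphrase prompt at boot, nothing to check
      *)
        if [ ! -f "$key" ]; then
          echo "FINDING: $name: key file '$key' does not exist; unlock at boot will fail"
        else
          # ls -l permission string; characters 5-10 are the group/other bits,
          # anything but '------' there means a non-root user may read the key
          perms=$(ls -ld "$key" | cut -c1-10)
          case "$perms" in
            ????------) ;;
            *) echo "FINDING: $name: key file '$key' has mode $perms; chmod 600 it" ;;
          esac
        fi ;;
    esac
  done < "$file"
}

# demo_crypttab -> writes a constructed crypttab plus two throwaway key files
# into a temporary directory, prints the findings and cleans up.
demo_crypttab() {
  tmp=$(mktemp -d)
  : > "$tmp/good.key";  chmod 600 "$tmp/good.key"
  : > "$tmp/loose.key"; chmod 644 "$tmp/loose.key"
  cat > "$tmp/crypttab" <<EOF
# name        device                   key-file          options
cryptdata     /dev/disk/by-uuid/UUID   none              luks
cryptdata     /dev/disk/by-uuid/UUID   $tmp/good.key     luks
cryptbackup   /dev/sdb1                $tmp/loose.key    luks
cryptarchive  UUID=UUID                $tmp/missing.key  luks
EOF
  crypttab_findings "$tmp/crypttab"
  rm -rf "$tmp"
}

# Expected findings on the sample: duplicate cryptdata, /dev/sdb1 not a UUID,
# loose.key world-readable, missing.key absent. For the live file run as root:
#   crypttab_findings /etc/crypttab
demo_crypttab
```

The mode check reads the ls -l permission string rather than a stat format, so it works on any POSIX ls; ownership (the file should belong to root) is not checked here.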
- luks
- disk encryption
- cryptsetup
- dm-crypt
- security