In this tutorial, you will learn how to encrypt drives with LUKS in Linux. LUKS, the Linux Unified Key Setup, is a standard for disk encryption. It adds a standardized header at the start of the device, a key-slot area directly behind the header and the bulk data area behind that. The whole set is called a 'LUKS container'. The device that a LUKS container resides on is called a 'LUKS device'.
Encrypting Drives with LUKS in Linux
The DOs and DON’Ts of LUKS
According to Fedora Docs, below are the DOs and DON’Ts of LUKS;
DOs;
- LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.
- The underlying contents of the encrypted block device are arbitrary. This makes it useful for encrypting swap devices. This can also be useful with certain databases that use specially formatted block devices for data storage.
- LUKS uses the existing device mapper kernel subsystem.
- LUKS provides passphrase strengthening which protects against dictionary attacks.
- LUKS devices contain multiple key slots, allowing users to add backup keys or passphrases.
DON’Ts;
- LUKS is not well-suited for applications requiring more than eight users to have distinct access keys to the same device.
- LUKS is not well-suited for applications requiring file-level encryption.
Install cryptsetup Utility
cryptsetup is a utility that is used to manage LUKS encrypted volumes. Therefore, you need to install this package.
On Ubuntu/Debian systems, run the command below to install the cryptsetup utility.
apt install cryptsetup
On CentOS and similar derivatives, simply run the command below;
yum install cryptsetup
For any other distro, consult your specific distro package manager on how to install cryptsetup utility.
Create a Block Device to Encrypt with LUKS
You can encrypt the entire root partition (easily done during initial system install), a specific partition, a logical volume or a RAID device with LUKS.
In this guide, we already created a partition, /dev/sdb1, and this is what we will use as an example.
To list the block devices on the system, simply run the lsblk command.
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 15G 0 disk
├─sda1 8:1 0 13G 0 part /
├─sda2 8:2 0 1K 0 part
└─sda5 8:5 0 2G 0 part [SWAP]
sdb 8:16 0 4G 0 disk
└─sdb1 8:17 0 4G 0 part
Format the Device with LUKS
Once you have created a device, you need to initialize it as a LUKS partition and set the initial passphrase (for key-slot 0). To do this, use the luksFormat action of the cryptsetup command in the format below;
cryptsetup [OPTION] luksFormat <device>
So for example, to encrypt the /dev/sdb1 partition above with LUKS, you would run the command below;
cryptsetup -y -v luksFormat /dev/sdb1
Note that this command overwrites any data on the disk, hence, if it is an already used drive, ensure you back up your data.
When the command runs, you are prompted to:
- confirm the formatting,
- enter and confirm the passphrase (for the first key slot (0), if the drive had no other passphrase already).
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb1:
Verify passphrase:
Key slot 0 created.
Command successful.
NOTE: The passphrase is not recoverable if lost, so keep it safe and do not forget it.
If you do not want to be prompted for a passphrase, you can use a key file instead.
echo "mypassphrase" > ~/luks-key
Next, you can specify the path to the file containing your passphrase on the command line as;
cryptsetup -y -v luksFormat /dev/sdb1 ~/luks-key
Display LUKS Device Header Information
To view the details of the LUKS device, use the luksDump action;
cryptsetup luksDump /dev/sdb1
LUKS header information
Version: 2
Epoch: 3
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 242c24d8-ac65-413d-b3a2-eb7f2f0993b0
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2i
Time cost: 4
Memory: 1003317
Threads: 2
Salt: b3 c8 b0 69 db 38 cb bd 1c 58 d0 a2 8a b8 92 12
05 47 ca dd c7 3d dd 94 c0 f7 51 04 12 fb 3a 56
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 133338
Salt: e1 9b 70 5e 87 25 46 d6 08 20 43 60 6c ae 2c 06
42 fa 61 32 f0 fc ca 5f 10 f9 3d 63 dd 22 a4 96
Digest: e9 62 ab 83 4c 3c 81 88 52 08 42 9b 47 c2 e1 b6
d5 8a 59 88 5c 17 02 54 c4 89 36 7e 5f e0 f5 ec
Obtain the UUID of LUKS Device
If you want to easily get the UUID of the LUKS device, use the luksUUID action;
cryptsetup luksUUID /dev/sdb1
This should print the UUID, which matches the one from the luksDump output: 242c24d8-ac65-413d-b3a2-eb7f2f0993b0.
Mounting LUKS Encrypted Device in Linux
Now that you have encrypted your drive/device with LUKS, it has to be opened and mounted in order for you to access it and store content in it.
Create LUKS Drive Device Mapping
Device mapping is a generic way to provide a virtual block device; you then create a filesystem on that virtual device and mount it to access your encrypted drive and store data.
To create a device mapping for the LUKS encrypted drive, use a command of the form;
cryptsetup luksOpen <device> <name>
Where:
- <device> is the device you just set LUKS encryption on, like /dev/sdb1. You can also use the device UUID instead of the device node.
- <name> is a unique name you assign to the mapped virtual block device. It will be listed as /dev/mapper/<name>. To create a unique name, you can use luks-UUID, where UUID is the one obtained above.
See example below;
cryptsetup luksOpen /dev/sdb1 luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0
If you used a key file while formatting the device, then you can specify the use of the same key file as follows;
cryptsetup luksOpen /dev/sdb1 luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 --key-file ~/luks-key
If you prefer, you can open the device by its UUID. First find it with blkid;
blkid | grep sdb1
Sample output;
/dev/sda1: UUID="242c24d8-ac65-413d-b3a2-eb7f2f0993b0" TYPE="crypto_LUKS" PARTUUID="22d456fe-9bc7-2f45-9eee-cfa50653606b"
So, you can run;
cryptsetup luksOpen /dev/disk/by-uuid/242c24d8-ac65-413d-b3a2-eb7f2f0993b0 luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0
This creates a virtual block device at /dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0.
You can list device mappers using the dmsetup command;
dmsetup ls
luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 (254:0)
You can also check the status of the virtual block device using the command cryptsetup -v status <name>.
cryptsetup -v status luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0
/dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 is active.
type: LUKS2
cipher: aes-xts-plain64
keysize: 512 bits
key location: keyring
device: /dev/sdb1
sector size: 512
offset: 32768 sectors
size: 8353792 sectors
mode: read/write
Command successful.
Create Filesystem on LUKS Device
So now that you have a virtual block device for your LUKS encrypted drive, you need to create a filesystem on it to enable you to mount and use the device.
The command below creates an ext4 filesystem on our LUKS device.
mkfs.ext4 /dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0
mke2fs 1.44.5 (15-Dec-2018)
Creating filesystem with 1044224 4k blocks and 261120 inodes
Filesystem UUID: e940b45b-dbc8-4c40-aaa5-9acf9fcb2119
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
Mounting LUKS Device in Linux
You can now mount the device using the mount command, or put an entry in the /etc/fstab file for automatic mounting during system boot.
First create a mount point; in this example we want to mount the device under /mnt.
mkdir /mnt/luks-242c24d8
To mount the device;
mount /dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 /mnt/luks-242c24d8/
Listing the mounted devices;
df -hT
Filesystem Type Size Used Avail Use% Mounted on
udev devtmpfs 984M 0 984M 0% /dev
tmpfs tmpfs 200M 3.1M 197M 2% /run
/dev/sda1 ext4 13G 3.6G 8.5G 30% /
tmpfs tmpfs 998M 8.0K 998M 1% /dev/shm
tmpfs tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs tmpfs 998M 0 998M 0% /sys/fs/cgroup
tmpfs tmpfs 200M 0 200M 0% /run/user/0
/dev/dm-0 ext4 3.9G 16M 3.7G 1% /mnt/luks-242c24d8
To configure LUKS device auto-mounting on system boot, see: Automount LUKS Encrypted Device in Linux
Close LUKS Device
To remove the existing device mapping and wipe the key from kernel memory, unmount the drive if it is mounted and close it;
umount /mnt/luks-242c24d8
cryptsetup -v luksClose luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0
If you need to mount the device again, open it with the luksOpen action and mount it as shown above.
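The whole format / open / mkfs / mount / close sequence above, collected into a script as an added example (not code from the original tutorial). It adds the checks you want before a destructive luksFormat (refuse a mounted device or one that already carries a filesystem or LUKS signature), and replaces the echo-created key file with 64 random bytes written under umask 077; it assumes cryptsetup, blkid, findmnt and mkfs.ext4 are installed and that it runs as root. The function names and the mount-point argument are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Assumes root and the
# cryptsetup, blkid, findmnt and mkfs.ext4 tools from the tutorial.

# Mapper name in the tutorial's luks-<UUID> convention.
mapper_name() {
    printf 'luks-%s\n' "$1"
}

# 0 if a blkid line reports TYPE="crypto_LUKS" (device is already LUKS-formatted).
blkid_is_luks() {
    case "$1" in *'TYPE="crypto_LUKS"'*) return 0 ;; *) return 1 ;; esac
}

# 0 if a blkid line reports any TYPE= (a filesystem or LUKS signature is present).
blkid_has_signature() {
    case "$1" in *'TYPE="'*) return 0 ;; *) return 1 ;; esac
}

# encrypt_and_mount <device> <keyfile> <mountpoint>; prints the mapper name.
encrypt_and_mount() {
    dev="$1"; keyfile="$2"; mnt="$3"
    if findmnt -n -S "$dev" >/dev/null 2>&1; then
        echo "refusing: $dev is mounted" >&2; return 1
    fi
    sig=$(blkid -p "$dev" 2>/dev/null || true)
    if blkid_has_signature "$sig"; then
        echo "refusing: $dev already has a signature: $sig" >&2; return 1
    fi
    # Random key material, created with umask 077 so the file is mode 0600.
    ( umask 077; head -c 64 /dev/urandom > "$keyfile" )
    # -q (batch mode) skips the "Type uppercase yes" prompt; the key file
    # supplies the passphrase, exactly as the tutorial's luksFormat call does.
    cryptsetup -q luksFormat "$dev" "$keyfile" || return 1
    cryptsetup isLuks "$dev" || return 1
    name=$(mapper_name "$(cryptsetup luksUUID "$dev")")
    cryptsetup luksOpen "$dev" "$name" --key-file "$keyfile" || return 1
    mkfs.ext4 -q "/dev/mapper/$name" || return 1
    mkdir -p "$mnt" && mount "/dev/mapper/$name" "$mnt" || return 1
    printf '%s\n' "$name"
}

# unmount_and_close <mountpoint> <mapper name>: removes the mapping and the key from kernel memory.
unmount_and_close() {
    umount "$1" && cryptsetup luksClose "$2"
}
```

Call it as `encrypt_and_mount /dev/sdb1 /root/luks-key /mnt/luks-242c24d8` and later `unmount_and_close /mnt/luks-242c24d8 luks-<UUID>`; the blkid check means a second run against the same partition refuses instead of reformatting it.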
And there you go.
You have created a device with LUKS encryption and can now use it to store your data.
First of all, excellent tutorial!!!
A question about this, complicating the issue: if instead of a single disk it is an LVM disk and the encryption is done on the previously created /dev/mapper/logicalvol, how would we add an additional disk to the volume group? Should we use some specific procedure when adding the new disk, or would it be done in the same way as usual?