In this tutorial, you will learn how to encrypt drives with LUKS in Linux. LUKS, the Linux Unified Key Setup, is a standard for disk encryption. It adds a standardized header at the start of the device, a key-slot area directly behind the header and the bulk data area behind that. The whole set is called a ‘LUKS container’. The device that a LUKS container resides on is called a ‘
According to the Fedora Docs, these are the DOs and DON'Ts of LUKS:
- LUKS encrypts entire block devices and is therefore well-suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.
- The underlying contents of the encrypted block device are arbitrary. This makes it useful for encrypting swap devices. This can also be useful with certain databases that use specially formatted block devices for data storage.
- LUKS uses the existing device mapper kernel subsystem.
- LUKS provides passphrase strengthening which protects against dictionary attacks.
- LUKS devices contain multiple key slots, allowing users to add backup keys or passphrases.
- LUKS is not well-suited for applications requiring more than eight users to have distinct access keys to the same device.
- LUKS is not well-suited for applications requiring file-level encryption.
Encrypt Drives with LUKS in Linux
So, how do you encrypt drives with LUKS in Linux?
Install cryptsetup Utility
cryptsetup is the utility used to manage LUKS encrypted volumes. Therefore, to be able to encrypt drives with LUKS in Linux, you need to install this package first.
On Ubuntu/Debian systems, run the command below to install it;
apt install cryptsetup
On CentOS and similar derivatives, simply run the command below;
yum install cryptsetup
For any other distro, consult your distro's package manager documentation on how to install the cryptsetup utility.
Create a Block Device to Encrypt with LUKS
You can encrypt the entire root partition (easily done during the initial system install), a specific partition, a logical volume or a RAID device with LUKS.
In this guide, we already created a partition, /dev/sdb1, and this is what we will use as an example of how to encrypt drives with LUKS in Linux.
To list the block devices on the system, simply run lsblk;
NAME   MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda      8:0    0  15G  0 disk
├─sda1   8:1    0  13G  0 part /
├─sda2   8:2    0   1K  0 part
└─sda5   8:5    0   2G  0 part [SWAP]
sdb      8:16   0   4G  0 disk
└─sdb1   8:17   0   4G  0 part
Format the Device with LUKS
Once you have created a device, you need to initialize it as a LUKS partition and set the initial passphrase (for key slot 0). To do this, use the luksFormat action of the cryptsetup command in the format below;
cryptsetup [OPTION] luksFormat <device>
So for example, to encrypt the /dev/sdb1 partition above with LUKS, you would run the command below;
cryptsetup -y -v luksFormat /dev/sdb1
Note that this command overwrites any data on the device irrevocably, so if it is an already used drive, ensure you back up your data first.
When the command runs you are prompted to:
- confirm the formatting by typing YES in uppercase,
- enter and confirm the passphrase (for the first key slot (0), since the drive had no other passphrase already).
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb1:
Verify passphrase:
Key slot 0 created.
Command successful.
NOTE: The passphrase is not recoverable if lost, so keep it safe and do not forget it.
If you do not want to be prompted for a passphrase, then you can use a key file instead;
echo "mypassphrase" > ~/luks-key
Next, specify the path to the file containing your passphrase on the command line as;
cryptsetup -y -v luksFormat /dev/sdb1 ~/luks-key
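Two things about the key-file approach above are easy to get wrong: echo appends a newline, so the key cryptsetup reads from the file is not the same as the word you would type at a prompt (the same file must therefore be passed to luksOpen), and a file created with the default umask is usually readable by every local user. The script below is an added example, not code from the original tutorial: it creates a key file from random bytes (there is no passphrase to remember or leak, since the file itself is the secret), refuses to overwrite an existing file, and never leaves it world-readable. The path /root/luks-key and the 64-byte size are assumptions; cryptsetup accepts arbitrary byte content as a key.

```shell
#!/bin/sh
# Added example (not from the original tutorial): create a LUKS key file
# from random bytes instead of echoing a word into a file. The file name
# and size used below are assumptions; cryptsetup accepts any bytes as a key.

# make_luks_keyfile PATH [BYTES]
# Writes BYTES random bytes (default 64) to PATH, readable by the owner only.
make_luks_keyfile() {
    path="$1"
    size="${2:-64}"
    # Refuse to silently overwrite a key file that may already unlock a volume.
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing key file: $path" >&2
        return 1
    fi
    # umask 077 inside a subshell so the file is never created world-readable,
    # not even for the instant between creation and chmod.
    (umask 077 && head -c "$size" /dev/urandom > "$path") || return 1
    chmod 0400 "$path" || return 1
    # Sanity check: the file must hold exactly the requested number of bytes.
    [ "$(wc -c < "$path" | tr -d ' ')" -eq "$size" ]
}

# keyfile_mode PATH
# Prints the symbolic permission string (e.g. -r--------) so a script can
# verify the key file is not readable by group or others before using it.
keyfile_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage (the cryptsetup steps need root and a real device, shown as comments):
#   make_luks_keyfile /root/luks-key
#   [ "$(keyfile_mode /root/luks-key)" = "-r--------" ] || exit 1
#   cryptsetup -y -v luksFormat /dev/sdb1 /root/luks-key
#   cryptsetup luksOpen /dev/sdb1 luks-<UUID> --key-file /root/luks-key
```

Keep the key file on a filesystem that is itself protected (for example the encrypted root filesystem), since anyone who can read it can open the volume; a second key slot with a passphrase you remember (cryptsetup luksAddKey) is the usual backup in case the file is lost.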
Display LUKS Device Header Information
To view the details of the LUKS device, use the luksDump action;
cryptsetup luksDump /dev/sdb1
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           242c24d8-ac65-413d-b3a2-eb7f2f0993b0
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  4
        Memory:     1003317
        Threads:    2
        Salt:       b3 c8 b0 69 db 38 cb bd 1c 58 d0 a2 8a b8 92 12
                    05 47 ca dd c7 3d dd 94 c0 f7 51 04 12 fb 3a 56
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 133338
        Salt:       e1 9b 70 5e 87 25 46 d6 08 20 43 60 6c ae 2c 06
                    42 fa 61 32 f0 fc ca 5f 10 f9 3d 63 dd 22 a4 96
        Digest:     e9 62 ab 83 4c 3c 81 88 52 08 42 9b 47 c2 e1 b6
                    d5 8a 59 88 5c 17 02 54 c4 89 36 7e 5f e0 f5 ec
Obtain the UUID of LUKS Device
If you want to easily get the UUID of the LUKS device, use the luksUUID action;
cryptsetup luksUUID /dev/sdb1
This should print a UUID that matches the one from the luksDump output.
Mounting LUKS Encrypted Device in Linux
Now that you have encrypted your drive/device with LUKS, it has to be mounted in order for you to access it and store content on it.
Create LUKS drive device mapping
Device mapping is a generic way to provide a virtual block device; you then create a filesystem on that virtual device and mount it to access your encrypted drive and store data.
To create a device mapping for the LUKS encrypted drive, use a command of this form;
cryptsetup luksOpen <device> <name>
- <device> is the device you just set up LUKS encryption on, like /dev/sdb1.
- <name> is a unique name you assign to the mapped virtual block device. It will be listed as /dev/mapper/<name>. To create a unique name, you can use luks-UUID, where UUID is the one obtained above.
See the example below;
cryptsetup luksOpen /dev/sdb1 luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0
If you used a key file while formatting the device, then you can open it with the same key file as follows;
cryptsetup luksOpen /dev/sdb1 luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 --key-file ~/luks-key
This creates a virtual block device at /dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0.
You can list device mappers using the
You can also check the status of the virtual block device using the command cryptsetup -v status <name>;
cryptsetup -v status luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0
/dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/sdb1
  sector size:  512
  offset:  32768 sectors
  size:    8353792 sectors
  mode:    read/write
Command successful.
Create Filesystem on LUKS Device
Now that you have a virtual block device for your LUKS encrypted drive, you need to create a filesystem on it so you can mount and use the device.
The command below creates an EXT4 filesystem on our LUKS device;
mkfs.ext4 /dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0
mke2fs 1.44.5 (15-Dec-2018)
Creating filesystem with 1044224 4k blocks and 261120 inodes
Filesystem UUID: e940b45b-dbc8-4c40-aaa5-9acf9fcb2119
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
Mounting LUKS Device in Linux
You can now mount the device using the mount command, or put an entry in the /etc/fstab file for auto mounting during system boot.
Create a directory to serve as the mount point; in our case we want to mount it under /mnt, at /mnt/luks-242c24d8.
To mount the device;
mount /dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 /mnt/luks-242c24d8/
Listing the mounted devices with df -hT;
Filesystem     Type      Size  Used Avail Use% Mounted on
udev           devtmpfs  984M     0  984M   0% /dev
tmpfs          tmpfs     200M  3.1M  197M   2% /run
/dev/sda1      ext4       13G  3.6G  8.5G  30% /
tmpfs          tmpfs     998M  8.0K  998M   1% /dev/shm
tmpfs          tmpfs     5.0M     0  5.0M   0% /run/lock
tmpfs          tmpfs     998M     0  998M   0% /sys/fs/cgroup
tmpfs          tmpfs     200M     0  200M   0% /run/user/0
/dev/dm-0      ext4      3.9G   16M  3.7G   1% /mnt/luks-242c24d8
Configure LUKS device auto mounting on system boot;
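Mounting at boot needs two entries: one in /etc/crypttab, which tells the boot process to open the LUKS device as /dev/mapper/luks-UUID (from the key file, or by prompting when the key-file field is "none"), and one in /etc/fstab for the mapped device, exactly as for any other filesystem. The script below is an added example, not code from the original tutorial; it builds both lines from the UUID and mapper-name convention used above, validates the UUID so a typo cannot produce an entry for a device that never appears, and appends the lines to whatever files you pass it. The mount point, key-file path and the nofail/device-timeout options are assumptions chosen for a data disk, so a missing or locked volume does not hang the boot.

```shell
#!/bin/sh
# Added example (not from the original tutorial): build the /etc/crypttab and
# /etc/fstab entries that unlock and mount a LUKS volume at boot. Only the
# mount point and key-file path are assumptions; the mapper name follows the
# luks-<UUID> convention used in the tutorial.

# validate_uuid UUID
# Accept only the 8-4-4-4-12 lowercase hex form that cryptsetup luksUUID
# prints; anything else is rejected before it reaches a system file.
validate_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# luks_crypttab_line UUID [KEYFILE]
# crypttab format: <mapper name> <source device> <key file> <options>
# "none" as the key file makes the boot process prompt for the passphrase
# instead of reading a key from disk.
luks_crypttab_line() {
    uuid="$1"
    keyfile="${2:-none}"
    printf 'luks-%s UUID=%s %s luks\n' "$uuid" "$uuid" "$keyfile"
}

# luks_fstab_line UUID MOUNTPOINT [FSTYPE]
# fstab format: <device> <mount point> <type> <options> <dump> <pass>
# "nofail" keeps the boot from failing if the volume could not be unlocked,
# and x-systemd.device-timeout caps how long systemd waits for the mapper
# device to appear (assumed values for a non-root data disk).
luks_fstab_line() {
    uuid="$1"
    mountpoint="$2"
    fstype="${3:-ext4}"
    printf '/dev/mapper/luks-%s %s %s defaults,nofail,x-systemd.device-timeout=30 0 2\n' \
        "$uuid" "$mountpoint" "$fstype"
}

# append_boot_entries UUID MOUNTPOINT KEYFILE CRYPTTAB_PATH FSTAB_PATH
# Validates the UUID, then appends one line to each target file. The file
# paths are parameters so the function can be exercised against copies
# before touching /etc/crypttab and /etc/fstab.
append_boot_entries() {
    uuid="$1"; mountpoint="$2"; keyfile="$3"; crypttab="$4"; fstab="$5"
    validate_uuid "$uuid" || { echo "invalid LUKS UUID: $uuid" >&2; return 1; }
    luks_crypttab_line "$uuid" "$keyfile" >> "$crypttab" || return 1
    luks_fstab_line "$uuid" "$mountpoint" >> "$fstab"
}

# Usage with the UUID from this tutorial (run as root on the real system):
#   mkdir -p /mnt/luks-242c24d8
#   append_boot_entries 242c24d8-ac65-413d-b3a2-eb7f2f0993b0 /mnt/luks-242c24d8 \
#       /root/luks-key /etc/crypttab /etc/fstab
```

After adding the entries, check them without rebooting: systemctl daemon-reload followed by a plain mount of the mount point will read the new fstab line, and a key file referenced from crypttab must be readable by root only and live on a filesystem that is already available early in boot.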
Close LUKS Device
To remove the existing device mapping and wipe the key from kernel memory, unmount the drive if it is mounted and close it;
cryptsetup -v luksClose luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0
If you need to mount the device again, open it with the luksOpen action and mount it as shown above.
And there you go.
You have created a device with LUKS encryption and can now use it to store your data.
That concludes our guide on how to encrypt drives with LUKS in Linux.