- Initialize and Encrypt a Disk with LUKS
Format a partition with LUKS encryption:
sudo cryptsetup luksFormat /dev/sdX
Using a key file instead of a passphrase:
sudo dd if=/dev/random of=/root/luks-keyfile bs=4096 count=1
sudo chmod 600 /root/luks-keyfile
sudo cryptsetup luksFormat /dev/sdX /root/luks-keyfile
- Open and Map a LUKS Encrypted Device
Unlock the encrypted partition:
sudo cryptsetup luksOpen /dev/sdX my_encrypted_volume
Using a key file:
sudo cryptsetup luksOpen /dev/sdX my_encrypted_volume --key-file /root/luks-keyfile
- Create a Filesystem on the Encrypted Partition
After unlocking, format it with a filesystem:
sudo mkfs.ext4 /dev/mapper/my_encrypted_volume
- Mount and Unmount the Encrypted Volume
Mount the filesystem:
sudo mount /dev/mapper/my_encrypted_volume /mnt/encrypted
Unmount when done:
sudo umount /mnt/encrypted
Close the encrypted volume:
sudo cryptsetup luksClose my_encrypted_volume
- Automatically Unlock LUKS at Boot
Edit /etc/crypttab to include:
my_encrypted_volume UUID=your-uuid /root/luks-keyfile luks
Find UUID with:
blkid /dev/sdX
Then add to /etc/fstab:
/dev/mapper/my_encrypted_volume /mnt/encrypted ext4 defaults 0 2
Update initramfs:
sudo update-initramfs -u
- Add and Remove LUKS Keys
Add a new key:
sudo cryptsetup luksAddKey /dev/sdX /root/luks-keyfile
Remove an old key:
sudo cryptsetup luksRemoveKey /dev/sdX
List key slots:
sudo cryptsetup luksDump /dev/sdX
- Backup and Restore LUKS Header
Backup the LUKS header:
sudo cryptsetup luksHeaderBackup /dev/sdX --header-backup-file luks-header.img
Restore the LUKS header:
sudo cryptsetup luksHeaderRestore /dev/sdX --header-backup-file luks-header.img
- Resize LUKS Encrypted Partition
If the partition was resized, resize the unlocked mapping to match, then grow the filesystem:
sudo cryptsetup resize my_encrypted_volume
sudo resize2fs /dev/mapper/my_encrypted_volume
- Securely Wipe LUKS Partition
To erase all LUKS key slots and make recovery impossible (unless a header backup exists):
sudo cryptsetup luksErase /dev/sdX
To wipe the entire partition:
sudo dd if=/dev/urandom of=/dev/sdX bs=1M status=progress
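A check for the /etc/crypttab entry and key file permissions from "Automatically Unlock LUKS at Boot", as an added example that is not part of the original page. The function name check_crypttab is hypothetical and the sample crypttab and key file are constructed temporary files.

```shell
#!/usr/bin/env bash
# check_crypttab FILE: print one finding per line; exit status 1 if any.
# The body runs in a subshell, so its variables do not leak to the caller.
check_crypttab() (
    rc=0
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac      # blank line or comment
        # Kernel names such as /dev/sdb1 can change between boots.
        case $dev in
            UUID=*|PARTUUID=*|LABEL=*|PARTLABEL=*|/dev/disk/by-*|/dev/mapper/*) ;;
            *) echo "$name: device '$dev' is not a stable identifier"; rc=1 ;;
        esac
        # 'none' or '-' means a passphrase prompt: no file to inspect.
        case $key in ''|none|-) continue ;; esac
        if [ ! -f "$key" ]; then
            echo "$name: key file '$key' not found"; rc=1
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        if [ "$(ls -ld -- "$key" | cut -c5-10)" != "------" ]; then
            echo "$name: key file '$key' is accessible to group or other"; rc=1
        fi
    done < "$1"
    [ "$rc" -eq 0 ]
)

# Constructed sample input (temporary files, not a real system's crypttab).
demo=$(mktemp -d)
: > "$demo/keyfile"; chmod 644 "$demo/keyfile"
printf '%s\n' "my_encrypted_volume /dev/sdb1 $demo/keyfile luks" > "$demo/crypttab"
check_crypttab "$demo/crypttab"
rm -rf "$demo"
```

On a real system, run it as root against /etc/crypttab so the key file under /root is readable to the check.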