{"id":1007,"date":"2025-02-21T09:50:36","date_gmt":"2025-02-21T06:50:36","guid":{"rendered":"https:\/\/itgen.itbumper.com\/?page_id=1007"},"modified":"2025-02-21T09:50:37","modified_gmt":"2025-02-21T06:50:37","slug":"luks-cheat-sheet","status":"publish","type":"page","link":"https:\/\/itgen.itbumper.com\/?page_id=1007","title":{"rendered":"LUKS Cheat Sheet"},"content":{"rendered":"<ol>\n<li>\n<p><strong> Initialize and Encrypt a Disk with LUKS<\/strong><\/p>\n<\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\">Format a partition with LUKS encryption:<\/span><\/p>\n<p><strong><em>sudo cryptsetup luksFormat \/dev\/sdX<\/em><\/strong><\/p>\n<\/p>\n<p><span style=\"text-decoration: underline;\">Using a key file instead of a passphrase:<\/span><\/p>\n<p><em><strong>sudo dd if=\/dev\/random of=\/root\/luks-keyfile bs=4096 count=1<\/strong><\/em><\/p>\n<p><em><strong>sudo chmod 600 \/root\/luks-keyfile<\/strong><\/em><\/p>\n<p><em><strong>sudo cryptsetup luksFormat \/dev\/sdX \/root\/luks-keyfile<\/strong><\/em><\/p>\n<\/p>\n<ol start=\"2\">\n<li><strong>Open and Map a LUKS Encrypted Device<\/strong><\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\">Unlock the encrypted partition:<\/span><\/p>\n<p><strong><em>sudo cryptsetup luksOpen \/dev\/sdX my_encrypted_volume<\/em><\/strong><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Using a key file:<\/strong><\/span><\/p>\n<p><em><strong>sudo cryptsetup luksOpen \/dev\/sdX my_encrypted_volume &#8211;key-file \/root\/luks-keyfile<\/strong><\/em><\/p>\n<\/p>\n<ol start=\"3\">\n<li><strong> Create a Filesystem on the Encrypted Partition<\/strong><\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\">After unlocking, format it with a filesystem:<\/span><\/p>\n<p><em><strong>sudo mkfs.ext4 \/dev\/mapper\/my_encrypted_volume<\/strong><\/em><\/p>\n<\/p>\n<ol start=\"4\">\n<li><strong> Mount and Unmount the Encrypted Volume<\/strong><\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\">Mount the filesystem:<\/span><\/p>\n<p><em><strong>sudo mount \/dev\/mapper\/my_encrypted_volume \/mnt\/encrypted<\/strong><\/em><\/p>\n<p><span style=\"text-decoration: underline;\">Unmount when done:<\/span><\/p>\n<p><strong><em>sudo umount \/mnt\/encrypted<\/em><\/strong><\/p>\n<p><span style=\"text-decoration: underline;\">Close the encrypted volume:<\/span><\/p>\n<p><strong><em>sudo cryptsetup luksClose my_encrypted_volume<\/em><\/strong><\/p>\n<\/p>\n<ol start=\"5\">\n<li><strong> Automatically Unlock LUKS at Boot<\/strong><\/li>\n<\/ol>\n<p>Edit <span style=\"text-decoration: underline;\"><strong>\/etc\/crypttab<\/strong><\/span> to include:<\/p>\n<p><em><strong>my_encrypted_volume\u00a0 UUID=your-uuid\u00a0 \/root\/luks-keyfile\u00a0 luks<\/strong><\/em><\/p>\n<p><span style=\"text-decoration: underline;\">Find UUID with:<\/span><\/p>\n<p><strong><em>blkid \/dev\/sdX<\/em><\/strong><\/p>\n<p>Then add to<span style=\"text-decoration: underline;\"><strong> \/etc\/fstab<\/strong><\/span>:<\/p>\n<p><strong><em>\/dev\/mapper\/my_encrypted_volume\u00a0 \/mnt\/encrypted\u00a0 ext4\u00a0 defaults\u00a0 0\u00a0 2<\/em><\/strong><\/p>\n<p><span style=\"text-decoration: underline;\">Update initramfs:<\/span><\/p>\n<p><em><strong>sudo update-initramfs -u<\/strong><\/em><\/p>\n<\/p>\n<ol start=\"6\">\n<li><strong> Add and Remove LUKS Keys<\/strong><\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\">Add a new key:<\/span><\/p>\n<p><em><strong>sudo cryptsetup luksAddKey \/dev\/sdX \/root\/luks-keyfile<\/strong><\/em><\/p>\n<p><span style=\"text-decoration: underline;\">Remove an old key:<\/span><\/p>\n<p><em><strong>sudo cryptsetup luksRemoveKey \/dev\/sdX<\/strong><\/em><\/p>\n<p><span style=\"text-decoration: underline;\">List key slots:<\/span><\/p>\n<p><em><strong>sudo cryptsetup luksDump \/dev\/sdX<\/strong><\/em><\/p>\n<\/p>\n<ol start=\"7\">\n<li><strong>Backup and Restore LUKS Header<\/strong><\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\">Backup the LUKS header:<\/span><\/p>\n<p><em><strong>sudo cryptsetup luksHeaderBackup \/dev\/sdX &#8211;header-backup-file luks-header.img<\/strong><\/em><\/p>\n<p><span style=\"text-decoration: underline;\">Restore the LUKS header:<\/span><\/p>\n<p><em><strong>sudo cryptsetup luksHeaderRestore \/dev\/sdX &#8211;header-backup-file luks-header.img<\/strong><\/em><\/p>\n<\/p>\n<ol start=\"8\">\n<li><strong> Resize LUKS Encrypted Partition<\/strong><\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\">If the partition was resized, update LUKS metadata:<\/span><\/p>\n<p><em><strong>sudo cryptsetup resize my_encrypted_volume<\/strong><\/em><\/p>\n<p><em><strong>sudo resize2fs \/dev\/mapper\/my_encrypted_volume<\/strong><\/em><\/p>\n<\/p>\n<ol start=\"9\">\n<li><strong> Securely Wipe LUKS Partition<\/strong><\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\">To erase LUKS metadata and make recovery impossible:<\/span><\/p>\n<p><em><strong>sudo cryptsetup luksErase \/dev\/sdX<\/strong><\/em><\/p>\n<p><span style=\"text-decoration: underline;\">To wipe the entire partition:<\/span><\/p>\n<p><strong><em>sudo dd if=\/dev\/urandom of=\/dev\/sdX bs=1M status=progress<\/em><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Initialize and Encrypt a Disk with LUKS Format a partition with LUKS encryption: sudo cryptsetup luksFormat \/dev\/sdX Using a key file instead of a passphrase: sudo dd if=\/dev\/random of=\/root\/luks-keyfile bs=4096 count=1 sudo chmod 600 \/root\/luks-keyfile sudo cryptsetup luksFormat \/dev\/sdX \/root\/luks-keyfile Open and Map a LUKS Encrypted Device Unlock the encrypted partition: sudo cryptsetup luksOpen \/dev\/sdX &hellip; <a href=\"https:\/\/itgen.itbumper.com\/?page_id=1007\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;LUKS Cheat Sheet&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"categories":[],"tags":[],"_links":{"self":[{"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/pages\/1007"}],"collection":[{"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1007"}],"version-history":[{"count":1,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/pages\/1007\/revisions"}],"predecessor-version":[{"id":1008,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=\/wp\/v2\/pages\/1007\/revisions\/1008"}],"wp:attachment":[{"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itgen.itbumper.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}