LUKS (Linux Unified Key Setup) is the standard for full-disk encryption on Linux, and it’s surprisingly straightforward to set up.
Let’s encrypt a disk. We’ll use a simulated disk file for demonstration, but the process is identical for a physical disk or partition.
First, create a disk image file:
dd if=/dev/zero of=~/encrypted_disk.img bs=1M count=1024
This creates a 1GB file filled with zeros.
Now, set up LUKS on this "disk":
cryptsetup luksFormat ~/encrypted_disk.img
It will ask for confirmation (type YES) and then prompt you for a passphrase. Choose a strong one – this is your only key.
Next, open the LUKS container:
cryptsetup luksOpen ~/encrypted_disk.img encrypted_volume
This maps the encrypted container to a device node at /dev/mapper/encrypted_volume. You’ll be prompted for your passphrase.
Now, format the newly opened, unencrypted volume with a filesystem, for example, ext4:
mkfs.ext4 /dev/mapper/encrypted_volume
Finally, mount the filesystem:
mkdir ~/decrypted_mount
mount /dev/mapper/encrypted_volume ~/decrypted_mount
You can now read and write files to ~/decrypted_mount as if it were a regular directory.
To close and re-encrypt the volume, unmount it and then close the LUKS device:
umount ~/decrypted_mount
cryptsetup luksClose encrypted_volume
The data is now inaccessible without the passphrase.
The most surprising thing about LUKS is how it handles multiple passphrases. You’re not limited to just one. You can add additional passphrases, which is incredibly useful for recovery scenarios or for sharing access with trusted individuals. LUKS stores multiple copies of the master key, one per key slot, each encrypted under a key derived from a different passphrase. This means if you forget one passphrase, you can still unlock the disk with another.
To add a new passphrase:
cryptsetup luksAddKey ~/encrypted_disk.img
You’ll be prompted for an existing passphrase to authenticate, and then asked to enter and verify the new passphrase.
To remove a passphrase:
cryptsetup luksRemoveKey ~/encrypted_disk.img
Again, you’ll need an existing passphrase to remove another.
The luksFormat command initializes the LUKS header, which is stored at the beginning of the device. This header contains metadata, including the encrypted master keys. When you luksOpen a device, cryptsetup reads this header, prompts for your passphrase, uses it to decrypt one of the master keys, and then uses that master key to decrypt the actual data on the rest of the device.
The device node /dev/mapper/encrypted_volume is a virtual device created by the Device Mapper, a framework in the Linux kernel. It presents the decrypted contents of the LUKS container as a standard block device, allowing you to format it with any filesystem and mount it like any other drive.
The performance overhead of LUKS is generally minimal for modern CPUs due to hardware-accelerated AES (Advanced Encryption Standard) instructions. You’re unlikely to notice a significant performance hit unless you’re performing extremely I/O-intensive operations on a very old or underpowered CPU.
When you run cryptsetup luksFormat, you are not just creating an encrypted container; you are also writing a LUKS header, and that header is critical: if it becomes corrupted, your data is lost even if you remember your passphrase. For critical systems, it’s wise to back up the LUKS header separately. You can do this with:
cryptsetup luksHeaderBackup ~/encrypted_disk.img --header-backup-file ~/encrypted_disk.img.header
This command backs up the header to a file named encrypted_disk.img.header. Store this backup securely, ideally on a different physical medium. If your main encrypted volume is lost or corrupted, you can restore the header and then potentially recover your data using your passphrase.
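As an added example (not code from this page or from the cryptsetup project), here is a small Python parser that reads the LUKS header at the start of a device, image or luksHeaderBackup file and reports the version, UUID and which key slots currently hold a passphrase, tying together the key-slot behaviour and the header backup described above. It goes slightly beyond the text by handling both the LUKS1 and the LUKS2 on-disk layouts; the two build_sample_* functions construct test headers with zeroed key material and made-up UUIDs so the script runs offline.

```python
import json
import struct

# On-disk constants from cryptsetup's luks.h / luks2.h (integers are big-endian).
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_KEY_ENABLED = 0x00AC71F3                 # LUKS1 key slot 'active' marker
LUKS1_PHDR = ">6sH32s32s32sII20s32sI40s"       # 208-byte LUKS1 header; 8 x 48-byte slots follow
LUKS1_SLOT = ">II32sII"
LUKS2_BIN = ">6sHQQ48s32s64s40s48sQ184s64s"    # first 512 bytes of the 4096-byte LUKS2 header


def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def inspect_luks_header(data: bytes) -> dict:
    """Parse the LUKS header at the start of data (device, image or luksHeaderBackup
    file) and report version, UUID and which key slots hold a passphrase."""
    if data[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header: bad magic")
    version = struct.unpack(">H", data[6:8])[0]
    if version == 1:
        f = struct.unpack(LUKS1_PHDR, data[:208])
        slots = [struct.unpack(LUKS1_SLOT, data[208 + 48 * i:256 + 48 * i]) for i in range(8)]
        return {"version": 1, "cipher": f"{_cstr(f[2])}-{_cstr(f[3])}", "hash": _cstr(f[4]),
                "key_bits": f[6] * 8, "uuid": _cstr(f[10]),
                "active_slots": [i for i, s in enumerate(slots) if s[0] == LUKS1_KEY_ENABLED]}
    if version == 2:
        f = struct.unpack(LUKS2_BIN, data[:512])  # header checksum is not verified here
        hdr_size = f[2]                           # binary header + JSON area, in bytes
        meta = json.loads(_cstr(data[4096:hdr_size]))  # JSON area is NUL-padded
        return {"version": 2, "label": _cstr(f[4]), "uuid": _cstr(f[7]), "header_bytes": hdr_size,
                "active_slots": sorted(int(k) for k in meta.get("keyslots", {}))}
    raise ValueError(f"unsupported LUKS version {version}")


def build_sample_luks1_header(active=(0, 3)) -> bytes:
    """Constructed LUKS1 header with zeroed salts/digest, for offline testing only."""
    hdr = struct.pack(LUKS1_PHDR, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                      4096, 64, b"\0" * 20, b"\0" * 32, 1000, b"0000-constructed-uuid")
    for i in range(8):
        state = LUKS1_KEY_ENABLED if i in active else 0x0000DEAD
        hdr += struct.pack(LUKS1_SLOT, state, 1000, b"\0" * 32, 8 + 256 * i, 4000)
    return hdr.ljust(1024, b"\0")


def build_sample_luks2_header(slots=(0, 1, 2)) -> bytes:
    """Constructed LUKS2 header: 4096-byte binary part plus a minimal 12 KiB JSON area."""
    meta = json.dumps({"keyslots": {str(i): {"type": "luks2"} for i in slots}}).encode()
    binary = struct.pack(LUKS2_BIN, LUKS_MAGIC, 2, 16384, 1, b"backup-test", b"sha256",
                         b"\0" * 64, b"0000-constructed-uuid", b"", 0, b"\0" * 184, b"\0" * 64)
    return (binary.ljust(4096, b"\0") + meta).ljust(16384, b"\0")
```

Run inspect_luks_header(open(path, "rb").read()) on the file written by luksHeaderBackup to confirm the backup is a valid header and that the expected key slots are present before relying on it. For LUKS2 headers the script reads the metadata but does not verify the header checksum.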
The next step in managing encrypted volumes is often integrating them into system startup, such as encrypting the root filesystem or swap partitions.