LUKS full-disk encryption on Linux is easy to set up, but the step most people get wrong is the passphrase. The cipher, the key size and the key-derivation function all have sane defaults; the passphrase is the one input you choose yourself, and the whole scheme is only as strong as that passphrase is hard to guess.

Let’s encrypt a fresh drive. We’ll use /dev/sdb as our example, but replace this with your actual device name, and confirm it with lsblk before running anything below: every command here destroys whatever is on the device you name.

First, make sure the drive is clean. If there’s any data on it, back it up now.

sudo sgdisk --zap-all /dev/sdb

This command zaps the GPT and protective MBR partition tables on /dev/sdb so nothing else will claim the device. It does not erase the data itself: old file contents stay on the platters until they are overwritten. If the drive ever held sensitive plaintext, overwrite it first (slowly, with random bytes from /dev/urandom, or much faster by opening the drive as a plain dm-crypt mapping with a throwaway random key and writing zeros through it). A random fill also makes encrypted blocks indistinguishable from unused space.

Now, we create the LUKS container. This writes the LUKS header to the start of the device; the encrypted data will live after it. Recent cryptsetup releases default to LUKS2 with Argon2id as the passphrase key-derivation function.

sudo cryptsetup luksFormat /dev/sdb

You’ll first see a warning about overwriting data. Type YES in uppercase to confirm.

You’ll then be prompted to enter your passphrase twice. Choose a passphrase that is long and unique. Think of a passphrase, not a password: something like "MyCatAteMyHomeworkOnTuesday" is far better than "password123", and a randomly generated string of five or six dictionary words is better still, because it has no grammar or personal detail for an attacker to guess. Argon2id makes each guess expensive, but it cannot rescue a passphrase that falls in a few thousand tries.

Next, we open the LUKS container. This creates a decrypted mapping in /dev/mapper/, which we can then format with a standard filesystem.

sudo cryptsetup open /dev/sdb crypted_drive

Here, crypted_drive is the name for our decrypted device. It will appear as /dev/mapper/crypted_drive. You’ll be prompted for the passphrase you just set.

Now, format the decrypted device with a filesystem, like ext4.

sudo mkfs.ext4 /dev/mapper/crypted_drive

This creates the filesystem structure on the plaintext side of the mapping; everything written through /dev/mapper/crypted_drive is encrypted before it reaches /dev/sdb.

Finally, we can mount it.

sudo mkdir /mnt/encrypted
sudo mount /dev/mapper/crypted_drive /mnt/encrypted

You can now access your encrypted storage at /mnt/encrypted. When you’re done, always close the LUKS container:

sudo umount /mnt/encrypted
sudo cryptsetup close crypted_drive

Once closed, the kernel discards the master key, and the data is inaccessible without a passphrase for one of the key slots.

The part of LUKS worth understanding is its key management. Your passphrase never encrypts the data directly, and it is never stored on disk. When you ran luksFormat, cryptsetup generated a random master key (LUKS2 calls it the volume key); that key is what actually encrypts the data. Your passphrase is run through a slow key-derivation function (PBKDF2 in LUKS1, Argon2id by default in LUKS2) with a per-slot salt, and the resulting derived key encrypts a copy of the master key. That encrypted copy is what sits in a key slot in the LUKS header, split with an anti-forensic scheme so that deleting a slot really destroys it. This is why one container can have several passphrases or key files: each key slot holds the same master key wrapped under a different derived key, and adding or removing a passphrase only rewrites a slot in the header, never the data. It is also why the header matters so much: lose it and the master key is gone with it, so export a header backup (cryptsetup’s luksHeaderBackup action) and keep it somewhere other than this drive.
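To make the key-slot model concrete, here is an added example (it is not code from the original article) that exercises it with cryptsetup against a throwaway image file, so no real disk is touched. It assumes cryptsetup 2.x with LUKS2 support and enough privilege to run it (root is the safe assumption); the two passphrases, the image size and the abridged luksDump excerpt used to exercise the slot parser offline are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: two passphrases, one master
# key. Works on a scratch image under mktemp -d, never on a real device.
# Assumes cryptsetup 2.x (LUKS2). The passphrases below are constructed.
set -eu

# Print the numbers of the active key slots from `cryptsetup luksDump` output
# read on stdin. Handles the LUKS2 "Keyslots:" section and the LUKS1
# "Key Slot N: ENABLED" lines.
active_keyslots() {
  awk '
    /^Keyslots:/                { in_slots = 1; next }
    /^(Tokens|Digests):/        { in_slots = 0 }
    in_slots && /^  [0-9]+: /   { sub(":", "", $1); print $1 }
    /^Key Slot [0-9]+: ENABLED/ { print $3 + 0 }
  '
}

# Constructed, abridged luksDump output for exercising active_keyslots
# offline; a real dump has many more fields per slot.
SAMPLE_DUMP='LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        PBKDF:      argon2id
  1: luks2
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

luks_keyslot_demo() {
  work=$(mktemp -d)
  img="$work/scratch.img"
  truncate -s 64M "$img"
  # Key files are written without a trailing newline, which is how cryptsetup
  # reads --key-file input; interactive prompts stop at the newline instead.
  printf '%s' 'first-passphrase-for-slot-0' > "$work/pass1"
  printf '%s' 'second-passphrase-for-slot-1' > "$work/pass2"

  # Slot 0: wrap the newly generated master key under a key derived from pass1.
  cryptsetup luksFormat -q --type luks2 --pbkdf argon2id --key-file "$work/pass1" "$img"

  # Slot 1: luksAddKey unwraps the master key with pass1, then wraps the SAME
  # master key under a key derived from pass2. Nothing in the data area changes.
  cryptsetup luksAddKey --key-file "$work/pass1" "$img" "$work/pass2"
  echo "active slots after luksAddKey: $(cryptsetup luksDump "$img" | active_keyslots | paste -sd ' ')"

  # --test-passphrase verifies a passphrase without activating a mapping.
  cryptsetup open --test-passphrase --key-file "$work/pass1" "$img"
  cryptsetup open --test-passphrase --key-file "$work/pass2" "$img"

  # Retire pass1: only its key slot in the header is wiped; no re-encryption.
  cryptsetup luksRemoveKey "$img" "$work/pass1"
  echo "active slots after luksRemoveKey: $(cryptsetup luksDump "$img" | active_keyslots | paste -sd ' ')"

  if cryptsetup open --test-passphrase --key-file "$work/pass1" "$img" 2>/dev/null; then
    echo "retired passphrase still accepted" >&2
    rm -rf "$work"
    return 1
  fi
  cryptsetup open --test-passphrase --key-file "$work/pass2" "$img"
  echo "pass1 rejected, pass2 still unlocks the same master key"
  rm -rf "$work"
}

# Run the live demo only when asked: sh luks_keyslots.sh demo
if [ "${1:-}" = demo ]; then
  luks_keyslot_demo
fi
```

Argon2id parameters are benchmarked on the machine you run this on, so luksFormat and luksAddKey each take a couple of seconds by design; that delay is the per-guess cost an attacker pays. Note that a header backup taken before luksRemoveKey still contains the retired slot, so whoever holds that backup plus the old passphrase can still unwrap the master key: refresh your header backup after changing passphrases and destroy the old copies.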

To make this persistent across reboots, you’ll need an entry in /etc/crypttab (which unlocks the container at boot, prompting for the passphrase) and one in /etc/fstab for the opened mapping. Reference the container by its LUKS UUID rather than /dev/sdb, since device names can change between boots.
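The steps above, plus the crypttab and fstab wiring, as one script. This is an added example and not code from the original article: it assumes cryptsetup 2.x with LUKS2, sgdisk, lsblk and GNU dd on the PATH, follows the article’s names (/dev/sdb, crypted_drive, /mnt/encrypted), and adds its own conventions for the header-backup path and a WIPE switch for the optional random fill.

```shell
#!/bin/sh
# Added example, not code from the original article: the article's steps as a
# script with the safety checks a practitioner wants before luksFormat touches
# a disk. Assumes cryptsetup 2.x (LUKS2), sgdisk, lsblk and GNU dd. The header
# backup path and the WIPE switch are this example's own conventions.
set -eu

# Refuse anything that is not a block device, or that has a mounted filesystem
# or active swap on it or on one of its partitions.
require_unmounted_blockdev() {
  dev=$1
  if [ ! -b "$dev" ]; then
    echo "$dev is not a block device" >&2
    return 1
  fi
  if lsblk -rno MOUNTPOINT "$dev" | grep -q .; then
    echo "$dev (or a partition on it) is in use; unmount it first" >&2
    return 1
  fi
}

# Optional: overwrite the whole drive so old plaintext is gone and encrypted
# blocks are indistinguishable from unused space. Writing zeros through a
# throwaway plain dm-crypt mapping keyed from /dev/urandom is far faster than
# reading /dev/urandom directly.
fill_random() {
  cryptsetup open --type plain --key-file /dev/urandom "$1" wipe_me
  dd if=/dev/zero of=/dev/mapper/wipe_me bs=1M status=progress || true  # dd exits 1 at end of device
  cryptsetup close wipe_me
}

# /etc/crypttab entry: mapping name, LUKS UUID, no key file (prompt at boot), options.
crypttab_line() {
  printf '%s UUID=%s none luks\n' "$1" "$2"
}

# /etc/fstab entry for the opened mapping.
fstab_line() {
  printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"
}

encrypt_drive() {
  dev=$1 name=$2 mnt=$3 hdr_backup=$4
  require_unmounted_blockdev "$dev"

  # Wipes the partition tables only; see fill_random for the data itself.
  sgdisk --zap-all "$dev"
  if [ "${WIPE:-0}" = 1 ]; then
    fill_random "$dev"
  fi

  # LUKS2 with Argon2id: memory-hard KDF, so each passphrase guess is expensive.
  cryptsetup luksFormat --type luks2 --pbkdf argon2id "$dev"

  # The header holds the only copy of the wrapped master key; without it the
  # data is gone. Keep the backup off this drive.
  cryptsetup luksHeaderBackup "$dev" --header-backup-file "$hdr_backup"

  cryptsetup open "$dev" "$name"
  mkfs.ext4 "/dev/mapper/$name"
  mkdir -p "$mnt"
  mount "/dev/mapper/$name" "$mnt"

  # Persist by LUKS UUID, not by /dev/sdX, which can change between boots.
  uuid=$(cryptsetup luksUUID "$dev")
  echo "Add to /etc/crypttab: $(crypttab_line "$name" "$uuid")"
  echo "Add to /etc/fstab:    $(fstab_line "$name" "$mnt")"
}

# Usage (as root): WIPE=1 sh encrypt_drive.sh /dev/sdb crypted_drive /mnt/encrypted /root/sdb-header.img
if [ $# -eq 4 ]; then
  encrypt_drive "$1" "$2" "$3" "$4"
fi
```

Two trade-offs the script leaves to you. On an SSD you may want discard in the crypttab options so TRIM passes through, at the cost of revealing which blocks are in use. And the header backup contains every key slot as of the moment it was taken, so a passphrase you later remove still unlocks the backup: refresh the backup after any passphrase change and destroy the old one.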
