Linux disk encryption

From Dusal encyclopedia
Revision as of 20:08, 24 October 2020 by user Almas (Talk | contributions)


How To Linux Hard Disk Encryption With LUKS [ cryptsetup encrypt command ]

Author: Vivek Gite | Last updated: August 21, 2020 | 47 comments

Dear nixCraft,

   I carry my Linux powered laptop just about everywhere. How do I protect the private data stored on a partition or on removable storage media against bare-metal attacks, where anyone can get their hands on my laptop or USB pen drive while I am traveling?

–Sincerely, Worried about my data.


Linux Hard Disk Encryption

That's actually a great question. Many enterprise, small business, and government users need to encrypt their laptops to protect confidential information such as customer details, files, contact information, and much more. Linux supports the following cryptographic techniques to protect a hard disk, directory, or partition. Data written through any of them is encrypted and decrypted transparently, on the fly.

Linux encryption methods

There are two classes of methods, working at different layers of the storage stack:

Filesystem stacked level encryption

   eCryptfs – It is a cryptographic stacked Linux filesystem. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts; the file will be decrypted with the proper key in the Linux kernel keyring. This solution is widely used, as the basis for Ubuntu’s Encrypted Home Directory, natively within Google’s ChromeOS, and transparently embedded in several network attached storage (NAS) devices.
   EncFS – It provides an encrypted filesystem in user space. It runs without any special permissions and uses the FUSE library and the kernel's FUSE module to provide the filesystem interface. EncFS is open source software, licensed under the GPL.

Block device level encryption

   Loop-AES – Fast and transparent file system and swap encryption package for linux. No source code changes to linux kernel. Works with 3.x, 2.6, 2.4, 2.2 and 2.0 kernels.
   VeraCrypt – It is free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux based on TrueCrypt codebase.
   dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in the Linux kernel (v2.6 and later) and in DragonFly BSD. It can encrypt whole disks, removable media, partitions, software RAID volumes, logical volumes, and files. LUKS (Linux Unified Key Setup) is the on-disk header format layered on top of dm-crypt: it records the cipher parameters and holds several key slots (8 in LUKS1, 32 in LUKS2), each protected by its own passphrase, so one volume can be unlocked with more than one passphrase.

In this tutorial, I will explain how to encrypt your partitions using the Linux Unified Key Setup on-disk format (LUKS) on your Linux based computer or laptop.

Step 1: Install cryptsetup utility on Linux

You need to install the following package. It contains cryptsetup, a utility for setting up encrypted filesystems using Device Mapper and the dm-crypt target. Debian / Ubuntu Linux users type the following apt-get command or apt command:

# apt-get install cryptsetup

OR

$ sudo apt install cryptsetup

Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  console-setup console-setup-linux cryptsetup-bin kbd keyboard-configuration xkb-data
Suggested packages:
  dosfstools keyutils
The following NEW packages will be installed:
  console-setup console-setup-linux cryptsetup cryptsetup-bin kbd keyboard-configuration xkb-data
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,130 kB of archives.
After this operation, 13.2 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 stretch/main amd64 kbd amd64 2.0.3-2+b1 [343 kB]
Get:2 stretch/main amd64 keyboard-configuration all 1.164 [644 kB]
Get:3 stretch/main amd64 console-setup-linux all 1.164 [983 kB]
Get:4 stretch/main amd64 xkb-data all 2.19-1 [648 kB]
Get:5 stretch/main amd64 console-setup all 1.164 [117 kB]
Get:6 stretch/main amd64 cryptsetup-bin amd64 2:1.7.3-4 [221 kB]
Get:7 stretch/main amd64 cryptsetup amd64 2:1.7.3-4 [174 kB]
Fetched 3,130 kB in 0s (7,803 kB/s)
Preconfiguring packages ...
Selecting previously unselected package kbd.
(Reading database ... 22194 files and directories currently installed.)
Preparing to unpack .../0-kbd_2.0.3-2+b1_amd64.deb ...
Unpacking kbd (2.0.3-2+b1) ...
Selecting previously unselected package keyboard-configuration.
Preparing to unpack .../1-keyboard-configuration_1.164_all.deb ...
Unpacking keyboard-configuration (1.164) ...
Selecting previously unselected package console-setup-linux.
Preparing to unpack .../2-console-setup-linux_1.164_all.deb ...
Unpacking console-setup-linux (1.164) ...
Selecting previously unselected package xkb-data.
Preparing to unpack .../3-xkb-data_2.19-1_all.deb ...
Unpacking xkb-data (2.19-1) ...
Selecting previously unselected package console-setup.
Preparing to unpack .../4-console-setup_1.164_all.deb ...
Unpacking console-setup (1.164) ...
Selecting previously unselected package cryptsetup-bin.
Preparing to unpack .../5-cryptsetup-bin_2%3a1.7.3-4_amd64.deb ...
Unpacking cryptsetup-bin (2:1.7.3-4) ...
Selecting previously unselected package cryptsetup.
Preparing to unpack .../6-cryptsetup_2%3a1.7.3-4_amd64.deb ...
Unpacking cryptsetup (2:1.7.3-4) ...
Setting up keyboard-configuration (1.164) ...
Setting up xkb-data (2.19-1) ...
Setting up kbd (2.0.3-2+b1) ...
Processing triggers for systemd (232-25+deb9u1) ...
Setting up cryptsetup-bin (2:1.7.3-4) ...
Processing triggers for man-db ( ...
Setting up console-setup-linux (1.164) ...
Created symlink /etc/systemd/system/ → /lib/systemd/system/keyboard-setup.service.
Created symlink /etc/systemd/system/ → /lib/systemd/system/console-setup.service.
Setting up console-setup (1.164) ...
Setting up cryptsetup (2:1.7.3-4) ...
update-initramfs: deferring update (trigger activated)
Processing triggers for systemd (232-25+deb9u1) ...
Processing triggers for initramfs-tools (0.130) ...
update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64

Note the version installed here (2:1.7.3-4, from Debian stretch): cryptsetup 1.7 predates the LUKS2 format, so the --type luks2 option used later in this tutorial requires cryptsetup 2.0 or newer.

Tools needed to encrypt your hard drive in RHEL/CentOS/Fedora Linux

RHEL / CentOS / Oracle / Scientific Linux users type the following yum command:

# yum install cryptsetup-luks

Fedora Linux users use the dnf command:

# dnf install cryptsetup-luks

On current Fedora and RHEL releases the package is simply named cryptsetup; install that if cryptsetup-luks is reported as not found.

Step 2: Configure LUKS partition

WARNING! The following command will remove all data on the partition that you are encrypting. You WILL lose all your information, and running it against the wrong device (for example the one holding your root filesystem) will leave the computer unbootable. So make sure you back up your data to an external source such as a NAS or hard disk before typing any of the following commands, and double-check the device name.

Open the terminal and list all Linux partitions/disks, then pick the device to encrypt. Either a whole disk such as /dev/sdc or a single partition such as /dev/sdc1 works; a whole-disk LUKS device simply carries no partition table.

# fdisk -l

The syntax is:

cryptsetup luksFormat --type luks1 /dev/DEVICE
cryptsetup luksFormat --type luks2 /dev/DEVICE

In this example, I'm going to encrypt /dev/xvdc. Type the following command (-y asks for the passphrase twice to catch typos, -v makes cryptsetup verbose):

# cryptsetup -y -v luksFormat /dev/xvdc

Sample outputs:

This will overwrite data on /dev/xvdc irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

To use the LUKS2 format on /dev/sdc instead, run:

# cryptsetup -y -v --type luks2 luksFormat /dev/sdc

Without --type, cryptsetup 1.x and 2.0 create LUKS1, while cryptsetup 2.1 and later default to LUKS2; the sample outputs in this tutorial come from a LUKS1 volume. A LUKS2 device needs cryptsetup 2.0 or newer on every system that will open it. The cipher, mode and key size likewise follow the cryptsetup default at format time unless you pass --cipher and --key-size explicitly, so check the result with luksDump (below) rather than assuming.

This command initializes the volume and sets an initial key or passphrase. Please note that the passphrase is not recoverable, so do not forget it. Type the following command to create a mapping:

# cryptsetup luksOpen /dev/xvdc backup2

(Newer cryptsetup releases spell this cryptsetup open /dev/xvdc backup2; luksOpen is still accepted as an alias.)

Sample outputs:

Enter passphrase for /dev/xvdc:

Once the supplied key material has been verified against the header written by luksFormat, the decrypted view of the device appears as /dev/mapper/backup2:

# ls -l /dev/mapper/backup2

Sample outputs:

lrwxrwxrwx 1 root root 7 Oct 19 19:37 /dev/mapper/backup2 -> ../dm-0

You can use the following command to see the status for the mapping:

# cryptsetup -v status backup2

Sample outputs:

/dev/mapper/backup2 is active.

 type:    LUKS1
 cipher:  aes-cbc-essiv:sha256
 keysize: 256 bits
 device:  /dev/xvdc
 offset:  4096 sectors
 size:    419426304 sectors
 mode:    read/write

Command successful.

You can dump LUKS headers using the following command:

# cryptsetup luksDump /dev/xvdc

Sample outputs:

LUKS header information for /dev/xvdc

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      21 07 68 54 77 96 11 34 f2 ec 17 e9 85 8a 12 c3 1f 3e cf 5f
MK salt:        8c a6 3d 8c e9 de 16 fb 07 fd 8e d3 72 d7 db 94
                7e e0 75 f9 e0 23 24 df 50 26 fb 92 f8 b5 dd 70
MK iterations:  222000
UUID:           4dd563a9-5bff-4fea-b51d-b4124f7185d1

Key Slot 0: ENABLED
        Iterations:             2245613
        Salt:                   05 a8 b4 a2 54 f7 c6 ee 52 db 60 b6 12 7f 2f 53
                                3f 5d 2d 62 fb 5a b1 c3 52 da d5 5f 7b 2d 38 32
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

The header sits at the start of the device (the payload offset of 4096 sectors is 2 MiB here) and is the only copy of the encrypted master key: if it is overwritten or corrupted, no passphrase will recover the data. Back it up with cryptsetup luksHeaderBackup --header-backup-file FILE /dev/xvdc (the second part of this series covers this) and guard the backup like a passphrase, because the backup plus any passphrase that was valid when it was taken opens the volume, even after that passphrase has been removed from the live header. Note also that luksDump reports xts-plain64 here while the status output above showed aes-cbc-essiv:sha256; the two samples are not from one and the same format run, and which cipher you get depends on the cryptsetup default at format time, so verify it on your own device.
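Reading a luksDump by eye is fine once; checking it after every key change, or across a fleet of machines, wants a script. The following is an added example in Python, not code from the nixCraft article or from cryptsetup: it parses a LUKS1 dump like the one above into a structure and flags what an auditor looks for, namely a legacy CBC cipher mode, PBKDF2 over SHA-1, enabled key slots you did not add, and suspiciously low iteration counts. The sample dump is a constructed copy of the output shown above, the 100,000-iteration floor is an assumption made for this example (cryptsetup benchmarks the count at format time), and LUKS2 headers, which print in a different layout, are rejected rather than misparsed.

```python
import re
import sys
from dataclasses import dataclass, field

# Constructed sample: the LUKS1 header the article dumps from /dev/xvdc
# (digest and salt values copied as shown; they are not secret material).
SAMPLE_DUMP = """\
LUKS header information for /dev/xvdc

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      21 07 68 54 77 96 11 34 f2 ec 17 e9 85 8a 12 c3 1f 3e cf 5f
MK salt:        8c a6 3d 8c e9 de 16 fb 07 fd 8e d3 72 d7 db 94
                7e e0 75 f9 e0 23 24 df 50 26 fb 92 f8 b5 dd 70
MK iterations:  222000
UUID:           4dd563a9-5bff-4fea-b51d-b4124f7185d1

Key Slot 0: ENABLED
        Iterations:             2245613
        Salt:                   05 a8 b4 a2 54 f7 c6 ee 52 db 60 b6 12 7f 2f 53
                                3f 5d 2d 62 fb 5a b1 c3 52 da d5 5f 7b 2d 38 32
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""

# Assumed floor for this example only; cryptsetup chooses the real count by
# benchmarking the machine at format time, it is not a fixed constant.
MIN_PBKDF2_ITERATIONS = 100_000

HEADER_RE = re.compile(r"^([A-Za-z ]+):\s*(.+?)\s*$")          # top-level "Name: value"
SLOT_RE = re.compile(r"^Key Slot (\d+): (ENABLED|DISABLED)\s*$")
ITER_RE = re.compile(r"^\s+Iterations:\s*(\d+)\s*$")            # indented, inside a slot


@dataclass
class LuksHeader:
    version: int
    cipher: str      # "<name>-<mode>", e.g. aes-xts-plain64
    hash_spec: str   # hash used by PBKDF2 for every key slot
    mk_bits: int     # master key length
    uuid: str
    slots: dict = field(default_factory=dict)  # enabled slot -> PBKDF2 iterations


def parse_luks1_dump(text):
    """Parse `cryptsetup luksDump` output for a LUKS1 header."""
    fields, slots, current = {}, {}, None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = int(m.group(1)) if m.group(2) == "ENABLED" else None
            if current is not None:
                slots[current] = 0
            continue
        m = ITER_RE.match(line)
        if m and current is not None:
            slots[current] = int(m.group(1))
            continue
        m = HEADER_RE.match(line)
        if m and not line[:1].isspace():      # skip indented per-slot fields
            fields[m.group(1)] = m.group(2)
    if fields.get("Version") != "1":
        raise ValueError("only LUKS1 dumps are handled; LUKS2 output has a different layout")
    return LuksHeader(
        version=1,
        cipher=f"{fields['Cipher name']}-{fields['Cipher mode']}",
        hash_spec=fields["Hash spec"],
        mk_bits=int(fields["MK bits"]),
        uuid=fields["UUID"],
        slots=slots,
    )


def audit(header, expected_slots=(0,)):
    """Findings a practitioner would want to see before trusting the volume."""
    findings = []
    mode = header.cipher.split("-", 1)[1]
    if mode.startswith("cbc-"):
        findings.append(f"cipher {header.cipher} uses CBC; current cryptsetup defaults to aes-xts-plain64")
    if header.hash_spec == "sha1":
        findings.append("key slots are derived with PBKDF2-SHA1")
    extra = sorted(set(header.slots) - set(expected_slots))
    if extra:
        findings.append(f"enabled key slots you did not expect: {extra}")
    for slot, iters in sorted(header.slots.items()):
        if iters < MIN_PBKDF2_ITERATIONS:
            findings.append(f"slot {slot} has only {iters} PBKDF2 iterations")
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    hdr = parse_luks1_dump(text or SAMPLE_DUMP)
    print(f"{hdr.cipher}, {hdr.mk_bits}-bit master key, enabled slots {hdr.slots}")
    for finding in audit(hdr) or ["no findings"]:
        print(" -", finding)
```

Run it with no input to audit the sample, or pipe a real header in with cryptsetup luksDump /dev/xvdc | python3 luks_audit.py; pass expected_slots to audit() with the slots you know you created so that any other enabled slot stands out.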

Step 3: Format Linux LUKS partition

First, write zeros to the /dev/mapper/backup2 device. Because the writes go through the dm-crypt mapping, every zero block lands on /dev/xvdc as ciphertext, so the whole device ends up looking like random data and an attacker cannot tell how much of it is in use, or where (usage patterns). Zeros are fine as the source: the cipher already randomizes the output, so writing /dev/urandom through the mapping gains nothing and is slower. The step is optional, but if you do it, do it before creating the first filesystem:

# dd if=/dev/zero of=/dev/mapper/backup2 bs=1M

The dd command may take many hours to complete. I suggest that you use the pv command to monitor the progress:

# pv -tpreb /dev/zero | dd of=/dev/mapper/backup2 bs=128M

Sample outputs:

dd: error writing '/dev/mapper/backup2': No space left on device
 200GiB 0:16:47 [ 203MiB/s] [                      <=>                      ]
1600+1 records in
1599+1 records out
214746267648 bytes (215 GB, 200 GiB) copied, 1008.19 s, 213 MB/s

The "No space left on device" error is expected: dd stops once it has filled the device. You can also pass the status=progress option to the dd command:

# dd if=/dev/zero of=/dev/mapper/backup2 bs=1M status=progress

Sample outputs:

2133934592 bytes (2.1 GB, 2.0 GiB) copied, 142 s, 15.0 MB/s

Next, create a filesystem, i.e. format the opened volume (never the raw /dev/xvdc, which would destroy the LUKS header):

# mkfs.ext4 /dev/mapper/backup2

Sample outputs:

mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 52428288 4k blocks and 13107200 inodes
Filesystem UUID: 1c71b0f4-f95d-46d6-93e0-cbd19cb95edb
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

To mount the new filesystem at /backup2, enter:

# mkdir /backup2
# mount /dev/mapper/backup2 /backup2
# df -H
# cd /backup2
# ls -l

Linux Hard Disk Encryption Demo

(Fig: Encrypt your hard drive in Linux using LUKS2)

How do I unmount and secure data?

Type the following commands:

# umount /backup2
# cryptsetup luksClose backup2

Closing the mapping removes the volume key from kernel memory; until then the data is readable by anyone with root on the running system, and a suspended (not hibernated) laptop still holds the key in RAM. Close the volume whenever it is not in use, not only at shutdown.

How do I mount or remount encrypted partition?

Type the following commands:

# cryptsetup luksOpen /dev/xvdc backup2
# mount /dev/mapper/backup2 /backup2
# df -H
# mount

Sample outputs:

(Fig.01: Encrypted partition mounted on /backup2)

See also the shell script wrapper that opens a LUKS partition and sets up a mapping for NAS devices.

Can I run fsck on LUKS based partition / LVM volume?

Yes. Run fsck against the opened mapping, never against the raw /dev/xvdc device (which holds only ciphertext), and unmount the filesystem first:

# umount /backup2
# fsck -vy /dev/mapper/backup2
# mount /dev/mapper/backup2 /backup2

See how to run fsck on a LUKS (dm-crypt) based LVM physical volume for more details.

How do I change LUKS passphrase (password) for encrypted partition?

First look at the key slots. LUKS1 has 8, so up to 8 different passphrases can unlock the same device (LUKS2 raises this to 32):

# cryptsetup luksDump /dev/xvdc

Add the new passphrase to a free slot:

# cryptsetup luksAddKey /dev/xvdc

Sample outputs:

Enter any passphrase:
Enter new passphrase for key slot:
Verify passphrase:

Before removing the old passphrase, verify that the new one really opens the device, so that a typo cannot lock you out:

# cryptsetup open --test-passphrase /dev/xvdc

Then remove or delete the old passphrase:

# cryptsetup luksRemoveKey /dev/xvdc

Please note that you need to enter the old passphrase here: luksRemoveKey deletes whichever slot matches the passphrase you type. To delete a specific slot by number instead (for example slot 0), use cryptsetup luksKillSlot /dev/xvdc 0; to replace a passphrase in one step, use cryptsetup luksChangeKey /dev/xvdc.

What next?

You can store files or store backups using the following software:

   Debian / Ubuntu Linux: Install and Configure Remote Filesystem Snapshot with rsnapshot Incremental Backup Utility
   How To Set Up a Red Hat / CentOS Linux Remote Backup / Snapshot Server

Check out related media

This tutorial is also available in video format:

(Video 01: cryptsetup command demo)


You now have an encrypted partition for all of your data.

Pros:

   LUKS encrypts entire block devices and is therefore well suited to protecting the contents of mobile devices such as removable storage media (USB pen drives) or laptop disk drives.
   You can also use it on your NAS server to protect backups.
   Intel and AMD CPUs with AES-NI (Advanced Encryption Standard Instruction Set) can accelerate dm-crypt based encryption on Linux kernel v2.6.32+. This speeds up hard disk encryption.
   It works with a swap partition too, so your laptop can use the hibernation feature (suspend-to-disk), which writes out the contents of RAM to the swap partition before turning off the machine. If you hibernate, the swap partition must itself be encrypted; otherwise the RAM image, including the open volume key and any plaintext, lands on disk in the clear.

Cons:

   LUKS1 supports only 8 key slots, i.e. at most 8 users can have distinct access keys to the same device (LUKS2 allows 32).
   LUKS is not suitable for applications that need file-level encryption: once a volume is open, every user and process with the right filesystem permissions sees plaintext.
   The LUKS header is a single point of failure; if it is overwritten or corrupted, the data is gone even with the right passphrase, so back it up (see the next part of this series).

In this tutorial, we learned about hard disk encryption on Linux. For more information, see the cryptsetup man page (man cryptsetup) and the RHEL 6.x documentation.

This entry is 1 of 2 in the The Linux Unified Key Setup (LUKS) is a disk encryption Tutorial series. Keep reading the rest of the series:

   Linux Hard Disk Encryption With LUKS
   Backup and restore LUKS header on Linux


47 comments

   Cae Oct 19, 2012 @ 22:50
   Truecrypt – It is free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux.
   You may want to check your statement about Truecrypt.
   If it's not available in Debian, it cannot be open source.
       Isaac Oct 20, 2012 @ 21:52
       No, TrueCrypt is Open Source (at least that's what their website says), though it has its own license (non-GPL), which might be why most distros don't have it.
       You can download the source here:
       Besides, not even Debian could have absolutely every piece of Free and Open Source Software out there.
       And if you need it, here is a program based off of TrueCrypt:
       Another thing: Fedora stopped providing TrueCrypt as well. Here is their opinion on it.
       syncher Mar 13, 2015 @ 1:49
       cryptsetup can handle TrueCrypt containers, and tcplay is a CLI tool for it, and there is even a GUI version, zuluCrypt.
   Unix Lover Oct 20, 2012 @ 1:43
   How do you do this on FreeBSD?
       Nmonk Oct 20, 2012 @ 8:25
       This may help:
       FreeBSD disk encryption
   Rizky Ariestiyansyah Oct 20, 2012 @ 9:25
   Hello NixCraft, good tutorial using cryptsetup,
   just an advice: cryptsetup had a new release 3 days ago. :D
   *compiling from source will help us to know more ;)
   Neo Oct 20, 2012 @ 12:25
   usbs can be carried within a baggy or balloon within a user's rectum once slid into the anus.
       galactusx Apr 30, 2014 @ 3:16
       And just how often do you use this technique?
       syncher Mar 13, 2015 @ 1:45
       Look up 'microSD coin container' so you don't have to violate yourself.
   agresor Oct 21, 2012 @ 8:40
   "RHEL / CentOS / Fedora Linux user type the following yum command:
   # apt-get install cryptsetup-luks"
   # yum install cryptsetup-luks
       🐧 nixCraft Oct 21, 2012 @ 8:46
       Thanks for the heads up!
   Ashish Nov 3, 2012 @ 12:57
   I have a RHEL 6.3 laptop with a 500GB hard disk. The entire disk is encrypted via LUKS.
   I want to create a 250 GB partition on my disk to be able to install Windows 7 on it. I wish to have RHEL/Windows dual boot on my laptop.
   But, I think without decrypting the entire HDD, it's not possible to create a new partition. Can you please help me on this? I would be greatly helpful to you.
       Ashish Nov 3, 2012 @ 12:58
       Oops… typo in last sentence…. I would be greatly thankful to you !!!
           🐧 nixCraft Nov 4, 2012 @ 6:28
           Read this thread. If I were you I would back up all data before resizing anything. Good luck!
   Guest Apr 27, 2013 @ 16:36
   For pv -tpreb /dev/zero | dd of=/dev/mapper/backup2 bs=128M I have a 1TB drive. The bs=128 is that OK?
   Arjun Ram Jun 17, 2013 @ 14:38
   My entire disk is encrypted using LUKS. Mistakenly I deleted one important *.nsf file. Using some software I could restore that deleted file but it says PGP/MIME encrypted header. Do we have any way to decrypt the single file?
   Mayur Pipaliya Aug 2, 2013 @ 23:43
   # I strive on raring ringtail (gnome) backed by crypt-luks (entire 500GB) + encfs (over dropbox/google drive). m/
   mtz Sep 2, 2013 @ 20:41
   There is a project that gives a GUI tool to manage cryptsetup LUKS and PLAIN volumes as well as truecrypt volumes. The project is hosted at:
   Kendall Oct 1, 2013 @ 20:59
   Regarding monitoring of the dd process, an easier to remember and more portable method is as such:
   # kill -USR1 $pid_of_dd
   This will cause dd to output the number of bytes copied, current run time and throughput to the terminal running the 'dd' command.
   safeuser Jan 4, 2014 @ 18:03
   I think there is a mistake. You should initially fill the device with random bytes, not zeros, i.e.
   pv -tpreb /dev/urandom | dd of=/dev/mapper/backup2 bs=128M
   dd if=/dev/urandom of=/dev/mapper/backup2
       MeAndJuliaDownByTheSchoolYard May 19, 2014 @ 13:37
       Indeed, it is bad advice to use /dev/zero to fill the device. I use 'dd if=/dev/urandom of=foo bs=1M' which is a little quicker than using the default 4k block size.
           Alister Amo Nov 24, 2014 @ 23:44
           /dev/zero is sufficient and much faster. It's not necessary to use /dev/urandom because the disk is already encrypted and the randomness is provided by the cypher, you just have to make sure that the device is filled. It should not be possible to distinguish encrypted zero-fill data and encrypted random data :)
               Paul M Mar 23, 2015 @ 0:38
               no, because filling the plain text layer with all zeroes gives anyone trying to break the security a head start.
               it's basic cryptography 101, don't ever let the attacker know what the plain text is for a given cipher output.
                   Charles Staal May 31, 2015 @ 23:51
                   It's not ONLY zeros. Once one bit of data is in there your argument is null. Even so, it's still null with modern ciphers. Maybe if you knew more than just '101'…
                       Paul M Jun 2, 2015 @ 8:47
                       ok, you still have sector headers and so on, and these are predictable. An attacker trying to crack your encrypted disk will be looking specifically for patterns which may be caused because the disk was filled with zeroes.
                       Since basic cryptography says you should never give an attacker the plain text and the cipher text, you're leaking information.
                           HaroldCallahan Sep 23, 2015 @ 0:36
                           Modern encryption schemes are specifically designed to withstand attack from adversaries who know both plaintext and ciphertext. They have to be, since there is too much known plaintext on the internet. (For example, an adversary can observe the IP addresses that your web browser is connecting to, and connect to those web sites himself, thereby learning a plaintext/ciphertext pair.)
                           There is no concern whatsoever from leaking known plaintext. None. I'm a professional cryptographer. Anyone who says otherwise is at best misguided and at worst vulnerable to disaster because they're worrying about the wrong thing.
       DucKienTruong May 29, 2014 @ 11:18
       /dev/zero is sufficient and much faster. It's not necessary to use /dev/urandom because the disk is already encrypted and the randomness is provided by the cypher, you just have to make sure that the device is filled. It should not be possible to distinguish encrypted zero-fill data and encrypted random data :)
   Jacobo Jan 31, 2014 @ 7:06
   Only use the filesystem with root? If you go step by step the default use is for root.
   Ben Yau Apr 23, 2014 @ 17:05
   I've read you can use shred on a device also
   shred -v --iterations=1 /dev/[devicename]
   Johan May 10, 2014 @ 15:40
   1. But this way you can only edit the usb if you are root? Is it possible to change this with
   # chmod 777 backup2
   To make the usb not read-only?
   2. usb:s often have names like /sdf or /sdf1. Which one should I use when I type the commands – sdf or sdf1?
   hem May 14, 2014 @ 5:47
   Hi, I need full disk encryption on my db server where the db is in /usr/local/bin and it's SUSE Linux 11. Please let me know how to perform this on my system.
   MeAndJuliaDownByTheSchoolYard May 19, 2014 @ 13:43
   The new cryptsetup syntax for open and close of luks devices is 'cryptsetup open --type luks /dev/sdg1 backup' and 'cryptsetup close --type luks backup'. Strangely, similar syntax for 'format', 'dump', etc doesn't seem to be implemented yet.
   anonymous May 30, 2014 @ 9:13
   Ofnuts Dec 21, 2014 @ 14:43
   Wondering: if you fill with /dev/zero, then until the disk is full there will be large regions that will just hold an encrypted /dev/zero (assuming disk space is not allocated at random). Could someone take advantage of this (clear data: all zeroes, plus encrypted data: what is found on the disk) to recompute the key?
   Missing: how to add automatic open/mount to the boot/config sequence to automatically mount a second fixed disk at boot.
   This said, nice and clear instructions.
   ddd Feb 27, 2015 @ 11:28
   Why write zeroes to the encrypted partition? Why not fill the drive with zeroes before it is encrypted? This should be much faster
       Paul M Mar 23, 2015 @ 0:40
       because then any attacker would know where you were storing your data, and given a linux file system has a standard layout would have a head start correlating cipher text with the likely plain text.
   ddd Feb 27, 2015 @ 11:29
   Thanks for this great article, very helpful and straight to the point. Luks is faster than Truecrypt on my Banana Pi ARM computer!
   syncher Mar 13, 2015 @ 1:40
   Skip the delay contributed by dd and just 'pv -tpreb /dev/urandom > /dev/to_be_wiped' and do it BEFORE cryptsetup, not to the already crypt-formatted /dev/mapper/backup2. (However the author's method works too).
   And save the header with 'cryptsetup luksHeaderBackup --header-backup-file ', accidents do happen and if the header is lost kiss the encrypted data goodbye. (Make sure the saved header does not get into the hands of an adversary who'll then be able to decrypt your data with it…though not very easily). Just look how many people on the web are asking how to restore a LUKS volume corrupted one way or another, only to find out the hard way that it's not possible. With the LUKS header saved the volume is recoverable. While at it, save the partition layout as well with 'sfdisk -d /dev/your_disk > disk_part.backup', if it's partitioned prior to crypt-formatting it, or if you partition inside the volume 'sfdisk -d /dev/mapper/backup2 > backup2-part.backup'
       HaroldCallahan Sep 23, 2015 @ 0:45
       On any Intel CPU with AES-NI (anything manufactured after 2008), the dd command is likely to be faster. Encryption uses AES, which is considerably accelerated by AES-NI in hardware. Even very old CPUs achieve about 3 cycles per byte with AES-NI; at this rate, the encryption is likely faster than the disk bandwidth. /dev/urandom by contrast uses hashing operations, which are performed in software. The upcoming Skylake CPUs are supposed to include hardware-accelerated SHA extensions, which may make hashing competitive with encryption, but we'll have to wait for the hardware to come out before we can compare performance.
   Victor R. May 27, 2015 @ 3:40
   Thanks dude. Added to Favorites.
   J Jun 26, 2015 @ 17:20
   Looking for someone to attempt data recovery of a LUKS partition?
   Anyone interested. Can pay with BTC if you get it back.
   madan vsh Dec 2, 2015 @ 13:01
   Is there any way to set up LUKS encryption after installing Fedora 22 ??
       Fred B. Jan 20, 2016 @ 1:00
       Install the package that contains cryptsetup if it's not already on there.
   Fred B. Jan 19, 2016 @ 17:23
   Should I make a partition first? Like /dev/sdb1 and run the dd command on sdb1, and make sdb1 the luks container? Or should I run dd on /dev/sdb first, then create sdb1 and make that my luks container? (sdb1 will be the full partition size)
   Satish Tiwary Feb 10, 2016 @ 9:30
   # cryptsetup luksRemoveKey /dev/sda5
   This command is not working in my rhel5.4
   Anand Aug 12, 2020 @ 3:29
   I have a customer who wants to encrypt a thumb drive and have it bootable when needed to update firmware on an HP server running Windows Server 2016. He will probably update the firmware individually or from SPP. Please advise on how I can achieve this. Thank you!
       🐧 Vivek Gite Aug 12, 2020 @ 19:05
       This is Linux specific info. I doubt it will support Windows Server 2006.



2. Create the key file in the unencrypted /boot partition

# dd if=/dev/urandom of=/boot/keyfile bs=1024 count=4

or

# dd bs=256 count=1 if=/dev/random | base64 > keyfile

Either form yields a random key: the first writes 4 KiB of raw bytes straight to /boot/keyfile, the second writes a base64 text key to ./keyfile, which you then move to /boot/keyfile. In both cases the result is a plaintext key stored on an unencrypted partition, which is the whole point of the warning at the end of this procedure.

3. Set permissions

# chown root:root /boot/keyfile
# chmod 0400 /boot/keyfile

Encrypt the disk using LUKS

We're now ready to get to the fun part, and encrypt the disk or partition.

To start, check the name of the disk you want to use, using lsblk:

$ lsblk
sda       8:0    0   30G  0 disk
├─sda1    8:1    0 29.9G  0 part /
├─sda14   8:14   0    4M  0 part
└─sda15   8:15   0  106M  0 part /boot/efi
sdb       8:16   0    4G  0 disk
└─sdb1    8:17   0    4G  0 part /mnt
sdc       8:32   0   32G  0 disk

In this example, I'm going to use the sdc disk. This is likely going to be different for you, so make sure you replace the disk name in all the commands below.

   Watch out! The commands below will delete all files on the drive you select.

Before we start, install the cryptsetup utility:

# Debian, Ubuntu, Raspbian…
apt install -y cryptsetup

# CentOS, Fedora, RedHat
yum install -y cryptsetup-luks

First, if your disk doesn't have a partition yet (like mine), create a GPT partition table and a partition (without formatting it; the ext4 argument is only a type hint for parted):

# Replace sdc with the drive you want to use
parted /dev/sdc mklabel gpt
parted -a opt /dev/sdc mkpart datadisk ext4 0% 100%

Encrypt the new partition (/dev/sdc1) using LUKS, create an ext4 volume in it, and then close the encrypted volume. luksFormat and luksOpen prompt for a passphrase; the key file is added next to that passphrase in step 4, so pick a strong one and keep it, because it remains the fallback when the key file is unavailable.

# Encrypt the partition
# Replace sdc1 with the correct partition!
cryptsetup -y -v luksFormat /dev/sdc1

# Open the encrypted volume, with the name "data"
cryptsetup -v luksOpen /dev/sdc1 data

# Create a filesystem on the encrypted volume
mkfs.ext4 -F /dev/mapper/data

# Close the encrypted volume
cryptsetup -v luksClose data

4. Add the new file as unlock key to the encrypted volume

The remaining steps follow the layout of the host this procedure was originally written for: the encrypted volume is /dev/sda5 and the unencrypted /boot filesystem is on /dev/sda1. Substitute your own devices (for the disk prepared above that would be /dev/sdc1).

# cryptsetup -v luksAddKey /dev/sda5 /boot/keyfile
Enter any passphrase:

Enter your old/existing passphrase here. Expected output:

Key slot 0 unlocked.
Command successful.

Afterwards cryptsetup luksDump /dev/sda5 should list a second ENABLED key slot: that slot is the key file, the original slot is still your passphrase.

Note: the device names may vary depending on the hypervisor: XenServer would assign "xvda", Proxmox would assign "vda", while VMware would stick to "sda".

5. Find the UUID of /dev/sda1

# ls -l /dev/disk/by-uuid/

6. Edit /etc/crypttab

Edit the contents of the file /etc/crypttab (use the UUID of /dev/sda1 from the previous step)

# vi /etc/crypttab

The contents should be:

sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee none luks

(The UUID may be different)

The four fields are the mapping name, the source device, the key source (none means prompt for a passphrase at boot) and the options. The changes we'll be making:

   Replace the 3rd parameter ‐ none ‐ with /dev/disk/by-uuid/<uuid>:/keyfile, using the UUID for sda1. The passdev keyscript reads this as device:path, mounts that device during early boot and hands the file found at that path to cryptsetup as the key.
   Replace the 4th parameter ‐ luks ‐ with luks,keyscript=/lib/cryptsetup/scripts/passdev

The final result:

sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee /dev/disk/by-uuid/2a5e9b7f-2128-4a50-83b6-d1c285410145:/keyfile luks,keyscript=/lib/cryptsetup/scripts/passdev

In this case the UUID for our /dev/sda1 was 2a5e9b7f....

Edit the file as root; there is no need to loosen its permissions to do so. In particular, do not chmod 0777 /etc/crypttab, even temporarily: a world-writable crypttab lets any local user point the boot-time unlock at a key file of their choosing. Keep it owned by root and not writable by anyone else (the distribution default of 0644 is fine, as is the more restrictive 0440):

# chown root:root /etc/crypttab
# chmod 0440 /etc/crypttab
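The two things this procedure depends on, the key file's permissions from step 3 and the shape of the crypttab entry from step 6, are easy to get wrong and easy to check. The following is an added example in Python, not part of the article or of the cryptsetup package: it parses crypttab, reports for each volume what can unlock it without a human (a passdev key on a readable device, or a plain key file), and checks a key file's mode and owner. The crypttab lines are constructed from the two shown above plus a hypothetical "data" volume with a key under /root, and the key file it inspects is a temporary file the script creates itself.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

# Constructed sample: the two crypttab lines from the text plus a hypothetical
# "data" volume whose key file lives under /root (not part of the article).
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee none luks
sda5_crypt UUID=9b7200b5-0e0a-447a-93a8-7eb8f1f4a1ee /dev/disk/by-uuid/2a5e9b7f-2128-4a50-83b6-d1c285410145:/keyfile luks,keyscript=/lib/cryptsetup/scripts/passdev
data UUID=00000000-0000-0000-0000-000000000000 /root/data.key luks
"""


@dataclass
class CrypttabEntry:
    target: str
    source: str
    key: str
    options: dict  # option name -> value, or True for bare flags such as "luks"


def parse_crypttab(text):
    """Split crypttab into entries; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        target, source = parts[:2]
        key = parts[2] if len(parts) > 2 else "none"   # missing key field means prompt
        options = {}
        if len(parts) > 3:
            for opt in parts[3].split(","):
                name, _, value = opt.partition("=")
                options[name] = value or True
        entries.append(CrypttabEntry(target, source, key, options))
    return entries


def lint_entry(entry):
    """Describe what unlocks this volume without a passphrase prompt, if anything."""
    if entry.key in ("none", "-"):
        return []  # passphrase prompt at boot: nothing stored on disk
    keyscript = entry.options.get("keyscript", "")
    if isinstance(keyscript, str) and keyscript.endswith("/passdev"):
        device, _, path = entry.key.partition(":")
        return [f"{entry.target}: unlocked with {path} read from {device}; that device "
                f"must be readable without a passphrase, so whoever holds it can open the volume"]
    return [f"{entry.target}: unlocked with key file {entry.key}; acceptable only if that "
            f"path lives on a volume that was itself unlocked with a passphrase"]


def check_keyfile(path):
    """Findings for a key file readable or owned by anyone other than root."""
    st = os.stat(path)
    findings = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access; use 0400")
    if st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid}, not root")
    return findings


def demo_keyfile_check():
    """Create a throwaway key file with a loose and then a tight mode."""
    fd, path = tempfile.mkstemp(prefix="luks-key-")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        loose = check_keyfile(path)
        os.chmod(path, 0o400)
        tight = check_keyfile(path)
    finally:
        os.chmod(path, 0o600)
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    for entry in parse_crypttab(SAMPLE_CRYPTTAB):
        for finding in lint_entry(entry) or [f"{entry.target}: passphrase prompt at boot"]:
            print(finding)
    loose, tight = demo_keyfile_check()
    print("0644:", loose)
    print("0400:", tight)
```

To check a live system, read /etc/crypttab into parse_crypttab() and call check_keyfile("/boot/keyfile"); the owner finding will only be silent when the file really belongs to root, which is what the initramfs expects.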

7. Generate a new initramfs disk

The initramfs must contain the passdev keyscript and the updated crypttab, otherwise early boot still prompts for a passphrase. Regenerate it for the running kernel:

# mkinitramfs -o /boot/initrd.img-4.9.0-7-amd64 4.9.0-7-amd64

(Make sure 4.9.0-7 is your version, as in step 1.) On Debian and Ubuntu, update-initramfs -u -k 4.9.0-7-amd64 does the same through the distribution's hooks.

8. Cross your fingers and reboot

# reboot

Congratulations: the volume now unlocks by itself at boot. Be clear about what that buys you. The key file sits in plaintext on the unencrypted /boot partition of the same machine, so anyone who gets hold of the disk (or the laptop) can read /boot/keyfile and open /dev/sda5 with it, which is exactly the attack the encryption was meant to stop. You have effectively short-circuited the security of the encrypted drive; this setup only makes sense for unattended reboots of a machine whose physical security is assured some other way. Be careful now!