dm-crypt is the Linux kernel's device-mapper encryption subsystem. LUKS (Linux Unified Key Setup) is the standard on-disk format used with dm-crypt: it handles key management, metadata, and up to 8 key slots (passphrases or keyfiles). This guide covers creating encrypted partitions for data drives, adding keyfiles, and setting up automatic mounting.
Prerequisites
Install cryptsetup
sudo apt install cryptsetup
Verify the kernel module is loaded
lsmod | grep dm_crypt
If empty:
sudo modprobe dm_crypt
Step 1 - Identify Your Target Disk
List block devices
lsblk -f
More detail
sudo fdisk -l
Identify the disk you want to encrypt (e.g., /dev/sdb)
All data on this device will be destroyed
For this guide, the target device is /dev/sdb. Replace with your actual device path.
Step 2 - Create a LUKS Container
Format the device with LUKS2 (default in modern cryptsetup)
Uses AES-256-XTS (XTS mode is standard for disk encryption)
sudo cryptsetup luksFormat /dev/sdb
Or specify parameters explicitly
sudo cryptsetup luksFormat \
--type luks2 \
--cipher aes-xts-plain64 \
--key-size 512 \
--hash sha256 \
--pbkdf argon2id \
--pbkdf-memory 131072 \
--pbkdf-parallel 4 \
/dev/sdb
Confirm by typing YES (all caps)
AES-XTS with 512-bit keys means AES-256 for both the data key and the tweak key. argon2id as the PBKDF (Password-Based Key Derivation Function) makes brute-forcing your passphrase expensive.
Step 3 - Open the Encrypted Container
Open the LUKS container and map it to /dev/mapper/mydata
sudo cryptsetup open /dev/sdb mydata
You will be prompted for your passphrase
The device is now available at /dev/mapper/mydata
Step 4 - Create a Filesystem on the Encrypted Device
Format with ext4
sudo mkfs.ext4 -L "encrypted-data" /dev/mapper/mydata
Or with XFS for better performance on large files
sudo mkfs.xfs -L "encrypted-data" /dev/mapper/mydata
Create a mount point and mount
sudo mkdir -p /mnt/encrypted
sudo mount /dev/mapper/mydata /mnt/encrypted
Verify
df -h /mnt/encrypted
Step 5 - Use the Encrypted Partition
Create files as normal
sudo cp -r /home/user/documents /mnt/encrypted/
Change ownership if you want non-root access
sudo chown -R user:user /mnt/encrypted/
Step 6 - Unmount and Close
Unmount the filesystem
sudo umount /mnt/encrypted
Close the LUKS container (removes the mapping and discards the volume key from kernel memory)
sudo cryptsetup close mydata
Verify it's closed
ls /dev/mapper/
After closing, the data on /dev/sdb is completely inaccessible without the passphrase.
Step 7 - Add a Keyfile (Second Key Slot)
LUKS supports multiple key slots. A keyfile lets you unlock the partition without typing a passphrase, which is useful for automated unlocking:
Generate a strong keyfile (512 bytes of random data)
sudo dd if=/dev/urandom of=/root/luks-keyfile bs=512 count=1
sudo chmod 400 /root/luks-keyfile
Add the keyfile to slot 1 (slot 0 has your passphrase)
sudo cryptsetup luksAddKey /dev/sdb /root/luks-keyfile
You will be prompted for your existing passphrase to authorize the addition
Now you can open the device with the keyfile instead of the passphrase:
sudo cryptsetup open --key-file /root/luks-keyfile /dev/sdb mydata
Step 8 - Automatic Mounting with /etc/crypttab and /etc/fstab
To mount automatically at boot (on a server where the keyfile is on the root disk). Keep in mind that anyone who can read the root filesystem can read the keyfile, so this protects the data drive only when it is separated from the host:
Add to /etc/crypttab:
name device keyfile options
mydata /dev/sdb /root/luks-keyfile luks
Add to /etc/fstab:
/dev/mapper/mydata /mnt/encrypted ext4 defaults,nofail 0 2
For removable devices, use UUID instead of device path (more reliable):
Get the UUID of the LUKS container (not the filesystem)
sudo cryptsetup luksDump /dev/sdb | grep UUID
/etc/crypttab
mydata UUID=a1b2c3d4-... /root/luks-keyfile luks
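A preflight for the crypttab/fstab step above, written as an added example (not part of the original guide): it emits the two lines only after checking that the UUID is a canonical LUKS container UUID and that the keyfile exists and is not readable by group or other. The function name, argument order and the sample UUID are my own.

```shell
# Preflight for Step 8: emit the /etc/crypttab and /etc/fstab lines only after
# checking the LUKS UUID and the keyfile. Added example, not part of the original
# guide; the function name and argument order are my own. On the real system run
# it as root, e.g.  crypttab_entries mydata "$uuid" /root/luks-keyfile /mnt/encrypted
crypttab_entries() {
    name=$1 uuid=$2 keyfile=$3 mnt=$4 fstype=${5:-ext4}
    # The UUID must be the container UUID from luksDump, in canonical 8-4-4-4-12 form
    printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
        || { echo "not a LUKS UUID: $uuid" >&2; return 1; }
    [ -s "$keyfile" ] || { echo "keyfile missing or empty: $keyfile" >&2; return 1; }
    # Group and other bits must all be off (chmod 400 in Step 7); owner should be root
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    [ "$perms" = "------" ] \
        || { echo "keyfile $keyfile is readable by group/other ($perms)" >&2; return 1; }
    # crypttab: name, device (by UUID), keyfile, options
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$keyfile"
    # fstab: nofail so boot continues if the drive (or its keyfile) is absent
    printf '/dev/mapper/%s %s %s defaults,nofail 0 2\n' "$name" "$mnt" "$fstype"
}

# Demo with a constructed keyfile in a temp dir; the UUID is a made-up sample value
demo=$(mktemp -d)
dd if=/dev/urandom of="$demo/luks-keyfile" bs=512 count=1 2>/dev/null
chmod 400 "$demo/luks-keyfile"
crypttab_entries mydata 0f1e2d3c-4b5a-4978-8695-a4b3c2d1e0f0 "$demo/luks-keyfile" /mnt/encrypted
```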
Step 9 - Inspect LUKS Metadata
Show key slots and LUKS header info
sudo cryptsetup luksDump /dev/sdb
Check which slot a passphrase uses
sudo cryptsetup --verbose open --test-passphrase /dev/sdb
Remove a key slot (e.g., remove slot 0 passphrase after adding keyfile)
Make sure you have another way in first
sudo cryptsetup luksKillSlot /dev/sdb 0
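A check that ties Step 2 and Step 9 together, added here as an example (not code from the original guide): it reads a saved luksDump report and flags any keyslot whose cipher, key size or PBKDF falls short of the settings chosen in Step 2, which is the first thing to look at on a volume that was formatted before those defaults. The report format is assumed to be the LUKS2 layout printed by cryptsetup 2.x; the sample report is constructed, not real output.

```shell
# Audit a saved `cryptsetup luksDump` report against the settings chosen in Step 2.
# Added example, not part of the original guide; it assumes the LUKS2 dump layout
# printed by cryptsetup 2.x and reads the report on stdin, e.g.
#   sudo cryptsetup luksDump /dev/sdb | luks_audit
luks_audit() {
    awk '
      $1 == "Version:"  { ver = $2 }
      $1 == "UUID:"     { uuid = $2 }
      $1 == "Keyslots:" { in_ks = 1; next }
      $1 == "Tokens:" || $1 == "Digests:" { in_ks = 0 }
      # "  N: luks2" starts a keyslot; the indented fields below belong to it
      in_ks && $1 ~ /^[0-9]+:$/ && $2 == "luks2" { slot = $1; sub(":", "", slot); slots++ }
      in_ks && $1 == "Cipher:"                 { cipher[slot] = $2 }
      in_ks && $1 == "Cipher" && $2 == "key:"  { bits[slot] = $3 }
      in_ks && $1 == "PBKDF:"                  { pbkdf[slot] = $2 }
      END {
        bad = 0; n = slots + 0
        if (ver != "2") { print "WEAK: header version " ver " (LUKS1 cannot use argon2id)"; bad = 1 }
        print "uuid: " uuid ", active keyslots: " n
        for (s in cipher) {
          ok = (cipher[s] == "aes-xts-plain64" && bits[s] == "512" && pbkdf[s] == "argon2id")
          verdict = ok ? "ok" : "WEAK"
          printf "slot %s: %s %s-bit %s -> %s\n", s, cipher[s], bits[s], pbkdf[s], verdict
          if (!ok) bad = 1
        }
        exit bad   # non-zero exit if any slot (or the header version) fell short
      }'
}

# Constructed report (not real cryptsetup output) with the PBKDF of slot 1 as a
# parameter, so the same text exercises both a clean header and a weak keyslot.
sample_dump() {
    cat <<EOF
Version:        2
UUID:           a1b2c3d4-0000-4000-8000-000000000001
Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
  1: luks2
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      $1
Tokens:
EOF
}

sample_dump pbkdf2 | luks_audit || echo "header needs attention: see WEAK lines above"
```

A slot reported WEAK can be replaced by adding a fresh key with the Step 2 PBKDF settings and then removing the old slot with luksKillSlot.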
Step 10 - Encrypt a Loop File (No Partition Needed)
You can encrypt a file rather than a whole partition, which is useful for creating portable encrypted containers:
Create a 5GB container file
dd if=/dev/zero of=/home/user/secure.img bs=1M count=5120
Format it as LUKS
sudo cryptsetup luksFormat /home/user/secure.img
Open it
sudo cryptsetup open /home/user/secure.img securedata
Format, create a mount point, and mount
sudo mkfs.ext4 /dev/mapper/securedata
sudo mkdir -p /mnt/secure
sudo mount /dev/mapper/securedata /mnt/secure
Close when done
sudo umount /mnt/secure && sudo cryptsetup close securedata
Backup the LUKS Header
If the LUKS header at the start of the disk is corrupted, the entire partition becomes unrecoverable. Back it up:
Backup header (does NOT expose key material; safe to store offsite)
sudo cryptsetup luksHeaderBackup /dev/sdb \
--header-backup-file /root/luks-header-backup.bin
Restore if needed
sudo cryptsetup luksHeaderRestore /dev/sdb \
--header-backup-file /root/luks-header-backup.bin
Store this backup in a separate encrypted location from the device itself. Note that the backup contains the key slots as they were at backup time: a passphrase you later remove with luksKillSlot will still unlock a volume restored from the old header, so take a fresh backup after every key change.