LUKS encrypts block devices. It can be used both to encrypt individual partitions within a disk, or entire LVM volumes, in which case you can have multiple partitions under an encrypted container.
The encryption headers and other metadata will be stored at the start of the drive. It has space for multiple passphrases, so in cases of a shared drive each user can have their own passphrase without needing to share it. Be careful when manipulating partition tables on encrypted drives – erasing these headers will lead to total and unrecoverable data loss.
You can get a list of your devices using
lsblk -o NAME,PATH,MODEL,VENDOR,SIZE,FSUSED,FSUSE%,TYPE,MOUNTPOINT NAME PATH MODEL VENDOR SIZE FSUSED FSUSE% TYPE MOUNTPOINT sda /dev/sda WDC W ATA 465.8G disk ├─sda1 /dev/sda1 512M 75.7M 15% part /boot └─sda2 /dev/sda2 465.3G part └─luksdev /dev/mapper/luksdev sdb /dev/sdb 3.7T disk └─sdb1 /dev/sdb1 3.7T part
As you can see, I already have a “luksdev” device, which is my laptopt’s encrypted SSD.
If the device is mounted, you will need to back up all data from it then unmount it.
Then, if you want to create a new partition:
The above will open the drive with fdisk. Typing
m will pop up the help menu.
If it’s a new disk, you’ll most likely need to set up a new gpt partition table with
g, then create a new partition with
If you just want a new partition on an already configured disk, you’ll only need to use
n, then specify the sectors.
Once you have the partition set up, you will need to install
# Debian/ubuntu based systems sudo apt install cryptsetup # Arch based systems sudo pacman -S cryptsetup # Fedora based systems sudo dnf install cryptsetup-luks # RHEL/CentOS/Oracle sudo yum install cryptsetup-luks
This will install the tool used to encrypt and decrypt your partitions.
THE DATA ON THE DRIVE/PARTITION WILL BE LOST!
The next step is the encryption itself:
# Warning - THIS IS A DESTRUCTIVE PROCESS # Whole drive encryption cryptsetup luksFormat --verbose /dev/sdX # Partition encryption cryptsetup luksFormat --verbose /dev/sdX#
The process will walk you through encrpyting the drive/partition, and will ask you for a passphrase. It then formats the device with LUKS, writes the headers and metadata, then closes it.
The device should now be encrypted and ready to be used. You can unlock it with:
cryptsetup luksOpen /dev/sdX# dev_name
You should replace
with a name of your choosing. By default, it will mount the unlocked partition to
If you encrypted the whole device, you will need to create partitions on it with a disk manager such as
fdisk. You will need to grab
/dev/mapper/dev_name in the tool, and set up the partitions as you want. The partitions will then be ready to be used, as they are at this point indivudally unencrypted partitions under an encrypted container.
It’s important that you don’t change the label (partition table) itself on the drive, as it would erase the LUKS headers.
If you’ve only encrypted a partition, it is not yet usable. You will first need to create a filesystem on it, as it currently has none. To create an ext4 fs:
This will create an ext4 file system on your decrypted partition. You can mount it with:
mount /dev/mapper/dev_name /mnt
Your encrypted partition is now ready to be used!