LUKS Encryption Cheat Sheet

2020-10-27

Install and create partition

Install on a Debian-based system

apt-get install cryptsetup

Install on a Red Hat-based system

yum install cryptsetup

Creating a new LUKS partition

cryptsetup -y -v luksFormat /dev/$DEVICE

Key management

Generate a 4096-bit (512-byte) random key file

head -c 512 /dev/random > KEYFILE

Add a key file to the next free key slot. This will prompt for an existing passphrase. You can have up to 8 slots.

cryptsetup luksAddKey /dev/$DEVICE KEYFILE

Add a key file to a specific key slot, e.g. slot 7

cryptsetup luksAddKey --key-slot 7 /dev/$DEVICE KEYFILE

View key slots (use | grep Slot if needed)

cryptsetup luksDump /dev/$DEVICE

Remove a key from its key slot. Enter the passphrase or specify the key file to remove; the matching slot is detected automatically and its key is removed.

cryptsetup luksRemoveKey /dev/$DEVICE
cryptsetup luksRemoveKey /dev/$DEVICE KEYFILE
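
The "| grep Slot" filter matches the LUKS1 dump layout ("Key Slot 0: ENABLED"); LUKS2 headers instead list occupied slots under a "Keyslots:" section. The script below is an added example, not part of the original cheat sheet: it reads luksDump text on stdin and reports occupied slots for either layout, which is worth checking before luksRemoveKey. The function names and the trimmed sample dumps are constructed for illustration.

```sh
#!/bin/sh
# Added example: list occupied key slots from `cryptsetup luksDump` text on stdin.
# LUKS1 prints "Key Slot N: ENABLED"; LUKS2 lists "  N: luks2" under "Keyslots:".
used_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(/:/, "", $3); print $3; next }  # LUKS1
        /^Keyslots:/  { in_ks = 1; next }     # LUKS2 keyslot section starts
        /^[A-Za-z]/   { in_ks = 0 }           # any other unindented header ends it
        in_ks && /^ +[0-9]+: / { sub(/:/, "", $1); print $1 }
    ' | tr '\n' ' ' | sed 's/ $//'
}

# Hypothetical pre-check before luksRemoveKey: true only when more than one
# slot is occupied, so removing one key still leaves a way to unlock.
can_remove_key() {
    set -- $(used_slots)
    [ "$#" -gt 1 ]
}

# Constructed sample: trimmed LUKS1-style dump (slots 0 and 7 in use).
sample_luks1() {
cat <<'EOF'
LUKS header information for /dev/sdX1
Version:        1
Key Slot 0: ENABLED
        Iterations:             1000000
Key Slot 1: DISABLED
Key Slot 7: ENABLED
EOF
}

# Constructed sample: trimmed LUKS2-style dump. The "Digests:" entry uses the
# same "  N: type" shape as a key slot and must not be counted.
sample_luks2() {
cat <<'EOF'
LUKS header information
Version:        2
Keyslots area:  16744448 [bytes]
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
EOF
}

printf 'LUKS1 sample, used slots: %s\n' "$(sample_luks1 | used_slots)"
printf 'LUKS2 sample, used slots: %s\n' "$(sample_luks2 | used_slots)"
```

On a real device, pipe the dump in: cryptsetup luksDump /dev/$DEVICE | used_slots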

Mapping, mounting, formatting

Map the partition to /dev/mapper/$MAP

cryptsetup luksOpen /dev/$DEVICE $MAP

Map the partition using a key file; there is no need to specify the key slot

cryptsetup luksOpen --key-file KEYFILE /dev/$DEVICE $MAP

View status of the map

cryptsetup -v status $MAP

Zero the partition prior to formatting

dd if=/dev/zero of=/dev/mapper/$MAP status=progress

Alternate method of zeroing

dd_rescue -w /dev/zero /dev/mapper/$MAP

Format LUKS partition

mkfs.ext4 /dev/mapper/$MAP

Mount

cryptsetup luksOpen /dev/$DEVICE $MAP
mkdir -p /mnt/$MAP
mount /dev/mapper/$MAP /mnt/$MAP

Unmount and finish up

Unmount

umount /mnt/$MAP

Unmap the LUKS partition

cryptsetup luksClose $MAP
