Encrypting Partitions with LUKS using cryptsetup: A Guide

Prerequisites

  • Administrative (sudo) privileges
  • A backup of any existing data on the target partition
  • The partition you want to encrypt (in this guide, we’ll use /dev/sdb2)

Installing cryptsetup

Choose the appropriate command for your distribution:

For Debian/Ubuntu:

sudo apt-get install cryptsetup

For distributions using pacman:

sudo pacman -Sy cryptsetup

Encryption Process

1. Initialize LUKS Encryption

WARNING: Before we proceed, please make sure you have a BACKUP OF THE DATA somewhere.

Initialize the LUKS encryption on your partition:

sudo cryptsetup -y -v luksFormat /dev/sdb2

  • This command initializes the partition, overwriting any existing data on it, and prompts for a passphrase. Make sure you note the passphrase for further use.

2. Open the Encrypted Partition

Create a mapping for the encrypted partition:

sudo cryptsetup luksOpen /dev/sdb2 test

Running this command will prompt for the passphrase you just created. After successful authentication, the encrypted partition will be available at /dev/mapper/test.

3. Verify the Setup

Check the status of your encrypted mapping:

sudo cryptsetup -v status test

To view detailed LUKS header information:

sudo cryptsetup luksDump /dev/sdb2

4. Secure the Partition

Fill the entire encrypted volume with zeros to ensure secure initialization:

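pv -tpreb /dev/zero | sudo dd of=/dev/mapper/test bs=128M iflag=fullblock

This step will:

  • Overwrite the entire partition with zeros. Because the zeros are written through the /dev/mapper/test mapping, they are stored on /dev/sdb2 as encrypted data.
  • Take some time depending on the size of your device/partition, which is why the pv command is used to monitor the progress (install pv separately if it is not already present).

dd stops with a "No space left on device" message once the volume is full, which is expected here.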

5. Create a File System

Format the encrypted partition with ext4 or any other file system:

sudo mkfs.ext4 /dev/mapper/test

6. Mount and Verify

Create a mount point and mount the encrypted partition:

sudo mkdir /test_device
sudo mount /dev/mapper/test /test_device
df -H

Usage Tips

  • Always keep your passphrase in a secure location
  • Consider creating a backup of the LUKS header
  • Remember to close the encrypted partition when not in use:
    sudo umount /test_device
    sudo cryptsetup luksClose test
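
For the header backup suggested in the tips above, here is one way to take the copy and check it. This is an added example, not part of the original guide; backup_luks_header and the output path are hypothetical names, and the script assumes it is run as root.

```shell
#!/bin/sh
# Added example: back up a LUKS header and verify the copy. Run as root.
# backup_luks_header is a hypothetical helper name; the cryptsetup
# subcommands it calls (luksHeaderBackup, luksDump) are real.

backup_luks_header() {
    local dev="$1" out="$2"

    # The header holds the keyslots, so never clobber an older backup.
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing file: $out" >&2
        return 2
    fi

    # Restrictive umask so the copy is never readable by group/others.
    ( umask 077
      cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out" ) || return 1

    # The copy must itself parse as a LUKS header, otherwise it is useless.
    if ! cryptsetup luksDump "$out" >/dev/null 2>&1; then
        echo "backup does not parse as a LUKS header: $out" >&2
        rm -f -- "$out"
        return 3
    fi

    chmod go-rwx -- "$out"

    # Record a checksum so later corruption of the backup is detectable.
    ( cd "$(dirname -- "$out")" &&
      sha256sum -- "$(basename -- "$out")" > "$(basename -- "$out").sha256" )
}

# Usage (placeholder path): ./backup-header.sh /dev/sdb2 /path/off-disk/sdb2-header.img
if [ "$#" -eq 2 ]; then
    backup_luks_header "$1" "$2"
fi
```

Keep the backup somewhere other than the encrypted disk itself, and treat it like key material: anyone holding it and a valid passphrase can unlock the volume. To confirm that your passphrase opens a keyslot in the copy, run cryptsetup open --test-passphrase --header <backup file> /dev/sdb2.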

Note: Whenever you see a guide on my blog, it is primarily for my personal documentation, or I am sharing it in the hope that it might be useful.