cryptsetup(8)

cryptsetup manages LUKS encrypted volumes and dm-crypt device mappings on Linux.

Synopsis

cryptsetup [OPTIONS] <command> [command_options] <device> [arguments]

Description

cryptsetup is the main tool for setting up and managing encrypted block devices using LUKS (Linux Unified Key Setup) and plain dm-crypt encryption. It handles creating encrypted volumes, opening them for use, closing them, and managing passphrases and key slots.

LUKS is the standard encryption format for Linux, storing metadata that allows multiple passphrases to unlock the same encrypted data. Plain dm-crypt mode offers encryption without this metadata layer.

Common options

Flag                          What it does
--type luks|plain             Specify encryption type: luks (default, recommended) or plain dm-crypt
-c, --cipher                  Set cipher algorithm and mode, e.g. aes-xts-plain64
-s, --key-size                Key size in bits (256, 512, etc.; default 256 for aes-xts)
-h, --hash                    Hash algorithm for key derivation (sha256, sha512, etc.)
--pbkdf                       Key derivation function: pbkdf2, argon2i, or argon2id
-i, --iter-time               PBKDF iteration time in milliseconds (default 2000)
--use-random, --use-urandom   Use /dev/random or /dev/urandom for key material generation
-y, --verify-passphrase       Prompt twice for passphrase to confirm it was entered correctly
-d, --key-file                Read key from file instead of prompting interactively
-q, --quiet                   Suppress informational messages
--allow-discards              Allow TRIM/discard requests on encrypted device (weaker security)
-v, --verbose                 Show detailed progress and debug information

Examples

Initialize /dev/sda3 as a new LUKS encrypted volume, prompting for a passphrase

cryptsetup luksFormat /dev/sda3

Format with the AES-XTS cipher and a 512-bit key for stronger encryption (XTS splits the key into two halves, so 512 bits selects AES-256)

cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/sda3

Unlock the encrypted volume and map it to /dev/mapper/mycrypt; prompts for passphrase

cryptsetup open /dev/sda3 mycrypt

Open encrypted device using a key file instead of interactive passphrase

cryptsetup open -d /root/keyfile /dev/sda3 mycrypt

Lock and close the encrypted volume, making it inaccessible

cryptsetup close mycrypt

Add a new passphrase to the volume; requires an existing passphrase first

cryptsetup luksAddKey /dev/sda3

Display LUKS metadata and key slot information for the encrypted device

cryptsetup luksDump /dev/sda3

Create a plain dm-crypt mapping without LUKS metadata (legacy mode)

cryptsetup create --cipher aes-xts-plain64 plainvol /dev/sda2
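
Added example (not part of the original page or of the cryptsetup project): a shell function that reads the kind of output the luksDump example above prints and reports key slots that miss an assumed policy of 512-bit keys and an Argon2 PBKDF. The function names, the policy and the abridged sample dump are constructed for illustration, and the LUKS2 dump layout is assumed.

```shell
#!/bin/sh
# Added example: policy check over `cryptsetup luksDump` text (LUKS2 layout assumed).
# Assumed policy: every key slot uses a key of at least 512 bits and an Argon2 PBKDF.

# Constructed, abridged sample of LUKS2 luksDump output (not from a real device).
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Reads a dump on stdin, prints one finding per line, returns 1 if any were found.
# $1 = minimum key size in bits (default 512).
audit_luks_dump() {
    awk -v min="${1:-512}" '
        /^[A-Za-z]/ { section = $1; next }    # unindented line starts a new section
        section != "Keyslots:" { next }       # Digests also list "pbkdf2"; ignore them
        /^[ \t]+[0-9]+: / { slot = $1; sub(/:$/, "", slot); slots++; next }
        $1 == "Key:" && $2 + 0 < min + 0 {
            printf "slot %s: %s-bit key, policy wants %d\n", slot, $2, min; bad++
        }
        $1 == "PBKDF:" && $2 == "pbkdf2" {
            printf "slot %s: PBKDF is pbkdf2 (not memory-hard)\n", slot; bad++
        }
        END { if (!slots) { print "no key slots found"; bad++ }; exit (bad > 0) }
    '
}

# Demo on the sample; on a real system: cryptsetup luksDump /dev/sda3 | audit_luks_dump
sample_dump | audit_luks_dump || echo "policy violations found"
```

The section check matters because the Digests block of a LUKS2 dump always names pbkdf2, which would otherwise be counted as a key slot.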