How to Encrypt a Disk with LUKS
Encrypt a full disk or individual partition on Linux using LUKS2 and cryptsetup, including key management, boot integration, and header backups.
Before you start
- A spare disk or partition with no data you need to keep, or a confirmed backup
- Root or sudo access on the host system
- cryptsetup 2.x (LUKS2 support) — verify with cryptsetup --version
LUKS (Linux Unified Key Setup) is the standard for disk encryption on Linux. It sits between your block device and the filesystem, transparently encrypting every sector. Whether you're securing a laptop's entire drive, a removable USB, or a secondary data partition, cryptsetup gives you a consistent, well-documented interface backed by dm-crypt in the kernel. This guide covers both full-disk encryption (FDE) and per-partition encryption, key management, and how to wire everything up so the system unlocks cleanly at boot.
Prerequisites and Concepts
Before touching any device, understand what LUKS actually does. A LUKS header sits at the start of the encrypted device and holds metadata plus up to eight key slots. Each slot can hold a separate passphrase or keyfile — you can add a recovery key to slot 1 and your daily passphrase to slot 0, and either will unlock the volume.
LUKS2 is the current format (cryptsetup ≥2.1, available on any modern distro). It adds Argon2id as the default key derivation function, better header redundancy, and support for authenticated encryption modes. Use LUKS2 unless you have a specific reason to stay on LUKS1.
Install cryptsetup
Most distros ship cryptsetup by default; install it if it is missing, or simply verify that it is present.
# Debian / Ubuntu
sudo apt install cryptsetup
# Fedora / RHEL / Rocky
sudo dnf install cryptsetup
# Arch
sudo pacman -S cryptsetup
Identify Your Target Device
Triple-check the device name before you encrypt anything. Encryption writes a new header and destroys existing data on the device.
lsblk -o NAME,SIZE,TYPE,MOUNTPOINTS,FSTYPE
Output will vary but look for your unmounted target disk or partition — for example /dev/sdb for a whole disk or /dev/sdb2 for a specific partition. If the device is mounted, unmount it first.
sudo umount /dev/sdb1
Optional: Wipe the Device First
A fresh LUKS container on an empty drive is fine for new hardware. On a drive that held real data, overwrite it with random bytes first so an attacker cannot distinguish ciphertext from old plaintext regions.
# Fast: fill with pseudorandom data via the kernel's fast random source
sudo dd if=/dev/urandom of=/dev/sdb bs=4M status=progress
On large drives this takes time. A faster alternative is to open a temporary plain dm-crypt mapping (not a LUKS container) keyed from /dev/urandom, write zeros through it so that the raw device receives ciphertext, then close it:
sudo cryptsetup open --type plain -d /dev/urandom /dev/sdb wipe_target
sudo dd if=/dev/zero of=/dev/mapper/wipe_target bs=4M status=progress
sudo cryptsetup close wipe_target
Format the Device with LUKS2
Full-disk encryption (no partition table)
For portable drives or drives where the OS manages everything under LVM, you can encrypt the raw device directly.
sudo cryptsetup luksFormat --type luks2 /dev/sdb
You will be prompted to type YES in uppercase and then enter a passphrase twice. Choose something strong; there is no password reset — losing all key slots means losing the data permanently.
Per-partition encryption
If the disk has multiple partitions and only one needs to be encrypted (common for a separate /home), target just that partition:
sudo cryptsetup luksFormat --type luks2 /dev/sdb2
The /boot partition must remain unencrypted for most bootloaders (GRUB with full LUKS2 support is improving but still has caveats — keep /boot on a plain partition unless you know exactly what you are doing).
Review the LUKS header
sudo cryptsetup luksDump /dev/sdb
Confirm the version shows LUKS2, the cipher is aes-xts-plain64, and the key size is 512 bits (256-bit AES with XTS doubling). These are the current defaults and are appropriate for most workloads.
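To make this header review repeatable (for example across a fleet), here is an added example, not code from the guide or from cryptsetup, that parses luksDump text and flags anything departing from the defaults above, any key slot still on PBKDF2, or a header with a single key slot. SAMPLE_DUMP is a constructed, abridged LUKS2 dump, not output from a real device.

```python
# Policy check over `cryptsetup luksDump` text (added example, not from the guide);
# SAMPLE_DUMP is a constructed, abridged LUKS2 dump, not output from a real disk.
import re
SAMPLE_DUMP = """\
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
"""
def parse_dump(text):
    """Extract version, data-segment cipher and per-keyslot fields from dump text."""
    info = {"version": None, "cipher": None, "keyslots": {}}
    section = slot = None
    for line in filter(str.strip, text.splitlines()):
        head = re.match(r"\s*(\d+): \S+$", line)       # "  0: luks2" or "  0: crypt"
        key, _, value = (p.strip() for p in line.partition(":"))
        if head and section == "Keyslots":
            slot = int(head.group(1))
            info["keyslots"][slot] = {}
        elif line[0] not in " \t":                     # top-level line
            section = key if not value else section    # "Keyslots:" opens a section
            if key == "Version":
                info["version"] = value
        elif section == "Keyslots" and slot is not None:
            info["keyslots"][slot][key] = value
        elif section == "Data segments" and key == "cipher":
            info["cipher"] = value
    return info
def check_header(info):
    """Flag deviations from the defaults the guide tells you to confirm."""
    findings = []
    if info["version"] != "2":
        findings.append(f"version is {info['version']}, expected 2 (LUKS2)")
    if info["cipher"] != "aes-xts-plain64":
        findings.append(f"cipher is {info['cipher']}, expected aes-xts-plain64")
    for sid, ks in sorted(info["keyslots"].items()):
        if ks.get("Key", "0 bits").split()[0] != "512":
            findings.append(f"keyslot {sid}: key is {ks.get('Key')}, expected 512 bits")
        if ks.get("PBKDF") != "argon2id":
            findings.append(f"keyslot {sid}: PBKDF is {ks.get('PBKDF')}, expected argon2id")
    if len(info["keyslots"]) < 2:                      # the guide keeps a backup slot
        findings.append("only one key slot: add a recovery passphrase or keyfile")
    return findings
```

On a live host, pass the output of sudo cryptsetup luksDump /dev/sdb (captured with subprocess) to parse_dump instead of SAMPLE_DUMP.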
Open the Encrypted Volume
Opening maps the decrypted view to a device-mapper node under /dev/mapper/.
sudo cryptsetup open /dev/sdb cryptdata
Supply your passphrase when prompted. The mapped device is now /dev/mapper/cryptdata. The name cryptdata is arbitrary — pick something meaningful.
Create a Filesystem
Format the mapper device, not the raw block device.
sudo mkfs.ext4 /dev/mapper/cryptdata
Or use XFS or Btrfs if you prefer:
sudo mkfs.btrfs /dev/mapper/cryptdata
Mount and Use
sudo mkdir -p /mnt/secure
sudo mount /dev/mapper/cryptdata /mnt/secure
When finished, unmount and close the container:
sudo umount /mnt/secure
sudo cryptsetup close cryptdata
Persistent Mount with systemd-cryptsetup
To unlock and mount the volume at boot, edit two files: /etc/crypttab and /etc/fstab.
Get the UUID of the LUKS device
sudo cryptsetup luksUUID /dev/sdb
Use the UUID, not the device path — device paths change, UUIDs do not.
Add an entry to /etc/crypttab
# /etc/crypttab format: name source-device key-file options
cryptdata UUID=<your-uuid-here> none luks
Using none as the key-file means the system will prompt for the passphrase at boot. For unattended servers you would specify a keyfile path instead (see the key management section below).
Add an entry to /etc/fstab
/dev/mapper/cryptdata /mnt/secure ext4 defaults 0 2
Regenerate the initramfs so it knows about the encrypted root or additional devices:
# Debian / Ubuntu
sudo update-initramfs -u -k all
# Fedora / RHEL / Rocky
sudo dracut --force
# Arch (with mkinitcpio)
sudo mkinitcpio -P
Key Management
Add a keyfile for automated unlock
# Generate a 4 KB keyfile of random data
sudo dd if=/dev/urandom of=/etc/luks-keyfile bs=1k count=4
sudo chmod 400 /etc/luks-keyfile
# Add it to a free LUKS key slot (you'll be prompted for the existing passphrase)
sudo cryptsetup luksAddKey /dev/sdb /etc/luks-keyfile
Then update /etc/crypttab to reference /etc/luks-keyfile instead of none. Keep the passphrase slot active as a backup.
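A stale UUID or a keyfile that is readable by other users only shows up at the next boot, so it is worth checking that /etc/crypttab, /etc/fstab and the keyfile agree before rebooting. The following is an added example, not code from the guide: check_entries() works on file contents plus a set of UUIDs the host exposes, so it runs offline, while check_live() gathers the real inputs from /etc/crypttab, /etc/fstab and /dev/disk/by-uuid. The sample crypttab, fstab, UUIDs and keyfile modes are constructed.

```python
# Pre-reboot check: does /etc/crypttab agree with /etc/fstab, the UUIDs the
# host exposes and the key file permissions? Added example, not from the guide.
import os
# Constructed sample: the guide's entry, a stale UUID, and a world-readable keyfile.
SAMPLE_CRYPTTAB = """\
# name       source-device                              key-file          options
cryptdata    UUID=0f3a9c2e-1b7d-4e88-9a6c-3d2f1e0b5a77  /etc/luks-keyfile luks
cryptold     UUID=deadbeef-0000-0000-0000-000000000000  none              luks
"""
SAMPLE_FSTAB = "/dev/mapper/cryptdata /mnt/secure ext4 defaults 0 2\n"
SAMPLE_UUIDS = {"0f3a9c2e-1b7d-4e88-9a6c-3d2f1e0b5a77"}
SAMPLE_KEYFILES = {"/etc/luks-keyfile": (0o644, 0)}   # path -> (mode, uid)

def parse_crypttab(text):
    """Yield (name, source, keyfile) per entry; comments and blank lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            yield fields[0], fields[1], fields[2] if len(fields) > 2 else "none"

def check_entries(crypttab, fstab, known_uuids, keyfiles):
    """Return a list of problems; keyfiles maps path -> (mode, uid) for files that exist."""
    mounted = {ln.split()[0] for ln in fstab.splitlines() if ln.split() and not ln.startswith("#")}
    problems = []
    for name, source, keyfile in parse_crypttab(crypttab):
        if not source.startswith("UUID="):
            problems.append(f"{name}: use UUID=..., not the device path {source}")
        elif source[5:] not in known_uuids:
            problems.append(f"{name}: UUID {source[5:]} is not present on this host")
        if keyfile not in ("none", "-"):                  # "none"/"-" = prompt at boot
            if keyfile not in keyfiles:
                problems.append(f"{name}: keyfile {keyfile} does not exist")
            else:
                mode, uid = keyfiles[keyfile]
                if uid != 0 or mode & 0o077:              # group/other bits set
                    problems.append(f"{name}: keyfile {keyfile} is uid {uid} mode {mode:04o}; want root-owned 0400")
        if f"/dev/mapper/{name}" not in mounted:          # this guide mounts every volume via fstab
            problems.append(f"{name}: no fstab entry for /dev/mapper/{name}")
    return problems

def check_live(crypttab="/etc/crypttab", fstab="/etc/fstab", by_uuid="/dev/disk/by-uuid"):
    """Run the same checks on a real host (root is needed to stat the key files)."""
    with open(crypttab) as f, open(fstab) as g:
        ct, ft = f.read(), g.read()
    known = set(os.listdir(by_uuid)) if os.path.isdir(by_uuid) else set()
    keyfiles = {k: (os.stat(k).st_mode & 0o7777, os.stat(k).st_uid)
                for _, _, k in parse_crypttab(ct) if os.path.isfile(k)}
    return check_entries(ct, ft, known, keyfiles)
```

Run check_live() as root after editing the two files; an empty list means every entry resolves, every keyfile is root-only, and every mapper device has its fstab line.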
Add a second passphrase (backup access)
sudo cryptsetup luksAddKey /dev/sdb
Remove a key slot
# Remove the passphrase in slot 0 — make sure another slot still works first!
sudo cryptsetup luksKillSlot /dev/sdb 0
Back up the LUKS header
If the header is corrupted (disk damage, accidental overwrite), all data is permanently inaccessible. Back it up to a secure, separate location.
sudo cryptsetup luksHeaderBackup /dev/sdb --header-backup-file /safe/location/sdb-luks-header.bin
Store that file somewhere safe and encrypted — it contains enough information to brute-force your passphrase offline. Note also that a header backup freezes the key slots as they were when it was taken: a passphrase or keyfile you later remove with luksKillSlot will still unlock the device through the old backup, so take a fresh backup after every key change and destroy the previous one.
Verify the Setup
# Confirm the device is active and the mapper exists
sudo cryptsetup status cryptdata
# List all open LUKS devices
sudo dmsetup ls --target crypt
# Run a quick benchmark for your chosen cipher
sudo cryptsetup benchmark
Troubleshooting
- Boot drops to emergency shell asking for passphrase: The UUID in /etc/crypttab does not match the device. Run cryptsetup luksUUID /dev/sdX from a live environment and correct it, then rebuild the initramfs.
- "Device /dev/mapper/cryptdata already exists": The volume is already open. Run cryptsetup status cryptdata to confirm, or close it first with cryptsetup close cryptdata.
- Slow performance on older hardware: Confirm AES-NI is available with grep aes /proc/cpuinfo. If it is present but not being used, check your kernel version and ensure no software AES fallback is forced.
- "No key available with this passphrase": The passphrase is wrong, or the LUKS header is damaged. Try the header backup: cryptsetup open --header /safe/location/sdb-luks-header.bin /dev/sdb cryptdata.
- luksFormat wiped the wrong device: There is no undo. This is why you verify device names with lsblk before running any destructive command.
Frequently asked questions
- Can I encrypt a partition that already has data on it without wiping it?
- Not directly with LUKS — luksFormat overwrites the start of the device. You must back up the data, format with LUKS, create a new filesystem, and restore. Tools like cryptsetup-reencrypt can encrypt in-place on LUKS2, but it is slow, risky, and requires a full backup beforehand regardless.
- What is the difference between LUKS1 and LUKS2?
- LUKS2 adds Argon2id for key derivation (much stronger against brute-force than the PBKDF2 in LUKS1), a secondary header copy for redundancy, and support for authenticated encryption modes. Use LUKS2 unless your bootloader requires LUKS1, which is increasingly rare.
- Does LUKS encryption hurt performance?
- On hardware with AES-NI instructions (virtually all x86-64 CPUs from the last decade), the overhead is negligible — typically under 5% on sequential I/O. The bottleneck is almost always the storage device, not the cipher.
- How do I unlock a LUKS volume on another machine or from a live USB?
- Install cryptsetup on the live environment, then run cryptsetup open /dev/sdX cryptdata and supply the passphrase. Mount /dev/mapper/cryptdata as usual. The passphrase, not the machine, is what protects the data.
- Can I change my LUKS passphrase later?
- Yes. Use cryptsetup luksChangeKey /dev/sdX, which prompts for the existing passphrase and then the new one. This replaces the key in the current slot without touching other slots or re-encrypting the bulk data.