Skip to content

LUKS

LUKS definition

The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux.

While most disk encryption software implements different, incompatible, and undocumented formats, LUKS implements a platform-independent standard on-disk format for use in various tools. This not only facilitates compatibility and interoperability among different programs, but also assures that they all implement password management in a secure and documented manner.

The reference implementation for LUKS operates on Linux and is based on an enhanced version of cryptsetup, using dm-crypt as the disk encryption backend.

LUKS is designed to conform to the TKS1 secure key setup scheme.

LUKS Commands

We use the cryptsetup command to interact with LUKS partitions.

Header management

Get the disk header

cryptsetup luksDump /dev/sda3

Backup header

cryptsetup luksHeaderBackup --header-backup-file {{ file }} {{ device }}

Key management

Add a key

cryptsetup luksAddKey --key-slot 1 {{ luks_device }}

Change a key

cryptsetup luksChangeKey {{ luks_device }} -s 0

Test if you remember the key

Try to add a new key and cancel the process

cryptsetup luksAddKey --key-slot 3 {{ luks_device }}

Delete some keys

cryptsetup luksDump {{ device }}
cryptsetup luksKillSlot {{ device }} {{ slot_number }}

Delete all keys

cryptsetup luksErase {{ device }}

Encrypt hard drive

  • Configure LUKS partition
cryptsetup -y -v luksFormat /dev/sdg
  • Open the container
cryptsetup luksOpen /dev/sdg crypt
  • Fill it with zeros
pv -tpreb /dev/zero | dd of=/dev/mapper/crypt bs=128M
  • Make filesystem
    mkfs.ext4 /dev/mapper/crypt
    

LUKS debugging

Resource busy

  • Umount the lv first
lvscan
lvchange -a n {{ partition_name }}
  • Then close the luks device
cryptsetup luksClose {{ device_name }}

Last update: 2021-07-30