LUKS (Linux Unified Key Setup) is the standard for disk encryption on Linux. It sits on top of dm-crypt and provides a standardized on-disk format, multiple passphrases per volume, and secure key management. Whether you need to encrypt a data partition on a server, secure a laptop disk, or meet compliance requirements for data at rest, LUKS is the tool every Linux admin should know.
This guide covers encrypting partitions with LUKS2, managing keyslots, configuring automatic unlock at boot, and recovering from common problems.
Prerequisites
- Linux system with kernel 4.12+ (for LUKS2 and Argon2id support)
- cryptsetup 2.0+ installed
- Root or sudo access
- A spare partition or disk to encrypt (LUKS formatting is destructive)
- Backup of any data on the target device
LUKS vs Other Linux Encryption Options
Before diving in, here’s how LUKS compares to alternatives:
| Feature | LUKS/dm-crypt | eCryptfs | fscrypt | VeraCrypt |
|---|---|---|---|---|
| Scope | Full partition/disk | Per-directory | Per-directory | Full partition/container |
| Performance | Near-native (AES-NI) | Slower (stacked FS) | Near-native | Near-native |
| Key management | Up to 32 keyslots | Per-user wrapping | Per-directory keys | Single password |
| Boot encryption | Yes (with initramfs) | No | No | Yes (custom bootloader) |
| Standard on Linux | Yes (default) | Deprecated | Ext4/F2FS only | Cross-platform |
LUKS is the right choice for server partitions, full-disk encryption, and any scenario where you need multiple unlock methods (passphrase + key file + recovery key).
Encrypting a Partition with LUKS2
Step 1: Identify Your Target Device
```text
lsblk -f
NAME     FSTYPE   SIZE MOUNTPOINT
sda                100G
├─sda1   ext4       50G /
├─sda2   swap        4G [SWAP]
└─sda3              46G
```
In this example, /dev/sda3 is the unformatted partition we’ll encrypt. Double-check the device name — luksFormat will destroy all data on it.
Step 2: Install cryptsetup
On Debian/Ubuntu:
```bash
sudo apt update && sudo apt install -y cryptsetup
```
On RHEL/Fedora/AlmaLinux:
```bash
sudo dnf install -y cryptsetup
```
Verify the version supports LUKS2:
```bash
cryptsetup --version
```
You need version 2.0.0 or later. Any modern distribution from 2018 onward includes this.
Step 3: Initialize LUKS Encryption
```bash
sudo cryptsetup luksFormat --type luks2 /dev/sda3
```
You’ll see a confirmation prompt and be asked to set a passphrase:
```text
WARNING: Device /dev/sda3 already contains a 'ext4' superblock signature.

WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sda3:
Verify passphrase:
```
Choose a strong passphrase. This is your primary unlock method. If you lose it and have no backup keyslot, the data is gone — that’s the point of encryption.
What luksFormat does under the hood:
- Writes a LUKS2 header (16 MB by default) to the start of the partition
- Generates a random master key (256-bit AES by default)
- Encrypts the master key with a key derived from your passphrase via Argon2id (a memory-hard KDF that makes offline guessing of the passphrase expensive)
- Stores the encrypted master key in keyslot 0
Step 4: Open the Encrypted Volume
```bash
sudo cryptsetup open /dev/sda3 data_crypt
```
This prompts for your passphrase, then creates /dev/mapper/data_crypt — a virtual block device that transparently encrypts/decrypts all I/O.
Verify it’s open:
```bash
ls -la /dev/mapper/data_crypt
```
Step 5: Create a Filesystem and Mount
```bash
sudo mkfs.ext4 /dev/mapper/data_crypt
sudo mkdir -p /mnt/encrypted
sudo mount /dev/mapper/data_crypt /mnt/encrypted
```
Test it:
```bash
echo "Encryption works" | sudo tee /mnt/encrypted/test.txt
cat /mnt/encrypted/test.txt
```
The data is now encrypted at rest. Anyone who pulls the disk without the passphrase sees only random bytes.
Managing LUKS Keyslots
LUKS2 supports up to 32 keyslots. Each keyslot holds an independently encrypted copy of the master key. This means you can have multiple passphrases, key files, or recovery keys — all opening the same volume.
Add a Backup Passphrase
```bash
sudo cryptsetup luksAddKey /dev/sda3
```
You’ll enter the existing passphrase first, then the new one. This goes into the next available keyslot.
Add a Key File
Key files enable automated unlock (scripts, boot sequences) without typing a passphrase:
```bash
sudo dd if=/dev/urandom of=/root/luks-keyfile bs=4096 count=1
sudo chmod 400 /root/luks-keyfile
sudo cryptsetup luksAddKey /dev/sda3 /root/luks-keyfile
```
Store key files securely. If the key file is on the same unencrypted disk, it defeats the purpose. Keep it on a separate encrypted root partition or a hardware token.
List Keyslots
```bash
sudo cryptsetup luksDump /dev/sda3 | grep -A5 "Keyslots:"
```
For a cleaner view that lists only the keyslot numbers (a LUKS2 dump prints each slot as `N: luks2`; the older `grep "Key Slot"` pattern only matches LUKS1 headers):

```bash
sudo cryptsetup luksDump /dev/sda3 | grep -E '^\s+[0-9]+: luks2'
```
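As an added example (not from the original guide), the POSIX shell function below turns the keyslot section of `cryptsetup luksDump` output into a one-line-per-slot audit, so a slot added with a weaker PBKDF than the others stands out. The dump it runs on here is constructed to mimic a LUKS2 header with two keyslots; with a real device, pipe `luksDump` into it.

```shell
#!/bin/sh
# Audit LUKS2 keyslots from `cryptsetup luksDump` output read on stdin.
# Prints "<slot> <pbkdf> <memory-KiB>" per keyslot ("-" when the PBKDF has no
# memory parameter, as with pbkdf2). Real use:
#   sudo cryptsetup luksDump /dev/sda3 | luks2_keyslot_report
luks2_keyslot_report() {
    awk '
        /^Keyslots:/         { in_slots = 1; next }
        /^(Tokens|Digests):/ { in_slots = 0 }   # Digests section also prints "N: pbkdf2"
        in_slots && /^[ \t]+[0-9]+: luks2/ {
            slot = $1; sub(":", "", slot)
            order[n++] = slot; pbkdf[slot] = "?"; mem[slot] = "-"
        }
        in_slots && /^[ \t]+PBKDF:/  { pbkdf[slot] = $2 }
        in_slots && /^[ \t]+Memory:/ { mem[slot] = $2 }
        END { for (i = 0; i < n; i++) printf "%s %s %s\n", order[i], pbkdf[order[i]], mem[order[i]] }'
}

# Slots whose PBKDF is not argon2id (the LUKS2 default). Such a slot is the
# cheapest one for an attacker with the disk to brute-force; re-key it with
# `cryptsetup luksConvertKey --pbkdf argon2id` (see cryptsetup(8)).
luks2_weak_keyslots() {
    luks2_keyslot_report | awk '$2 != "argon2id" { print $1 }'
}

# Constructed sample (abridged): the shape of a LUKS2 dump with two keyslots.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
    PBKDF:      argon2id
    Time cost:  4
    Memory:     1048576
    Threads:    4
  1: luks2
    Key:        512 bits
    PBKDF:      pbkdf2
    Hash:       sha256
    Iterations: 2000000
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 120000'

printf '%s\n' "$SAMPLE_DUMP" | luks2_keyslot_report
```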
Remove a Keyslot
```bash
sudo cryptsetup luksRemoveKey /dev/sda3
```
Enter the passphrase you want to remove. Or remove by slot number:
```bash
sudo cryptsetup luksKillSlot /dev/sda3 1
```
Never remove all keyslots. If you remove the last one, the volume becomes permanently inaccessible. cryptsetup will warn you, but don’t rely on it.
Auto-Unlock LUKS at Boot
For server partitions that need to mount automatically, you have two options:
Option A: Key File on Root Partition
This works when the root partition is already encrypted (or is a trusted boot disk) and you want secondary partitions to unlock without a passphrase prompt.
- Create the key file (if you haven’t already):

  ```bash
  sudo dd if=/dev/urandom of=/root/luks-keyfile bs=4096 count=1
  sudo chmod 400 /root/luks-keyfile
  sudo cryptsetup luksAddKey /dev/sda3 /root/luks-keyfile
  ```

- Get the UUID of the LUKS partition:

  ```bash
  sudo blkid /dev/sda3
  ```

  ```text
  /dev/sda3: UUID="a1b2c3d4-e5f6-7890-abcd-ef1234567890" TYPE="crypto_LUKS"
  ```

- Add to /etc/crypttab:

  ```bash
  echo 'data_crypt UUID=a1b2c3d4-e5f6-7890-abcd-ef1234567890 /root/luks-keyfile luks' | sudo tee -a /etc/crypttab
  ```

- Add to /etc/fstab:

  ```bash
  echo '/dev/mapper/data_crypt /mnt/encrypted ext4 defaults 0 2' | sudo tee -a /etc/fstab
  ```

- Rebuild the initramfs:

  On Debian/Ubuntu:

  ```bash
  sudo update-initramfs -u
  ```

  On RHEL/Fedora:

  ```bash
  sudo dracut -f
  ```
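As an added pre-flight check (not from the guide), these POSIX shell helpers parse a `blkid` line, refuse a key file that is readable by anyone but its owner, and print the crypttab and fstab lines for review before you append them. Mapper name, mount point and key-file path are arguments you pass in; the blkid line is constructed with the guide's example UUID, and the mode check assumes GNU `stat`.

```shell
#!/bin/sh
# Pre-flight for Option A: derive the crypttab/fstab lines from blkid output
# and refuse to proceed when the key file is readable by group or others.
# Nothing here writes to /etc; pipe the output into `sudo tee -a` yourself.

# Print the UUID from one blkid line, only if the device is a LUKS container.
luks_uuid_from_blkid() {
    printf '%s\n' "$1" | awk '
        /TYPE="crypto_LUKS"/ && match($0, /UUID="[^"]+"/) {
            print substr($0, RSTART + 6, RLENGTH - 7); found = 1
        }
        END { exit !found }'
}

# Key file must be mode 0400 or 0600; anything wider hands the unlock secret
# to every local user, which defeats the encryption (GNU stat syntax).
keyfile_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Emit the two lines the guide appends. $1 mapper name, $2 blkid line,
# $3 key file path, $4 mount point, $5 filesystem type.
luks_autounlock_lines() {
    uuid=$(luks_uuid_from_blkid "$2") || { echo "not a crypto_LUKS device: $2" >&2; return 1; }
    keyfile_mode_ok "$3" || { echo "refusing: $3 is not mode 0400/0600" >&2; return 1; }
    printf '%s UUID=%s %s luks\n' "$1" "$uuid" "$3"
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$4" "$5"
}

# Constructed blkid line reusing the guide's example UUID.
SAMPLE_BLKID='/dev/sda3: UUID="a1b2c3d4-e5f6-7890-abcd-ef1234567890" TYPE="crypto_LUKS"'

# Demo with a throwaway key file so the script runs without root or a real disk.
demo_key=$(mktemp) && chmod 400 "$demo_key"
luks_autounlock_lines data_crypt "$SAMPLE_BLKID" "$demo_key" /mnt/encrypted ext4
rm -f "$demo_key"
```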
Option B: Passphrase Prompt at Boot
If you want the security of requiring a passphrase on every boot, add only this to /etc/crypttab:
```bash
echo 'data_crypt UUID=a1b2c3d4-e5f6-7890-abcd-ef1234567890 none luks' | sudo tee -a /etc/crypttab
```
The none keyword tells the system to prompt for a passphrase during boot. This is the default for encrypted root partitions.
Checking LUKS Volume Health
View Volume Details
```bash
sudo cryptsetup luksDump /dev/sda3
```
This shows the LUKS version, cipher, hash, keyslots, and header size. Useful for verifying encryption parameters.
Benchmark Encryption Performance
```text
cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDB2-sha256    1547453 iterations per second for 256-bit key
PBKDF2-sha512     987231 iterations per second for 256-bit key
Argon2id               8 iterations, 1048576 memory per thread for 256-bit key
#     Algorithm |       Key |      Encryption |      Decryption
        aes-xts        256b      3512.0 MiB/s      3498.7 MiB/s
        aes-xts        512b      2845.3 MiB/s      2830.1 MiB/s
```
With AES-NI hardware acceleration (present on any modern x86 CPU), you’ll see throughput of 2-3 GB/s — encryption adds negligible overhead.
Back Up the LUKS Header
If the LUKS header is corrupted (bad sectors, accidental overwrite), you lose access to the entire volume. Always back it up:
```bash
sudo cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file /root/sda3-luks-header.bak
```
Store this backup off-system — on a USB drive, secure network share, or vault. Anyone with the header backup and a valid passphrase can decrypt the volume.
Restore it if needed:
```bash
sudo cryptsetup luksHeaderRestore /dev/sda3 --header-backup-file /root/sda3-luks-header.bak
```
Closing and Unmounting
When you’re done, cleanly unmount and close the volume:
```bash
sudo umount /mnt/encrypted
sudo cryptsetup close data_crypt
```
The partition is now locked. The data on /dev/sda3 is inaccessible until you open it again with the correct passphrase or key file.
Troubleshooting
“Device /dev/sda3 is in use” when trying to format: The partition is mounted or held by another process. Run lsof /dev/sda3 or fuser -mv /dev/sda3 to find what’s using it.
Boot hangs waiting for passphrase: If you added a LUKS volume to /etc/crypttab without a key file and the volume isn’t critical, add nofail to the options: data_crypt UUID=... none luks,nofail. This lets boot continue after a timeout.
“No key available with this passphrase”: Either wrong passphrase, or the keyslot was removed. Try all passphrases you’ve set. If none work, restore from a header backup.
Slow luksFormat on large disks: The formatting itself is fast (it only writes the header). If you want to wipe the partition first so old plaintext and the future ciphertext are indistinguishable, map it in plain mode with a throwaway random key and fill it with zeros through the mapping; the zeros land on disk as random-looking ciphertext. Run the three commands separately rather than chaining them with `&&`, because dd exits non-zero when it hits the end of the device and a chained close would never run:

```bash
sudo cryptsetup open --type plain -d /dev/urandom /dev/sda3 wipe
sudo dd if=/dev/zero of=/dev/mapper/wipe bs=1M status=progress
sudo cryptsetup close wipe
```

Cannot resize encrypted partition: Close the volume, resize the underlying partition with parted or fdisk, then open it again and run cryptsetup resize on the mapped device (for example cryptsetup resize data_crypt) so the mapping covers the new size; the filesystem inside still needs its own resize afterwards (resize2fs for ext4).
Summary
- LUKS2 is the Linux standard for disk encryption — use `cryptsetup luksFormat --type luks2` to encrypt any partition
- The encryption is transparent: once opened with `cryptsetup open`, all reads and writes are automatically encrypted/decrypted
- LUKS supports up to 32 keyslots — use multiple passphrases and key files for flexibility and recovery
- Auto-unlock at boot via `/etc/crypttab` with a key file stored on an encrypted root partition
- Always back up the LUKS header with `luksHeaderBackup` — header corruption means total data loss
- Performance overhead is negligible on modern CPUs with AES-NI hardware acceleration
- You cannot encrypt a partition in-place — always back up data before running `luksFormat`