Install LUKS and Create an Encrypted LUKS Partition on Debian

Today’s plan is to install Linux Unified Key Setup (LUKS) software and create an encrypted LUKS volume. The picture I found on some time ago somehow seemed very appropriate to illustrate the post.

General disclaimer applies, no liability will be accepted for any loss or damage, use at your own risk and do frequent backups!

It is strongly advised to read the cryptsetup FAQ first.


We’ll be using a Debian Wheezy server:

# uname -rv
3.2.0-4-amd64 #1 SMP Debian 3.2.51-1

Update packages list and install cryptsetup:

# apt-get update && apt-get install cryptsetup

Load the dm_crypt kernel module:

# modprobe dm_crypt

Install pv for progress monitoring; it will be used later when the volume is overwritten:

# apt-get install pv

Setup LUKS Partition

Our disk partition table looks like this:

# fdisk -l | grep -i "/dev/sd"
Disk /dev/sda: 32.0 GB, 32017047552 bytes
/dev/sda1 * 2048 60547071 30272512 fd Linux RAID autodetect
/dev/sda2 60547072 62531583 992256 82 Linux swap / Solaris
Disk /dev/sdb: 32.0 GB, 32015965696 bytes
/dev/sdb1 * 2048 60547071 30272512 fd Linux RAID autodetect
/dev/sdb2 60547072 62531182 992055+ 83 Linux

We’ll be setting up a LUKS volume on the 1GB /dev/sdb2 partition.

Create LUKS Partition

We want to verify the passphrase by asking for it twice (-y), use verbose mode (-v) and set the cipher string explicitly (-c):

# cryptsetup -v -y -c "aes-cbc-essiv:sha256" luksFormat /dev/sdb2
This will overwrite data on /dev/sdb2 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

[UPDATE]: release 1.6.0 of cryptsetup changed the default to AES in XTS mode. Using the previous default cipher, aes-cbc-essiv, is advised against because of its known issues and the practical attacks against it.

Create a LUKS partition with AES-XTS using the plain64 IV generator (which, unlike essiv, takes no hash suffix), a 512-bit key (two 256-bit AES keys), SHA-512 for the passphrase key derivation, a 5-second iteration time and /dev/random for the master key:

# cryptsetup -v -y --cipher aes-xts-plain64 \
  --key-size 512 --hash sha512 --iter-time 5000 \
  --use-random luksFormat /dev/sdb2

Unlock LUKS Partition

Having the partition created, we need to unlock it:

# cryptsetup luksOpen /dev/sdb2 data
Enter passphrase for /dev/sdb2:

The above command creates the device-mapper node /dev/mapper/data, a plaintext view of the partition: anything written to it is encrypted before it reaches /dev/sdb2.

Format LUKS Volume and Create a Filesystem

We will overwrite the LUKS volume with zeros so that the underlying partition holds only ciphertext and the outside world sees it as random data – this protects against disclosure of usage patterns, such as how much of the disk is actually in use:

# pv -tpreb /dev/zero | dd of=/dev/mapper/data bs=1M
dd: writing `/dev/mapper/data': No space left on device
 966MB 0:00:58 [16.6MB/s] 
0+7729 records in
0+7728 records out
1012924416 bytes (1.0 GB) copied, 70.8432 s, 14.3 MB/s

Once the overwrite completes, we can create an ext4 filesystem:

# mkfs.ext4 /dev/mapper/data -L data
mke2fs 1.42 (29-Nov-2011)
Filesystem label=data
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
61824 inodes, 247296 blocks
12364 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=255852544
8 block groups
32768 blocks per group, 32768 fragments per group
7728 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376

Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done

Mount LUKS Volume

Create a new mountpoint for the LUKS volume first:

# mkdir /data

Mount the volume:

# mount /dev/mapper/data /data

The LUKS volume can be unmounted and closed with:

# umount /data
# cryptsetup luksClose /dev/mapper/data
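The steps above (luksFormat, luksOpen, wipe, mkfs, mount) as one POSIX shell script, added here as an example rather than taken from the original post. It adds two checks a practitioner wants before trusting the result: refusing a device that appears in the mount table, and confirming after luksOpen that the mapping really uses the requested cipher and key size by parsing the output of cryptsetup status. The function names (device_in_use, luks_format, check_mapping_cipher, setup_luks_volume) are assumptions; the cryptsetup parameters are the post's own.

```shell
#!/bin/sh
# Added example, not from the original post: the post's steps as functions,
# with a mount-table check before luksFormat and a cipher check after luksOpen.
# Function names are assumed; cryptsetup parameters are the post's own.

# Exit 0 if DEV is the source of any entry in the mount table.
# The table defaults to /proc/mounts; a second argument names another file.
device_in_use() {
    dev=$1; mounts=${2:-/proc/mounts}
    awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' "$mounts"
}

# AES-XTS with a 512-bit key (two 256-bit AES keys), SHA-512 in PBKDF2,
# 5 s iteration time and /dev/random for the master key.
luks_format() {
    cryptsetup -v -y --cipher aes-xts-plain64 --key-size 512 \
        --hash sha512 --iter-time 5000 --use-random luksFormat "$1"
}

# Read "cryptsetup status NAME" output on stdin; exit 0 only if the mapping
# really uses aes-xts-plain64 with a 512-bit key.
check_mapping_cipher() {
    awk '$1 == "cipher:"  && $2 == "aes-xts-plain64" { c = 1 }
         $1 == "keysize:" && $2 == "512"             { k = 1 }
         END { exit !(c && k) }'
}

# setup_luks_volume DEV NAME MOUNTPOINT, e.g. /dev/sdb2 data /data (run as root)
setup_luks_volume() {
    dev=$1; name=$2; mnt=$3
    if device_in_use "$dev"; then
        echo "refusing to format $dev: it is mounted" >&2; return 1
    fi
    luks_format "$dev" || return 1
    cryptsetup luksOpen "$dev" "$name" || return 1
    cryptsetup status "$name" | check_mapping_cipher || {
        echo "$name is not aes-xts-plain64 with a 512-bit key, aborting" >&2
        cryptsetup luksClose "$name"; return 1; }
    # Fill the mapping with zeros so the disk holds only ciphertext. dd is
    # expected to end with "No space left on device", so its status is ignored.
    pv -tpreb /dev/zero | dd of="/dev/mapper/$name" bs=1M 2>/dev/null
    mkfs.ext4 -L "$name" "/dev/mapper/$name" || return 1
    mkdir -p "$mnt" && mount "/dev/mapper/$name" "$mnt"
}
```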

Next thing on the list: add a backup key and back up the LUKS header.
