Encrypting data partitions using LUKS

To encrypt a Linux partition using Linux Unified Key Setup (LUKS).


  1. Install the cryptsetup-luks package. This package contains cryptsetup utility used for setting up encrypted file systems. To install cryptsetup-luks, follow these steps:

    On RHEL or Cent OS, run:

    # yum install cryptsetup-luks

    On Ubuntu or Debian, run:

    # apt-get install cryptsetup
  2. Configure LUKS partition.
    1. Get the list of all the partitions using following command:
      # fdisk -l
      # blkid
    2. Use the cryptsetup luksFormat command to set up the partition for encryption. The example below uses the cryptsetup luksFormat command to encrypt the /dev/xvdc partition.
      # cryptsetup -y -v luksFormat /dev/xvdc
      Note: The above command will remove all data on the partition that you are encrypting.
    3. Create a logical device-mapper device, mounted to the LUKS-encrypted partition. In the example below, backup2 is the user given name of the mapping name for the opened LUKS partition.
      # cryptsetup luksOpen /dev/xvdc backup2
      Enter passphrase for /dev/xvdc:
      Note: This command initializes the volume, and sets an initial key or passphrase. Please note that the passphrase is not recoverable.
    4. You can use the following command to view the mapping details:
      # ls -l /dev/mapper/backup2
      lrwxrwxrwx 1 root root 7 Oct 19 19:37 /dev/mapper/backup2 -> ../dm-0
    5. You can use the following command to view the status of the mapping:
      # cryptsetup -v status backup2
      /dev/mapper/backup2 is active.
      type:    LUKS1
      cipher:  aes-cbc-essiv:sha256
      keysize: 256 bits
      device:  /dev/xvdc
      offset:  4096 sectors
      size:    419426304 sectors
      mode:    read/write
      Command successful. 
    6. Use the cryptsetup luksDump command to check that the device has been formatted for encryption successfully:
      # cryptsetup luksDump /dev/xvdc
  3. Format LUKS partition.
    1. Write zeros to the LUKS-encrypted partition using the following command:
      # dd if=/dev/zero of=/dev/mapper/backup2
      This command will allocate block data with zeros. This ensures that outside world will see this as random data i.e. it protect against disclosure of usage patterns.
      Note: The dd command may take many hours to complete. It is recommended that you use pv command to monitor the progress:
      # pv -tpreb /dev/zero | dd of=/dev/mapper/backup2 bs=128M
    2. Format the new partition with your favorite file system. The following example used the ext4 file system:
      # mkfs.ext4 /dev/mapper/backup2
    3. Mount the new file system. The example below mounts the new file system at /backup2.
      # mkdir /backup2
      # mount /dev/mapper/backup2 /backup2
      # df -H
      # cd /backup2
      # ls -l