Full disk encryption (FDE) protects your data if your laptop is stolen or seized: without the passphrase, the drive contents are cryptographically inaccessible. LUKS (Linux Unified Key Setup) is the standard disk encryption format on Linux, built on top of the dm-crypt kernel subsystem. This guide covers enabling LUKS encryption during Ubuntu/Debian installation and manually setting up an encrypted partition afterwards (the manual path creates a fresh container, so it wipes that partition).
What LUKS Protects Against
FDE with LUKS protects against:
- Physical theft — a stolen laptop’s drive contains only ciphertext
- Cold boot attacks: only while the machine is fully powered off. While it runs or sleeps (suspend-to-RAM) the volume key is in RAM and can be recovered by dumping memory, so shut down, or hibernate with encrypted swap, before leaving the laptop unattended
- Forensic imaging — disk images are useless without the key
LUKS does not protect against:
- Attacks on the running system: once the passphrase has been entered the volume key is in kernel memory and every process with read access to your files, let alone root, sees plaintext; FDE is not a substitute for OS hardening
- Evil maid attacks: someone with physical access while the system is off can modify the unencrypted bootloader or kernel to capture your passphrase at the next unlock (mitigated by Secure Boot plus TPM-measured boot; see the boot section below)
- Weak passphrases: LUKS2's default Argon2id key derivation slows guessing, but a short or dictionary passphrase is still the cheapest way in
Option 1: Enable During Ubuntu Installation (Recommended)
The cleanest approach is enabling FDE during OS installation.
- Boot the Ubuntu 24.04 LTS installer USB
- Select language and keyboard
- At the Installation type screen, select Advanced features → Use LVM with the new Ubuntu installation → Check Encrypt the new Ubuntu installation for security (menu labels vary slightly between installer releases; look for the LVM plus encryption option)
- Click Install Now
- You’ll be prompted to set a Security key (your LUKS passphrase)
Choose a strong passphrase. Length matters more than symbol mix, so prefer five or more randomly chosen words (diceware style) over a short string of substitutions, and never use a well-known example such as correct-horse-battery-staple, which is in every cracking wordlist. Stick to characters that sit in the same place on the US and your local keyboard layout: the early-boot prompt may not have your layout loaded yet.
The installer handles everything: creating the encrypted LVM volume, generating the LUKS header, and configuring initramfs to prompt for the passphrase at boot.
Option 2: Manual LUKS Encryption (Existing System or Custom Setup)
This approach gives more control and works on Debian, Arch, or any distro.
Prerequisites
Boot from a live USB (Ubuntu Live, SystemRescue, Kali). A partition cannot be encrypted while it is mounted, so the root filesystem of an installed system has to be done from a live environment. The steps below wipe the partition and create an empty container; converting a partition in place while keeping its data is a separate LUKS2 procedure (cryptsetup reencrypt with --encrypt) that still needs a full backup and free space for the header.
Install Required Tools
sudo apt install cryptsetup lvm2   # Debian/Ubuntu live media; on other distros install the same two packages with their package manager
Identify Your Target Drive
lsblk
# Look for your drive, e.g., /dev/sda or /dev/nvme0n1
sudo fdisk -l /dev/nvme0n1
Warning: The following steps erase all data on the target partition. Back up first.
Create the LUKS Container
# Initialize LUKS encryption on the partition
sudo cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/nvme0n1p2
You'll be asked to confirm (type YES in uppercase) and enter your passphrase. Check lsblk once more before pressing Enter: a wrong partition number here destroys the wrong partition with no undo.
Parameter explanation:
- aes-xts-plain64: AES in XTS mode with plain64 IVs, the standard for disk encryption
- --key-size 512: XTS uses two keys, so 512 bits means AES-256 (256 would give AES-128)
- --hash sha512: the hash used inside the header for the anti-forensic splitter and key digest. With LUKS2's default Argon2id PBKDF it is not what stretches the passphrase; that is governed by --pbkdf, --pbkdf-memory and --iter-time, whose defaults are calibrated to about two seconds on the formatting machine
These values match current cryptsetup defaults for LUKS2; spelling them out pins them across versions.
Open the LUKS Container
sudo cryptsetup luksOpen /dev/nvme0n1p2 encrypted_root
# Creates /dev/mapper/encrypted_root (luksOpen is the older spelling of "cryptsetup open"; both work)
Create a Filesystem on the Mapped Device
sudo mkfs.ext4 /dev/mapper/encrypted_root
# Or use btrfs for modern features:
sudo mkfs.btrfs /dev/mapper/encrypted_root
Mount and Install
sudo mount /dev/mapper/encrypted_root /mnt
# Proceed with OS installation targeting /mnt
The installed system must be able to find its root at boot: it needs an /etc/crypttab entry naming the container by UUID and an initramfs rebuilt with cryptsetup support (the cryptsetup-initramfs package on Debian/Ubuntu, the encrypt or sd-encrypt hook on Arch). Without both, the first reboot stops at an emergency shell because the root device never appears.
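The following script is an added example, not part of the original guide: it carries the manual procedure through to the crypttab and fstab wiring the new system needs, rehearsed on a file-backed image so a mistyped device name cannot wipe a real disk. It assumes cryptsetup 2.x, util-linux (losetup, blkid) and root privileges for the rehearsal; the image path, mapper name and passphrase are constructed lab values.

```shell
#!/bin/sh
# Added example (not from the original guide): manual LUKS2 setup plus the
# crypttab/fstab entries, rehearsed on a loop-backed file.
# Assumptions: cryptsetup 2.x, losetup/blkid, root when LUKS_LAB_RUN=1.
# IMG, MAPPER and LUKS_LAB_PASS are constructed names for the lab.
set -eu

# crypttab line: <name> <source by UUID> <keyfile or "none" = prompt> <options>.
# The UUID is the LUKS container's, not the filesystem's inside it.
crypttab_line() {
    printf '%s UUID=%s none %s\n' "$1" "$2" "${3:-luks}"
}

# fstab line for the opened mapping; the mapper name is stable across reboots,
# unlike /dev/sdX. "0 1" = no dump, fsck first.
fstab_line() {
    printf '/dev/mapper/%s %s %s defaults 0 1\n' "$1" "$2" "$3"
}

# Sanity check before writing: the container must be referenced by UUID.
# Device paths move when a USB disk is plugged in, leaving the initramfs
# waiting for a device that is now called something else.
crypttab_line_ok() {
    case "$1" in
        *" UUID="????????-????-????-????-????????????" "*) return 0 ;;
        *) return 1 ;;
    esac
}

rehearse() {
    IMG=${IMG:-/tmp/luks-lab.img}
    MAPPER=${MAPPER:-luks_lab}
    PASS=${LUKS_LAB_PASS:-rehearsal-only-passphrase}   # constructed, lab only
    truncate -s 64M "$IMG"
    LOOP=$(losetup --find --show "$IMG")
    # Same cipher and key size as the guide. The PBKDF flags keep the lab
    # fast; never weaken the KDF like this on a real disk.
    printf '%s' "$PASS" | cryptsetup luksFormat --type luks2 --batch-mode \
        --cipher aes-xts-plain64 --key-size 512 \
        --pbkdf argon2id --pbkdf-memory 65536 --pbkdf-force-iterations 4 \
        "$LOOP" -
    printf '%s' "$PASS" | cryptsetup open --key-file - "$LOOP" "$MAPPER"
    mkfs.ext4 -q "/dev/mapper/$MAPPER"
    UUID=$(blkid -s UUID -o value "$LOOP")              # LUKS container UUID
    # "discard" passes TRIM through; it leaks which blocks are unused, a
    # trade-off most laptop users accept for SSD health.
    CRYPT=$(crypttab_line cryptroot "$UUID" luks,discard)
    crypttab_line_ok "$CRYPT"
    echo "would append to /etc/crypttab: $CRYPT"
    echo "would append to /etc/fstab:    $(fstab_line cryptroot / ext4)"
    echo "then, inside the new system: update-initramfs -u   (Debian/Ubuntu)"
    cryptsetup close "$MAPPER"
    losetup -d "$LOOP"
    rm -f "$IMG"
}

# Run the rehearsal only when explicitly asked: LUKS_LAB_RUN=1 sudo sh luks-lab.sh
if [ "${LUKS_LAB_RUN:-0}" = 1 ]; then
    rehearse
fi
```

Run it once against the loop image, then reuse the two generated lines (with the real container's UUID from blkid) when you chroot into the new system and rebuild the initramfs.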
Checking LUKS Status
On a running encrypted system:
# Show LUKS info for a device
sudo cryptsetup luksDump /dev/nvme0n1p2
# Check if a device is LUKS encrypted
sudo cryptsetup isLuks /dev/nvme0n1p2 && echo "Yes" || echo "No"
# Show open LUKS mappings
ls /dev/mapper/
Managing LUKS Keys
LUKS2 provides 32 key slots (LUKS1 had 8), each holding the same volume key wrapped under a different passphrase or key file. Use them for a recovery passphrase, a second user, or automated unlocking of a secondary volume; killing a slot revokes that one credential without re-encrypting the disk.
Adding a Backup Passphrase
sudo cryptsetup luksAddKey /dev/nvme0n1p2
# Enter existing passphrase, then set the new passphrase
Adding a Key File (for Automated Unlocking)
A key file only helps where something can read it before the volume opens: typically a second LUKS volume (data disk, swap) unlocked from /etc/crypttab after the encrypted root is up. A key file stored on the encrypted root cannot unlock that root itself, and copying it into an unencrypted /boot or initramfs hands the key to anyone holding the disk.
Create a random key file:
sudo dd if=/dev/urandom of=/root/luks-keyfile bs=4096 count=1
sudo chmod 600 /root/luks-keyfile
sudo cryptsetup luksAddKey /dev/nvme0n1p2 /root/luks-keyfile
# The secondary volume is then listed in /etc/crypttab with /root/luks-keyfile in the key-file field
Removing a Key Slot
# List key slots (LUKS2 prints a "Keyslots:" section; LUKS1 prints "Key Slot N: ENABLED" lines)
sudo cryptsetup luksDump /dev/nvme0n1p2 | sed -n '/^Keyslots:/,/^Tokens:/p'
# Kill a specific slot; you are asked for a passphrase belonging to a different slot, so you cannot lock yourself out by accident unless you add -q, which skips that check
sudo cryptsetup luksKillSlot /dev/nvme0n1p2 1
Before killing a slot, confirm that the credential you are keeping actually works (open the device with it, or check it with --test-passphrase). The number luksKillSlot takes is the slot index shown by luksDump, not the order in which keys were added.
LUKS Header Backup
The LUKS header holds the encrypted volume key and every key slot. If it is corrupted (disk damage, a power cut during a key change) or overwritten by a careless partitioning tool, the data is permanently unrecoverable even with the right passphrase. LUKS2 keeps a second copy of its metadata, which helps against partial damage but not against a wipe.
Always back up the LUKS header:
sudo cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file /secure-backup/luks-header-backup.img
Store this backup securely: on a USB drive kept physically separate from the encrypted device, or encrypted on another system. A header backup is as sensitive as the header itself, and it freezes the key slots as they were: a passphrase you later revoke with luksKillSlot still unlocks the backup, so take a fresh backup after every key change and destroy the superseded copies.
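The script below is an added example, not part of the original guide, and serves the status-check, key-slot and header-backup sections together: it parses luksDump output to list active slots and flag PBKDF2 ones, rotates a slot without ever leaving the container with zero working credentials, and then re-takes the header backup because the old one still carries the revoked slot. It assumes cryptsetup 2.x; the two dumps embedded in it are constructed samples in the shape luksDump prints, trimmed to the lines the parser reads.

```shell
#!/bin/sh
# Added example (not from the original guide): key-slot audit and safe
# rotation. Assumes cryptsetup 2.x. SAMPLE_* are constructed luksDump
# excerpts; LUKS_DEV / LUKS_OLD_SLOT are names chosen here.
set -eu

# Prints "<slot> <pbkdf>" for every active slot. Handles LUKS2 ("Keyslots:"
# section, one "PBKDF:" line per slot) and LUKS1 ("Key Slot N: ENABLED",
# which is always PBKDF2).
luks_slots() {
    awk '
        /^Keyslots:/                        { in_slots = 1; next }
        /^(Tokens|Digests):/                { in_slots = 0 }
        in_slots && /^[ \t]*[0-9]+: luks2/  { sub(/:/, "", $1); slot = $1; next }
        in_slots && /^[ \t]*PBKDF:/         { print slot, $2; next }
        /^Key Slot [0-9]+: ENABLED/         { sub(/:/, "", $3); print $3, "pbkdf2" }
    '
}

# Slots stretched with PBKDF2 instead of memory-hard Argon2id (typical after
# a LUKS1 -> LUKS2 convert). Harmless for a random keyfile, worth
# re-enrolling for a human passphrase.
pbkdf2_slots() {
    luks_slots | awk '$2 == "pbkdf2" { print $1 }'
}

active_slot_count() {
    luks_slots | wc -l | tr -d ' '
}

SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
UUID:           2f1a4c3e-9b8d-4e6f-a1b2-c3d4e5f60718

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

SAMPLE_LUKS1_DUMP='LUKS header information for /dev/sdb2
Version:        1
Key Slot 0: ENABLED
        Iterations:             1000000
Key Slot 1: DISABLED
Key Slot 2: ENABLED
        Iterations:             1000000'

# Replace OLD_SLOT's credential with a new random keyfile. luksAddKey prompts
# for an existing passphrase; --test-passphrase checks the new keyfile against
# the header without mapping anything; luksKillSlot asks for a passphrase from
# a remaining slot before wiping the old one. set -e aborts at the first
# failure, so the old slot is only killed once the new key is proven.
rotate_slot() {
    dev=$1; old_slot=$2; keyfile=$3; backup=$4
    umask 077
    dd if=/dev/urandom of="$keyfile" bs=4096 count=1 status=none
    cryptsetup luksAddKey "$dev" "$keyfile"
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev"
    cryptsetup luksKillSlot "$dev" "$old_slot"
    # The previous backup still opens with the revoked credential: replace it
    # and shred the superseded copy wherever it lives.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    cryptsetup luksDump "$backup" | luks_slots          # the backup parses and lists the new slot set
}

printf 'LUKS2 sample: %s active slot(s), PBKDF2 in slot(s): %s\n' \
    "$(printf '%s\n' "$SAMPLE_LUKS2_DUMP" | active_slot_count)" \
    "$(printf '%s\n' "$SAMPLE_LUKS2_DUMP" | pbkdf2_slots | tr '\n' ' ')"

# Real rotation only on request, e.g.:
#   LUKS_DEV=/dev/nvme0n1p2 LUKS_OLD_SLOT=1 sudo -E sh luks-rotate.sh
if [ -n "${LUKS_DEV:-}" ]; then
    rotate_slot "$LUKS_DEV" "${LUKS_OLD_SLOT:?}" /root/luks-keyfile.new "/root/luks-header-$(date +%F).img"
fi
```

On a real device, pipe `sudo cryptsetup luksDump /dev/nvme0n1p2` into luks_slots to get the same one-line-per-slot view; the order add, test, kill is the whole point, and it is the order the guide's standalone luksKillSlot command skips.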
Performance Impact
LUKS with AES-XTS is hardware-accelerated on any CPU with AES instructions (AES-NI on Intel and AMD, the crypto extensions on ARMv8). The overhead is usually a few percent on everyday workloads and shows up mainly in sequential throughput on fast NVMe drives, where the per-core cipher rate can become the limit.
Check for hardware acceleration:
grep -m1 -ow aes /proc/cpuinfo   # prints "aes" if the flag is present (-w avoids matching the unrelated vaes flag)
Test encryption speed:
cryptsetup benchmark
Output shows throughput for various ciphers — AES-XTS 512b typically achieves 3,000–10,000+ MB/s with hardware acceleration.
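The CPU flag says the instructions exist; whether dm-crypt uses them depends on which xts(aes) implementation the kernel registered, and /proc/crypto lists every implementation with a priority (the kernel picks the highest). The check below is an added example, not part of the original guide: the /proc/crypto excerpts in it are constructed samples, and the driver-name heuristic is an assumption based on the in-tree names (aesni on x86, vaes for the AVX variants, -ce for the ARMv8 crypto extensions).

```shell
#!/bin/sh
# Added example (not from the original guide): which xts(aes) driver will
# dm-crypt get? SAMPLE_PROC_CRYPTO_* are constructed /proc/crypto excerpts;
# the hardware-name patterns are an assumption about in-tree driver names.
set -eu

# stdin: /proc/crypto text. Prints the driver the kernel prefers for xts(aes),
# i.e. the registered implementation with the highest priority.
xts_aes_driver() {
    awk -v RS= -F '\n' '
        BEGIN { best = -1; best_driver = "" }
        {
            name = ""; driver = ""; prio = -1
            for (i = 1; i <= NF; i++) {
                split($i, kv, /[ \t]*:[ \t]*/)
                if (kv[1] == "name") name = kv[2]
                else if (kv[1] == "driver") driver = kv[2]
                else if (kv[1] == "priority") prio = kv[2] + 0
            }
            if (name == "xts(aes)" && prio > best) { best = prio; best_driver = driver }
        }
        END { if (best_driver != "") print best_driver }
    '
}

# Returns 0 if the preferred driver is a hardware-backed one, 1 otherwise.
aes_hw_accelerated() {
    case "$(xts_aes_driver)" in
        *aesni*|*vaes*|*-ce|*-ce-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: both implementations registered, aesni wins on priority.
SAMPLE_PROC_CRYPTO_HW='name         : xts(aes)
driver       : xts-aes-aesni
module       : aesni_intel
priority     : 401
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher

name         : xts(aes)
driver       : xts(ecb(aes-generic))
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher'

# Constructed sample: aesni_intel not loaded, only the generic C path.
SAMPLE_PROC_CRYPTO_SW='name         : xts(aes)
driver       : xts(ecb(aes-generic))
module       : kernel
priority     : 100
type         : skcipher'

if [ -r /proc/crypto ]; then
    drv=$(xts_aes_driver < /proc/crypto)
    if [ -z "$drv" ]; then
        echo "xts(aes) not instantiated yet: the kernel registers it on first use (open a LUKS volume or run cryptsetup benchmark)"
    elif aes_hw_accelerated < /proc/crypto; then
        echo "dm-crypt will use $drv: hardware AES"
    else
        echo "dm-crypt will use $drv: software AES, expect far lower cryptsetup benchmark numbers"
    fi
fi
```

If the live system reports the generic driver despite the aes CPU flag, the usual cause is the aesni_intel module being blacklisted or missing from the initramfs.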
Securing the Boot Process
LUKS encryption protects data at rest, but the bootloader and kernel in /boot (and the EFI system partition) are typically unencrypted. An attacker with physical access can replace them with versions that log your passphrase and then boot normally.
Mitigations:
- Encrypt /boot too: GRUB can unlock a LUKS2 container since 2.06, but upstream support has historically required a PBKDF2 key slot rather than Argon2id, so check your distribution's GRUB before converting. The EFI binary that loads GRUB stays in the clear either way
- Enable Secure Boot: the firmware refuses unsigned or tampered bootloaders and kernels, which is what turns a /boot modification into a boot failure instead of a silent keylogger
- Bind the key to the TPM with systemd-cryptenroll: the TPM releases the key only when the measured boot chain (PCR 7 for the Secure Boot state) matches what was enrolled, so a modified bootloader simply fails to unlock. Add --tpm2-with-pin=yes so that a thief who powers the laptop on still faces a prompt, and keep a passphrase slot for the day a firmware update changes the PCR values
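The enrollment below is an added example, not part of the original guide or of systemd's documentation: it binds a slot to PCR 7 with a PIN and refuses to finish unless a passphrase or recovery-key slot remains, since a TPM-only container is lost the first time PCR 7 changes. It assumes systemd 251 or newer, a TPM 2.0, and an initramfs that includes systemd-cryptsetup (verify yours: Debian/Ubuntu initramfs-tools may not ship it); the enrollment table it parses is a constructed sample of what `systemd-cryptenroll <device>` prints.

```shell
#!/bin/sh
# Added example (not from the original guide): TPM2-bound unlock with a PIN
# and a mandatory recovery credential. Assumes systemd >= 251 and TPM 2.0;
# SAMPLE_ENROLLMENT* are constructed listings; LUKS_DEV is a name chosen here.
set -eu

# stdin: the SLOT/TYPE table from `systemd-cryptenroll DEV`. Prints one
# slot type per line, skipping the header.
enrollment_types() {
    awk 'NR > 1 && NF >= 2 { print $2 }'
}

# A passphrase or recovery-key slot must remain: a firmware update that
# changes PCR 7 would otherwise lock the disk for good.
has_recovery_slot() {
    enrollment_types | grep -qx -e password -e recovery
}

has_tpm2_slot() {
    enrollment_types | grep -qx tpm2
}

# crypttab options for auto-unlock: tpm2-device=auto makes systemd-cryptsetup
# try the TPM (asking for the PIN) and fall back to the passphrase prompt.
tpm2_crypttab_line() {
    printf '%s UUID=%s none luks,discard,tpm2-device=auto\n' "$1" "$2"
}

SAMPLE_ENROLLMENT='SLOT TYPE
   0 password
   1 tpm2'

SAMPLE_ENROLLMENT_TPM_ONLY='SLOT TYPE
   1 tpm2'

enroll() {
    dev=$1
    # --wipe-slot=tpm2 first drops any stale binding (e.g. from before a
    # firmware update); PCR 7 = Secure Boot policy and enrolled keys.
    systemd-cryptenroll --wipe-slot=tpm2 \
        --tpm2-device=auto --tpm2-pcrs=7 --tpm2-with-pin=yes "$dev"
    systemd-cryptenroll "$dev" | has_recovery_slot || {
        echo "no passphrase/recovery slot left; enroll one before rebooting" >&2
        return 1
    }
    uuid=$(cryptsetup luksUUID "$dev")
    echo "crypttab line: $(tpm2_crypttab_line cryptroot "$uuid")"
    echo "rebuild the initramfs, reboot, and confirm you get the PIN prompt with the passphrase still accepted as fallback"
}

# Real enrollment only on request: LUKS_DEV=/dev/nvme0n1p2 sudo -E sh tpm-enroll.sh
if [ -n "${LUKS_DEV:-}" ]; then
    enroll "$LUKS_DEV"
fi
```

PCR 7 alone is a policy measurement, so it relies on Secure Boot actually enforcing signatures on the kernel and bootloader; with Secure Boot disabled, anything that boots would see the same PCR 7 value only until the variable changes, which is why the two mitigations belong together.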
For most users, standard LUKS2 encryption provides excellent protection against the most common threat: data exposure from a stolen or lost device.