LUKS (Linux Unified Key Setup) is the standard disk encryption specification for Linux, implemented by cryptsetup on top of the kernel's dm-crypt. It protects data at rest only: a seized or stolen laptop yields nothing without the passphrase or key file, but once a volume is unlocked LUKS offers no protection against malware or anyone with access to the running system. This guide covers setting up LUKS2 encryption during installation and on existing drives, managing key slots, and advanced techniques such as detached headers.
LUKS2 vs LUKS1
Use LUKS2 unless you have a specific reason to need LUKS1. The usual one is GRUB on an older distribution unlocking an encrypted /boot: GRUB understood only LUKS1 before 2.06, and 2.06 can read LUKS2 only when the key slot uses PBKDF2 rather than Argon2.
| Feature | LUKS1 | LUKS2 |
|---|---|---|
| Key slots | 8 | 32 |
| Header size | 2 MB | 16 MB |
| Integrity protection | No | Yes (optional, via dm-integrity; still marked experimental) |
| Argon2 KDF | No | Yes (default) |
| Hardware token support | Limited | Yes (token metadata stored in the header: TPM2, FIDO2, clevis) |
LUKS2 with Argon2id as the key derivation function is significantly more resistant to GPU brute force than LUKS1's PBKDF2. Argon2id is memory-hard: every guess costs real RAM as well as CPU time, and RAM per core is exactly what GPUs and ASICs are short of.
Encrypting a New Drive or Partition
Prerequisites
Install cryptsetup if not already available:
sudo apt install cryptsetup # Debian/Ubuntu
sudo dnf install cryptsetup # Fedora
sudo pacman -S cryptsetup # Arch
Creating a LUKS2 Container
Identify your target drive or partition. Kernel names such as /dev/sdb can change between boots, so confirm the size, model and current mount points before you format anything:
lsblk -o NAME,SIZE,MODEL,SERIAL,MOUNTPOINT
# Example output shows /dev/sdb as the target drive
Warning: The following command will destroy all data on the device.
sudo cryptsetup luksFormat --type luks2 \
--cipher aes-xts-plain64 \
--key-size 512 \
--hash sha512 \
--pbkdf argon2id \
--iter-time 3000 \
/dev/sdb
Options explained:
- --cipher aes-xts-plain64: AES in XTS mode, the standard choice for sector-level disk encryption (also the cryptsetup default)
- --key-size 512: a 512-bit key, which XTS splits into two 256-bit AES keys, so this is AES-256
- --hash sha512: the hash used for the volume-key digest and the anti-forensic splitter; with Argon2id it plays no part in passphrase stretching
- --pbkdf argon2id: memory-hard KDF that makes GPU cracking expensive (the LUKS2 default)
- --iter-time 3000: milliseconds, so Argon2id is tuned to take about 3 seconds per unlock; the tuning runs on the machine where you execute luksFormat, so a faster machine would pick correspondingly heavier parameters
Opening the Container
sudo cryptsetup luksOpen /dev/sdb my_encrypted_drive
# The decrypted device appears at /dev/mapper/my_encrypted_drive
Formatting and Mounting
sudo mkfs.ext4 /dev/mapper/my_encrypted_drive
sudo mkdir /mnt/secure
sudo mount /dev/mapper/my_encrypted_drive /mnt/secure
Closing the Container
sudo umount /mnt/secure
sudo cryptsetup luksClose my_encrypted_drive
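The format, open, mkfs, mount and close sequence above is easy to point at the wrong disk, so here is the same sequence as a script with guard rails. This is an added example written for this page, not code from cryptsetup or from the original article. It assumes a GNU/Linux system with cryptsetup, blkid and /proc/mounts, run as root; the function names is_mounted, has_signature and encrypt_device are this example's own, and the mount table is a parameter so the mounted-device check can be exercised against a constructed table without root.

```sh
#!/bin/sh
# Added example for this page (not cryptsetup's own code or the original article's).
# Wraps luksFormat/open/mkfs/mount with checks that refuse to touch a device that is
# mounted, already mapped, or already carries a filesystem/LUKS signature.
# Assumes GNU/Linux: cryptsetup, blkid, /proc/mounts. Function names are hypothetical.
set -eu

# is_mounted DEV [MOUNTS_FILE]
# Returns 0 if DEV itself, or any partition of it (/dev/sdb1, /dev/nvme0n1p3), is
# a mount source in MOUNTS_FILE (default /proc/mounts). The file is a parameter so
# the check can be tested against a constructed table without root.
is_mounted() {
    dev=$1
    mounts=${2:-/proc/mounts}
    awk -v d="$dev" '
        $1 == d || $1 ~ ("^" d "p?[0-9]+$") { found = 1 }
        END { exit found ? 0 : 1 }' "$mounts"
}

# has_signature DEV
# Returns 0 if blkid's probe already identifies a filesystem, LUKS, LVM or
# similar signature on DEV. Needs root to read the device.
has_signature() {
    blkid -p -o value -s TYPE "$1" 2>/dev/null | grep -q .
}

# encrypt_device DEV NAME MOUNTPOINT
# Destroys DEV. Refuses to run if DEV is mounted, /dev/mapper/NAME exists, or
# DEV still carries a signature (wipe it deliberately with wipefs -a first).
encrypt_device() {
    dev=$1 name=$2 mnt=$3
    if is_mounted "$dev"; then
        echo "$dev (or a partition on it) is mounted; unmount it first" >&2
        return 1
    fi
    if [ -e "/dev/mapper/$name" ]; then
        echo "/dev/mapper/$name already exists; pick another name or close it" >&2
        return 1
    fi
    if has_signature "$dev"; then
        echo "$dev already carries a signature; run wipefs -a $dev if you really mean it" >&2
        return 1
    fi
    # Same parameters as in the article: AES-256-XTS, Argon2id tuned to ~3 s.
    cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 \
        --pbkdf argon2id --iter-time 3000 "$dev"
    cryptsetup open "$dev" "$name"
    mkfs.ext4 -q "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    echo "mounted /dev/mapper/$name on $mnt; close with: umount $mnt && cryptsetup close $name"
}

# Usage, as root (this destroys /dev/sdb):
#   encrypt_device /dev/sdb my_encrypted_drive /mnt/secure
```

The mounted check matches the whole disk as well as its partitions, so asking about /dev/sdb while /dev/sdb1 is mounted correctly refuses; the signature check is a second line of defence against typing the name of a disk that is in use but not currently mounted.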
Full System Encryption During OS Installation
Most Linux installers (Ubuntu and Fedora among them, and archinstall on Arch) offer full disk encryption during setup. For Ubuntu's installer:
- During installation, select “Erase disk and install Ubuntu”
- Check “Encrypt the new Ubuntu installation for security”
- Set a strong passphrase
This creates a LUKS-encrypted root partition plus a small cleartext /boot partition for GRUB. Note what that means: the kernel and initramfs in /boot are not covered by LUKS, so tampering with them is stopped only by Secure Boot and TPM measurements, not by the disk encryption itself.
Arch Linux Full Disk Encryption (Manual)
# Partition the disk
fdisk /dev/sda
# Create: /dev/sda1 (512MB, EFI) and /dev/sda2 (remaining, LUKS)
# Encrypt root
cryptsetup luksFormat --type luks2 /dev/sda2
cryptsetup luksOpen /dev/sda2 cryptroot
# Create filesystems
mkfs.fat -F32 /dev/sda1
mkfs.ext4 /dev/mapper/cryptroot
# Mount and install system
mount /dev/mapper/cryptroot /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
Add to /etc/crypttab. This file is read after root is mounted, so on its own it only unlocks additional volumes; the root device must be opened by the initramfs. With the sd-encrypt hook the same line goes into /etc/crypttab.initramfs; with the encrypt hook, put encrypt between block and filesystems in HOOKS in /etc/mkinitcpio.conf and pass cryptdevice=UUID=YOUR-UUID:cryptroot root=/dev/mapper/cryptroot on the kernel command line. Regenerate the initramfs with mkinitcpio -P after either change.
cryptroot UUID=YOUR-UUID none luks,discard
The discard option passes TRIM through to the SSD, which helps its lifetime but reveals which sectors are unused; leave it out if you want the ciphertext to look uniformly random. Get the UUID with:
cryptsetup luksUUID /dev/sda2
Managing Key Slots
LUKS2 supports 32 key slots — you can have multiple passphrases or key files, all unlocking the same volume.
Adding a Second Passphrase
sudo cryptsetup luksAddKey /dev/sdb
# Enter existing passphrase, then set new passphrase
Adding a Key File
# Generate a random key file; umask 077 means it is never readable by anyone else, even between creation and chmod
sudo sh -c 'umask 077 && dd if=/dev/urandom of=/root/luks-keyfile bs=4096 count=1'
sudo chmod 400 /root/luks-keyfile
# Add key file to LUKS
sudo cryptsetup luksAddKey /dev/sdb /root/luks-keyfile
A key file on removable media (a USB stick, or a token with mass storage such as a Nitrokey Storage) is a possession factor, but on its own it is still a single factor: whoever holds the stick holds the key. For genuine two-factor unlocking use a token that combines with a PIN or passphrase, for example FIDO2 via systemd-cryptenroll --fido2-device=auto or a YubiKey challenge-response slot; a YubiKey has no general file storage, so it cannot hold a key file at all.
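The key file steps above can be wrapped in a small function that creates the file with restrictive permissions from the outset and verifies the result. This is an added example written for this page, not code from cryptsetup or from the original article. It assumes GNU coreutils (stat -c) and a readable /dev/urandom, and the function name make_keyfile is this example's own.

```sh
#!/bin/sh
# Added example (not from cryptsetup or the original article).
# Creates a LUKS key file that is never readable by anyone but its owner, refuses
# to overwrite an existing file, and verifies size and mode before returning.
# Assumes GNU coreutils (stat -c) and /dev/urandom. Function name is hypothetical.
set -eu

# make_keyfile PATH [BYTES]
# Prints PATH on success. Defaults to 4096 random bytes, as in the article.
make_keyfile() {
    path=$1
    bytes=${2:-4096}
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing key file: $path" >&2
        return 1
    fi
    # umask in a subshell so the caller's umask is untouched. 077 makes the file
    # 0600 from the moment it exists, so there is no window where group/other can
    # read it. head -c loops until it has the full count, unlike a single dd read.
    ( umask 077 && head -c "$bytes" /dev/urandom > "$path" )
    chmod 0400 "$path"
    size=$(wc -c < "$path" | tr -d ' ')
    mode=$(stat -c %a "$path")
    if [ "$size" -ne "$bytes" ] || [ "$mode" != "400" ]; then
        echo "key file $path is $size bytes, mode $mode; expected $bytes bytes, mode 400" >&2
        rm -f "$path"
        return 1
    fi
    printf '%s\n' "$path"
}

# Usage, as root:
#   make_keyfile /root/luks-keyfile && cryptsetup luksAddKey /dev/sdb /root/luks-keyfile
```

The refuse-to-overwrite check matters more than it looks: overwriting a key file that is already enrolled in a volume silently invalidates that key slot, and you only find out at the next unlock.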
Removing a Key Slot
# List key slots. LUKS2 prints each used slot as "N: luks2" under Keyslots:; the ENABLED marker belongs to LUKS1 output and matches nothing here
sudo cryptsetup luksDump /dev/sdb | grep -E '^ +[0-9]+: luks2'
# Remove a specific slot. cryptsetup asks for a passphrase from one of the remaining slots first (unless you pass --batch-mode), and killing the last working slot makes the data unrecoverable, so confirm another passphrase or key file opens the volume before you do this
sudo cryptsetup luksKillSlot /dev/sdb 1
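Reading the Keyslots section by eye does not scale once several volumes and tokens are involved, so the following added example (written for this page, not part of cryptsetup or the original article) parses luksDump output and flags any slot still protected by PBKDF2. It runs on a constructed sample of luksDump output embedded in the script: a LUKS2 volume with two Argon2id slots, one PBKDF2 slot and a clevis token bound to slot 2, with a dummy UUID. On a real system pipe sudo cryptsetup luksDump /dev/sdb into the same function. The function name audit_keyslots is this example's own; only awk is needed.

```sh
#!/bin/sh
# Added example (not cryptsetup's or the original article's code).
# audit_keyslots reads `cryptsetup luksDump` output on stdin and prints one line
# per LUKS2 keyslot: its PBKDF, its cost parameter, any token bound to it, and a
# verdict (ok for Argon2, WEAK for pbkdf2). Only awk is needed.
set -eu

audit_keyslots() {
    awk '
        /^Keyslots:/ { sec = "ks"; next }
        /^Tokens:/   { sec = "tok"; next }
        /^Digests:/  { sec = "dig"; next }
        # Slot header, e.g. "  0: luks2"
        sec == "ks" && /^ +[0-9]+: luks2/ {
            slot = $1; sub(/:$/, "", slot); order[n++] = slot; pbkdf[slot] = "?"; next
        }
        sec == "ks" && $1 == "PBKDF:"      { pbkdf[slot] = $2 }
        sec == "ks" && $1 == "Memory:"     { cost[slot] = "mem=" $2 "KiB" }   # Argon2 memory cost
        sec == "ks" && $1 == "Iterations:" { cost[slot] = "iters=" $2 }       # pbkdf2 iteration count
        # Token header, e.g. "  0: clevis", followed by "Keyslot:    2"
        sec == "tok" && /^ +[0-9]+: / { tok = $2; next }
        sec == "tok" && $1 == "Keyslot:"   { token[$2] = tok }
        END {
            for (i = 0; i < n; i++) {
                s = order[i]
                verdict = (pbkdf[s] ~ /^argon2/) ? "ok" : "WEAK"
                if (pbkdf[s] == "?") verdict = "UNKNOWN"
                t = (s in token) ? token[s] : "-"
                printf "slot %s pbkdf=%s %s token=%s %s\n", s, pbkdf[s], cost[s], t, verdict
            }
            if (n < 2) print "note: only " n+0 " keyslot(s); add a second passphrase or key file as a fallback"
        }'
}

# Constructed sample of `cryptsetup luksDump` output (real output indents with
# tabs; the field-based parsing above does not care). UUID and values are dummies.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          7
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-1111-2222-3333-444444444444
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  7
        Memory:     1048576
        Threads:    4
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000
  2: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
Tokens:
  0: clevis
        Keyslot:    2
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 120000'

run_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | audit_keyslots
}

# Run against the constructed sample; on a real system use instead:
#   sudo cryptsetup luksDump /dev/sdb | audit_keyslots
run_sample
```

A slot reported WEAK is typically one created under LUKS1 and carried over by luksConvert, or one added by a tool that forces PBKDF2 for GRUB compatibility; if you no longer need that, re-derive it in place with cryptsetup luksConvertKey --pbkdf argon2id and the slot's passphrase, or add a fresh slot and kill the old one.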
Detached LUKS Headers
By default LUKS stores its header (magic bytes, cipher parameters and the key slots, so it plainly reveals that the device is encrypted) at the start of the device. A detached header moves it to a separate file or device, leaving the data partition with no LUKS signature. This is sometimes described as deniability, but treat that claim cautiously: a partition full of high-entropy data is itself conspicuous, and the header file, not the partition, is now what you must keep out of an adversary's hands. The more robust use is carrying the header on a USB stick you keep separately, so the internal disk holds no key material at all.
# Create LUKS container with detached header. Recent cryptsetup creates the header file if it does not exist; the data device itself gets no header
sudo cryptsetup luksFormat --type luks2 \
--header /path/to/header-file \
/dev/sdb
# Open using detached header
sudo cryptsetup luksOpen \
--header /path/to/header-file \
/dev/sdb my_hidden_drive
Store the header file separately (USB stick, a different encrypted volume). Without it the partition cannot be identified as LUKS or decrypted, and that cuts both ways: the header file is now the only copy of your key slots, so back it up as carefully as an on-device header (copying the file is sufficient, but keep the copy encrypted).
Checking LUKS Volume Status
# View LUKS header information
sudo cryptsetup luksDump /dev/sdb
# Check if a device is a LUKS device
sudo cryptsetup isLuks /dev/sdb && echo "LUKS volume"
# View active mappings
sudo dmsetup ls --target crypt
Benchmarking Cipher Performance
# Test available cipher speeds on your hardware
sudo cryptsetup benchmark
On modern CPUs with AES-NI, cryptsetup benchmark typically reports aes-xts at several GB/s per core, well above what a single SSD delivers, so there is no meaningful performance penalty for daily use. Check the numbers on your own hardware rather than trusting a rule of thumb: a CPU without AES-NI can fall below SSD speeds, and on such hardware the Adiantum cipher, designed for exactly that case, may be the faster choice.
Backup Your LUKS Header
If the LUKS header is corrupted or overwritten, the data is permanently lost, because the header is the only place the encrypted volume key exists. Back it up. Note the security implication too: a header backup contains every key slot as it was at backup time, so a passphrase you later remove with luksKillSlot still opens the volume through the old backup. Protect the backup as carefully as the live device, and make a fresh one (destroying the old) after changing key slots.
sudo cryptsetup luksHeaderBackup /dev/sdb \
--header-backup-file /secure-backup/sdb-luks-header.img
Store this backup in a separate secure location, encrypted once more with GPG before it leaves the machine, and remove the plaintext copy afterwards. Since overwriting a file on an SSD is not reliably destructive, write the backup to tmpfs or an encrypted volume in the first place:
gpg --symmetric --cipher-algo AES256 /secure-backup/sdb-luks-header.img
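Before trusting a header backup, check that it really is a LUKS2 header and that it belongs to the device you think it does. The following added example (written for this page; not cryptsetup code or the original article's) reads the fields of the binary LUKS2 header directly: the 6-byte magic LUKS followed by 0xba 0xbe, the big-endian 16-bit version at offset 6, the big-endian 64-bit header size at offset 8, and the 40-byte UUID string at offset 168. It assumes POSIX od, dd and tr plus a shell with 64-bit arithmetic (dash and bash both qualify); the function names are this example's own, and the check is exercised against a synthetic header file rather than a real device.

```sh
#!/bin/sh
# Added example (not cryptsetup's own code or the original article's).
# Reads the binary LUKS2 header fields from a file (a header backup or the
# device itself) and checks a backup against an expected UUID before you rely on it.
# Layout (LUKS2 on-disk format): magic[6] "LUKS\xba\xbe", version u16 BE @6,
# hdr_size u64 BE @8, uuid char[40] @168. Assumes POSIX od/dd/tr and a shell
# with 64-bit arithmetic. Function names are hypothetical.
set -eu

# hex_at FILE OFFSET LEN: LEN bytes at OFFSET as one lowercase hex string
hex_at() {
    od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# luks2_header_info FILE
# Prints "version=N hdr_size=BYTES uuid=UUID" or fails if the magic is wrong.
luks2_header_info() {
    f=$1
    magic=$(hex_at "$f" 0 6)
    if [ "$magic" != "4c554b53babe" ]; then      # "LUKS" 0xba 0xbe
        echo "$f: not a LUKS header (magic $magic)" >&2
        return 1
    fi
    version=$((0x$(hex_at "$f" 6 2)))
    hdr_size=$((0x$(hex_at "$f" 8 8)))
    uuid=$(dd if="$f" bs=1 skip=168 count=40 2>/dev/null | tr -d '\000')
    printf 'version=%s hdr_size=%s uuid=%s\n' "$version" "$hdr_size" "$uuid"
}

# verify_header_backup FILE EXPECTED_UUID
# Succeeds only for a LUKS2 header whose UUID matches and whose file is at least
# hdr_size bytes (a truncated backup is worse than none: it restores a broken header).
verify_header_backup() {
    f=$1 expected=$2
    info=$(luks2_header_info "$f") || return 1
    version=${info#version=}; version=${version%% *}
    hdr_size=${info#*hdr_size=}; hdr_size=${hdr_size%% *}
    uuid=${info#*uuid=}
    if [ "$version" -ne 2 ]; then
        echo "$f: LUKS version $version, expected 2" >&2; return 1
    fi
    if [ "$uuid" != "$expected" ]; then
        echo "$f: UUID $uuid does not match expected $expected" >&2; return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -lt "$hdr_size" ]; then
        echo "$f: only $size bytes, header claims $hdr_size" >&2; return 1
    fi
    echo "$f: LUKS2 header for $uuid looks intact"
}

# Usage on a real backup (the UUID comes from `cryptsetup luksUUID /dev/sdb`):
#   verify_header_backup /secure-backup/sdb-luks-header.img "$(cryptsetup luksUUID /dev/sdb)"
```

The same function works on the live device (pass /dev/sdb as FILE), which is a quick way to confirm a backup and its source agree before you ever need luksHeaderRestore. A header backup that is not at least hdr_size bytes long, or whose UUID differs from the device, should be regenerated rather than kept.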
Automatic Unlocking with TPM2
On systems with a TPM 2.0 chip, you can seal a LUKS key to the TPM so the drive unlocks without a passphrase on your own hardware but stays locked if the disk is moved to another machine. On Debian/Ubuntu (clevis-initramfs is the piece that performs the unlock at boot; on Fedora the equivalent is clevis-dracut; regenerate the initramfs after installing it):
sudo apt install clevis-tpm2 clevis-luks clevis-initramfs
# PCR 7 alone is satisfied by any loader signed under the same Secure Boot certificate; see the note below before settling on it
sudo clevis luks bind -d /dev/sda2 tpm2 '{"pcr_ids":"7"}'
PCR 7 records the Secure Boot policy and the certificate that verified the bootloader, so the key is released only while Secure Boot is on with the same trust database. That is weaker than "the correct boot chain is intact": any other OS signed under the same certificate (a signed live USB, for instance) produces the same PCR 7 value and can ask the TPM to unseal the key. Bind to additional PCRs (firmware and bootloader measurements in PCRs 0, 2 and 4 are the usual additions) and, where your tooling supports it (systemd-cryptenroll's --tpm2-with-pin=yes), require a PIN as well, so the TPM is one factor rather than the only one. Firmware and bootloader updates change those PCRs and will require re-binding, so always keep a passphrase slot as a fallback.
Final Thoughts
LUKS2 encryption on Linux is mature, performant, and essential for any laptop or portable device holding sensitive data. AES-NI in virtually all modern processors removes any practical performance reason not to encrypt. Set it up at installation time for the cleanest experience, back up your header, manage your key slots carefully, and your data at rest is protected to the strength of your passphrase and KDF settings. Keep in mind what it does not cover: a running, unlocked system, a cleartext /boot, and anyone who can capture the passphrase as you type it.