Linux Unified Key Setup (LUKS) is a Best Disk Encryption in Linux

Purpose of this article is to explain the importance of LUKS encryption in Linux and how to use it. In this article, we will setup LUKS encryption in Linux and automatically mount the encrypted partition.

Importance of LUKS Encryption

LUKS encryption is crucial for securing sensitive data on Linux systems. It provides an additional layer of protection against unauthorized access, data breaches, and potential cyber threats. By encrypting your data, you ensure that even if your system is compromised, the attacker cannot access your sensitive information without the decryption key or passphrase.

Key Concepts

LUKS (Linux Unified Key Setup): A disk encryption specification that provides a standard on-disk format for data encryption.
Encryption: The process of converting data into an unreadable format, which can only be accessed with a decryption key or passphrase.
cryptsetup: The command-line tool used to manage LUKS encrypted volumes.
Mapper Device: A virtual device created by LUKS that provides access to the decrypted volume (e.g., /dev/mapper/vault1).
Key File: A file containing the encryption key, used instead of a passphrase.
Passphrase: A secret password used to unlock the encrypted volume.
fstab: A system configuration file that defines how file systems are mounted at boot time.
crypttab: A system configuration file specifically for defining LUKS encrypted volumes to be unlocked at boot time (Used with fstab).
systemd: A system and service manager for Linux operating systems, used here to automate the unlocking and mounting of LUKS volumes.
UUID (Universally Unique Identifier): A unique identifier for a partition or disk, ensuring consistent mounting regardless of device name changes. This documentation uses /dev/disk/by-id/ instead.

Let’s Begin

Make sure you have a backup of your data before proceeding with the encryption process. If you don’t have a backup, you may lose all your data permanently. Check you have LUKS installed if not then install it using the following command:

# Check if LUKS is installed
command -v cryptsetup
# Install LUKS if not installed
sudo apt-get install cryptsetup

1. Attach the Disk to your system.

2. Check your attached disk

lsblk

It will show you all the disks attached to your system. Let’s say your disk is /dev/sdb. We will go through the steps to setup LUKS encryption on it.

3. Create a LUKS partition

sudo cryptsetup luksFormat /dev/sdb

This will create a LUKS partition on /dev/sdb.

4. If you want to use a encryption key file then use the following:

If you don’t want to use a key file, you can use a passphrase instead. Then skip this step.

sudo dd if=/dev/urandom of=/root/.mykey.img bs=1024 count=4

Add the key file to the LUKS partition:

sudo cryptsetup luksAddKey /dev/sdb /root/.mykey.img
sudo chmod 600 /root/.mykey.img

5. Open the LUKS partition

vault1 is a mapper name for the LUKS partition. LUKS will create a mapper device /dev/mapper/vault1 which you can use to mount the partition.

# If you want to use a key file
sudo cryptsetup open --key-file /root/.mykey.img /dev/sdb vault1
# If you want to use a passphrase
sudo cryptsetup open /dev/sdb vault1

6. Format the LUKS partition

This step needs to be performed only once. It will format the partition and create a filesystem on it.

# check avialable partition using
lsblk
# Format it using ext4 format
sudo mkfs.ext4 /dev/mapper/vault1

7. Mount partition

/mnt/vault1 is a mount point where you can mount your partition.

sudo mkdir /mnt/vault1
sudo mount /dev/mapper/vault1 /mnt/vault1

Once mounted, you can use it as a normal partition.

8. Unmount partition

sudo umount /mnt/vault1

9. Close the LUKS partition

This will close the LUKS partition and remove the mapper device /dev/mapper/vault1 and lock the partition.

sudo cryptsetup close vault1

Here we have completed the setup of LUKS encryption on /dev/sdb. To use it you only need to perform steps 5, 7, 8 and 9. Don’t use step 6 it will format the partition again.

Automate the process

Let’s talk about automating the process of unlocking, mounting and closing the LUKS partition for daily use.

Using fstab: If you are using internal hard drive, you can automate the process using crypttab and fstab. In this case error of the hard drive can lead to failure of system boot.
Using systemd: If you are using any drive, internal or external doesn’t matter, you can automate it. In this case we will use systemd to automate the process. No system boot failure will occur.

Both cases will be use disk unique id instead of the partition name. So, it will be unique and reliable. To get the unique id of the disk, use the following command:

ls -l /dev/disk/by-id/ | grep "sdb"

It should display output like this-

lrwxrwxrwx 1 root root  9 Jul 30 18:51 ata-VBOX_HARDDISK_VB5e1011c9-a737040b -> ../../sdb
lrwxrwxrwx 1 root root  9 Jul 30 18:51 scsi-0ATA_VBOX_HARDDISK_VB5e1011c9-a737040b -> ../../sdb
lrwxrwxrwx 1 root root  9 Jul 30 18:51 scsi-1ATA_VBOX_HARDDISK_VB5e1011c9-a737040b -> ../../sdb
lrwxrwxrwx 1 root root  9 Jul 30 18:51 scsi-SATA_VBOX_HARDDISK_VB5e1011c9-a737040b -> ../../sdb

Here you will notice the id starting with ata- is the unique id of the disk. Here I have used virtual hard disk. In your case, you will see manufacturer name, serial number, etc. So, we will use ata-VBOX_HARDDISK_VB5e1011c9-a737040b for the future steps.

1. Using `fstab`

Edit /etc/crypttab file and add the following line:

vault1 /dev/disk/by-id/ata-VBOX_HARDDISK_VB5e1011c9-a737040b /root/.mykey.img luks

Edit /etc/fstab file and add the following line:

/dev/mapper/vault1 /mnt/vault ext4 defaults 0 0

Update initramfs:
1 sudo update-initramfs -u

2. Using `systemd`

Create a file /usr/local/bin/luks-mount.sh with the following content:

#!/bin/sh
# Env will be set by systemd
# System define variables
DISK_PATH="/dev/disk/by-id/${DRIVE_ID}"
# Operations
if [ ! -e "$DISK_PATH" ]; then
  echo "❌ Drive ${DRIVE_ID} not present"
  exit 1
fi
# Check if already unlocked
if [ -e "/dev/mapper/$MAPPER_NAME" ]; then
  echo "🔓 Volume '$MAPPER_NAME' is already unlocked."
else
  echo "🔐 Unlocking encrypted volume..."
  if [ -n "$KEY_FILE_PATH" ] && [ -f "$KEY_FILE_PATH" ]; then
      echo "🔑 Using key file to unlock..."
      sudo cryptsetup luksOpen "$DISK_PATH" "$MAPPER_NAME" --key-file "$KEY_FILE_PATH"
  else
      echo "📝 Using passphrase to unlock..."
      echo "$PASSPHRASE" | sudo cryptsetup luksOpen "$DISK_PATH" "$MAPPER_NAME"
  fi
  if [ $? -ne 0 ]; then
      echo "❌ Failed to unlock the volume."
      exit 2
  fi
  echo "✅ Volume unlocked as /dev/mapper/$MAPPER_NAME"
fi
# Mount the device
if mountpoint -q "$MOUNT_POINT"; then
  echo "📁 Already mounted at $MOUNT_POINT"
else
  sudo mkdir -p "$MOUNT_POINT"
  sudo mount "/dev/mapper/$MAPPER_NAME" "$MOUNT_POINT"
  echo "✅ Mounted at $MOUNT_POINT"
fi

This script will be reused if you have multiple disks.

Create a file /usr/local/bin/luks-umount.sh with the following content:

#!/bin/sh
# Env will be set by systemd
# System define variables
DISK_PATH="/dev/disk/by-id/${DRIVE_ID}"
# Check if disk exists
if [ ! -e "$DISK_PATH" ]; then
  echo "⚠️  Drive ${DRIVE_ID} not present (may already be removed or unmounted)."
fi
# Unmount if mounted
if mountpoint -q "$MOUNT_POINT"; then
  echo "📤 Unmounting $MOUNT_POINT..."
  sudo umount "$MOUNT_POINT"
  if [ $? -ne 0 ]; then
      echo "❌ Failed to unmount $MOUNT_POINT"
      exit 1
  fi
  echo "✅ Unmounted $MOUNT_POINT"
else
  echo "ℹ️  $MOUNT_POINT is not mounted."
fi
# Close the encrypted volume if mapped
if [ -e "/dev/mapper/$MAPPER_NAME" ]; then
  echo "🔒 Closing encrypted volume $MAPPER_NAME..."
  sudo cryptsetup luksClose "$MAPPER_NAME"
  if [ $? -ne 0 ]; then
      echo "❌ Failed to close volume $MAPPER_NAME"
      exit 2
  fi
  echo "✅ Volume $MAPPER_NAME closed."
  echo "🧹 Deleting mount point $MOUNT_POINT..."
  sudo rmdir "$MOUNT_POINT"
  echo "🧹 Mount point $MOUNT_POINT deleted."
else
  echo "ℹ️  Volume $MAPPER_NAME is not open."
fi

This script will be reused if you have multiple disks.

Give executable permission to the script:

sudo chmod +x /usr/local/bin/luks-mount.sh
sudo chmod +x /usr/local/bin/luks-umount.sh

Create a env file /etc/vault1.env with the following content:

DRIVE_ID=ata-VBOX_HARDDISK_VB5e1011c9-a737040b
MAPPER_NAME=vault1
MOUNT_POINT=/mnt/vault1
PASSPHRASE=your_passphrase_here
KEY_FILE_PATH=/path/to/optional-keyfile

Give permission to the env file:
1 sudo chmod 600 /etc/vault1.env

Create a systemd service file /etc/systemd/system/mount-vault1.service with the following content:

[Unit]
Description=Unlock and mount LUKS volume vault1
After=cryptsetup-pre.target local-fs.target
Requires=local-fs.target
[Service]
Type=oneshot
EnvironmentFile=/etc/vault1.env
ExecStart=/usr/local/bin/luks-mount.sh
ExecStop=/usr/local/bin/luks-umount.sh
RemainAfterExit=true
[Install]
WantedBy=multi-user.target

Enable the service:

sudo systemctl daemon-reload
sudo systemctl enable mount-vault1.service

Start the service:

sudo systemctl start mount-vault1.service

Unmount can be done automatically when the system shuts down.

If you want to manually take out your disk, you can use the following command:

sudo systemctl stop mount-vault1.service
sudo systemctl disable mount-vault1.service
sudo systemctl daemon-reload

Congrats! You have successfully set up a LUKS encrypted disk in Linux.

Tips

Always better to take backup of header of the disk using:

sudo cryptsetup luksHeaderBackup /dev/disk/by-id/ata-VBOX_HARDDISK_VB5e1011c9-a737040b --header-backup-file /path/to/ata-VBOX_HARDDISK_VB5e1011c9-a737040b_header_backup.img

If you want to add additional passphrase to the LUKS volume:

sudo cryptsetup luksAddKey /dev/disk/by-id/ata-VBOX_HARDDISK_VB5e1011c9-a737040b

If you want to remove a passphrase from the LUKS volume:

sudo cryptsetup luksRemoveKey /dev/disk/by-id/ata-VBOX_HARDDISK_VB5e1011c9-a737040b

Read manual page for more information:
1 man cryptsetup