Drive encryption using LUKS


  1. Setup encryption on drive or partition
  2. Opening
  3. Closing

Setup encryption on drive or partition #

sdX can be either sda or sda1 to select a whole drive or partition

cryptsetup -s 512 --verify-passphrase luksFormat /dev/sdX

-s 512 sets the SHA512 algorithm and --verify-passphare lets to type the passphare twice to make sure you don't make typos.

Warning: All data on the drive or partition gets wiped!

Now you can open the encrypted drive, it will get mounted to a mapped location that is decrypted

Opening #

cryptsetup open /dev/sdX cryptdata

If first time, create filesystem first. Otherwise:

mount /dev/mapper/cryptdata /mnt/mymountpoint

Now you want to create a filesystem on your encrypted device. If you only need one partition you can do this in the usual way but if you need multiple partitions e.g. a root and a swap you need to use a different solution.


Logical Volume Manager (LVM) lets you create logical volumes inside the encrypted partition.

First, setup a physical volume and volume group:

pvcreate /dev/mapper/cryptdata
vgcreate vg1 /dev/mapper/cryptdata # Create a volume group with the name vg1

Now we can create logical volumes:

lvcreate -L 8G -n swap vg1 # Create 8GB logical volume in vg1 with name 'swap'
lvcreate -l 100%FREE -n root vg1 # Create root volume that uses all unallocated space in vg1

The volumnes will be available under /dev/vg1/

BTRFS filesystem #

In BTRFS you can use subvolumes instead of partitions to organize data:

sudo mkfs.btrfs /dev/mapper/cryptdata

Closing #

sudo umount /dev/mapper/cryptdata		
sudo cryptsetup close cryptdata