How to work with LUKS encryption

This note was created on 2024-04-02
This note was last edited on 2024-04-02

The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and originally intended for Linux.

=== Create encrypted file system on your drive ===

1. Use "cryptsetup" to format your drive:
   # cryptsetup luksFormat /dev/sdb1
2. Open the LUKS-formatted partition as "example":
   # cryptsetup luksOpen /dev/sdb1 example
3. Format the opened LUKS volume with an EXT4 file system:
   # mkfs.ext4 -L MyFiles /dev/mapper/example
4. Create a local mountpoint for the encrypted drive:
   # mkdir /media/example
5. Mount the filesystem on the LUKS-encrypted drive into your local system:
   # mount /dev/mapper/example /media/example
6. Unmount the LUKS-encrypted drive from your local system:
   # umount /media/example
7. Close the LUKS-encrypted drive:
   # cryptsetup close example

=== Create encrypted file container ===

1. Create an empty 2 GB file (sparse, since no data is written) to use as a container:
   $ dd if=/dev/zero of=~/Vaults/example.img bs=1 count=0 seek=2G
2. Use "cryptsetup" to format the file for LUKS:
   # cryptsetup luksFormat ~/Vaults/example.img
3. Open the LUKS-formatted file as "example":
   # cryptsetup luksOpen ~/Vaults/example.img example
4. Format the opened LUKS volume with a FAT32 file system:
   # mkfs.fat -F 32 /dev/mapper/example
5. Create a local mountpoint for the encrypted file container:
   # mkdir /media/example
6. Mount the filesystem in the LUKS-encrypted file container into your local system:
   # mount /dev/mapper/example /media/example
7. Unmount the LUKS-encrypted file container from your local system:
   # umount /media/example
8. Close the LUKS-encrypted file container:
   # cryptsetup close example

=== Backup and restore LUKS header ===

List encrypted disks and volumes:
   # dmsetup ls --target crypt

Dump the LUKS header:
   # cryptsetup luksDump /dev/sdb1

Back up the LUKS header:
   # cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file ./sdb1-luks-header.bin

Show information about the header backup file:
   # file ./sdb1-luks-header.bin
   # stat ./sdb1-luks-header.bin
   # cryptsetup luksDump ./sdb1-luks-header.bin

Restore the LUKS header:
   # cryptsetup luksHeaderRestore /dev/sdb1 --header-backup-file /path/to/sdb1-luks-header.bin

=== Add a second (backup) LUKS key ===

1. Dump the LUKS header and check which key slots are in use:
   # cryptsetup luksDump /dev/sdb1
2. If only slot 0 is in use, add a second key to slot 1:
   # cryptsetup luksAddKey --key-slot 1 /dev/sdb1

There are now two passphrases for the LUKS-encrypted partition "/dev/sdb1".

=== Change LUKS password ===

1. Dump the LUKS header to check the key slots:
   # cryptsetup luksDump /dev/sdb1
2. Change the key in slot 1:
   # cryptsetup luksChangeKey --key-slot 1 /dev/sdb1

=== Remove LUKS key ===

There are two ways to remove a LUKS key:

1. "luksRemoveKey" - removes a key by specifying its passphrase/keyfile.
2. "luksKillSlot" - removes a key by specifying its slot (needs another valid key).

Check a passphrase and which slot it belongs to:
   # cryptsetup --test-passphrase -v open /dev/sdb1

Remove a key by providing its passphrase:
   # cryptsetup luksRemoveKey /dev/sdb1

Remove a key by providing its key slot number:
   # cryptsetup luksKillSlot /dev/sdb1 1
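The "Add a second (backup) LUKS key" step above relies on reading luksDump output by eye to pick a free slot. The script below is an added example, not part of the original note: it parses the dump text (LUKS1 "Key Slot N: ENABLED" lines or the LUKS2 "Keyslots:" block), reports the slots in use, and prints the luksAddKey command for the first free slot. The function names and the sample dump are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original note: parse `cryptsetup luksDump`
# output to find the key slots in use and the first free one, so the
# backup passphrase goes into a slot known to be free (LUKS1 and LUKS2).

# Print the numbers of the key slots in use, space-separated, ascending.
luks_used_slots() {   # $1 = text of `cryptsetup luksDump <device>`
    printf '%s\n' "$1" | awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(/:$/, "", $3); print $3; next }  # LUKS1 line
        /^Keyslots:/                { in_slots = 1; next }                 # LUKS2 block starts
        /^[A-Za-z]/                 { in_slots = 0 }                        # next top-level section
        in_slots && /^  [0-9]+: /   { sub(/:$/, "", $1); print $1 }         # "  N: luks2"
    ' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Number of slots the header can hold: 8 for LUKS1, 32 for LUKS2.
luks_slot_count() {
    case "$(printf '%s\n' "$1" | awk '/^Version:/ { print $2; exit }')" in
        2) echo 32 ;;
        *) echo 8 ;;
    esac
}

# Print the lowest unused slot number; return 1 if every slot is taken.
luks_first_free_slot() {
    used=$(luks_used_slots "$1")
    n=$(luks_slot_count "$1"); i=0
    while [ "$i" -lt "$n" ]; do
        case " $used " in
            *" $i "*) i=$((i + 1)) ;;
            *) echo "$i"; return 0 ;;
        esac
    done
    return 1
}

# Print the luksAddKey command that targets the first free slot of a device.
luks_add_key_cmd() {   # $1 = device, $2 = luksDump text
    slot=$(luks_first_free_slot "$2") || { echo "no free key slot on $1" >&2; return 1; }
    echo "cryptsetup luksAddKey --key-slot $slot $1"
}

# Constructed LUKS1-style dump; real use: luks_add_key_cmd /dev/sdb1 "$(cryptsetup luksDump /dev/sdb1)"
SAMPLE_DUMP='LUKS header information for /dev/sdb1
Version:       1
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: ENABLED'
luks_add_key_cmd /dev/sdb1 "$SAMPLE_DUMP"   # prints: cryptsetup luksAddKey --key-slot 1 /dev/sdb1
```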