LUKS Disk Encryption

Encrypt a disk or partition at rest with LUKS to protect data on VPS block storage, external drives, and backup volumes.

LUKS (Linux Unified Key Setup) is the standard disk encryption for Linux. It encrypts entire block devices so data is unreadable without the correct passphrase, even if the disk is removed or a snapshot is taken.

LUKS encrypts data at rest: it protects against physical theft of the disk and against unauthorized access to snapshots or disk images. It does not protect data in transit, nor data on a volume that is unlocked and mounted on a running system, where anyone with access to the host reads it in the clear.


Use cases

  • Encrypting a secondary data volume (databases, user files)
  • Encrypting backup volumes before offsite transfer
  • Compliance requirements (GDPR, HIPAA, PCI-DSS) for data at rest

Do not encrypt the root/boot partition on a VPS unless you have console access (VNC) to enter the passphrase at boot; otherwise you will lock yourself out permanently.


Install LUKS tools

sudo apt update
sudo apt install cryptsetup -y
cryptsetup --version

Create an encrypted volume on a new disk

Identify the target disk (e.g. /dev/sdb, a secondary block device):

lsblk

WARNING: This destroys all data on the device.

# Initialize LUKS (you'll set a passphrase)
sudo cryptsetup luksFormat /dev/sdb

# Open/unlock the volume
sudo cryptsetup open /dev/sdb mydata

# Create a filesystem on the decrypted device
sudo mkfs.ext4 /dev/mapper/mydata

# Mount it
sudo mkdir -p /mnt/mydata
sudo mount /dev/mapper/mydata /mnt/mydata

Encrypted container file (backup volumes)

To encrypt files you want to send offsite, create a LUKS container inside a regular file, mount it, and copy the files in:

# Create a 10 GB file to hold the encrypted container
sudo dd if=/dev/zero of=/backup/encrypted.img bs=1M count=10240
sudo cryptsetup luksFormat /backup/encrypted.img
sudo cryptsetup open /backup/encrypted.img backupvol
sudo mkfs.ext4 /dev/mapper/backupvol
sudo mkdir -p /mnt/backup
sudo mount /dev/mapper/backupvol /mnt/backup

After unmounting and closing the volume, the single file /backup/encrypted.img is what you transfer offsite.

Auto-mount at boot (with a keyfile)

For a data volume you want to mount automatically without a passphrase prompt:

Create a keyfile

# Create the directory first, then fill the keyfile with 4 KiB of random data
sudo mkdir -p /etc/luks
sudo dd if=/dev/urandom of=/etc/luks/mydata.key bs=512 count=8
sudo chmod 400 /etc/luks/mydata.key

Add the keyfile to the LUKS volume

sudo cryptsetup luksAddKey /dev/sdb /etc/luks/mydata.key

Configure /etc/crypttab

Open the file and add the following line:

sudo nano /etc/crypttab

# name        device         keyfile                options
mydata        /dev/sdb       /etc/luks/mydata.key   luks

Configure /etc/fstab

Open the file and add the following line:

sudo nano /etc/fstab

/dev/mapper/mydata   /mnt/mydata   ext4   defaults,_netdev   0   2

_netdev defers the mount until the network is up, which suits network-attached block storage; add nofail if the system should still finish booting when the volume is missing.

On the next boot, the volume is unlocked automatically with the keyfile. Note that the keyfile sits unencrypted on the root filesystem: anyone with root on the host, or with a copy of the root disk, can unlock the volume. The keyfile removes the passphrase prompt; it does not add protection.


Manual open/close

# Unlock
sudo cryptsetup open /dev/sdb mydata
sudo mount /dev/mapper/mydata /mnt/mydata

# Lock (must unmount first)
sudo umount /mnt/mydata
sudo cryptsetup close mydata

LUKS key management

# Show LUKS header info (key slots used)
sudo cryptsetup luksDump /dev/sdb

# Add another passphrase (LUKS supports up to 8 key slots)
sudo cryptsetup luksAddKey /dev/sdb

# Remove a passphrase (you are prompted for the passphrase to remove)
sudo cryptsetup luksRemoveKey /dev/sdb

# Change a passphrase
sudo cryptsetup luksChangeKey /dev/sdb

Back up the LUKS header

The header holds the key slots. If it is corrupted or overwritten, the data is unrecoverable, so always back it up:

sudo cryptsetup luksHeaderBackup /dev/sdb --header-backup-file /secure/luks-header-sdb.bak

Store this backup somewhere safe (not on the same disk). Because the backup contains the key slots as they were when it was taken, a passphrase you later change or remove still unlocks the volume through the old header; treat the backup file as carefully as the passphrase itself and take a fresh backup after changing keys. Restore with:

sudo cryptsetup luksHeaderRestore /dev/sdb --header-backup-file /secure/luks-header-sdb.bak

Check encryption status

# Is the device encrypted?
sudo cryptsetup isLuks /dev/sdb && echo "LUKS" || echo "Not LUKS"

# Detailed info
sudo cryptsetup luksDump /dev/sdb

# Is the volume currently open?
ls /dev/mapper/
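
The checks above are manual; the following script is an added example (not part of this page or of cryptsetup) that turns them into pre-flight checks for the keyfile-based setup: it counts populated key slots from luksDump output, verifies the keyfile permissions, and confirms the crypttab entry. It assumes GNU stat and the luksDump layouts of LUKS1 and LUKS2, and runs on constructed sample data so it needs no root.

```bash
#!/bin/sh
# Added example (not from the page): pre-flight checks for a keyfile-based
# LUKS volume, run here on constructed sample data so it needs no root.
# Assumptions: GNU stat (-c) and the cryptsetup luksDump layouts for LUKS1/LUKS2.
# Count key slots in use from `cryptsetup luksDump` output on stdin.
# LUKS1 prints "Key Slot N: ENABLED"; LUKS2 lists "  N: luks2" under "Keyslots:".
luks_used_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { n++ }
        /^Keyslots:/                { in_ks = 1; next }
        in_ks && /^[A-Za-z]/        { in_ks = 0 }   # next top-level section
        in_ks && /^  [0-9]+: luks2/ { n++ }
        END { print n + 0 }
    '
}

# A keyfile must be readable by its owner only (mode 400 or 600 style).
keyfile_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        [4-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Does /etc/crypttab (read from stdin) map NAME to DEVICE using KEYFILE?
crypttab_has_entry() {
    awk -v n="$1" -v d="$2" -v k="$3" \
        '$1 == n && $2 == d && $3 == k { found = 1 } END { exit !found }'
}

# Constructed luksDump excerpt: a LUKS2 header with two populated key slots.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

# Demo on the constructed data. On a live host use instead:
#   sudo cryptsetup luksDump /dev/sdb | luks_used_slots
#   keyfile_perms_ok /etc/luks/mydata.key && echo "keyfile permissions OK"
#   crypttab_has_entry mydata /dev/sdb /etc/luks/mydata.key < /etc/crypttab
echo "key slots in use: $(printf '%s\n' "$SAMPLE_DUMP" | luks_used_slots)"
```

A count of populated slots higher than the passphrases and keyfiles you know about is the signal to inspect luksDump and remove the extra slot.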

Performance impact

The dm-crypt layer underneath LUKS uses the AES-NI instruction set where the CPU provides it; on modern CPUs the overhead is typically 5-15% for sequential I/O and negligible for random I/O.

Benchmark your system:

sudo cryptsetup benchmark

Use aes-xts-plain64 with 256-bit keys (the default) for the best balance of security and performance.
