LUKS and dm-crypt

Basic operations

Creating a new, non-bootable filesystem

Read the warnings in the Cryptsetup FAQ or cryptsetup(8).

Generally, device should be a partition (e.g. /dev/sda2), not a whole disk. Avoid non-ASCII characters in the passphrase: the keymap and character encoding at an early-boot or rescue prompt can differ from those of the session in which the passphrase was set, so a passphrase that works on the desktop may be impossible to type later.

wipefs -a /dev/device
cryptsetup luksFormat /dev/device
cryptsetup luksOpen /dev/device mapperDevice
mkfs.ext4 /dev/mapper/mapperDevice
cryptsetup luksClose mapperDevice
cryptsetup luksHeaderBackup --header-backup-file backupFile /dev/device

Note that wipefs without -a only lists existing signatures; -a erases them. The header backup contains the keyslots, so store it as carefully as the device itself, and remember that restoring an old backup also restores any passphrase that was removed or changed after the backup was taken.

To open and mount:


cryptsetup luksOpen /dev/device mapperDevice
mount /dev/mapper/mapperDevice mountpoint

To unmount and close:


umount mountpoint
cryptsetup luksClose mapperDevice
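The create/open/close cycle above, as an added example (not from this wiki page or from the cryptsetup project): the commands are wrapped in functions with the checks a careful administrator adds, and rehearsed on a loop-backed image file so nothing real is touched. It requires root plus cryptsetup, losetup and mkfs.ext4. The variable names IMAGE, MAPPER, MOUNTPOINT and HEADER_BACKUP, the demo passphrase and the LUKS_DEMO switch are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page or cryptsetup itself. Rehearses the
# LUKS create/open/close procedure on a loop-backed image file.
# Assumptions: root, cryptsetup/losetup/mkfs.ext4 installed, names below.
set -eu

IMAGE="${IMAGE:-/tmp/luks-demo.img}"
MAPPER="${MAPPER:-luksdemo}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/luksdemo}"
HEADER_BACKUP="${HEADER_BACKUP:-/root/$MAPPER.header}"

# The page advises ASCII-only passphrases: keymap and encoding at an
# early-boot or rescue prompt can differ from the session that set it.
# Returns 0 if $1 is non-empty and consists only of printable ASCII (0x20-0x7e).
passphrase_is_ascii() {
    [ -n "$1" ] || return 1
    if printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'; then
        return 1
    fi
    return 0
}

# Refuse to format anything that is not a block device or is currently mounted.
check_unused_block_device() {
    dev="$1"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if grep -q "^$dev " /proc/mounts; then
        echo "$dev is mounted; unmount it first" >&2; return 1
    fi
    return 0
}

# Wipe old signatures (wipefs needs -a to erase rather than list), create the
# container, put a filesystem inside, close it, then back up the header.
create_volume() {
    dev="$1"; pw="$2"
    check_unused_block_device "$dev"
    passphrase_is_ascii "$pw" || { echo "passphrase must be printable ASCII" >&2; return 1; }
    wipefs -a "$dev"
    # --key-file - reads the passphrase from stdin without a trailing newline,
    # so the same string typed at an interactive prompt opens the volume later.
    printf '%s' "$pw" | cryptsetup luksFormat --batch-mode --key-file - "$dev"
    printf '%s' "$pw" | cryptsetup luksOpen --key-file - "$dev" "$MAPPER"
    mkfs.ext4 -q "/dev/mapper/$MAPPER"
    cryptsetup luksClose "$MAPPER"
    # The backup holds the keyslots: protect it like the device itself, and an
    # old backup revives any passphrase removed after it was taken.
    cryptsetup luksHeaderBackup --header-backup-file "$HEADER_BACKUP" "$dev"
    chmod 600 "$HEADER_BACKUP"
}

open_volume() {
    dev="$1"; pw="$2"
    printf '%s' "$pw" | cryptsetup luksOpen --key-file - "$dev" "$MAPPER"
    mkdir -p "$MOUNTPOINT"
    mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}

close_volume() {
    umount "$MOUNTPOINT"
    cryptsetup luksClose "$MAPPER"
}

# Full rehearsal on a 64 MiB image. Run as root with LUKS_DEMO=1 to execute.
demo() {
    truncate -s 64M "$IMAGE"
    loopdev="$(losetup --find --show "$IMAGE")"
    trap 'losetup -d "$loopdev"; rm -f "$IMAGE"' EXIT
    pw="correct horse battery staple"   # demo passphrase, ASCII by design
    create_volume "$loopdev" "$pw"
    open_volume "$loopdev" "$pw"
    echo "hello" > "$MOUNTPOINT/test.txt"
    close_volume
    echo "cycle completed on $loopdev; header backup in $HEADER_BACKUP"
}

if [ "${LUKS_DEMO:-0}" = 1 ]; then
    demo
fi
```

Without LUKS_DEMO=1 the script only defines the functions, so it can be sourced and the individual steps run against a real partition one at a time.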


Emergency wipe

This subsection describes data destruction procedures. Following these instructions may cause data loss.
The data remains recoverable by anyone who holds a copy of the LUKS header and keyslots (for example a luksHeaderBackup file) together with a valid passphrase. On SSDs and other flash media, overwriting does not guarantee that the old header blocks are physically gone, because wear levelling may leave the original copies in place.

To remove the LUKS header and keyslot data, unmount and close the device and run the command below as root (the redirection is performed by the invoking shell, so prefixing it with sudo does not work).

head -c 10485760 /dev/zero > /dev/device; sync # note: destroys first 10MiB of device

A byte count of 1052672 covers the header and keyslots of a default LUKS1 setup with a 256-bit key, but 10485760 is encouraged just to be sure. LUKS2, the default format in current cryptsetup, places the data at a 16 MiB offset by default; its header and keyslots normally sit within the first few MiB, but check the actual layout with cryptsetup luksDump /dev/device (Payload offset in 512-byte sectors for LUKS1, the data segment offset in bytes for LUKS2) and wipe at least up to that point. Even with the exact byte count, you will still be able to access the data if you have a copy of the LUKS header and keyslots.
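Rather than guess a size, the following added example (not from this wiki page or from cryptsetup) reads the header and keyslot extent from cryptsetup luksDump output and zeroes exactly that span, rounded up to whole MiB. LUKS1 reports the payload offset in 512-byte sectors, LUKS2 reports the data segment offset in bytes. The dump excerpts embedded below are constructed for the test and abbreviated; the WIPE_DEVICE variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page or cryptsetup itself. Computes how many
# leading bytes of a LUKS device hold the header and keyslots, from
# `cryptsetup luksDump` output, and zeroes that much. Assumes GNU dd and root.
set -eu

# Print the data offset in bytes for the luksDump text on stdin; fail otherwise.
luks_header_bytes() {
    awk '
        /^Version:/            { version = $2 }
        /^Payload offset:/     { sectors = $3 }                 # LUKS1: 512-byte sectors
        /^[[:space:]]*offset:/ { if (!seen) { bytes = $2; seen = 1 } }  # LUKS2: first data segment
        END {
            if (version == 1 && sectors != "")     print sectors * 512
            else if (version == 2 && bytes != "")  print bytes
            else exit 1
        }'
}

# Round a byte count up to whole MiB for dd.
wipe_mib_for_bytes() {
    echo $(( ($1 + 1048575) / 1048576 ))
}

# Zero the header and keyslots of a closed LUKS device. Irreversible unless a
# header backup exists elsewhere, in which case the data is still recoverable.
wipe_luks_header() {
    dev="$1"
    bytes="$(cryptsetup luksDump "$dev" | luks_header_bytes)" \
        || { echo "cannot read LUKS header size from $dev" >&2; return 1; }
    mib="$(wipe_mib_for_bytes "$bytes")"
    echo "zeroing first $mib MiB of $dev ($bytes bytes of header and keyslots)" >&2
    dd if=/dev/zero of="$dev" bs=1M count="$mib" conv=fsync status=none
    sync
}

# Constructed, abbreviated luksDump excerpts (LUKS1 with a 512-bit XTS key;
# LUKS2 with the default 16 MiB data offset), used only to exercise the parser.
LUKS1_DUMP_SAMPLE='LUKS header information for /dev/loop0

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha256
Payload offset:	4096
MK bits:       	512'

LUKS2_DUMP_SAMPLE='LUKS header information
Version:       	2
Epoch:         	3
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]

Data segments:
  0: crypt
	offset: 16777216 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]

Keyslots:
  0: luks2
	Key:        512 bits
	Area offset:32768 [bytes]
	Area length:258048 [bytes]'

# Usage (as root): WIPE_DEVICE=/dev/sdX2 sh this_script.sh
if [ -n "${WIPE_DEVICE:-}" ]; then
    wipe_luks_header "$WIPE_DEVICE"
fi
```

Run without WIPE_DEVICE the script only defines the functions; pipe real luksDump output into luks_header_bytes first to confirm the number before committing to the wipe.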

See also

cryptsetup(8) (online)

Cryptsetup FAQ

openSUSE Wiki: Encrypted filesystems

ArchWiki: Dm-crypt