
LUKS and dm-crypt

Basic operations

Creating a new, non-bootable filesystem

Read the warnings in the Cryptsetup FAQ or cryptsetup(8) before proceeding.

Generally, /dev/device should be a partition. Avoid non-ASCII characters in the passphrase, since a different keyboard layout or character encoding at unlock time can produce a different byte sequence and the passphrase will be rejected.

cryptsetup luksFormat /dev/device
cryptsetup luksOpen /dev/device mapperDevice
mkfs.ext4 /dev/mapper/mapperDevice
cryptsetup luksClose /dev/mapper/mapperDevice
cryptsetup luksHeaderBackup --header-backup-file backupFile /dev/device

Mounting

cryptsetup luksOpen /dev/device mapperDevice
mount /dev/mapper/mapperDevice mountpoint

Unmounting

umount mountpoint
cryptsetup luksClose mapperDevice

Security

Emergency wipe

This subsection describes data destruction procedures. Following these instructions will cause data loss.
The data may still be accessible if the attacker holds a copy of the LUKS header and keyslots (for example the backup made with luksHeaderBackup above).

To remove the LUKS header and keyslot data, unmount and close the device and run the command below.

head -c 10485760 /dev/zero > /dev/device; sync # note: destroys first 10MiB of device

A size of 1052672 bytes is enough for the default setup, but 10485760 is encouraged just to be sure. Note that wiping only the header does not destroy the encrypted payload: anyone with a copy of the LUKS header and keyslots (and the passphrase) can restore it and access the data.
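The following script is an added example, not part of this article or of cryptsetup itself. It wraps the create/mount/unmount sequence and the emergency wipe above in small POSIX sh functions with the checks a practitioner would want before running destructive commands: the passphrase is tested for printable ASCII (the advice given above), the header backup is verified to be non-empty after luksHeaderBackup, and the wipe refuses to run while the mapper device is still open. Function names, the DEVICE/MAPPER/BACKUP arguments and the error messages are assumptions of this example; the cryptsetup invocations and byte counts are the ones the article gives.

```shell
#!/bin/sh
# Added example: checked wrappers around the article's cryptsetup procedure.
# Function names and argument conventions are this example's own choices.

# Byte counts from the article: the 10 MiB "to be sure" wipe and the
# smaller size that covers a default LUKS layout.
WIPE_BYTES_SAFE=10485760
WIPE_BYTES_DEFAULT=1052672

# Returns 0 if the passphrase consists only of printable ASCII (0x20-0x7E).
# Anything else is stripped by tr; a non-empty remainder means non-ASCII.
passphrase_is_ascii() {
    [ "$(printf '%s' "$1" | LC_ALL=C tr -d ' -~' | wc -c | tr -d ' ')" = 0 ]
}

# Returns 0 if a header backup file exists and is non-empty.
header_backup_ok() {
    [ -s "$1" ]
}

# Returns 0 if no mapping with this name is currently open.
mapper_is_closed() {
    [ ! -e "/dev/mapper/$1" ]
}

# Create a new, non-bootable filesystem: the article's sequence, then verify
# that the header backup was actually written. Usage: luks_create DEVICE MAPPER BACKUP
luks_create() {
    dev=$1; map=$2; backup=$3
    cryptsetup luksFormat "$dev" &&
    cryptsetup luksOpen "$dev" "$map" &&
    mkfs.ext4 "/dev/mapper/$map" &&
    cryptsetup luksClose "$map" &&
    cryptsetup luksHeaderBackup --header-backup-file "$backup" "$dev" &&
    header_backup_ok "$backup" || { echo "header backup $backup missing or empty" >&2; return 1; }
}

# Usage: luks_mount DEVICE MAPPER MOUNTPOINT
luks_mount() {
    cryptsetup luksOpen "$1" "$2" && mount "/dev/mapper/$2" "$3"
}

# Usage: luks_umount MAPPER MOUNTPOINT
luks_umount() {
    umount "$2" && cryptsetup luksClose "$1"
}

# Emergency wipe of the header and keyslots. Refuses to run while the mapping
# is open, because the article requires the device to be closed first.
# Usage: luks_emergency_wipe DEVICE MAPPER
luks_emergency_wipe() {
    mapper_is_closed "$2" || { echo "close $2 before wiping $1" >&2; return 1; }
    head -c "$WIPE_BYTES_SAFE" /dev/zero > "$1" && sync
}
```

All of the cryptsetup wrappers need root and a real block device; the three check functions run anywhere, so they can be exercised on a workstation before the script is used on a live system.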

See also

cryptsetup(8) (online)

Cryptsetup FAQ

openSUSE Wiki: Encrypted filesystems

ArchWiki: Dm-crypt