Basic operations
Creating a new, non-bootable filesystem
Read the warnings in the Cryptsetup FAQ or cryptsetup(8).
Generally, device should be a partition. Avoid using non-ASCII characters for the passphrase.
wipefs /dev/device
cryptsetup luksFormat /dev/device
cryptsetup luksOpen /dev/device mapperDevice
mkfs.ext4 /dev/mapper/mapperDevice
cryptsetup luksClose /dev/mapper/mapperDevice
cryptsetup luksHeaderBackup --header-backup-file backupFile /dev/device
Mounting
cryptsetup luksOpen /dev/device mapperDevice
mount /dev/mapper/mapperDevice mountpoint
Unmounting
umount mountpoint
cryptsetup luksClose mapperDevice
Security
Emergency wipe
This subsection describes data destruction procedures. Following these instructions may cause data loss.
The data may still be accessible if the attacker has access to a copy of the LUKS headers and keyslots.
To remove the LUKS header and keyslot data, unmount and close the device and run the command below.
head -c 10485760 /dev/zero > /dev/device; sync # note: destroys first 10MiB of device
A filesize of 1052672 can be used for the default setup, but 10485760 is encouraged just to be sure. If you use the proper filesize, you will still be able to access the data if you have a copy of the LUKS headers and keyslots.
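Added example, not part of the original page: a shell check to run after the wipe, confirming that the LUKS magic bytes are gone and that the first 10485760 bytes read back as zero. The function names are hypothetical; reading a block device requires root.

```shell
#!/bin/sh
# Added example: post-wipe check for the emergency wipe described above.
# WIPE_BYTES is the 10485760-byte (10 MiB) region the page's command zeroes.
WIPE_BYTES=10485760

# Succeeds if TARGET still starts with the LUKS magic bytes "LUKS" 0xBA 0xBE.
has_luks_magic() {
    magic=$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Prints how many non-zero bytes remain in the first WIPE_BYTES of TARGET.
nonzero_bytes() {
    head -c "$WIPE_BYTES" "$1" | tr -d '\000' | wc -c | tr -d ' '
}

# verify_wipe TARGET
#   returns 0: no LUKS magic and the whole region is zero
#   returns 1: LUKS magic still present (header was not overwritten)
#   returns 2: magic gone, but non-zero data (possibly keyslots) remains
verify_wipe() {
    if has_luks_magic "$1"; then
        echo "$1: LUKS header still present" >&2
        return 1
    fi
    left=$(nonzero_bytes "$1")
    if [ "$left" -ne 0 ]; then
        echo "$1: $left non-zero bytes remain in the first $WIPE_BYTES bytes" >&2
        return 2
    fi
    echo "$1: first $WIPE_BYTES bytes are zero"
    return 0
}
```

Call it as verify_wipe /dev/device once the device is unmounted and closed. A return of 0 says nothing about copies of the header that exist elsewhere, such as a luksHeaderBackup file.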
See also
cryptsetup(8) (online)