Encrypting disk(s) with LUKS


If you are planning to encrypt a disk, be aware that the encryption step wipes the disk clean. Make sure there is no data on the disk you are planning to encrypt. This post is based on my own use case; I just want to make that clear.

Why encrypt the disks? There are plenty of reasons; fire up your favorite search engine and look them up. For me, I encrypt my disks in case someone breaks into my home and takes my server with them. It gives me peace of mind. I also do this on our desktops and laptops.

The software I am going to use is Linux Unified Key Setup (LUKS). LUKS is provided by the cryptsetup package, which is available on any Linux distribution. To install it on CentOS or Debian:

# CentOS, RHEL, Fedora
dnf install cryptsetup

# Debian 
apt install cryptsetup

I have two types of storage. The primary one is the internal disks and the other is the removable disks such as USB storage. For the internal disk, I will be encrypting the partition. For the removable storage, I will be encrypting the device itself. There are several things to be done to encrypt the disk.

  1. Locate/identify the target disk
  2. Create a partition
  3. Encrypt the partition
  4. Open the encrypted partition
  5. Create a filesystem
  6. Back up the LUKS header
  7. Mount the disk

We can also auto-open and mount the encrypted disk. There are several ways to accomplish this, but I use the Clevis/Tang setup because it is the simplest and easiest method I could find. Check this post on how I use the Clevis and Tang method.

Locating the target disk

There are several ways to locate the target disk, especially if you already have multiple disks installed. In this post, I will be using lsblk. The disks I am going to encrypt are the disk with serial number WD-WMAJHROEL72C and the USB flash drive with serial number 07018JKLDO873X15.

  • -d – do not print slave/holder devices (only the top-level disks)
  • -o – specifies the output columns to print
    • Try lsblk --help to see other options
[root@darktower ~]# lsblk -d -o name,size,serial,type,tran
sda  111.8G DBKLSK3M1414E    disk usb
sdb    9.1T JEJUL35N         disk sas
sdc    9.1T JEHOP0U3         disk sas
sdd   10.9T X19RH1DL         disk sas
sde   10.9T X9OL25LA         disk sas
sdf  698.7G WD-WMAJHROEL72C  disk sas
sdg    3.7T WD-WCC4E5LPW21H  disk sas
sdh    9.1T JEHMNKIU         disk sas
sdi   14.5G 07018JKLDO873X15 disk usb 
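As an added example (not part of the original post), here is a small shell wrapper that turns the lsblk output above into the device paths cryptsetup will be pointed at, refusing to pick a disk unless the serial number matches exactly one device; it goes slightly beyond the post in also handling NVMe and MMC partition naming. LSBLK_SAMPLE and the function names are my own.

```shell
#!/bin/sh
# Resolve a disk by serial number before handing it to cryptsetup (example
# added here, not from the original post). LSBLK_SAMPLE is the lsblk output
# from above, embedded so this runs without real disks; on a live system
# replace it with: lsblk -d -n -o name,size,serial,type,tran
LSBLK_SAMPLE='sda  111.8G DBKLSK3M1414E    disk usb
sdb    9.1T JEJUL35N         disk sas
sdf  698.7G WD-WMAJHROEL72C  disk sas
sdi   14.5G 07018JKLDO873X15 disk usb'

# dev_for_serial SERIAL: print the matching device name; fail unless exactly
# one device carries that serial, so a missing or duplicated serial never
# silently selects a disk that is about to be wiped.
dev_for_serial() {
    matches=$(printf '%s\n' "$LSBLK_SAMPLE" | awk -v s="$1" '$3 == s { print $1 }')
    [ -n "$matches" ] || { echo "no device with serial $1" >&2; return 1; }
    count=$(printf '%s\n' "$matches" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || { echo "serial $1 matches several devices: $matches" >&2; return 1; }
    echo "$matches"
}

# part_path DEVICE NUMBER: build the partition node. Disks whose name ends in
# a digit (nvme0n1, mmcblk0) insert a 'p' before the partition number.
part_path() {
    case "$1" in
        nvme*|mmcblk*) echo "/dev/$1p$2" ;;
        *)             echo "/dev/$1$2" ;;
    esac
}

# The HDD is encrypted per partition, the flash drive as a whole device.
HDD=$(dev_for_serial WD-WMAJHROEL72C)       # sdf
FLASH=$(dev_for_serial 07018JKLDO873X15)    # sdi
echo "cryptsetup -y -v luksFormat $(part_path "$HDD" 1)"   # /dev/sdf1
echo "cryptsetup -y -v luksFormat /dev/$FLASH"             # /dev/sdi
```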

Create a partition

The output above shows that, based on the serial number, WD-WMAJHROEL72C is device sdf, and the USB flash drive 07018JKLDO873X15 (transport type usb) is sdi. To create a partition on the target HDD, I'm going to use fdisk. I am only going to make one primary partition on this disk.

The following are the options:

  • n – add new partition
  • p – primary partition
  • 1 – partition number 1
  • w – write the changes
[root@darktower ~]# fdisk /dev/sdf

Welcome to fdisk (util-linux 2.32.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xc3c4515a.

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): 

Using default response p.
Partition number (1-4, default 1): 
First sector (2048-1465149167, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-1465149167, default 1465149167): 

Created a new partition 1 of type 'Linux' and of size 698.7 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.


Once the partition has been created, we can encrypt it using LUKS. For the portable device /dev/sdi, I will be encrypting the device itself.

Encrypt the partition and the portable storage device

I am going to start with the HDD with a single partition then the portable device.

# To encrypt the HDD
# <device> is the disk, e.g. sdf, and X is the partition number
# cryptsetup -y -v luksFormat --type luks2 /dev/<device>X
[root@darktower ~]# cryptsetup -y -v luksFormat /dev/sdf1

This will overwrite data on /dev/sdf1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdf1: <enter-your-passphrase>
Verify passphrase: <re-enter-your-passphrase>
Key slot 0 created.
Command successful.
[root@darktower ~]# 

# To encrypt the portable device
[root@darktower ~]# cryptsetup -y -v luksFormat /dev/sdi
WARNING: Device /dev/sdi already contains a 'iso9660' superblock signature.
WARNING: Device /dev/sdi already contains a 'dos' partition signature.

This will overwrite data on /dev/sdi irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdi: <enter-your-passphrase>
Verify passphrase: <re-enter-your-passphrase>
Existing 'iso9660' superblock signature (offset: 32769 bytes) on device /dev/sdi will be wiped.
Existing 'dos' partition signature (offset: 510 bytes) on device /dev/sdi will be wiped.
Key slot 0 created.
Command successful.
[root@darktower ~]# 

Open the LUKS Partition

To create a filesystem on the encrypted HDD partition and on the encrypted portable device, we need to open them first.

# Opening the encrypted HDD partition
[root@darktower ~]# cryptsetup luksOpen /dev/sdf1 luks_disk11
Enter passphrase for /dev/sdf1: 
[root@darktower ~]# 

# Opening the encrypted flash drive
[root@darktower ~]# cryptsetup luksOpen /dev/sdi luks_flash_drive
Enter passphrase for /dev/sdi: 
[root@darktower ~]# 

Create a filesystem

Once the disk has been opened, we need to create a filesystem so that we can use the disk and add it to the array. I am going to use XFS for my disk.

# -L is a label for easy identification and it can be used for mounting
[root@darktower ~]# mkfs.xfs -L DISK11 /dev/mapper/luks_disk11 
meta-data=/dev/mapper/luks_disk11 isize=512    agcount=4, agsize=45784824 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=1, sparse=1, rmapbt=0
         =                       reflink=1
data     =                       bsize=4096   blocks=183139294, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
log      =internal log           bsize=4096   blocks=89423, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@darktower ~]# 

For the portable device, we need to create a partition before we can create a filesystem.

  • The t option is to specify the partition type
  • The 7 option is the HPFS/NTFS/exFAT partition type
# Create a FAT filesystem on the opened flash drive
[root@darktower ~]# mkfs.msdos /dev/mapper/luks_flash_drive
mkfs.fat 4.1 (2017-01-24)

LUKS Header backup and restore

Backing up the header

Make sure to save these backups outside of the server. According to the Arch Wiki:

If the header of a LUKS encrypted partition gets destroyed, you will not be able to decrypt your data. It is just as much of a dilemma as forgetting the passphrase or damaging a key-file used to unlock the partition. Damage may occur by your own fault while re-partitioning the disk later or by third-party programs misinterpreting the partition table. Therefore, having a backup of the header and storing it on another disk might be a good idea.

# Syntax format
cryptsetup luksHeaderBackup /dev/deviceX --header-backup-file <name>.bin

cryptsetup luksHeaderBackup /dev/sdf1 --header-backup-file disk11_123456.bin
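Before relying on a header backup, it is worth confirming that the file actually is a LUKS header. As an added example (not part of the original post), the check below reads the magic and version fields at the start of the file; the sample file it builds is constructed to stand in for disk11_123456.bin, and the function names are my own.

```shell
#!/bin/sh
# Sanity-check a LUKS header backup file (example added here, not from the
# original post). LUKS1 and LUKS2 headers both start with the 6-byte magic
# "LUKS\xba\xbe" followed by a big-endian 16-bit version; the LUKS2 secondary
# header uses the magic "SKUL\xba\xbe" instead.

# luks_header_magic FILE: print the first six bytes as lowercase hex.
luks_header_magic() {
    od -An -tx1 -N 6 "$1" | tr -d ' \n'
}

# luks_header_version FILE: print the header version (bytes 6-7, big-endian).
luks_header_version() {
    v=$(od -An -tx1 -j 6 -N 2 "$1" | tr -d ' \n')
    [ -n "$v" ] || return 1          # file too short to hold a version field
    echo $((0x$v))
}

# luks_header_is_valid FILE: return 0 if the file carries a LUKS magic.
luks_header_is_valid() {
    case "$(luks_header_magic "$1")" in
        4c554b53babe|534b554cbabe) return 0 ;;   # "LUKS"/"SKUL" + 0xba 0xbe
        *) return 1 ;;
    esac
}

# Constructed stand-in for disk11_123456.bin: magic, version 2, zero padding.
# A real file comes from: cryptsetup luksHeaderBackup /dev/sdf1 --header-backup-file disk11_123456.bin
SAMPLE_HDR=$(mktemp)
printf 'LUKS\272\276\000\002' > "$SAMPLE_HDR"
dd if=/dev/zero bs=1 count=56 2>/dev/null >> "$SAMPLE_HDR"

# A wrong or truncated file (constructed) must be rejected.
BAD_HDR=$(mktemp)
printf 'not a header' > "$BAD_HDR"

if luks_header_is_valid "$SAMPLE_HDR"; then
    echo "ok: LUKS version $(luks_header_version "$SAMPLE_HDR") header"
fi
luks_header_is_valid "$BAD_HDR" || echo "rejected: no LUKS magic"
```

Keep the hash of the verified backup with it so a corrupted copy is noticed before a restore is attempted.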

Restoring the backup header

If something really did happen and you need to restore the LUKS header, this is how you would restore it.

# Syntax format
cryptsetup luksHeaderRestore /dev/deviceX --header-backup-file <name>.bin

cryptsetup luksHeaderRestore /dev/sdf1 --header-backup-file disk11_123456.bin

Mount the disk

Once we have the disk and the portable device prepped, we need to mount them so that we can use them. I like to mount devices under /mnt, so I will create a directory for each mount point.

# Create a directory for the HDD and for the portable device
mkdir /mnt/disk11
mkdir /mnt/flashdrive

Once the directories are created, we can now mount the devices.

# Mount the HDD
mount /dev/mapper/luks_disk11 /mnt/disk11

# Mount the flash drive (the mapper name is the one given to luksOpen above)
mount /dev/mapper/luks_flash_drive /mnt/flashdrive

This is it. At this point, you should be able to use the HDD and the portable drive. The process looks hard, but it is really simple once you get used to it.
