luks-cheatsheet

LUKS Cheat Sheet – Complete cryptsetup Guide for Linux Disk Encryption

✅ Full LUKS1 & LUKS2 Guide
✅ Complete cryptsetup Commands
✅ Password & Keyslot Management
✅ Keyfile Authentication
✅ LUKS Header Backup & Restore
✅ Auto Unlock with crypttab & fstab
✅ File-Based Encrypted Containers
✅ LPIC-2 & LPIC-3 Ready

This is a complete and professional LUKS Cheat Sheet written for Linux system administrators, DevOps engineers, and security students.


📌 What is LUKS?

LUKS (Linux Unified Key Setup) is the standard disk encryption system for Linux.
It provides strong encryption at the block-device level and is widely used for:


✅ LUKS / cryptsetup – Ultimate Complete Cheat Sheet


1. Basics & Concepts


2. Installation

Debian / Ubuntu / Kali

sudo apt update
sudo apt install cryptsetup

RHEL / CentOS / Rocky / Alma

sudo dnf install cryptsetup

Arch Linux

sudo pacman -S cryptsetup

Check version:

cryptsetup --version

3. Formatting a Disk with LUKS (ALL DATA ERASED)

Default (LUKS2)

sudo cryptsetup luksFormat /dev/sdX1

Force Version

sudo cryptsetup luksFormat --type luks1 /dev/sdX1
sudo cryptsetup luksFormat --type luks2 /dev/sdX1

Custom Encryption

sudo cryptsetup luksFormat \
  --cipher aes-xts-plain64 \
  --key-size 512 \
  --hash sha256 \
  --iter-time 5000 \
  /dev/sdX1

⚠️ Non-interactive (NOT recommended: the password lands in the shell history; `-` tells cryptsetup to read it from stdin):

echo "password" | sudo cryptsetup luksFormat /dev/sdX1 -

4. Open & Close (Unlock / Lock)

Open

sudo cryptsetup open /dev/sdX1 secure

Result:

/dev/mapper/secure

Close

sudo cryptsetup close secure

Read Only

sudo cryptsetup open --readonly /dev/sdX1 secure

5. Create Filesystem & Mount

sudo mkfs.ext4 /dev/mapper/secure
sudo mkdir -p /mnt/secure
sudo mount /dev/mapper/secure /mnt/secure

Unmount:

sudo umount /mnt/secure

6. Password & Keyslot Management

View info:

sudo cryptsetup luksDump /dev/sdX1

Add password:

sudo cryptsetup luksAddKey /dev/sdX1

Remove password:

sudo cryptsetup luksRemoveKey /dev/sdX1

Remove specific slot:

sudo cryptsetup luksKillSlot /dev/sdX1 1

Change password:

sudo cryptsetup luksChangeKey /dev/sdX1

7. Keyfile Authentication

Create keyfile (64 random bytes, readable only by root):

sudo dd if=/dev/urandom of=/root/luks.key bs=64 count=1
sudo chmod 600 /root/luks.key

Add keyfile:

sudo cryptsetup luksAddKey /dev/sdX1 /root/luks.key

Unlock with keyfile:

sudo cryptsetup open /dev/sdX1 secure --key-file /root/luks.key

8. LUKS Header Backup & Restore (CRITICAL)

Backup:

sudo cryptsetup luksHeaderBackup /dev/sdX1 \
--header-backup-file /root/luks-header.img

Restore:

sudo cryptsetup luksHeaderRestore /dev/sdX1 \
--header-backup-file /root/luks-header.img

⚠️ Wrong restore = permanent data loss! The restored header replaces the current keyslots, so an outdated backup silently drops any passphrase or keyfile added or changed after it was taken. Re-take the backup after every keyslot change and keep it off the encrypted disk.
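Added example for sections 6 and 8, not part of this cheat sheet: a small POSIX sh helper that takes the header backup and then verifies it by comparing the UUID and enabled keyslots that `cryptsetup luksDump` reports for the device and for the backup file. The function names, the fingerprint format and the sample dump texts are my own constructions; the cryptsetup commands are the ones shown above.

```shell
# Added example (not from the cheat sheet): back up a LUKS header, then
# verify it by comparing the UUID and enabled keyslots that `cryptsetup
# luksDump` reports for the device and for the backup file. The parsers
# read stdin, so the constructed samples at the bottom run without root.

# UUID from luksDump output (LUKS1 and LUKS2 both print a "UUID:" line).
luks_uuid_from_dump() { awk '$1 == "UUID:" { print $2; exit }'; }

# Enabled keyslot numbers, one per line. LUKS1 prints "Key Slot N: ENABLED";
# LUKS2 lists "  N: luks2" under its "Keyslots:" section.
luks_slots_from_dump() {
    awk '/^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3; next }
         /^Keyslots:/ { in_slots = 1; next }
         /^[A-Z]/     { in_slots = 0 }
         in_slots && $1 ~ /^[0-9]+:$/ { sub(":", "", $1); print $1 }'
}

# One-line fingerprint "uuid=... slots=0 1 ..." of a dump passed as a string.
luks_fingerprint() {
    u=$(printf '%s\n' "$1" | luks_uuid_from_dump)
    s=$(printf '%s\n' "$1" | luks_slots_from_dump | xargs echo)
    printf 'uuid=%s slots=%s\n' "$u" "$s"
}

# Back up the header of device $1 to file $2 and fail unless the backup
# dumps the same fingerprint as the live device. Needs root.
luks_header_backup_verified() {
    cryptsetup luksHeaderBackup "$1" --header-backup-file "$2" || return 1
    chmod 600 "$2"
    live=$(cryptsetup luksDump "$1") || return 1
    copy=$(cryptsetup luksDump "$2") || return 1   # luksDump accepts a file
    [ "$(luks_fingerprint "$live")" = "$(luks_fingerprint "$copy")" ] ||
        { echo "MISMATCH between $1 and $2" >&2; return 1; }
    echo "verified: $2 $(luks_fingerprint "$live")"
}

# Constructed sample dumps (made-up UUIDs), trimmed to the lines the parsers use.
SAMPLE_LUKS2='UUID:           11111111-2222-3333-4444-555555555555
Data segments:
  0: crypt
Keyslots:
  0: luks2
        Key:        512 bits
  3: luks2
Digests:
  0: pbkdf2'
SAMPLE_LUKS1='UUID:           aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: ENABLED'
```

Source the file and run `luks_header_backup_verified /dev/sdX1 /root/luks-header.img` as root; the same `luks_slots_from_dump` output is a quick check of which slots are still in use before a `luksKillSlot`.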


9. Resize Encrypted Device

Resize mapping:

sudo cryptsetup resize secure

Resize filesystem:

sudo e2fsck -f /dev/mapper/secure
sudo resize2fs /dev/mapper/secure

10. Status, UUID & Recovery

Status:

sudo cryptsetup status secure

LUKS UUID:

sudo cryptsetup luksUUID /dev/sdX1

Filesystem UUID:

sudo blkid /dev/mapper/secure

Repair:

sudo e2fsck -f /dev/mapper/secure

11. Auto Unlock at Boot (crypttab & fstab)

/etc/crypttab

secure UUID=<LUKS_UUID> none luks

With keyfile:

secure UUID=<LUKS_UUID> /root/luks.key luks

/etc/fstab

/dev/mapper/secure /mnt/secure ext4 defaults 0 2

Or with UUID:

UUID=<FS_UUID> /mnt/secure ext4 defaults 0 2

12. File-Based LUKS Container

Create file:

dd if=/dev/urandom of=secure.img bs=1M count=2048

Encrypt:

sudo cryptsetup luksFormat secure.img

Open:

sudo cryptsetup open secure.img securefile

Create filesystem:

sudo mkfs.ext4 /dev/mapper/securefile
sudo mount /dev/mapper/securefile /mnt/securefile

Close:

sudo umount /mnt/securefile
sudo cryptsetup close securefile

13. Suspend & Resume (RAM Lock)

Suspend:

sudo cryptsetup luksSuspend secure

Resume:

sudo cryptsetup luksResume secure

14. Security Best Practices

✅ Always backup LUKS header
✅ Use strong passwords (16+ characters)
✅ Never store keyfile on same disk
✅ Encrypt swap partition
✅ Avoid passwords in command history
✅ Always test on VM first
✅ Prefer LUKS2
✅ Use AES-XTS-512


👨‍💻 Author

Created by Mahdi Norouzi, Linux Administrator & DevOps Candidate

🌐 Website: https://netpilot.ir
📂 GitHub: https://github.com/


⭐ If this repository helps you, please give it a star to support the project!