• Edit
  • Delete

luks cryptsetup linux ubuntu harddisk encryption


Change a password

  • cryptsetup luksDump /dev/sda5
    • Key Slot 0: ENABLED
      Key Slot 1: DISABLED

Add new password as second one (1) and then delete first one (0)

  • cryptsetup luksAddKey --key-slot 1 /dev/sda5
  • cryptsetup luksDump /dev/sda5
  • cryptsetup luksRemoveKey --key-slot 0 /dev/sda5

Encrypt external or separate harddisk

Example for /dev/sdd (use "blkid" to find the right harddisk)

  • Delete partition table (make it like factory new)
    • dd if=/dev/zero of=/dev/sdd bs=512 count=1
  • cfdisk /dev/sdd
    • gpt
    • create linux partition, full space
  • cryptsetup luksFormat --cipher aes-xts-plain64 --verify-passphrase --key-size 256 /dev/sdd1

Open encrypted harddisk

  • cryptsetup luksOpen /dev/sdd1 my-external-disk
  • ls -la /dev/mapper
    • /dev/mapper/my-external-disk: LABEL="my-external-disk" UUID="....

Create filesystem on opened harddisk

For example "ext4"

  • mkfs.ext4 /dev/mapper/my-external-disk
  • mount /dev/mapper/my-external-disk /mnt

Auto Decrypt Harddisk upon Boot

  • mkdir /root/.keyfiles
  • dd if=/dev/urandom of=/root/.keyfiles/my-external-disk.key bs=1024 count=4
  • chmod 400 /root/.keyfiles/my-external-disk.key
  • cryptsetup luksAddKey /dev/sdd1 /root/.keyfiles/my-external-disk.key
  • blkid -> note uuid
  • vi /etc/crypttab
    • my-external-disk_crypt UUID=26d5247e-4358-4089-a4cc-f2f9c37b05be /root/.keyfiles/my-external-disk.key luks,discard

  • mkdir /my-external-disk

  • vi /etc/fstab

    • # my-external-disk

      /dev/mapper/my-external-disk_crypt /my-external-disk ext4 defaults,noatime 0 2

Auto Decrypt Harddisk on a headless, encrypted Server via SSH


my-encrypted-server: A headless server with an encrypted harddisk "my-external-disk"

my-unlock-server: A secure secondary server which provides the decryption key


  • create ssh key
    • ssh-keygen -t rsa -b 4096 -o -a 64
    • cat ~/.ssh/id_rsa.pub
      • copy to clipboard


  • adduser unlock-luks
  • vi /home/unlock-luks/.ssh/authorized_keys
    • paste key from above
    • prepend to the key; this restricts access to this specific ip, and to this specific command
      • restrict,from=111.222.333.444,command="cat ~/.keyfiles/my-encrypted-server_my-external-disk.key"
  • sudo -u unlock-luks mkdir /home/unlock-luks/.keyfiles
  • sudo -u unlock-luks dd if=/dev/urandom of=/home/unlock-luks/.keyfiles/my-encrypted-server_my-external-disk.key bs=1024 count=4
  • chmod o-rwx /home/unlock-luks/.keyfiles -R


  • blkid
    • /dev/sdd1: UUID="204c6379-f0ca-43ff-a0dd-f862528b5931" TYPE="crypto_LUKS" PARTUUID="411379ab-0b35-4f4c-9a51-bfe890c6f261"
  • sshfs unlock-luks@my-unlock-server:/home/unlock-luks/.keyfiles /mnt
  • cryptsetup luksAddKey /dev/sdd1 /mnt/my-encrypted-server_my-external-disk.key
  • cryptsetup luksClose my-external-disk
  • umount /mnt
  • #!/bin/sh -e
    # rc.local
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    ssh unlock-luks@my-unlock-server | cryptsetup luksOpen /dev/sdd1 my-external-disk -d -
    mount /dev/mapper/my-external-disk /my-external-disk
    exit 0
  • vi /etc/rc.local
  • chmod 700 /etc/rc.local