How to Encrypt Data at Rest with dm-crypt

By Admin · Mar 15, 2026 · Updated Apr 23, 2026 · 213 views · 3 min read

Encrypting data at rest protects your information if the physical disk is stolen, resold, or recovered after a host is decommissioned. dm-crypt is the Linux kernel's transparent block-device encryption layer; LUKS (Linux Unified Key Setup) is the on-disk header format that stores the volume's master key in key slots, each protected by a passphrase or key file. Together they are the standard Linux solution for full-disk and partition encryption.

When to Encrypt Data at Rest

  • Storing sensitive customer data (PII, financial records)
  • Compliance requirements (HIPAA, PCI-DSS, GDPR)
  • Protecting against physical theft of drives
  • Ensuring data is unreadable when a VPS is decommissioned

Setting Up LUKS Encryption

# Install cryptsetup
sudo apt install cryptsetup

# Create an encrypted partition (WARNING: destroys all data on /dev/vdb1!)
# cryptsetup 2.1 and later write a LUKS2 header by default; on older
# versions add --type luks2
sudo cryptsetup luksFormat /dev/vdb1
# Confirm with YES (uppercase)
# Enter passphrase (use a strong passphrase: it is all that stands between
# someone holding the disk and your data)

# Open the encrypted partition
sudo cryptsetup open /dev/vdb1 encrypted_data
# Enter passphrase

# Create a filesystem
sudo mkfs.ext4 /dev/mapper/encrypted_data

# Mount it
sudo mkdir /mnt/encrypted
sudo mount /dev/mapper/encrypted_data /mnt/encrypted
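The same sequence as a guarded script, added here as an example (this is not code from the original article): it refuses to format a device that is mounted or already carries a LUKS header, states the LUKS2 parameters explicitly instead of relying on distro defaults, and prints the active mapping at the end. It works for a partition or for a regular-file container (the file-container section further down). `/dev/vdb1`, `encrypted_data` and `/mnt/encrypted` are the article's values and are only defaults; `DRY_RUN=1` prints the plan without touching anything, which is how the script can be checked on a machine with no spare disk.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: luksFormat / open / mkfs /
# mount with the pre-flight checks a bare luksFormat skips. Works for a
# block device or a regular file (cryptsetup attaches a loop device itself).
# DRY_RUN=1 only prints the commands that would run.
set -eu

DRY_RUN="${DRY_RUN:-}"

# Every command that writes to the device goes through run(), so DRY_RUN=1
# only echoes it.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to format something that is not a block device or file, is
# currently mounted, or already carries a LUKS header (re-running luksFormat
# on a live volume is the classic way to lose the only copy of the data).
preflight() {
    local dev="$1"
    if [ -n "$DRY_RUN" ]; then
        return 0
    fi
    if [ ! -b "$dev" ] && [ ! -f "$dev" ]; then
        echo "preflight: $dev is not a block device or file" >&2; return 1
    fi
    if findmnt -rn -S "$dev" >/dev/null 2>&1; then
        echo "preflight: $dev is mounted, refusing to format" >&2; return 1
    fi
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "preflight: $dev already has a LUKS header; use 'cryptsetup open'" >&2
        return 1
    fi
}

luks_setup() {  # device mapper-name mountpoint
    local dev="$1" name="$2" mnt="$3"
    preflight "$dev"
    # Explicit parameters: LUKS2 header, AES in XTS mode with a 512-bit key
    # (two 256-bit AES keys), Argon2id as the passphrase KDF. luksFormat
    # still asks for the YES confirmation and the passphrase.
    run cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 \
        --key-size 512 --pbkdf argon2id "$dev"
    run cryptsetup open "$dev" "$name"
    run mkfs.ext4 -L "$name" "/dev/mapper/$name"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
    # Show the active mapping (cipher, key size, backing device) as proof.
    run cryptsetup status "$name"
}

# Usage: sudo ./luks_setup.sh /dev/vdb1 encrypted_data /mnt/encrypted
if [ "$#" -ge 1 ]; then
    luks_setup "$1" "${2:-encrypted_data}" "${3:-/mnt/encrypted}"
fi
```

The `findmnt` check only sees the device path you pass, so for a file container that is already attached through a loop device it will not catch an active mount; the `isLuks` check still will.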

Managing LUKS Keys

# LUKS1 headers have 8 key slots; LUKS2 headers have 32. Each slot holds a
# copy of the same master key wrapped by a different passphrase or key file
# Add an additional passphrase
sudo cryptsetup luksAddKey /dev/vdb1
# Enter existing passphrase, then new passphrase

# Remove a passphrase (deletes whichever slot that passphrase unlocks; if it
# is the last slot, the data becomes unrecoverable)
sudo cryptsetup luksRemoveKey /dev/vdb1
# Enter the passphrase to remove

# View key slot information
sudo cryptsetup luksDump /dev/vdb1

# Use a key file instead of passphrase (512 random bytes is far more than
# enough; /root is mode 0700, so the file is not exposed before the chmod)
sudo dd if=/dev/urandom of=/root/.luks-keyfile bs=512 count=1
sudo chmod 400 /root/.luks-keyfile
sudo cryptsetup luksAddKey /dev/vdb1 /root/.luks-keyfile
# Enter an existing passphrase to authorize the new slot
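Key-file creation and slot rotation as an added example (not code from the original article). `make_keyfile` creates the file under `umask 077`, so there is no moment in which a default umask leaves it readable by others, and refuses to overwrite an existing key. `rotate_to_keyfile` is the slot procedure a practitioner wants: add the new key into a chosen slot, prove it unlocks the header with `--test-passphrase`, only then kill the old slot, and re-take the header backup, because a backup taken earlier still contains the slot that was just killed. Device path, slot numbers and backup path are parameters; `/dev/vdb1` and `/root/.luks-keyfile` are the article's values.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: safe key-file creation and
# a check-before-remove key rotation for a LUKS device.
set -eu

make_keyfile() {  # path [bytes]
    local path="$1" bytes="${2:-4096}"
    if [ -e "$path" ]; then
        echo "make_keyfile: $path exists, refusing to overwrite" >&2
        return 1
    fi
    # umask in a subshell: the file is created 0600 and never widens.
    ( umask 077 && head -c "$bytes" /dev/urandom > "$path" )
    chmod 0400 "$path"
    # Verify length and mode before anyone trusts the file.
    if [ "$(wc -c < "$path" | tr -d ' ')" -ne "$bytes" ]; then
        echo "make_keyfile: short read from /dev/urandom" >&2; return 1
    fi
    [ "$(ls -l "$path" | cut -c1-10)" = "-r--------" ]
}

rotate_to_keyfile() {  # device keyfile old-slot new-slot [header-backup]
    local dev="$1" keyfile="$2" old_slot="$3" new_slot="$4"
    local backup="${5:-/root/luks-header-$(basename "$dev").img}"
    # Add the key file into an explicit slot; prompts for a current passphrase.
    cryptsetup luksAddKey --key-slot "$new_slot" "$dev" "$keyfile"
    # --test-passphrase unlocks the header without mapping the device:
    # if this fails the function aborts here and the old slot is untouched.
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev"
    # Wipe the old slot, authorising with the new key file.
    cryptsetup luksKillSlot --key-file "$keyfile" "$dev" "$old_slot"
    # A header backup taken before this point still opens with the killed
    # key: replace it, and keep the backup as secret as a key file.
    rm -f "$backup"
    ( umask 077 && cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" )
    cryptsetup luksDump "$dev"
}

# Usage (as root):
#   make_keyfile /root/.luks-keyfile
#   rotate_to_keyfile /dev/vdb1 /root/.luks-keyfile 0 1
```

`cryptsetup luksDump` at the end lists which slots are populated; the old slot should be gone and the new one present, with the header backup now matching that state.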

Auto-Mount at Boot

# Using a key file (for non-interactive boot). Note what this buys you: the
# key file lives on the unencrypted root filesystem, so the data volume is
# only as protected as the root disk. It covers a data disk that is lost or
# reused on its own, not theft of the whole machine.
# Add to /etc/crypttab (UUID=<id> from `cryptsetup luksUUID /dev/vdb1` is
# more robust than /dev/vdb1, which can be renumbered when disks are added):
# encrypted_data /dev/vdb1 /root/.luks-keyfile luks

# Add to /etc/fstab (add nofail if a missing disk or key file must not drop
# the boot into the emergency shell):
# /dev/mapper/encrypted_data /mnt/encrypted ext4 defaults 0 2

# Test the configuration (cryptdisks_start is the Debian/Ubuntu helper; on
# other systemd distributions start the unit systemd generates from crypttab,
# systemd-cryptsetup@encrypted_data)
sudo cryptdisks_start encrypted_data
sudo mount -a
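Generating the two boot entries with a script, as an added example that is not part of the original article. It addresses the LUKS device by its header UUID (what `cryptsetup luksUUID /dev/vdb1` prints) rather than `/dev/vdb1`, appends each line only if it is not already present, refuses a key file that is readable by group or others, and adds `nofail` plus a device timeout so a missing key file or disk does not stop the boot. The crypttab and fstab paths are parameters so the functions can be tried against scratch files; the UUID in the usage comment is made up.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: build and idempotently
# install the /etc/crypttab and /etc/fstab lines for an auto-unlocked
# LUKS data volume.
set -eu

uuid_ok() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

crypttab_entry() {  # name uuid keyfile
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# nofail: boot continues if the volume is absent; the timeout bounds how
# long systemd waits for /dev/mapper/<name> to appear.
fstab_entry() {  # name mountpoint
    printf '/dev/mapper/%s %s ext4 defaults,nofail,x-systemd.device-timeout=30 0 2\n' "$1" "$2"
}

# Append a line unless an identical line is already present.
add_line_once() {  # file line
    local file="$1" line="$2"
    if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
        printf '%s\n' "$line" >> "$file"
    fi
}

register_boot_mount() {  # name uuid keyfile mountpoint [crypttab] [fstab]
    local name="$1" uuid="$2" keyfile="$3" mnt="$4"
    local crypttab="${5:-/etc/crypttab}" fstab="${6:-/etc/fstab}"
    if ! uuid_ok "$uuid"; then
        echo "register_boot_mount: '$uuid' is not a LUKS UUID" >&2; return 1
    fi
    # Characters 5-10 of ls -l are the group and other permission bits.
    if [ -e "$keyfile" ] && [ "$(ls -l "$keyfile" | cut -c5-10)" != "------" ]; then
        echo "register_boot_mount: $keyfile is readable by group or others" >&2
        return 1
    fi
    add_line_once "$crypttab" "$(crypttab_entry "$name" "$uuid" "$keyfile")"
    add_line_once "$fstab" "$(fstab_entry "$name" "$mnt")"
}

# Usage as root (UUID is a placeholder; take yours from
# `cryptsetup luksUUID /dev/vdb1`):
#   register_boot_mount encrypted_data 0d3f1f2a-8b2e-4c1f-9a7d-3e5b6c7d8e9f \
#       /root/.luks-keyfile /mnt/encrypted
#   cryptdisks_start encrypted_data && mount -a
```

Running `register_boot_mount` twice leaves one line in each file, so it is safe to re-run from a provisioning script.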

Encrypting a Data Directory

# Create an encrypted file container (no dedicated partition needed)
# Create a 10GB file. Filling it from /dev/urandom is slow but leaves no
# way to tell used from unused space; `sudo fallocate -l 10G <file>` is
# instant if that does not matter. Writing under /root needs root either way
sudo dd if=/dev/urandom of=/root/encrypted.img bs=1M count=10240 status=progress

# Set up LUKS on the file (cryptsetup attaches a loop device automatically)
sudo cryptsetup luksFormat /root/encrypted.img
sudo cryptsetup open /root/encrypted.img secure_storage
sudo mkfs.ext4 /dev/mapper/secure_storage
sudo mkdir /mnt/secure
sudo mount /dev/mapper/secure_storage /mnt/secure

# When done, unmount and close
sudo umount /mnt/secure
sudo cryptsetup close secure_storage

Performance Considerations

# Check if your CPU supports AES-NI hardware acceleration (-w matches the
# whole flag, so a bare "vaes" flag does not count; in a VM the flag is only
# visible if the hypervisor passes it through)
grep -m1 -ow aes /proc/cpuinfo
# "aes" means hardware acceleration is available

# Rough figures for sequential I/O; measure your own workload:
# With AES-NI: ~5-10% throughput overhead, usually negligible
# Without AES-NI: ~20-30% throughput overhead, and the CPU becomes the
# bottleneck on fast storage

# Benchmark the ciphers in memory (this measures the kernel crypto API on
# this CPU, not your disk, so it compares algorithms rather than predicting
# real I/O throughput)
cryptsetup benchmark
# Shows throughput for different algorithms, including aes-xts 512b
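The flag check done properly, as an added example (not code from the original article): the flags line is split into words and matched exactly, because a substring `grep aes` is also satisfied by the AVX-512 `vaes` flag, and the CPU flag is then paired with whether the kernel's accelerated driver (`aesni`, as listed in `/proc/crypto`) is actually in use. The cpuinfo and `/proc/crypto` paths are parameters so the functions can be run against the constructed samples at the bottom; on x86 the real line starts with `flags`.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: whole-word AES-NI flag
# detection plus a check that the kernel is really using the accelerated
# driver. Sample inputs below are constructed, not from real machines.
set -eu

cpu_flag_present() {  # flag [cpuinfo-file]
    local flag="$1" cpuinfo="${2:-/proc/cpuinfo}"
    # Only the "flags" line, only whole words: "aes" must not match "vaes".
    grep -m1 '^flags' "$cpuinfo" | tr ' ' '\n' | grep -qx -- "$flag"
}

# Three answers: no flag at all, flag present but no accelerated driver
# registered, or the driver (aesni, as in "xts-aes-aesni") is loaded.
aes_accel_status() {  # [cpuinfo-file] [proc-crypto-file]
    local cpuinfo="${1:-/proc/cpuinfo}" crypto="${2:-/proc/crypto}"
    if ! cpu_flag_present aes "$cpuinfo"; then
        echo "no-aes-flag"
    elif grep -q 'aesni' "$crypto" 2>/dev/null; then
        echo "aes-ni-active"
    else
        echo "aes-flag-only"
    fi
}

# Constructed cpuinfo fragments for a self-check.
SAMPLE_AESNI='processor : 0
flags : fpu sse2 aes avx2 sha_ni'
SAMPLE_VAES_ONLY='processor : 0
flags : fpu sse2 vaes avx2'

# Usage on the live machine:
#   aes_accel_status
```

On a VPS, `aes-flag-only` usually means the `aesni_intel` module is not loaded or the guest kernel lacks it; `no-aes-flag` means the hypervisor is hiding the instruction set, and dm-crypt will fall back to the generic software AES.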

Best Practices

  1. Use AES-256-XTS (aes-xts-plain64 with a 512-bit key, the LUKS2 default) and the Argon2id passphrase KDF that current cryptsetup uses for LUKS2
  2. Store the passphrase/keyfile securely (password manager, HSM, or a secrets store you can still reach during recovery)
  3. Keep a backup of the LUKS header: cryptsetup luksHeaderBackup /dev/vdb1 --header-backup-file <file>. Without the header the data is gone, and a header backup contains every key slot, including slots removed later, so guard it like a key
  4. Use key files for automated boot, passphrases for manual access
  5. Test recovery procedures (header restore, opening with each slot) before relying on encryption
  6. Remember: encryption protects data at rest, not from a running system compromise; once the volume is open, anyone with root on the host reads it in the clear
