
How to Encrypt Disk Partitions with LUKS

By Admin · Mar 2, 2026 · Updated Apr 24, 2026 · 26 views · 4 min read


Linux Unified Key Setup (LUKS) is the standard for disk encryption on Linux. Encrypting partitions on your Breeze instance ensures that data at rest is protected even if the physical storage is compromised. LUKS provides strong encryption with support for multiple passphrases and key management.

Understanding LUKS Encryption

LUKS encrypts entire block devices (partitions or disks) using AES encryption by default. Key concepts:

  • LUKS header — contains metadata, key slots, and encryption parameters
  • Key slots — LUKS supports up to 8 passphrases per device, each stored in a separate slot
  • dm-crypt — the kernel module that handles the actual encryption/decryption
  • cryptsetup — the userspace tool for managing LUKS volumes

Installing cryptsetup

On Ubuntu or Debian:

sudo apt update
sudo apt install -y cryptsetup

On AlmaLinux or Rocky Linux:

sudo dnf install -y cryptsetup

Encrypting a New Partition

This example encrypts /dev/sdb1. All existing data on the partition will be destroyed.

# Initialize LUKS encryption on the partition
sudo cryptsetup luksFormat /dev/sdb1

You will be prompted to type YES in uppercase and enter a passphrase. Choose a strong passphrase and store it securely.

Opening and Mounting the Encrypted Volume

# Open the LUKS volume (creates /dev/mapper/secure_data)
sudo cryptsetup luksOpen /dev/sdb1 secure_data

# Create a filesystem
sudo mkfs.ext4 /dev/mapper/secure_data

# Create mount point and mount
sudo mkdir -p /mnt/secure
sudo mount /dev/mapper/secure_data /mnt/secure

# Verify
df -h /mnt/secure
lsblk

Managing Key Slots

LUKS supports multiple passphrases through key slots:

# Add a new passphrase (requires an existing passphrase)
sudo cryptsetup luksAddKey /dev/sdb1

# Remove a passphrase (cryptsetup prompts for the passphrase and disables the slot that matches it)
sudo cryptsetup luksRemoveKey /dev/sdb1

# View key slot status
sudo cryptsetup luksDump /dev/sdb1

Using a Key File

For automated unlocking (such as on boot), use a key file instead of a passphrase. Keep in mind that the key file is only as protected as the filesystem it lives on: if it sits on an unencrypted disk, anyone who can read that disk can unlock the volume.

# Generate a random key file
sudo dd if=/dev/urandom of=/root/.luks-keyfile bs=4096 count=1
sudo chmod 400 /root/.luks-keyfile

# Add the key file to a LUKS slot
sudo cryptsetup luksAddKey /dev/sdb1 /root/.luks-keyfile

# Open using the key file
sudo cryptsetup luksOpen /dev/sdb1 secure_data --key-file /root/.luks-keyfile

Automatic Mounting at Boot

Configure /etc/crypttab and /etc/fstab for automatic mounting:

# Find the UUID of the LUKS partition
sudo blkid /dev/sdb1

# Add to /etc/crypttab (use the UUID of the LUKS container reported by blkid above)
# secure_data UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /root/.luks-keyfile luks

# Add to /etc/fstab
# /dev/mapper/secure_data /mnt/secure ext4 defaults 0 2

Closing and Unmounting

# Unmount the filesystem
sudo umount /mnt/secure

# Close the LUKS volume
sudo cryptsetup luksClose secure_data

Backing Up the LUKS Header

The LUKS header is critical: it holds the key slots, without which the data cannot be decrypted. If it is damaged or overwritten and no backup exists, the data is permanently unrecoverable:

# Backup the LUKS header
sudo cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file /root/luks-header-backup.img

# Restore from backup (emergency only)
sudo cryptsetup luksHeaderRestore /dev/sdb1 --header-backup-file /root/luks-header-backup.img

Store the header backup securely off-server.

Performance Considerations

Check if your Breeze instance supports hardware AES acceleration:

# Check for AES-NI support
grep -o aes /proc/cpuinfo | head -1

# Benchmark encryption performance
sudo cryptsetup benchmark

Modern CPUs with AES-NI typically show minimal performance impact from LUKS encryption.

Best Practices

  • Always back up the LUKS header — store it in a separate, secure location
  • Use strong passphrases — at least 20 characters with mixed character types
  • Protect key files — ensure key files have restrictive permissions (0400) and are stored securely
  • Encrypt sensitive partitions — focus on partitions containing user data, databases, and logs
  • Test recovery — periodically verify you can unlock volumes with backup passphrases or key files
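The key-slot, key-file and crypttab steps above, and the "test recovery" practice, can be checked from a script. The following is an added example, not code from the original article: it parses `cryptsetup luksDump` output (both the LUKS1 "Key Slot N: ENABLED" and the LUKS2 "Keyslots:" formats), warns when only one slot is populated, derives the /etc/crypttab line from the container UUID, and checks key-file permissions. The dump text, the UUID and the mapper/key-file names are constructed sample values.

```sh
#!/bin/sh
# Added example (not from the original article): recovery-readiness checks over
# `cryptsetup luksDump` output. Handles LUKS1 and LUKS2 dump formats.

# Count enabled key slots in a luksDump text read from stdin.
# LUKS1 prints "Key Slot N: ENABLED|DISABLED"; LUKS2 lists "  N: luks2" under "Keyslots:".
count_enabled_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/    { n++ }
        /^Keyslots:/                   { in_slots = 1; next }
        /^[A-Za-z]/                    { in_slots = 0 }
        in_slots && /^  [0-9]+: luks2/ { n++ }
        END                            { print n + 0 }
    '
}

# Build the /etc/crypttab entry from the container UUID in the dump (stdin).
# $1 = mapper name, $2 = key file path.
crypttab_line() {
    uuid=$(awk '/^UUID:/ { print $2; exit }')
    printf '%s UUID=%s %s luks\n' "$1" "$uuid" "$2"
}

# Succeed only if the key file grants no group/other access (e.g. mode 0400).
keyfile_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed, abbreviated LUKS2 dump with two populated slots (sample data, not real).
SAMPLE_DUMP='LUKS header information
Version:        2
UUID:           01234567-89ab-cdef-0123-456789abcdef

Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

# A single populated slot means one lost passphrase locks you out for good.
slots=$(printf '%s\n' "$SAMPLE_DUMP" | count_enabled_slots)
[ "$slots" -ge 2 ] || echo "WARNING: only $slots key slot enabled; add a backup passphrase or key file"
printf '%s\n' "$SAMPLE_DUMP" | crypttab_line secure_data /root/.luks-keyfile
```

On a real system, replace the sample with `sudo cryptsetup luksDump /dev/sdb1 | count_enabled_slots`.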

LUKS disk encryption provides robust protection for data at rest on your Breeze instance, meeting compliance requirements and safeguarding sensitive information from physical access threats.
