How to Manage Disk Encryption with LUKS

How to Manage Disk Encryption with LUKS

LUKS (Linux Unified Key Setup) provides full-disk encryption for your Breeze, protecting data at rest from unauthorized access. Even if the physical disk is removed, the data remains unreadable without the encryption key.

Installing Required Tools

sudo apt-get install -y cryptsetup

Encrypting a Disk

# Initialize LUKS on the target partition
sudo cryptsetup luksFormat /dev/sdb1

# Open the encrypted volume
sudo cryptsetup open /dev/sdb1 secure-data

# Format and mount
sudo mkfs.ext4 /dev/mapper/secure-data
sudo mkdir -p /mnt/secure
sudo mount /dev/mapper/secure-data /mnt/secure

Managing Keys

LUKS supports up to 8 key slots, allowing multiple passphrases or key files:

# Add a backup passphrase
sudo cryptsetup luksAddKey /dev/sdb1

# Add a key file for automated unlocking
sudo dd if=/dev/urandom of=/root/luks-keyfile bs=512 count=4
sudo chmod 400 /root/luks-keyfile
sudo cryptsetup luksAddKey /dev/sdb1 /root/luks-keyfile

# Remove a key slot
sudo cryptsetup luksRemoveKey /dev/sdb1

Automatic Unlock at Boot

Add an entry to /etc/crypttab:

secure-data /dev/sdb1 /root/luks-keyfile luks

Then add the mount to /etc/fstab:

/dev/mapper/secure-data /mnt/secure ext4 defaults 0 2

Checking Status

sudo cryptsetup luksDump /dev/sdb1
sudo cryptsetup status secure-data

Always keep a secure backup of your LUKS header with cryptsetup luksHeaderBackup — losing the header means losing all data on the encrypted volume.