mahdi-n0rouzi/luks-cheatsheet

LUKS Cheat Sheet – Complete cryptsetup Guide for Linux Disk Encryption

✅ Full LUKS1 & LUKS2 Guide
✅ Complete cryptsetup Commands
✅ Password & Keyslot Management
✅ Keyfile Authentication
✅ LUKS Header Backup & Restore
✅ Auto Unlock with crypttab & fstab
✅ File-Based Encrypted Containers
✅ LPIC-2 & LPIC-3 Ready

This is a complete and professional LUKS Cheat Sheet written for Linux system administrators, DevOps engineers, and security students.


📌 What is LUKS?

LUKS (Linux Unified Key Setup) is the standard disk encryption system for Linux.
It provides strong encryption at the block-device level and is widely used for:

  • Full Disk Encryption (FDE)
  • Encrypted partitions
  • Encrypted USB drives
  • Secure containers
  • Encrypted virtual machines

✅ LUKS / cryptsetup – Ultimate Complete Cheat Sheet


1. Basics & Concepts

  • LUKS → Linux disk encryption standard
  • cryptsetup → LUKS management tool
  • Block device encryption → /dev/sdX, /dev/nvmeX, LVM, RAID
  • Keyslot → Each password stored in a separate slot
  • LUKS1 → Legacy compatibility
  • LUKS2 → Modern, secure, flexible metadata
  • Mapping name → /dev/mapper/<name>

2. Installation

Debian / Ubuntu / Kali

sudo apt update
sudo apt install cryptsetup

RHEL / CentOS / Rocky / Alma

sudo dnf install cryptsetup

Arch Linux

sudo pacman -S cryptsetup

Check version:

cryptsetup --version

3. Formatting a Disk with LUKS (ALL DATA ERASED)

Default (LUKS2)

sudo cryptsetup luksFormat /dev/sdX1

Force Version

sudo cryptsetup luksFormat --type luks1 /dev/sdX1
sudo cryptsetup luksFormat --type luks2 /dev/sdX1

Custom Encryption

sudo cryptsetup luksFormat \
  --cipher aes-xts-plain64 \
  --key-size 512 \
  --hash sha256 \
  --iter-time 5000 \
  /dev/sdX1

⚠️ Non-interactive (NOT recommended, the password ends up in command history):

echo "password" | sudo cryptsetup luksFormat /dev/sdX1 -

4. Open & Close (Unlock / Lock)

Open

sudo cryptsetup open /dev/sdX1 secure

Result:

/dev/mapper/secure

Close

sudo cryptsetup close secure

Read Only

sudo cryptsetup open --readonly /dev/sdX1 secure

5. Create Filesystem & Mount

sudo mkfs.ext4 /dev/mapper/secure
sudo mkdir -p /mnt/secure
sudo mount /dev/mapper/secure /mnt/secure

Unmount:

sudo umount /mnt/secure

6. Password & Keyslot Management

View info:

sudo cryptsetup luksDump /dev/sdX1

Add password:

sudo cryptsetup luksAddKey /dev/sdX1

Remove password:

sudo cryptsetup luksRemoveKey /dev/sdX1

Remove specific slot:

sudo cryptsetup luksKillSlot /dev/sdX1 1

Change password:

sudo cryptsetup luksChangeKey /dev/sdX1

7. Keyfile Authentication

Create keyfile:

sudo dd if=/dev/urandom of=/root/luks.key bs=64 count=1
sudo chmod 600 /root/luks.key

Add keyfile:

sudo cryptsetup luksAddKey /dev/sdX1 /root/luks.key

Unlock with keyfile:

sudo cryptsetup open /dev/sdX1 secure --key-file /root/luks.key

8. LUKS Header Backup & Restore (CRITICAL)

Backup:

sudo cryptsetup luksHeaderBackup /dev/sdX1 \
--header-backup-file /root/luks-header.img

Restore:

sudo cryptsetup luksHeaderRestore /dev/sdX1 \
--header-backup-file /root/luks-header.img

⚠️ Wrong restore = permanent data loss!
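
A pre-restore check for the backup taken above, as an added example that is not part of the original cheat sheet: it reads the LUKS magic, version and UUID straight from the header image and compares the UUID with the one you expect. The function names are hypothetical, and the byte offsets (magic at 0, version at 6, UUID at 168) are assumed from the LUKS1/LUKS2 on-disk header layout.

```sh
#!/bin/sh
# Added example: sanity-check a LUKS header backup before luksHeaderRestore.
# Offsets assumed from the LUKS on-disk format: magic at 0, version at 6, UUID at 168.

# Print "<version> <uuid>" for a header image or device; return 1 if not LUKS.
luks_header_info() {
    f=$1
    # Bytes 0-5 are "LUKS" 0xBA 0xBE, bytes 6-7 the big-endian format version.
    magic=$(dd if="$f" bs=1 count=8 2>/dev/null | od -An -tx1 | tr -d ' \t\n')
    case $magic in
        4c554b53babe0001) ver=1 ;;
        4c554b53babe0002) ver=2 ;;
        *) return 1 ;;
    esac
    # Bytes 168-207 hold the NUL-padded ASCII UUID in both LUKS1 and LUKS2.
    uuid=$(dd if="$f" bs=1 skip=168 count=40 2>/dev/null | tr -d '\000')
    printf '%s %s\n' "$ver" "$uuid"
}

# Return 0 only if FILE is a LUKS header whose UUID equals EXPECTED_UUID.
check_header_backup() {
    info=$(luks_header_info "$1") || { echo "$1: no LUKS magic" >&2; return 2; }
    if [ "${info#* }" != "$2" ]; then
        echo "$1: UUID ${info#* } does not match expected $2" >&2
        return 1
    fi
    echo "$1: LUKS${info%% *} header, UUID matches"
}

# Constructed sample for offline testing: a fake 208-byte header, not a real volume.
make_sample_header() {
    printf 'LUKS\272\276\000\002'                 # magic + version 2
    dd if=/dev/zero bs=1 count=160 2>/dev/null    # fields this check ignores
    printf '%s\000\000\000\000' "$1"              # 36-char UUID padded to 40 bytes
}

# Usage: sh check.sh /root/luks-header.img "$(sudo cryptsetup luksUUID /dev/sdX1)"
if [ "$#" -eq 2 ]; then check_header_backup "$1" "$2"; fi
```

Record the UUID when you take the backup: if the on-disk header is already damaged, `luksUUID` on the device can no longer supply the expected value.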


9. Resize Encrypted Device

Resize mapping:

sudo cryptsetup resize secure

Resize filesystem:

sudo e2fsck -f /dev/mapper/secure
sudo resize2fs /dev/mapper/secure

10. Status, UUID & Recovery

Status:

sudo cryptsetup status secure

LUKS UUID:

sudo cryptsetup luksUUID /dev/sdX1

Filesystem UUID:

sudo blkid /dev/mapper/secure

Repair:

sudo e2fsck -f /dev/mapper/secure

11. Auto Unlock at Boot (crypttab & fstab)

/etc/crypttab

secure UUID=<LUKS_UUID> none luks

With keyfile:

secure UUID=<LUKS_UUID> /root/luks.key luks

/etc/fstab

/dev/mapper/secure /mnt/secure ext4 defaults 0 2

Or with UUID:

UUID=<FS_UUID> /mnt/secure ext4 defaults 0 2
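
An audit of the keyfile entries that `/etc/crypttab` references, added here as an example and not part of the original cheat sheet: it flags keyfiles that are missing or accessible to group/other, matching the `chmod 600` step in section 7. `audit_crypttab` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: audit keyfile entries in a crypttab-format file.

# Print one finding per problematic entry; return 1 if any were found.
audit_crypttab() {
    tab=$1
    rc=0
    # Fields: mapping name, source device, key file, options.
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac          # blank lines and comments
        # "none"/"-" means passphrase prompt; /dev/* covers random-key swap entries.
        case $key in ''|none|-|/dev/*) continue ;; esac
        if [ ! -f "$key" ]; then
            echo "$name: keyfile $key is missing or not a regular file"
            rc=1
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "$name: keyfile $key is accessible to group/other ($perms)"
            rc=1
        fi
    done < "$tab"
    return $rc
}

# Usage: sudo sh audit.sh /etc/crypttab
if [ "$#" -eq 1 ]; then audit_crypttab "$1"; fi
```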

12. File-Based LUKS Container

Create file:

dd if=/dev/urandom of=secure.img bs=1M count=2048

Encrypt:

sudo cryptsetup luksFormat secure.img

Open:

sudo cryptsetup open secure.img securefile

Create filesystem:

sudo mkfs.ext4 /dev/mapper/securefile
sudo mkdir -p /mnt/securefile
sudo mount /dev/mapper/securefile /mnt/securefile

Close:

sudo umount /mnt/securefile
sudo cryptsetup close securefile

13. Suspend & Resume (RAM Lock)

Suspend:

sudo cryptsetup luksSuspend secure

Resume:

sudo cryptsetup luksResume secure

14. Security Best Practices

✅ Always backup LUKS header
✅ Use strong passwords (16+ characters)
✅ Never store keyfile on same disk
✅ Encrypt swap partition
✅ Avoid passwords in command history
✅ Always test on VM first
✅ Prefer LUKS2
✅ Use AES-XTS-512


👨‍💻 Author

Created by Mahdi Norouzi
Linux Administrator & DevOps Candidate

🌐 Website: https://netpilot.ir
📂 GitHub: https://github.com/


⭐ If this repository helps you, please give it a star to support the project!