How to Set Up Full-Disk Encryption on Linux with LUKS
A complete walkthrough encrypting a disk or partition with LUKS, from initial setup through mounting it automatically (with a key file) at boot.
LUKS (Linux Unified Key Setup) is the standard disk-encryption format on Linux, handling the key management and header format so tools and distributions can interoperate rather than each inventing their own encryption scheme.
Step 1: install the required tools
sudo apt install cryptsetup # Debian/Ubuntu
sudo dnf install cryptsetup # Fedora/RHEL
Step 2: initialize LUKS encryption on the target device
sudo cryptsetup luksFormat /dev/sdb1
This destroys any existing data on the target partition — confirm you’re targeting the correct device before confirming, since there’s no undo. You’ll be prompted to set a passphrase, which becomes the key protecting access to the encrypted volume.
Step 3: open the encrypted volume
sudo cryptsetup luksOpen /dev/sdb1 mydata
This prompts for the passphrase set in Step 2, and creates a decrypted device mapping at /dev/mapper/mydata — a virtual block device that transparently encrypts/decrypts as it’s used.
Step 4: format the decrypted device with a filesystem
sudo mkfs.ext4 /dev/mapper/mydata
Note this formats the decrypted mapping, not the raw underlying partition — the filesystem itself has no idea it’s sitting on top of encryption.
Step 5: mount and use it normally
sudo mkdir /mnt/mydata
sudo mount /dev/mapper/mydata /mnt/mydata
Step 6: close the encrypted volume when done
sudo umount /mnt/mydata
sudo cryptsetup luksClose mydata
Once closed, the underlying partition is just encrypted, unreadable data — the passphrase is required again to open it.
Step 7: add a backup key slot, in case the primary passphrase is lost
sudo cryptsetup luksAddKey /dev/sdb1
LUKS supports multiple independent passphrases (key slots) for the same volume — adding a second one (perhaps stored securely elsewhere) is cheap insurance against losing access if the primary passphrase is forgotten.
Step 8: set up automatic unlocking at boot with a key file (optional)
sudo dd if=/dev/urandom of=/root/mydata.key bs=1024 count=4
sudo chmod 600 /root/mydata.key
sudo cryptsetup luksAddKey /dev/sdb1 /root/mydata.key
# /etc/crypttab
mydata /dev/sdb1 /root/mydata.key luks
This trades entering a passphrase manually at every boot for automatic unlocking via a key file — appropriate for a server that needs to boot unattended, though it means anyone with access to that key file (and the disk) can decrypt the data, so the key file’s own access permissions matter enormously.
Step 9: add the entry to fstab for automatic mounting
# /etc/fstab
/dev/mapper/mydata /mnt/mydata ext4 defaults 0 2
Why LUKS specifically, rather than encrypting at the filesystem level
LUKS encrypts at the block device level, below the filesystem entirely — meaning the filesystem, and everything above it, has no encryption-awareness at all and just works normally against what looks like an ordinary decrypted block device. This is a meaningfully different, often simpler security model than filesystem-level encryption (which requires filesystem support and can leave certain metadata unencrypted), at the cost of encrypting the entire volume as one unit rather than being able to select individual files or directories for encryption.