Skip to content
daniel@cosenza:~/blog
LinuxHow-To March 19, 2026 3 min read

How to Set Up Full-Disk Encryption on Linux with LUKS

A complete walkthrough encrypting a disk or partition with LUKS, from initial setup through mounting it automatically (with a key file) at boot.

LUKS (Linux Unified Key Setup) is the standard disk-encryption format on Linux, handling the key management and header format so tools and distributions can interoperate rather than each inventing their own encryption scheme.

Step 1: install the required tools

sudo apt install cryptsetup      # Debian/Ubuntu
sudo dnf install cryptsetup      # Fedora/RHEL

Step 2: initialize LUKS encryption on the target device

sudo cryptsetup luksFormat /dev/sdb1

This destroys any existing data on the target partition — confirm you’re targeting the correct device before confirming, since there’s no undo. You’ll be prompted to set a passphrase, which becomes the key protecting access to the encrypted volume.

Step 3: open the encrypted volume

sudo cryptsetup luksOpen /dev/sdb1 mydata

This prompts for the passphrase set in Step 2, and creates a decrypted device mapping at /dev/mapper/mydata — a virtual block device that transparently encrypts/decrypts as it’s used.

Step 4: format the decrypted device with a filesystem

sudo mkfs.ext4 /dev/mapper/mydata

Note this formats the decrypted mapping, not the raw underlying partition — the filesystem itself has no idea it’s sitting on top of encryption.

Step 5: mount and use it normally

sudo mkdir /mnt/mydata
sudo mount /dev/mapper/mydata /mnt/mydata

Step 6: close the encrypted volume when done

sudo umount /mnt/mydata
sudo cryptsetup luksClose mydata

Once closed, the underlying partition is just encrypted, unreadable data — the passphrase is required again to open it.

Step 7: add a backup key slot, in case the primary passphrase is lost

sudo cryptsetup luksAddKey /dev/sdb1

LUKS supports multiple independent passphrases (key slots) for the same volume — adding a second one (perhaps stored securely elsewhere) is cheap insurance against losing access if the primary passphrase is forgotten.

Step 8: set up automatic unlocking at boot with a key file (optional)

sudo dd if=/dev/urandom of=/root/mydata.key bs=1024 count=4
sudo chmod 600 /root/mydata.key
sudo cryptsetup luksAddKey /dev/sdb1 /root/mydata.key
# /etc/crypttab
mydata  /dev/sdb1  /root/mydata.key  luks

This trades entering a passphrase manually at every boot for automatic unlocking via a key file — appropriate for a server that needs to boot unattended, though it means anyone with access to that key file (and the disk) can decrypt the data, so the key file’s own access permissions matter enormously.

Step 9: add the entry to fstab for automatic mounting

# /etc/fstab
/dev/mapper/mydata  /mnt/mydata  ext4  defaults  0  2

Why LUKS specifically, rather than encrypting at the filesystem level

LUKS encrypts at the block device level, below the filesystem entirely — meaning the filesystem, and everything above it, has no encryption-awareness at all and just works normally against what looks like an ordinary decrypted block device. This is a meaningfully different, often simpler security model than filesystem-level encryption (which requires filesystem support and can leave certain metadata unencrypted), at the cost of encrypting the entire volume as one unit rather than being able to select individual files or directories for encryption.