Sensitive information is everywhere:

• from your user databases
• to your accounting software
• inside your backups
• on your smartphones

Names. Password hashes. Emails.
Financials. Customers. Quotes.
Configurations. Passwords.

Every company has their own threat model.

Yet – everyone should protect their most sensitive data.

The Linux Unified Key Setup (LUKS)

LUKS is used for block device encryption.

An unencrypted header is followed by encrypted data.
The encrypted data can be accessed by a master key (volume key).
The master key is encrypted by every active user key.
User keys are derived from passphrases or keys.

This multi-layered encryption model allows users to change their keys – without re-encrypting the entire data block.

A LUKS2 encrypted device can have up to 32 key slots.
Each key slot contains the master key encrypted by the user key.

Creating A LUKS Encrypted Storage

It is not possible to encrypt an already mounted and used device or partition.
Always backup the data before manipulating its configuration.

A LUKS encrypted volume can

1. Reside in a partition
2. Sit in an LVM volume

Creating an encrypted volume and adding LVM inside it simplifies administration without breaking the security.

Step 1: Identify the target device

List all block devices:

lsblk

Assume the new disk is:

/dev/sdb

Ensure it is unmounted:

sudo umount /dev/sdb*

Step 2: Initialize LUKS2 on the device

Set up the LUKS header and key slots:

sudo cryptsetup luksFormat --type luks2 /dev/sdb

You will be prompted to confirm the action and enter a passphrase.
This passphrase will be used to unlock the master key.

Step 3: Open the encrypted device

Map it to a name, e.g., cryptdata:

sudo cryptsetup open /dev/sdb cryptdata

This creates a device mapper device at:

/dev/mapper/cryptdata

Step 4: Optional – Create LVM inside the encrypted volume

If you want logical volumes inside the encrypted container:

Create a physical volume (PV) on the encrypted device:

sudo pvcreate /dev/mapper/cryptdata

Create a volume group (VG):

sudo vgcreate vg_data /dev/mapper/cryptdata

Create logical volumes (LV), e.g., 50G for data:

sudo lvcreate -L 50G -n data vg_data

Step 5: Create filesystem on LV or raw encrypted device

For LVM:

sudo mkfs.ext4 /dev/vg_data/data

Or directly on the LUKS device:

sudo mkfs.ext4 /dev/mapper/cryptdata

Step 6: Mount the encrypted volume

Create a mount point:

sudo mkdir -p /mnt/securedata

Mount the LV or LUKS device:

sudo mount /dev/vg_data/data /mnt/securedata
# Or for non-LVM:
# sudo mount /dev/mapper/cryptdata /mnt/securedata

Step 7: Auto-mount at boot (optional)

Add the LUKS device to /etc/crypttab:

cryptdata /dev/sdb none luks

Add the filesystem to /etc/fstab:

/dev/mapper/cryptdata  /mnt/securedata  ext4  defaults  0  2
# Or for LVM:
# /dev/vg_data/data /mnt/securedata ext4 defaults 0 2

On boot, you will be prompted for the passphrase.

Step 8: Verify

Check mapping:

lsblk
sudo cryptsetup status cryptdata

Adding / Removing LUKS Keys

Using LUKS2 enables the operator to use up to 32 key slots for user keys.

These keys can be:

• passphrases
• binary keys (keyfiles)

Managing keys lets you add users, rotate passwords, or revoke access without re-encrypting the data.

Adding a New Passphrase

To add a passphrase to the next available key slot:

sudo cryptsetup luksAddKey /dev/sdb

You will be prompted to:

1. Enter an existing passphrase to authorize changes.
2. Enter the new passphrase you want to add.

The new passphrase occupies a free key slot automatically.

Adding a Keyfile (Binary Key)

Keyfiles can be stored securely and used instead of typing a passphrase.

Create a keyfile (for example, 32 bytes from /dev/urandom):

sudo dd if=/dev/urandom of=/root/cryptkey.bin bs=32 count=1
sudo chmod 600 /root/cryptkey.bin

Add the keyfile to a free slot:

sudo cryptsetup luksAddKey /dev/sdb /root/cryptkey.bin

You will be prompted for an existing passphrase to authorize the addition.

To open the volume with the keyfile:

sudo cryptsetup open /dev/sdb cryptdata --key-file /root/cryptkey.bin

Removing a Key from a Slot

If a user no longer needs access, or a passphrase/keyfile is compromised, remove it:

List active keyslots:

sudo cryptsetup luksDump /dev/sdb

Note the slot number (e.g., slot 1).

Remove the key from that slot:

sudo cryptsetup luksKillSlot /dev/sdb 1

You will be prompted to enter a valid existing passphrase to authorize the removal.

Best Practices

• Always keep at least one working passphrase/keyfile.
  Losing all keys means permanent data loss.
• Store keyfiles offline or on secure hardware (HSM/USB).
• Rotate passphrases periodically for operational security.
• Test key removal in a safe environment before doing it on production volumes.

Automatic Unlock With USB Keyfile

A LUKS volume can be unlocked automatically at boot using a keyfile on a USB drive.
This is practical for headless servers or remote systems.

Step 1: Prepare the USB key

Insert a USB drive (e.g., /dev/sdc) and format it:

sudo mkfs.ext4 /dev/sdc1
sudo mkdir -p /mnt/usbkey
sudo mount /dev/sdc1 /mnt/usbkey

Copy the LUKS keyfile to the USB drive:

sudo cp /root/cryptkey.bin /mnt/usbkey/
sudo chmod 400 /mnt/usbkey/cryptkey.bin

Unmount the USB:

sudo umount /mnt/usbkey

Step 2: Configure crypttab

Find the UUID of the USB partition containing the key:

sudo blkid /dev/sdc1

Edit /etc/crypttab to reference the keyfile:

cryptdata UUID=<UUID-of-LUKS-device> \
    /dev/disk/by-uuid/<UUID-of-USB-partition>:cryptkey.bin luks,tries=3

Explanation:

• First field: mapper name (cryptdata)
• Second field: device to unlock
• Third field: keyfile location on USB
• Options: luks,tries=3

Step 3: Test the configuration

1. Insert the USB drive.
2. Reboot the server.
3. The LUKS volume should unlock automatically without prompting for a passphrase.

Operational Notes

• If the USB is missing, the system will prompt for a passphrase.
• Secure the USB physically to prevent unauthorized access.
• Periodically test unlocking to ensure reliability after updates.
• For multiple volumes, use separate keyfiles or a single USB with multiple keys.

LUKS Header Backup and Restore

The LUKS header contains metadata and all keyslots.
If it is damaged or lost, the encrypted volume becomes inaccessible.
Regular header backups are essential, especially if you:

• Add or remove keys
• Use external keyfiles
• Rotate passphrases
• Use LUKS volumes on production servers

Backup the LUKS Header

Create a safe backup of the header to a secure location:

sudo cryptsetup luksHeaderBackup /dev/sdb --header-backup-file \
     /root/cryptdata-header-backup.img

Notes:

• Store the backup offline or on a secure network location.
• Test restore procedures on a non-critical system to ensure integrity.

Restore the LUKS Header

If the header is corrupted or lost, restore it from backup:

sudo cryptsetup luksHeaderRestore /dev/sdb --header-backup-file \
     /root/cryptdata-header-backup.img

Important:

• Restoring the header overwrites all keyslots.
• Make sure you are restoring to the correct device.
• After restore, all existing passphrases/keyfiles will work again only if they were valid at the time of backup.

Operational Best Practices

• Backup the header before making key changes.
• Keep multiple copies in physically separated secure locations.
• Rotate passphrases only after a successful header backup.
• Treat the header backup with the same security level as your most sensitive data.
• Test both backup and restore workflows periodically.

Final Thoughts

LUKS protects your data on the device when it’s NOT opened.
Open LUKS devices are readable.
Managing the key slots, rotating the keys and backing up headers are the operator’s responsibility.

What LUKS can protect?

• Servers when they’re turned off.
• Notebooks, mobile devices.
• External drives, pendrives when not attached.

Data security is every operator’s responsibility.