Howto Create LUKS Encrypted Partition
EDIT: use Camellia only if you are a Japanese government contractor, like exotic ciphers, or are more paranoid and don't trust NIST. Modern processors accelerate AES in hardware (AES-NI), so it needs less energy and less CPU time.
cryptsetup --cipher aes-xts-plain64 -h sha256 -s 512 luksFormat /dev/sda22
or just use default settings:
cryptsetup luksFormat /dev/sda22
and then verify which cipher and other settings were used (cryptsetup luksDump, see the More details section), open the LUKS partition and format the partition inside:
cryptsetup luksOpen /dev/sda22 topsecret
mkfs.xfs -L 'secret files' /dev/mapper/topsecret
mount /dev/mapper/topsecret /mnt
A modern setup uses aes-xts-plain64, which means AES as the cipher, XTS as the encryption mode (the mode defines how the IV/tweak for each encrypted block is derived; CBC and other chaining modes are not sufficient for block-device encryption) and plain64 as the IV generator, i.e. the IV is the 64-bit sector number used as-is, in plain form. The key size is 512 bits: half of it is the AES data key and the other half is the XTS tweak key. I need to read much more about this to sound clever and write notes confidently, just search for it if you want to know the details.
Modern installations use the LUKS2 format, but in order to have full-disk encryption that includes the partition the bootloader reads, LUKS1 was the only option a year ago. GRUB has supported LUKS2 since March 2022, though, so the latest distros should be able to use it.
All settings here are the defaults of openSUSE full-disk encryption:
cryptsetup status cr_ata-CT1000MX500SSD4_part2
/dev/mapper/cr_ata-CT1000MX500SSD4_part2 is active and is in use.
  type:         LUKS1
  cipher:       aes-xts-plain64
  keysize:      512 bits
  key location: dm-crypt
  device:       /dev/sda2
  sector size:  512
  offset:       4096 sectors
  size:         1951421839 sectors
  mode:         read/write
More information, like the hash function and the iteration counts, can be listed with
cryptsetup luksDump /dev/sda2
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      64 26 4c 7c d2 1e f4 87 8b d9 06 c9 4a fc 51 1e f5 09 bb f0
MK salt:        29 74 24 74 47 d9 f0 b1 d0 b2 fc 6e 2f 8e 4d 4d
                0b 46 42 bd 4f 3a 80 fa 94 c3 fd f4 df 7a a4 a3
MK iterations:  256000
UUID:           c2eda214-d8b5-4cbf-9f2e-1f1b73e13f18

Key Slot 0: ENABLED
        Iterations:             4088014
        Salt:                   8c 93 3e 4e eb 02 3a 69 8b 35 f2 92 14 ee b6 16
                                5f 52 41 81 1a 46 04 56 a6 49 0c 7d fa b4 00 8b
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
See /etc/crypttab and /etc/fstab to mount it more or less automatically and to specify key files and options. crypttab looks like:
cat /etc/crypttab
cr_ata-CT1000MX500SSD4_part2 UUID=c2eda214-d8b5-4cbf-9f2e-1f1b73e13f18 none x-initrd.attach
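The two steps above, verifying the header with luksDump and writing the crypttab line from its UUID, can be scripted. The following is an added example, not code from the post: a small POSIX sh checker that parses `cryptsetup luksDump` output (both the LUKS1 layout shown above and the nested LUKS2 layout), compares the cipher, key size, hash and PBKDF against the defaults the post recommends, and emits the crypttab entry. The LUKS1 sample is the post's own dump reconstructed line by line; the LUKS2 and "bad" samples, the fake UUIDs, the 100000-iteration floor and the function names are constructed for the example. It also flags a LUKS2 Argon2 keyslot, because upstream GRUB 2.06 can only unlock LUKS2 keyslots that use pbkdf2, which matters for an encrypted /boot.

```shell
#!/bin/sh
# Added example, not from the original post: check a `cryptsetup luksDump` report
# against the settings the post recommends (aes-xts-plain64, 512-bit key, sha256)
# and derive the /etc/crypttab line from its UUID. On a real device:
#   cryptsetup luksDump /dev/sda2 | luks_check
#   cryptsetup luksDump /dev/sda2 | crypttab_line cr_root
ITER_MIN=100000   # assumed floor for PBKDF2 iterations, not a value from the post

# luks_field KEY: value of the first "KEY: value" line on stdin. Case-insensitive,
# indentation ignored (LUKS1 "Cipher name:" and nested LUKS2 "cipher:" both match);
# only the first ':' splits key from value, so a mode like cbc-essiv:sha256 survives.
luks_field() {
    awk -v k="$1" '{
        n = index($0, ":"); if (n == 0) next
        key = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (tolower(key) != tolower(k)) next
        val = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        print val; exit
    }'
}

# luks_check: print INFO/WARN/FAIL/OK findings for the dump on stdin; return 1 on any FAIL.
luks_check() {
    dump=$(cat); rc=0
    f() { printf '%s\n' "$dump" | luks_field "$1"; }
    version=$(f Version)
    if [ "$version" = 1 ]; then
        cipher="$(f 'Cipher name')-$(f 'Cipher mode')"; bits=$(f 'MK bits'); hash=$(f 'Hash spec')
        pbkdf=pbkdf2; iters=$(f Iterations)                  # first ENABLED key slot
    else                                                      # LUKS2: data segment 0, keyslot 0
        cipher=$(f cipher); bits=$(f Key); bits=${bits% bits}; hash=$(f 'AF hash')
        pbkdf=$(f PBKDF); iters=$(f Iterations)
    fi
    echo "INFO: LUKS$version $cipher, ${bits}-bit key, keyslot PBKDF $pbkdf ($hash)"
    case "$cipher" in
        aes-xts-*) ;;
        *-xts-*)   echo "WARN: $cipher is not AES, so no AES-NI acceleration" ;;
        *)         echo "FAIL: mode is not XTS ($cipher); use aes-xts-plain64"; rc=1 ;;
    esac
    [ "$bits" = 512 ] || echo "WARN: $bits-bit key; the post's default is 512 (AES-256 under XTS)"
    case "$hash" in sha256|sha512) ;; *) echo "WARN: hash $hash; the post's default is sha256" ;; esac
    if [ "$pbkdf" = pbkdf2 ] && [ "${iters:-0}" -lt "$ITER_MIN" ]; then
        echo "FAIL: only $iters PBKDF2 iterations (< $ITER_MIN)"; rc=1
    elif [ "$pbkdf" != pbkdf2 ]; then                         # argon2i/argon2id, the LUKS2 default
        echo "WARN: $pbkdf keyslot: upstream GRUB 2.06 opens only pbkdf2 LUKS2 keyslots;" \
             "for an encrypted /boot convert it with 'cryptsetup luksConvertKey --pbkdf pbkdf2'"
    fi
    [ "$rc" -eq 0 ] && echo "OK: no blocking findings"
    return "$rc"
}

# crypttab_line NAME: /etc/crypttab entry in the form the post shows (UUID, no key file).
crypttab_line() { printf '%s UUID=%s none x-initrd.attach\n' "$1" "$(luks_field UUID)"; }

# The post's own LUKS1 luksDump of /dev/sda2, reconstructed line by line (salts,
# digest and the disabled slots omitted).
SAMPLE_LUKS1=$(cat <<'EOF'
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512
MK iterations:  256000
UUID:           c2eda214-d8b5-4cbf-9f2e-1f1b73e13f18
Key Slot 0: ENABLED
        Iterations:             4088014
EOF
)
# Constructed LUKS2 dump (fake UUID) in luksDump's nested layout, argon2id keyslot.
SAMPLE_LUKS2=$(cat <<'EOF'
Version:        2
UUID:           00000000-0000-4000-8000-000000000000
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        AF hash:    sha256
EOF
)
# Constructed LUKS1 dump with settings the post advises against (CBC, few iterations).
SAMPLE_BAD=$(cat <<'EOF'
Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
MK bits:        256
UUID:           11111111-1111-4111-8111-111111111111
Key Slot 0: ENABLED
        Iterations:             1000
EOF
)
printf '%s\n' "$SAMPLE_LUKS1" | luks_check
printf '%s\n' "$SAMPLE_LUKS1" | crypttab_line cr_ata-CT1000MX500SSD4_part2
```

Run against the post's dump it prints the INFO line and "OK: no blocking findings", then the exact crypttab line shown above. The checker only reads the text report, so it needs no root and can be pointed at a saved luksDump from any machine; the thresholds are policy knobs, not cryptographic limits.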
In the case of full-disk encryption the password is asked for before GRUB and then again during boot (this can be improved to ask only once). This setup is also a bit more complicated because there is LVM in addition: LUKS -> LVM -> system partition, swap partition. Compared with a simple mount, this needs a special initrd and modules in GRUB.
Old setup, can still be useful:
cryptsetup --cipher camellia-xts-plain64 -h sha256 -s 256 luksFormat /dev/sda22