Mind Dump, Tech And Life Blog
written by Ivan Alenko
published under license Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
posted in category Systems Software / Crypto
posted at 24. Aug '21
last updated at 13. Sep '22

Howto Create LUKS Encrypted Partition

EDIT: use camellia only if you are a Japanese government contractor, like exotic ciphers or are more paranoid and don’t trust NIST. Modern processors accelerate AES, so AES needs less energy and less CPU time.

Setup:

cryptsetup --cipher aes-xts-plain64 -h sha256 -s 512 luksFormat /dev/sda22

or just use default settings:

cryptsetup luksFormat /dev/sda22

then verify which cipher and other settings were used (cryptsetup status, cryptsetup luksDump; see the More details section), open the LUKS container and create a filesystem inside it:

cryptsetup luksOpen /dev/sda22 topsecret
mkfs.xfs /dev/mapper/topsecret -L 'secret files'
mount /dev/mapper/topsecret /mnt
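The steps above as one script is an added example, not code from the original post. It takes the same luksFormat, luksOpen, mkfs.xfs and mount sequence, adds a DRY_RUN switch that only prints the commands, rejects a cipher spec that is missing the cipher name, and comes with a helper that attaches a file-backed loop device so the whole thing can be rehearsed without touching a real disk such as /dev/sda22. Assumptions: cryptsetup, losetup and mkfs.xfs are installed, real (non-dry) runs happen as root, and the passphrase is read from the file named by the KEYFILE variable instead of a terminal prompt; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): luksFormat -> luksOpen ->
# mkfs.xfs -> mount as one script, with a DRY_RUN switch and a loop-device
# helper for rehearsing on an image file instead of a real disk.
# Assumes cryptsetup, losetup, mkfs.xfs; root for real runs; passphrase in $KEYFILE.

# dm-crypt cipher specs are "cipher-mode-iv", e.g. aes-xts-plain64.
# A spec such as "xts-plain64" lacks the cipher name and cryptsetup rejects it.
cipher_spec_ok() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]+-[a-z0-9]+-[a-z0-9:]+$'
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# loop_image FILE SIZE_MIB: create a sparse image and attach it to a free
# loop device; prints the device path (e.g. /dev/loop3). Needs root.
loop_image() {
    truncate -s "${2}M" "$1"
    losetup --find --show "$1"
}

# luks_setup DEVICE NAME MOUNTPOINT [CIPHER]: format DEVICE as LUKS, map it
# as /dev/mapper/NAME, create XFS on it and mount it at MOUNTPOINT.
luks_setup() {
    dev=$1; name=$2; mnt=$3; cipher=${4:-aes-xts-plain64}
    cipher_spec_ok "$cipher" || { printf 'bad cipher spec: %s\n' "$cipher" >&2; return 2; }
    [ -n "${KEYFILE:-}" ] || { printf 'KEYFILE is not set\n' >&2; return 2; }
    # --batch-mode skips the "are you sure" prompt; --hash/--key-size are the
    # long forms of -h/-s from the post.
    run cryptsetup --batch-mode --key-file "$KEYFILE" \
        --cipher "$cipher" --hash sha256 --key-size 512 luksFormat "$dev"
    run cryptsetup --key-file "$KEYFILE" luksOpen "$dev" "$name"
    run mkfs.xfs -L "$name" "/dev/mapper/$name"   # XFS labels are at most 12 chars
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"
}

# Usage:     KEYFILE=/root/luks.key sh luks-setup.sh /dev/sda22 topsecret /mnt
# Rehearsal: dev=$(loop_image /tmp/luks.img 64); KEYFILE=/root/luks.key sh luks-setup.sh "$dev" rehearsal /mnt/test
if [ "$#" -ge 3 ]; then
    luks_setup "$@"
fi
```

Run it once with DRY_RUN=1 to see exactly which commands would touch the device before running it for real; the key file should be root-only (chmod 600) since it holds the passphrase.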

More details

A modern setup uses aes-xts-plain64, which means AES as the cipher, XTS as the encryption mode (a mode designed for disk sectors, where every sector is encrypted independently with a tweak derived from its position; CBC and the other ordinary block modes are not a good fit for block devices) and plain64 as the IV generator, meaning the IV is simply the sector number as a plain 64-bit value. The key size is 512 bits because XTS needs two keys: half goes to the XTS tweak and half to the AES data encryption, i.e. two 256-bit AES keys. I need to read much more about this to sound clever and write notes confidently, just search for it if you want to know details.

Modern installations use the LUKS2 format, but in order to have full-disk encryption including the bootloader, LUKS1 was the only option one year ago. GRUB has supported LUKS2 since March 2022, though, so the latest distros should use that.

All settings here are the defaults from openSUSE full-disk encryption:

cryptsetup status cr_ata-CT1000MX500SSD4_part2
/dev/mapper/cr_ata-CT1000MX500SSD4_part2 is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: dm-crypt
  device:  /dev/sda2
  sector size:  512
  offset:  4096 sectors
  size:    1951421839 sectors
  mode:    read/write

More information, like the hash function and the iteration counts, can be listed with luksDump:

cryptsetup luksDump /dev/sda2
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK digest:      64 26 4c 7c d2 1e f4 87 8b d9 06 c9 4a fc 51 1e f5 09 bb f0 
MK salt:        29 74 24 74 47 d9 f0 b1 d0 b2 fc 6e 2f 8e 4d 4d 
                0b 46 42 bd 4f 3a 80 fa 94 c3 fd f4 df 7a a4 a3 
MK iterations:  256000
UUID:           c2eda214-d8b5-4cbf-9f2e-1f1b73e13f18

Key Slot 0: ENABLED
        Iterations:             4088014
        Salt:                   8c 93 3e 4e eb 02 3a 69 8b 35 f2 92 14 ee b6 16 
                                5f 52 41 81 1a 46 04 56 a6 49 0c 7d fa b4 00 8b 
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
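Checking the header after formatting, rather than eyeballing the dump, is the step I would add here. The following is an added example, not code from the original post: it parses the LUKS1 luksDump layout shown above (LUKS2 prints a different, sectioned layout, which this parser does not handle), compares cipher, mode and master-key size against what you expected, and counts the enabled key slots. The sample dump embedded in the script is a shortened copy of the one above; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): verify a LUKS1 header against
# expected settings by parsing `cryptsetup luksDump` output.

# luks_summary: read luksDump text on stdin, print "VERSION CIPHER MODE MKBITS HASH".
luks_summary() {
    awk -F': *' '
        /^Version:/     { v = $2 }
        /^Cipher name:/ { c = $2 }
        /^Cipher mode:/ { m = $2 }
        /^Hash spec:/   { h = $2 }
        /^MK bits:/     { b = $2 }
        END { print v, c, m, b, h }'
}

# luks_match CIPHER MODE BITS: read one luks_summary line on stdin and compare.
# Returns 0 on a match, 1 on a mismatch (details on stderr).
luks_match() {
    read -r ver cipher mode bits hash
    if [ "$cipher" = "$1" ] && [ "$mode" = "$2" ] && [ "$bits" = "$3" ]; then
        printf 'OK: LUKS%s %s-%s, %s-bit master key, hash %s\n' \
            "$ver" "$cipher" "$mode" "$bits" "$hash"
        return 0
    fi
    printf 'MISMATCH: got %s-%s with %s bits, expected %s-%s with %s bits\n' \
        "$cipher" "$mode" "$bits" "$1" "$2" "$3" >&2
    return 1
}

# luks_enabled_slots: count enabled key slots in luksDump text on stdin.
# One enabled slot means one passphrase; losing it means losing the data.
luks_enabled_slots() {
    grep -c '^Key Slot [0-9]*: ENABLED' || true
}

# luks_check DEVICE CIPHER MODE BITS: dump the real header and compare. Needs root.
luks_check() {
    cryptsetup luksDump "$1" | luks_summary | luks_match "$2" "$3" "$4"
}

# Constructed sample: a shortened copy of the LUKS1 dump shown in the post.
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK iterations:  256000
UUID:           c2eda214-d8b5-4cbf-9f2e-1f1b73e13f18

Key Slot 0: ENABLED
        Iterations:             4088014
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF
}

# Usage: sh luks-check.sh /dev/sda2 aes xts-plain64 512
# Without arguments it runs against the embedded sample dump.
if [ "$#" -eq 4 ]; then
    luks_check "$@"
elif [ "$#" -eq 0 ]; then
    sample_dump | luks_summary | luks_match aes xts-plain64 512
    printf 'enabled key slots: %s\n' "$(sample_dump | luks_enabled_slots)"
fi
```

On the sample this prints "OK: LUKS1 aes-xts-plain64, 512-bit master key, hash sha256" and one enabled slot; against a real device it is a one-line post-install check that the cipher you asked for is the one actually on disk.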

See /etc/crypttab and /etc/fstab to mount it more or less automatically and to specify key files and options. crypttab looks like:

cat /etc/crypttab 
cr_ata-CT1000MX500SSD4_part2  UUID=c2eda214-d8b5-4cbf-9f2e-1f1b73e13f18  none  x-initrd.attach

In case of full-disk encryption the password is asked for before GRUB and then again during boot (this can be improved to ask only once). This setup is also a bit more complicated because there is LVM in addition, so LUKS -> LVM -> system partition, swap partition. Compared with a simple luksFormat and mount, this needs a special initrd and modules in GRUB.

Old setup, which can still be useful:

cryptsetup --cipher camellia-xts-plain64 -h sha256 -s 256 luksFormat /dev/sda22
