cryptsetup Command Examples in Linux

The cryptsetup command is used as the front-end to LUKS and dm-crypt. The LUKS extensions to cryptsetup support various actions, including the following.

LUKS Action   Used To
-----------   -------
luksFormat    Format a storage device using the LUKS encryption standard.
isLuks        Identify if a given device is a LUKS device.
luksOpen      Open a LUKS storage device and set it up for mapping, assuming the provided key material is accurate.
luksClose     Remove a LUKS storage device from mapping.
luksAddKey    Associate new key material with a LUKS device.
luksDelKey    Remove key material from a LUKS device.

Syntax

The syntax of the cryptsetup command is:

# cryptsetup [options] {action} [action arguments]

cryptsetup Command Examples

1. Initialize a LUKS volume (overwrites all data on the partition):

# cryptsetup luksFormat /dev/sda1

2. Open a LUKS volume and create a decrypted mapping at `/dev/mapper/target`:

# cryptsetup luksOpen /dev/sda1 target

3. Remove an existing mapping:

# cryptsetup luksClose target

4. Change the LUKS volume’s passphrase:

# cryptsetup luksChangeKey /dev/sda1

Note: cryptsetup is used to conveniently set up dm-crypt managed device-mapper mappings. These include plain dm-crypt volumes and LUKS volumes. The difference is that LUKS uses a metadata header and can hence offer more features than plain dm-crypt. On the other hand, the header is visible and vulnerable to damage.
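The note's point that the LUKS header is visible and vulnerable to damage can be seen with a short script. This is an added example, not part of the original article: the function names `luks_version` and `make_samples` and the image file names are hypothetical, and the sample images are constructed (magic and version bytes only), not real volumes.

```shell
#!/bin/sh
# Added example: read the LUKS magic and version straight from the first
# 8 bytes of a device or image, without cryptsetup and without a key.

# Print 1 or 2 for a LUKS1/LUKS2 header; return 1 if none is recognised.
# Only the magic and version fields are checked here.
luks_version() {
    hdr=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;   # "LUKS" 0xBA 0xBE + version 0x0001
        4c554b53babe0002) echo 2 ;;   # "LUKS" 0xBA 0xBE + version 0x0002
        *) return 1 ;;
    esac
}

# Build constructed 4 KiB sample images in directory $1 (not real volumes).
make_samples() {
    # Header start only: magic + version, then zero padding.
    printf 'LUKS\272\276\000\002' > "$1/luks2.img"
    dd if=/dev/zero bs=4088 count=1 2>/dev/null >> "$1/luks2.img"
    # Plain dm-crypt has no header, so the device holds only ciphertext.
    dd if=/dev/urandom of="$1/plain.img" bs=4096 count=1 2>/dev/null
    # Same LUKS2 image with its first 4 bytes overwritten (header damage).
    cp "$1/luks2.img" "$1/damaged.img"
    printf 'XXXX' | dd of="$1/damaged.img" conv=notrunc 2>/dev/null
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for img in luks2 plain damaged; do
    if v=$(luks_version "$demo_dir/$img.img"); then
        echo "$img.img: LUKS$v header visible"
    else
        echo "$img.img: no LUKS header recognised"
    fi
done
rm -rf "$demo_dir"
```

On a real device, use `cryptsetup isLuks` for this check. Because a few overwritten bytes are enough to make the header unrecognisable, keep a copy made with `cryptsetup luksHeaderBackup <device> --header-backup-file <file>`.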

Conclusion

With the cryptsetup utility, you can set up your own LUKS-encrypted volumes for storing your most sensitive information. If the disk ever falls into the wrong hands, the situation won’t be as bad as it would have been had the disk been unencrypted. Breaking into a LUKS-encrypted volume would take so much effort that it would not be feasible.
