CryptSetup / LUKS cheat sheet

tags: linux, cryptsetup, luks, security
date: 2018-03-31

Check if device is LUKS device

cryptsetup isLuks <device>

Returns 0 (zero) if <device> is a LUKS device, 1 otherwise. Use option -v to get human-readable feedback.

With -v, ‘Command successful.’ means the device is a LUKS device.

Make key for encryption

dd bs=512 count=4 if=/dev/urandom of=/boot/sda3.key

Create encrypted partition

cryptsetup -d /boot/sda3.key luksFormat /dev/sda3

cryptsetup -d sv0.jpg -l 4096 luksFormat /dev/sda4


       --key-file, -d name
          Read the passphrase from file.

          If the name given is "-", then the passphrase will be read from stdin. In this case, reading will not stop at newline characters.

          With LUKS, passphrases supplied via --key-file are always the existing passphrases requested by a command, except in the case of
          luksFormat where --key-file is equivalent to the positional key file argument.

       --keyfile-size, -l value
          Read a maximum of value bytes from the key file. The default is to read the whole file up to the compiled-in maximum that can be
          queried with --help. Supplying more data than the compiled-in maximum aborts the operation.

          This option is useful to cut trailing newlines, for example. If --keyfile-offset is also given, the size count starts after the
          offset. Works with all commands that accept key files.


cryptsetup open --type luks -d sv0.jpg -l 4096 /dev/sda4 sda4_lvmcrypt
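
The key-file commands above pass -d FILE -l SIZE, so only the first SIZE bytes of the file are read as the passphrase. The pre-flight check below is an added example, not part of the original cheat sheet: the helper name keyfile_check and its pass/fail policy (file holds at least SIZE bytes, no group/other permission bits) are assumptions, and it relies on GNU stat, head and sha256sum.

```sh
#!/bin/sh
# Added example: pre-flight check for a key file used as "-d FILE -l SIZE".
# keyfile_check is a hypothetical helper; its pass/fail policy is an assumption.
# Needs GNU stat, head and sha256sum.

# keyfile_check FILE SIZE
#   Prints "OK <sha256 of the first SIZE bytes>" and returns 0 when FILE is
#   usable, otherwise prints "FAIL <reason>" and returns 1.
keyfile_check() {
    kc_file=$1
    kc_size=$2

    [ -f "$kc_file" ] || { echo "FAIL not a regular file"; return 1; }

    # The file must hold at least SIZE bytes, otherwise the key is shorter
    # than the command line suggests.
    kc_actual=$(wc -c < "$kc_file" | tr -d ' ')
    if [ "$kc_actual" -lt "$kc_size" ]; then
        echo "FAIL file has $kc_actual bytes, fewer than $kc_size"
        return 1
    fi

    # Anyone who can read the file can open the volume: allow owner bits only.
    kc_mode=$(stat -c '%a' "$kc_file")
    case $kc_mode in
        *00) ;;
        *) echo "FAIL mode $kc_mode grants access to group or others"; return 1 ;;
    esac

    # Bytes past SIZE are ignored, so the digest of the first SIZE bytes
    # identifies the key: two files with equal digests carry the same key.
    kc_digest=$(head -c "$kc_size" "$kc_file" | sha256sum | cut -d' ' -f1)
    echo "OK $kc_digest"
}

# Stand-alone use: sh keyfile_check.sh sv0.jpg 4096
if [ $# -eq 2 ]; then
    keyfile_check "$1" "$2"
fi
```

Run it against each copy of a key file before luksFormat or open; matching digests confirm that two copies carry the same key material even if the rest of the file differs.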

Set up SANS flash

cryptsetup -d inna.jpg -l 1906 luksFormat /dev/sdb3
cryptsetup luksOpen -d inna.jpg -l 1906 /dev/sdb3 sdb3_luks
mount /dev/mapper/sdb3_luks /mnt/home