How to encrypt a partition with DM-Crypt LUKS on Linux

TrueCrypt is no more, and the purpose of this post is to show you straightforward partition encryption with dm-crypt LUKS.

DM-Crypt is transparent disk encryption implemented as a kernel module within the device-mapper framework, which maps physical block devices onto higher-level virtual block devices; it uses the cryptographic routines of the kernel's crypto API. Long story short: device-mapper encryption provided by the Linux kernel's crypto API.

Make sure that you have at least one partition with no data in it. If you don't have any partitions available, use parted, gparted or whatever program you like to shrink some of your existing partitions and create a new one.

I'll use a partition called /dev/sda3, and our first task will be to overwrite that partition 3 times with random data, which is enough to protect you against forensic recovery of the old data. It took me nearly 30 minutes for a 20 GB partition to be overwritten 3 times.

shred --verbose --random-source=/dev/urandom --iterations=3 /dev/sda3

Create the cryptographic device-mapper device in LUKS encryption mode:

cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda3

You'll be asked the following question:

This will overwrite data on /dev/sda3 irrevocably.

Are you sure? (Type uppercase yes): YES

Enter passphrase:

Verify passphrase:

Command successful

Unlock the partition; here "root" is the device-mapper name, think of it as a label.

cryptsetup open --type luks /dev/sda3 root

We have to create a filesystem on the mapped device so that data written through the device-mapper name (label) is stored encrypted.

mkfs.ext4 /dev/mapper/root

Mount the device and transfer all of your data:

mount -t ext4 /dev/mapper/root /mnt

Unmount and close the device once you are done:

umount /mnt

cryptsetup close root

Last but not least, clear the kernel's page cache and buffers (run sync first, as drop_caches only frees clean cache pages):

sysctl --write vm.drop_caches=3

That was it: simple and straightforward encryption. From now on all you have to do is unlock, mount, transfer data, unmount and close the device.

If you have a couple of hours to spare and want to experiment, feel free to read these pages:

link 1, link 2, link 3, link 4, link 5, link 6, link 7

Protect your /boot partition if you want full-disk encryption. How to do it is written in great detail in the links above.

Post edit: Things get even better, as I just learnt that it is possible to burn LUKS-encrypted CDs and DVDs.

Instead of using a drive partition, we will create a file with dd, filling it from the kernel's random number generator /dev/urandom so that its initial contents are random data.

Create a 500 MB file that will hold an entire filesystem within a single file.

dd if=/dev/urandom of=encrypted.volume bs=1MB count=500

Just replace the first command in this post (shred) with the dd one and type the rest of the commands as they are, with encrypted.volume in place of /dev/sda3.

Now you can be sure that no one will get at your data, which is burned to the disc as a single file holding an entire LUKS-encrypted filesystem; just make sure to unmount and close encrypted.volume before burning it.
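
As an added example (not part of the original post), here is a small Python parser for the LUKS1 header that luksFormat writes at the start of /dev/sda3 or of encrypted.volume, so you can verify the same fields cryptsetup luksDump reports (cipher, mode, hash, key size, which key slots are active) before trusting the device with your data. The build_sample_header() helper constructs a sample header matching the luksFormat options above (aes, xts-plain64, sha512, 512-bit key); its offsets, iteration counts and UUID are constructed placeholders, not values read from a real device.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
KEY_ACTIVE, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD  # LUKS1 key-slot state codes
HEADER_LEN = 592                                   # fixed size of the LUKS1 header

def _cstr(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii")

def parse_luks1_header(data):
    """Parse the first 592 bytes of a LUKS1 device/file; raise ValueError if it is not LUKS1."""
    if len(data) < HEADER_LEN:
        raise ValueError("header too short")
    if data[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS device (bad magic)")
    version, = struct.unpack(">H", data[6:8])
    if version != 1:
        raise ValueError("only LUKS1 headers are handled here, got version %d" % version)
    cipher, mode, hash_spec = _cstr(data[8:40]), _cstr(data[40:72]), _cstr(data[72:104])
    payload_offset, key_bytes = struct.unpack(">II", data[104:112])  # offset in 512-byte sectors
    mk_iter, = struct.unpack(">I", data[164:168])                    # master-key digest iterations
    uuid = _cstr(data[168:208])
    slots = []
    for i in range(8):  # eight 48-byte key slots start at offset 208
        off = 208 + 48 * i
        state, iters = struct.unpack(">II", data[off:off + 8])
        km_off, stripes = struct.unpack(">II", data[off + 40:off + 48])
        slots.append({"slot": i, "active": state == KEY_ACTIVE, "iterations": iters,
                      "key_material_offset": km_off, "stripes": stripes})
    return {"cipher": cipher, "mode": mode, "hash": hash_spec, "key_bits": key_bytes * 8,
            "payload_offset_bytes": payload_offset * 512, "mk_digest_iterations": mk_iter,
            "uuid": uuid, "active_slots": [s["slot"] for s in slots if s["active"]], "slots": slots}

def build_sample_header():
    """Constructed sample header (not read from a real device) matching the post's luksFormat options."""
    h = bytearray(HEADER_LEN)
    h[0:6] = LUKS_MAGIC
    struct.pack_into(">H", h, 6, 1)
    h[8:11], h[40:51], h[72:78] = b"aes", b"xts-plain64", b"sha512"
    struct.pack_into(">II", h, 104, 4096, 64)   # payload at sector 4096, 64-byte (512-bit) master key
    struct.pack_into(">I", h, 164, 12345)       # constructed digest iteration count
    h[168:204] = b"00000000-0000-0000-0000-000000000000"  # placeholder UUID
    for i in range(8):                           # only slot 0 holds a passphrase-wrapped key
        off = 208 + 48 * i
        struct.pack_into(">II", h, off, KEY_ACTIVE if i == 0 else KEY_DISABLED, 750000 if i == 0 else 0)
        struct.pack_into(">II", h, off + 40, 8 + 512 * i, 4000)
    return bytes(h)
```

To inspect a real device or container, pass it the first 592 bytes, e.g. parse_luks1_header(open("encrypted.volume", "rb").read(592)); the payload offset tells you where the encrypted filesystem begins and a second active slot means a second passphrase exists.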

6 Comment(s)


From: Rudi Pittman

VeraCrypt [ the fork of TrueCrypt that was created to provide tougher security than TrueCrypt used ] is still alive and well. It also still provides features like hidden containers within containers, which LUKS does not.

I use both LUKS and VeraCrypt and both are good, but stating that TrueCrypt is dead, à la "The sky is falling", is misleading.

From: David Beckham

@Rudi "The development of TrueCrypt was ended in 5/2014"; source

That was announced by the TrueCrypt DEVELOPERS. The kernel provides you with encryption out of the box; also, the security audit report of TrueCrypt showed a couple of vulnerabilities that were easy to exploit and others marked as critical and high.

None of the TrueCrypt forks has managed to fix all of the vulnerabilities mentioned in the audit report so far. Until they are fixed, you will be shooting yourself in the foot.

From: Norman

The hidden container isn't really hidden, as anyone who has physical access to your drive and is observing it will notice that there is used space, and they can spot exactly which sectors have been used.

On the other hand, it seems you either haven't read the whole tutorial here or came to troll, because with LUKS, as was stated at the end of the tutorial, you can create a whole filesystem in LUKS encryption within a file of a preset size, and you may call it a container.

In both cases, anyone who has physical access to your drive will notice the encryption, so hidden container or not doesn't really matter.

TrueCrypt has been developed by true cryptography professionals; the same goes for the active kernel development, where every developer is well acknowledged. I doubt the TrueCrypt forks are maintained by cryptography professionals.

From: mhogomchungu

zuluCrypt[1] is a simple, feature-rich and powerful solution for hard drive encryption, capable of handling LUKS, TrueCrypt and VeraCrypt volumes.

@Rudi Pittman, give zuluCrypt a try, since it can manage both your LUKS and VeraCrypt volumes from the same GUI.

From: affinity

TrueCrypt has problems, but those problems are not really a problem at all; just stick with 7.1a. The audit found the problems to be of no concern at all.

From: Al

Thank you, worked perfectly!