LinuxCommandLibrary

cryptsetup

dm-crypt and LUKS encrypted volume manager

TLDR

Initialize LUKS volume
$ cryptsetup luksFormat /dev/sda1

Open LUKS volume
$ cryptsetup open /dev/sda1 mapping_name

Show mapping status
$ cryptsetup status mapping_name

Close mapping
$ cryptsetup close mapping_name

Change passphrase
$ cryptsetup luksChangeKey /dev/sda1

SYNOPSIS

cryptsetup action [OPTIONS] device [name]

DESCRIPTION

cryptsetup manages dm-crypt and LUKS (Linux Unified Key Setup) encrypted volumes. It provides disk encryption for protecting data at rest, supporting multiple key slots, strong encryption algorithms, and header backup/restore.

PARAMETERS

luksFormat device
    Initialize a LUKS encrypted volume (destroys all data)
open device name
    Open encrypted device and create mapping at /dev/mapper/name
close name
    Remove an existing mapping
status name
    Display information about an active mapping
luksChangeKey device
    Change the passphrase for a LUKS volume
luksAddKey device
    Add a new passphrase to a key slot
luksRemoveKey device
    Remove a passphrase from a key slot
luksDump device
    Display LUKS header information
luksHeaderBackup device
    Back up LUKS header to a file
--type type
    Specify encryption type (luks, luks2, plain)
--cipher cipher
    Encryption cipher specification

CONFIGURATION

/etc/crypttab

Defines encrypted volumes to unlock at boot.

CAVEATS

Losing all passphrases means permanent data loss. Always back up LUKS headers. Formatting destroys all existing data. The encrypted device must be opened before it can be mounted.
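
The ordering these caveats imply (format, back up the header, open, then mount), as an added example that is not part of the original page. The device /dev/sdX1 is a placeholder, and the backup path, mount point and ext4 filesystem are assumptions; commands are only printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: ordered LUKS lifecycle built from the commands on this page.
# Assumptions: /dev/sdX1 (placeholder), the backup path, the mount point and
# the ext4 filesystem are illustrative and not taken from the page.
# DRY_RUN defaults to 1: each command is printed, not executed. Review the
# plan, then rerun as root with DRY_RUN=0.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Format, back up the header, then open, make a filesystem and mount.
luks_provision() {
    dev=$1 name=$2 hdr=$3 mnt=$4
    # Never clobber an earlier header backup: it may be the only good copy.
    if [ -e "$hdr" ]; then
        echo "refusing: header backup $hdr already exists" >&2
        return 1
    fi
    run cryptsetup luksFormat --type luks2 "$dev" || return 1
    # Back up the header right after formatting; store it off this disk.
    run cryptsetup luksHeaderBackup "$dev" --header-backup-file "$hdr" || return 1
    # The mapping must exist before the filesystem can be made or mounted.
    run cryptsetup open "$dev" "$name" || return 1
    run mkfs -t ext4 "/dev/mapper/$name" || return 1
    run mount "/dev/mapper/$name" "$mnt"
}

# Unmount first, then remove the mapping.
luks_teardown() {
    name=$1 mnt=$2
    run umount "$mnt" || return 1
    run cryptsetup close "$name"
}

# Print the plan for a placeholder device (dry run unless DRY_RUN=0).
luks_provision /dev/sdX1 mapping_name ./sdX1-luks-header.img /mnt/secure &&
    luks_teardown mapping_name /mnt/secure
```

The header backup contains the key slots, so keep it somewhere other than the encrypted disk and restrict who can read it.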

HISTORY

cryptsetup is the standard Linux disk encryption management tool, supporting dm-crypt, LUKS, and LUKS2 formats.

SEE ALSO

dmsetup(8), losetup(8), mkfs(8)
