LinuxCommandLibrary

cryptsetup-luksformat

Format a block device with LUKS encryption

TLDR

Initialize a LUKS volume with a passphrase
$ cryptsetup luksFormat [/dev/sdXY]

Initialize a LUKS volume with a keyfile
$ cryptsetup luksFormat [/dev/sdXY] [path/to/keyfile]

Initialize a LUKS volume with a passphrase and set its label
$ cryptsetup luksFormat --label [label] [/dev/sdXY]

SYNOPSIS

cryptsetup luksFormat [options] <device> [<keyfile>]

PARAMETERS

--type, -t ARG
    Uses LUKS1 or LUKS2 (default: LUKS2)

--cipher, -c ARG
    Cipher specification (default: aes-xts-plain64)

--key-size, -s BITS
    Key size in bits (default: 256)

--hash, -h ARG
    Hash algorithm (default: sha256)

--hmac ARG
    HMAC transform (LUKS2 only)

--pbkdf ARG
    PBKDF algorithm (argon2id, argon2i, pbkdf2; default: argon2id)

--iter-time, -i MS
    PBKDF benchmark time in ms (default: 2000)

--pbkdf-force-iterations N
    Force exact PBKDF iterations

--pbkdf-minimum-memory KiB
    Minimum memory for Argon2 PBKDF

--pbkdf-parallel-threads N
    Parallel threads for PBKDF

--use-random
    Gather entropy from /dev/random

--use-urandom
    Use /dev/urandom (default)

--verify-passphrase, -y
    Verify passphrase by re-prompting

--key-file, -k FILE
    Read passphrase from file

--key-file-size N
    Limit keyfile read size in bytes

--key-file-offset N
    Keyfile offset in bytes

--header FILE
    Store LUKS header in separate file (detached)

--header-size N
    Detached header size in MiB (default: 32)

--sector-size BYTES
    Filesystem sector size (default: 4096)

--batch-mode, -q
    Disable prompts, no interaction

--verbose, -v
    Verbose output

--debug
    Debug traces

DESCRIPTION

The cryptsetup luksFormat command initializes a Linux Unified Key Setup (LUKS) partition header on a specified block device, enabling full-disk encryption. LUKS is the de facto standard for Linux disk encryption and uses the dm-crypt kernel module for transparent encryption and decryption.

It prompts for a passphrase (or uses a keyfile) to protect a keyslot, of which LUKS1 supports up to 8 and LUKS2 (the default) up to 32. The header stores metadata, salts, and the encrypted master key. LUKS2 enhances security with Argon2 PBKDF, integrity via HMAC, and detached headers.

Critical warning: This permanently erases all data on the device, including any existing LUKS header. Verify the device with lsblk or fdisk first. After formatting, use cryptsetup luksOpen to activate the volume, then mkfs to create a filesystem.

Supports customization of cipher (e.g., aes-xts-plain64), key size (256/512 bits), hash, PBKDF iterations, and sector size. Ideal for USB drives, laptops, or servers requiring data protection at rest.

CAVEATS

Danger: Irreversibly wipes all data on the device. Triple-check the target. Do not run it on mounted devices. Requires root or sudo. LUKS1 is incompatible with some kernels/hardware.
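
The checks these caveats call for (target is a block device, is not mounted, carries no existing LUKS header), as an added shell example that is not part of the original page or of cryptsetup. The function names and return codes are hypothetical; a Linux /proc and GNU readlink are assumed.

```shell
#!/bin/sh
# Pre-flight checks to run before `cryptsetup luksFormat`.
# Function names and return codes are hypothetical, not part of cryptsetup.

# True if the first 6 bytes are the LUKS magic: "LUKS" 0xBA 0xBE.
# Both LUKS1 and LUKS2 on-disk headers begin with these bytes.
has_luks_magic() {
    magic=$(head -c 6 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# True if DEV is the first field of any line in TABLE, where TABLE has the
# layout of /proc/mounts or /proc/swaps (source device in column 1).
is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "$2"
}

# Returns 0 if the target looks safe to format, otherwise:
#   1 = not a block device, 2 = mounted or swap, 3 = existing LUKS header.
luks_preflight() {
    dev=$(readlink -f "$1") || return 1      # resolve /dev/disk/by-* symlinks
    if [ ! -b "$dev" ]; then
        echo "refusing: $1 is not a block device" >&2
        return 1
    fi
    if is_mounted "$dev" /proc/mounts || is_mounted "$dev" /proc/swaps; then
        echo "refusing: $dev is mounted or in use as swap" >&2
        return 2
    fi
    if has_luks_magic "$dev"; then
        echo "refusing: $dev already has a LUKS header that would be destroyed" >&2
        return 3
    fi
    return 0
}

# Usage (as root): luks_preflight /dev/sdXY && cryptsetup luksFormat /dev/sdXY
```

The check does not see a detached header or a device that is currently open as a dm-crypt mapping; lsblk shows the latter as a child of the device.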

EXAMPLE USAGE

cryptsetup luksFormat /dev/sdb1
Interactive passphrase prompt.

cryptsetup luksFormat --type LUKS1 --cipher aes-xts-plain64 --key-size 512 /dev/sdb1
Custom LUKS1 setup.

cryptsetup luksFormat --batch-mode --key-file keyfile.bin /dev/sdb1
Non-interactive with keyfile.

POST-FORMAT STEPS

1. cryptsetup luksOpen /dev/sdb1 encrypted
2. mkfs.ext4 /dev/mapper/encrypted
3. mount /dev/mapper/encrypted /mnt

HISTORY

Developed by Clemens Fruhwirth in 2004-2006 for dm-crypt (kernel 2.6.10). LUKS1 stabilized 2006; LUKS2 introduced 2017 with better PBKDF/security. Maintained by Milan Broz et al., part of cryptsetup-ng since v2.0 (2020). Widely used in distros like Ubuntu, Fedora.

SEE ALSO

cryptsetup(8), cryptsetup-luksOpen(8), cryptsetup-luksClose(8), dmsetup(8), mkfs(8)
