cryptsetup-luksformat
Format a block device with LUKS encryption
TLDR
Initialize a LUKS volume with a passphrase
Initialize a LUKS volume with a keyfile
Initialize a LUKS volume with a passphrase and set its label
SYNOPSIS
cryptsetup luksFormat [options] device
PARAMETERS
--key-size bits
Specifies the key size in bits. Common values include 128, 192, 256 (default).
Larger keys offer stronger security but may impact performance.
--hash hash
Selects the hash algorithm to use. Common options include sha256 (default), sha512, ripemd160. Different algorithms have different performance and security characteristics.
--type luks1|luks2
Chooses the LUKS metadata format, luks1 or luks2 (default). LUKS2 offers improved features and scalability, particularly for larger volumes. Backward compatibility should be considered.
--label label
Sets a label for the LUKS volume. This label can be used to identify the device later.
--uuid uuid
Sets a specific UUID for the LUKS volume; this is useful when configuring multiple devices that must be referenced by a known identifier. If not specified, a random UUID is generated.
--iter-time msecs
Specifies the PBKDF2 iteration time in milliseconds. This value sets how much work is needed to test each candidate passphrase: a longer iteration time improves resistance to guessing, but it also increases the time needed to unlock the volume.
--sector-size sectorsize
Sets the sector size to be used for the encrypted volume.
--offset offset
Specifies the offset (in sectors) from the beginning of the device where the LUKS header will be written.
--header file
Specifies the file to use for the LUKS header instead of the device. Enables detached headers.
--key-file file
Specifies a key file instead of prompting for a passphrase.
--wipe
Wipes the device after formatting to remove any traces of the previous data. This operation takes additional time.
--debug
Enables debug output.
DESCRIPTION
The cryptsetup-luksformat command is used to initialize a block device or file for use with LUKS (Linux Unified Key Setup). It prepares the device with the necessary metadata, including key slots and encryption settings. This process effectively erases any existing data on the target device, making it unreadable until unlocked with a valid passphrase or key. It is a crucial step in setting up full disk or partition encryption, providing a robust method for securing sensitive data. The command interacts with the user to set a passphrase for the LUKS volume, which is then used to encrypt the master key. This master key, in turn, is used to encrypt the actual data stored on the device. Multiple key slots can be configured, allowing different passphrases or key files to unlock the same volume. It is critical to back up the LUKS header: without it, the data on the device cannot be unlocked.
CAVEATS
Formatting a device with cryptsetup-luksformat irretrievably erases all existing data on that device. Ensure you have backups of any important information before proceeding.
Incorrect use of this command can result in data loss and system instability.
KEY DERIVATION
cryptsetup-luksformat uses Password-Based Key Derivation Function 2 (PBKDF2) or Argon2 to derive the encryption key from the passphrase. The iteration time parameter (--iter-time) controls the computational cost of this process. Increasing the iteration time makes it more difficult for attackers to crack the passphrase through brute-force attacks.
DETACHED HEADER
Using the '--header' parameter, the LUKS header can be stored separately from the device. This can provide an additional layer of security, as the header can be kept on a different device from the encrypted data.
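As an added example (this script is not part of cryptsetup or of the original page), the following POSIX shell wrapper ties together the TLDR cases, the key-derivation setting from KEY DERIVATION, the detached header described here and the header backup that DESCRIPTION calls critical. Everything it assumes beyond the page is its own choice: the DRY_RUN switch and the function names, the 64-byte key file, argon2id with a 4000 ms --iter-time, and the refusal to format a device that is currently mounted.

```shell
#!/bin/sh
# Added example: a wrapper around cryptsetup luksFormat covering the TLDR
# cases (passphrase, key file, label) plus a detached header and the
# header backup the DESCRIPTION calls critical. The DRY_RUN switch, the
# function names, the 64-byte key file, argon2id and the 4000 ms iteration
# time are this script's own choices, not defaults documented on the page.
set -u

# Print the command instead of executing it when DRY_RUN=1, so the flow can
# be reviewed (or tested) without touching a real block device.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a random 64-byte key file readable only by its owner. --key-file
# feeds the whole file to cryptsetup as the secret, so it needs the same
# protection as a passphrase. Echoes the key length in bytes.
make_keyfile() {
    keyfile=$1
    old_umask=$(umask)
    umask 077
    head -c 64 /dev/urandom > "$keyfile"
    umask "$old_umask"
    chmod 0400 "$keyfile"
    wc -c < "$keyfile" | tr -d ' '
}

# luksFormat erases the target; refuse if it is currently mounted.
refuse_if_mounted() {
    dev=$1
    if [ -r /proc/mounts ] &&
       awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' /proc/mounts; then
        echo "refusing to format $dev: it is mounted" >&2
        return 1
    fi
    return 0
}

# luks_format DEVICE LABEL KEYFILE HEADER BACKUP
#   KEYFILE empty -> cryptsetup prompts for a passphrase
#   HEADER  empty -> header stays on DEVICE; otherwise it is detached to HEADER
#   BACKUP        -> where the header copy is written right after formatting
luks_format() {
    dev=$1; label=$2; keyfile=$3; header=$4; backup=$5
    if [ ! -e "$dev" ]; then
        echo "no such device: $dev" >&2
        return 1
    fi
    refuse_if_mounted "$dev" || return 1

    # LUKS2 is required for --label; argon2id with a 4 s benchmark target
    # raises the cost of each passphrase guess (see KEY DERIVATION).
    set -- cryptsetup luksFormat --type luks2 --label "$label" \
        --pbkdf argon2id --iter-time 4000
    if [ -n "$keyfile" ]; then
        set -- "$@" --key-file "$keyfile"
    fi
    if [ -n "$header" ]; then
        set -- "$@" --header "$header"
    fi
    set -- "$@" "$dev"
    run "$@" || return 1

    # Without a copy of the header, losing or corrupting it loses the data.
    if [ -n "$header" ]; then
        run cp "$header" "$backup"
    else
        run cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    fi
}

# Usage (not executed here):
#   DRY_RUN=1 luks_format /dev/sdX data /root/sdX.key "" /root/sdX-header.bak
```

With DRY_RUN unset the wrapper really formats the device; it deliberately does not pass --batch-mode, so cryptsetup's own confirmation prompt is still shown before anything is erased. Keep the header backup (and any key file) on separate, protected storage: anyone who can read the key file can unlock the volume.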
HISTORY
cryptsetup, and thus cryptsetup-luksformat, has become a standard tool for managing encrypted devices on Linux systems. It evolved as a more standardized and feature-rich alternative to earlier encryption methods. LUKS itself provides a standard on-disk format, improving interoperability across different Linux distributions. Development is ongoing, with new versions adding features and improving security.
SEE ALSO
cryptsetup(8), crypttab(5)