dm-crypt

Create LUKS encrypted volume

$ sudo cryptsetup luksFormat [/dev/sdX]

$ sudo cryptsetup open [/dev/sdX] [name]

$ sudo cryptsetup close [name]

$ sudo cryptsetup luksDump [/dev/sdX]

$ sudo cryptsetup luksAddKey [/dev/sdX]

$ sudo cryptsetup open --type plain [/dev/sdX] [name]

$ cryptsetup benchmark

cryptsetup action [options] device [name]

dm-crypt is the Linux kernel's device-mapper encryption target, providing transparent disk encryption. cryptsetup is the userspace tool to configure dm-crypt, typically using the LUKS (Linux Unified Key Setup) format.
LUKS provides standardized on-disk format with multiple key slots, allowing multiple passphrases or keyfiles. It stores encryption metadata in a header, enabling key management without re-encrypting data.
Plain dm-crypt provides encryption without a header, useful for plausible deniability but requiring exact parameters to be remembered. Both modes create a mapped device in /dev/mapper/ for normal filesystem operations.

luksFormat device

Initialize LUKS partition.

Open and map encrypted device.

Close mapped device.

Display LUKS header information.

Add new passphrase/keyfile.

Remove a passphrase.

Backup LUKS header.

Restore LUKS header.

Encryption type: luks, luks2, plain.

Encryption cipher (aes-xts-plain64).

Key size in bits.

Hash for key derivation.

Use keyfile instead of passphrase.

LUKS header damage can make data unrecoverable; always backup headers. Encryption has CPU overhead (AES-NI helps significantly). SSDs may require special TRIM considerations. Forgotten passphrases mean permanent data loss.

dm-crypt was merged into the Linux kernel in version 2.6 (2004). LUKS was designed by Clemens Fruhwirth in 2004 to standardize Linux disk encryption. LUKS2, released in 2017, added modern key derivation (Argon2), authenticated encryption, and larger metadata areas.

cryptsetup(8), crypttab(5), luks(8)