luksformat

luksformat

--key-size
    Specify the key size in bits. Example: --key-size 256

--hash
    Specify the hash algorithm (e.g., sha256, sha512). Default: sha256

--cipher
    Specify the encryption cipher (e.g., aes, serpent, twofish). Default: aes

--cipher-mode
    Specify the cipher mode (e.g., xts-plain64, cbc-essiv:sha256). Default: xts-plain64

--type
    Specify the LUKS type (luks, luks1, luks2). Default: luks2

--uuid
    Set the device UUID to a specific value. Usually not needed.

--label
    Set a device label. It's stored in LUKS metadata, allowing for easier identification of the device.

-q, --quiet
    Suppress output.

-v, --verbose
    Verbose output.

-y, --verify-passphrase
    Require passphrase verification.

--iter-time
    Set custom PBKDF2 iteration time in milliseconds. Only necessary for LUKS1.

--use-urandom
    Use /dev/urandom instead of /dev/random. Useful for faster, non-blocking random number generation, but potentially less secure for initial key generation.

--sector-size
    Specify the sector size.

--header
    Specify the location of LUKS header.

--offset
    Specify offset in device.

--data-offset
    Specify the starting point for encrypted data.

--test-passphrase
    Test if password is valid for a specified header. Doesn't format device.


    The block device to be formatted (e.g., /dev/sda1).

The luksformat command is a crucial tool for setting up encrypted storage on Linux systems. It prepares a block device (like a hard drive partition or USB drive) for use with Linux Unified Key Setup (LUKS), a widely used disk encryption specification. This process involves writing a LUKS header containing encryption parameters, key slots, and other metadata to the device.
Using luksformat effectively encrypts the underlying data making it inaccessible without the correct passphrase or key. luksformat offers choices for encryption algorithms, key sizes, and other parameters allowing for fine-grained control over the encryption process. Choose strong passphrases and appropriate encryption settings to maximize data security. Proper use of luksformat, along with subsequent LUKS tools like cryptsetup, is essential for protecting sensitive data at rest.

luksformat will overwrite all existing data on the specified device. Always back up important data before running this command. Ensure that the device is not mounted before formatting it. Choose strong passphrases to ensure data security.

The security of a LUKS-encrypted device depends heavily on the passphrase used. A weak passphrase can be easily cracked, rendering the encryption ineffective.
Consider using a passphrase generator to create strong, random passphrases. Keyfiles can also be used as alternatives to passphrases, and can be secured separately.
It is also very important to protect against cold boot attacks by powering off the device when not used, or if it's stolen.

luksformat supports multiple LUKS versions. LUKS2 is the recommended standard, providing improved flexibility and features compared to LUKS1. For example, it has extended metadata support and enhanced integrity protection.

LUKS (Linux Unified Key Setup) was developed to provide a standard on-disk format for encrypting block devices. luksformat is the primary command-line tool for initializing LUKS-encrypted volumes. The command has evolved alongside the LUKS standard, with newer versions supporting improved features and encryption algorithms. LUKS2 is the newer standard which replaces LUKS1.

cryptsetup(8), losetup(8)