LinuxCommandLibrary

luksformat

Format a block device for LUKS encryption

SYNOPSIS

cryptsetup luksFormat [OPTIONS] <DEVICE>

PARAMETERS

<DEVICE>
    The block device to be formatted (e.g., /dev/sdb1). Warning: All data on this device will be erased.

-y, --verify-passphrase
    Prompts the user to enter the passphrase twice to verify correctness.

-q, --quiet
    Suppresses most output messages, useful for scripting.

-v, --verbose
    Increases verbosity, providing more details about the operation.

-d, --key-file <file>
    Reads the passphrase from the specified file instead of prompting interactively.

--type <type>
    Specifies the LUKS header type, either luks1 or luks2. Default is luks2 for modern systems.

--cipher <cipher_spec>
    Defines the encryption cipher and mode (e.g., aes-xts-plain64). Default varies by system and LUKS version.

--hash <hash_alg>
    Sets the password hashing algorithm (e.g., sha256, sha512). Used for PBKDF.

--iter-time <milliseconds>
    Sets the desired time for PBKDF (Password-Based Key Derivation Function) computations. Higher values increase passphrase security but take longer to process.

--pbkdf <alg>
    Specifies the PBKDF algorithm to use (e.g., pbkdf2, argon2id). argon2id is the default for LUKS2 and recommended for security.

--uuid <UUID>
    Assigns a specific UUID to the LUKS volume.

--label <label>
    Assigns a textual label to the LUKS volume (LUKS2 only).

DESCRIPTION

luksformat is not a standalone Linux command but refers to the process of initializing a block device for LUKS (Linux Unified Key Setup) encryption. This critical operation is primarily performed by the cryptsetup utility, specifically using the cryptsetup luksFormat subcommand.

The process sets up the LUKS header on the specified device, which includes essential metadata for managing encrypted data. The master key is never written in the clear: each configured key slot holds a copy of the master key encrypted under a key derived from a user passphrase or key file, so several independent secrets can unlock the same volume.

Formatting with LUKS is a destructive operation; it overwrites all existing data on the device and cannot be undone. It is the fundamental first step before an encrypted volume can be opened (cryptsetup luksOpen), a filesystem created on it (e.g., mkfs.ext4), and data stored securely.

CAVEATS

luksformat is not a standalone command: The actual tool for LUKS formatting is cryptsetup luksFormat. Rely on cryptsetup documentation for the most accurate and up-to-date information.

Data Loss: This operation is irreversibly destructive. Ensure you have selected the correct device, as formatting the wrong device will result in permanent data loss.

Passphrase Security: A strong, unique passphrase or a secure key file is paramount for the security of your encrypted data. Weak passphrases can be brute-forced.

PBKDF Iteration Time: The --iter-time parameter directly impacts security. A longer iteration time makes brute-forcing passphrases more difficult. It's crucial to balance security with acceptable unlock times.

Header Backup: Consider backing up the LUKS header (cryptsetup luksHeaderBackup) for disaster recovery, as a corrupted header can render data irrecoverable.

LUKS HEADER

The LUKS header is stored at the beginning of the encrypted device and contains all critical metadata, including encryption parameters (cipher, mode, key size), key slots information, and checksums. Its integrity is vital; if the header is corrupted or lost without a backup, the data on the device becomes irrecoverable.

KEY SLOTS

LUKS supports multiple key slots (up to 8 in LUKS1, more flexible in LUKS2), allowing different passphrases or key files to unlock the same volume. Each slot contains a uniquely encrypted copy of the master key. This allows for scenarios like having both a passphrase and a key file, or multiple users with their own passphrases.
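The provisioning sequence the DESCRIPTION outlines (luksFormat, open, mkfs), the header backup recommended under CAVEATS, and the second key slot discussed above, carried through in one script. This is an added example, not code from LinuxCommandLibrary or from the cryptsetup project. It runs the destructive steps only when explicitly asked, and the --demo mode works on a loopback-backed temporary file so no real disk is touched; the preflight checks (block device, not mounted) are plain POSIX sh and take a mounts table path so they can be exercised against a constructed file. Root and cryptsetup are required for the cryptsetup steps; the key-file names and the volume name luksdemo are assumptions of the example.

```shell
#!/bin/sh
# Added example: safe LUKS2 provisioning with preflight checks.
# Not part of the original page or of cryptsetup itself.
set -eu

# Return 0 if DEV, or a partition of DEV (e.g. /dev/sdb1, /dev/nvme0n1p2),
# is the source of a mount in the mounts table MOUNTS (default /proc/mounts;
# parameterised so the check can be tested against a constructed file).
device_is_mounted() {
    dev=$1; mounts=${2:-/proc/mounts}
    awk -v d="$dev" '$1 == d || $1 ~ ("^" d "p?[0-9]+$") { found = 1 }
                     END { exit !found }' "$mounts"
}

# Format DEV as LUKS2 with KEYFILE as the first key slot, add a second
# key file as a second slot, create ext4 inside, and back up the header.
provision_luks() {
    dev=$1; keyfile=$2; name=${3:-luksdemo}
    [ -b "$dev" ] || { echo "refusing: $dev is not a block device" >&2; return 1; }
    if device_is_mounted "$dev"; then
        echo "refusing: $dev (or a partition of it) is mounted" >&2; return 1
    fi
    # Two 512-byte random key files, created mode 0600 (constructed for the
    # demo; in production they would live on separate media, not on DEV).
    ( umask 077
      head -c 512 /dev/urandom > "$keyfile"
      head -c 512 /dev/urandom > "$keyfile.2" )
    # -q skips the interactive "Are you sure?" confirmation, so the checks
    # above are the only thing standing between a typo and data loss.
    cryptsetup luksFormat -q --type luks2 --cipher aes-xts-plain64 --key-size 512 \
        --pbkdf argon2id --iter-time 2000 --label "$name" \
        --key-file "$keyfile" "$dev"
    # Second key slot: unlock with the first key file, enrol the second one.
    cryptsetup luksAddKey --key-file "$keyfile" --new-keyfile "$keyfile.2" "$dev"
    # Header backup before the volume is ever used; losing the header loses
    # every key slot and therefore the data.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$keyfile.header"
    cryptsetup open --key-file "$keyfile" "$dev" "$name"
    mkfs.ext4 -q "/dev/mapper/$name"
    cryptsetup close "$name"
    # Show both key slots and the PBKDF parameters actually recorded on disk.
    cryptsetup luksDump "$dev"
}

# Non-destructive walk-through on a 64 MiB loopback device.
demo_on_loopback() {
    img=$(mktemp /tmp/luksdemo.XXXXXX)
    keys=$(mktemp -d /tmp/luksdemo-keys.XXXXXX)
    truncate -s 64M "$img"
    dev=$(losetup --find --show "$img")
    trap 'losetup -d "$dev"; rm -rf "$img" "$keys"' EXIT
    provision_luks "$dev" "$keys/volume.key"
}

case "${1:-}" in
    --demo) demo_on_loopback ;;
    "")     echo "usage: $0 --demo | <device> <keyfile> [name]" >&2 ;;
    *)      provision_luks "$1" "${2:?keyfile required}" "${3:-luksdemo}" ;;
esac
```

Run as root with `--demo` to see the whole sequence on a throwaway loop device; `luksDump` at the end lists key slots 0 and 1 with their argon2id parameters, which is also the quickest way to confirm that --iter-time produced the intended cost.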

PBKDF (PASSWORD-BASED KEY DERIVATION FUNCTION)

LUKS utilizes PBKDFs (like PBKDF2 or Argon2id) to derive, from a user's passphrase, the key that unwraps a key slot's copy of the master key. These functions are intentionally computationally intensive (requiring significant time and/or memory) to thwart brute-force attacks against the passphrase. Argon2id (default for LUKS2) is generally recommended over PBKDF2 for its superior resistance against both GPU-based and custom hardware attacks due to its memory-hardness.

HISTORY

The LUKS (Linux Unified Key Setup) specification was created by Clemens Fruhwirth in 2004, providing a standard, platform-independent on-disk format for encrypted volumes. The cryptsetup utility was developed as the primary tool to implement this specification, effectively superseding older, non-standardized disk encryption methods that lacked a consistent header.

The luksFormat subcommand has been a core component of cryptsetup since its early versions, tasked with initializing LUKS volumes. Over time, LUKS evolved from LUKS1 to LUKS2, introducing significant improvements such as the Argon2id PBKDF, flexible key slots, and enhanced metadata storage. cryptsetup continuously adapted to support these advancements. While luksformat itself is not a distinct binary, the conceptual action it represents has been fundamental to disk encryption on Linux since LUKS's inception, consistently performed by the cryptsetup luksFormat command.

SEE ALSO

cryptsetup(8), cryptsetup-luksOpen(8), cryptsetup-luksClose(8), cryptsetup-luksAddKey(8), cryptsetup-luksRemoveKey(8), mkfs(8), mount(8)
