luksformat
Format a block device for LUKS encryption
SYNOPSIS
luksformat [options] <device>
PARAMETERS
--key-size
Specify the key size in bits. Note that XTS modes split the supplied key into two halves (one for the block cipher, one for the tweak), so AES-256 in xts-plain64 needs --key-size 512; --key-size 256 with XTS gives AES-128. Example: --key-size 512
--hash
Specify the hash algorithm (e.g., sha256, sha512). Default: sha256
--cipher
Specify the block cipher (e.g., aes, serpent, twofish). Default: aes
--cipher-mode
Specify the cipher mode (e.g., xts-plain64, cbc-essiv:sha256). Default: xts-plain64. Together with --cipher this forms the full cipher specification recorded in the header, e.g. aes-xts-plain64. Prefer xts-plain64; cbc-essiv is kept for compatibility with old volumes.
--type
Specify the LUKS type (luks, luks1, luks2). Default: luks2
--uuid
Set the device UUID to a specific value instead of generating a random one. Usually not needed, except when recreating a header that /etc/crypttab or /etc/fstab already refers to by UUID.
--label
Set a device label (LUKS2 only). It is stored in the LUKS header and exposed by blkid(8) and lsblk(8), allowing easier identification of the device.
-q, --quiet
Suppress output.
-v, --verbose
Verbose output.
-y, --verify-passphrase
Prompt for the passphrase twice and refuse to proceed unless both entries match. Strongly recommended when formatting, since a mistyped passphrase cannot be recovered.
--iter-time
Set the time budget, in milliseconds, used to benchmark the passphrase key derivation (PBKDF2 for LUKS1, Argon2id by default for LUKS2). A larger value slows down offline brute-force attacks on the header in proportion; the default is a compromise between unlock latency and attack cost.
--use-urandom
Use /dev/urandom instead of /dev/random when generating the volume key. On a kernel whose random pool has been initialized the two sources are equivalent; the only scenario in which /dev/urandom is weaker is very early boot, before the pool is seeded, when /dev/random would block rather than return output. The volume key is a long-term secret, so do not format devices from an unseeded environment (e.g. a freshly booted VM or embedded image without a saved seed).
--sector-size
Specify the encryption sector size in bytes (512, 1024, 2048 or 4096; LUKS2 only). Larger sectors reduce per-block overhead but must not exceed the smallest sector size of any layer beneath the device.
--header
Store the LUKS header in a separate file or device (a detached header) instead of at the start of the encrypted device. The data device then carries no visible LUKS signature, and the header file must be protected and backed up, because without it the data is unrecoverable.
--offset
Specify the offset, in 512-byte sectors, at which the encrypted data starts on the underlying device.
--data-offset
Specify the starting point of the encrypted data area relative to the LUKS header, leaving room for a larger metadata area.
--test-passphrase
Test whether a passphrase unlocks a key slot of the specified header. Does not format or otherwise modify the device.
<device>
The block device to be formatted (e.g., /dev/sda1). All existing data on it is destroyed.
DESCRIPTION
The luksformat command prepares a block device (such as a hard drive partition, a logical volume or a USB drive) for use with Linux Unified Key Setup (LUKS), the standard on-disk format for block device encryption on Linux. It generates a random volume key, derives a key-encryption key from the supplied passphrase or keyfile with a slow, salted key derivation function, and writes a LUKS header to the device containing the cipher specification, the key derivation parameters, and the key slots that hold the wrapped volume key.
luksformat does not encrypt data already present on the device: it overwrites the header area and makes any previous contents unreadable. Data written after the device has been opened with cryptsetup is encrypted transparently and is inaccessible without a passphrase or keyfile that unlocks one of the key slots. The options above allow the cipher, key size, hash, key derivation time and header placement to be chosen explicitly; the defaults (LUKS2, aes-xts-plain64 with a 512-bit key, sha256) are appropriate for most deployments. Proper use of luksformat, followed by cryptsetup to open the mapping and a filesystem created on the mapped device, is the basis for protecting data at rest.
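The following script is an added example, not part of this page or of the cryptsetup project. It shows the preflight a practitioner would run before formatting: refusing a device that appears in the mount table, computing the --key-size value correctly for XTS versus CBC modes, and assembling the luksformat command line from the options documented above so it can be reviewed before it touches the disk. The function names and the label backup01 are the author's own; the actual format command is left commented out because it destroys the device.

```sh
#!/bin/sh
# Added example (not from the luksformat page or the cryptsetup project):
# preflight checks and an explicit luksformat invocation for a new device.
# Assumes the luksformat options documented on this page; DEVICE is a placeholder.
set -eu

# XTS consumes the supplied key as two halves, so a 256-bit AES-XTS key needs
# --key-size 512. CBC/ESSIV uses the whole key. Prints the --key-size value.
luks_key_size() {
    mode=$1      # e.g. xts-plain64 or cbc-essiv:sha256
    strength=$2  # desired cipher strength in bits, e.g. 256
    case "$mode" in
        xts-*) echo $((strength * 2)) ;;
        *)     echo "$strength" ;;
    esac
}

# Build the luksformat command line as one string so it can be reviewed
# (or logged) before anything is written to the disk.
build_luksformat_cmd() {
    dev=$1; cipher=$2; mode=$3; strength=$4; label=$5
    printf 'luksformat --type luks2 --cipher %s --cipher-mode %s --key-size %s --hash sha256 --label %s --verify-passphrase %s\n' \
        "$cipher" "$mode" "$(luks_key_size "$mode" "$strength")" "$label" "$dev"
}

# Succeeds (returns 0) if DEV appears as a source in the mount table.
# Reads /proc/mounts directly so no extra tool is needed; the optional
# second argument lets a test supply a fake table.
is_mounted() {
    dev=$1
    mounts=${2:-/proc/mounts}
    while read -r src _; do
        if [ "$src" = "$dev" ]; then return 0; fi
    done < "$mounts"
    return 1
}

main() {
    dev=${1:?usage: $0 /dev/sdX}
    if is_mounted "$dev"; then
        echo "refusing to format $dev: it is mounted" >&2
        exit 1
    fi
    cmd=$(build_luksformat_cmd "$dev" aes xts-plain64 256 backup01)
    echo "about to run: $cmd"
    # Uncomment to really format (destroys all data on $dev), then:
    #   $cmd
    #   cryptsetup open "$dev" backup01 && mkfs.ext4 /dev/mapper/backup01
}

if [ -n "${1:-}" ]; then main "$@"; fi
```

Running the script with a device path prints the exact command that would be executed; only after reviewing it would you uncomment the format step. The mount check is deliberately conservative: it matches the device name as it appears in /proc/mounts, so a device mounted through a symlink such as /dev/disk/by-uuid/... should be resolved with readlink -f first.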
CAVEATS
luksformat overwrites the beginning of the specified device and makes all existing data on it unrecoverable. Back up anything you need before running it, double-check the device path (lsblk(8) and blkid(8) help here), and make sure the device is not mounted, not in use by LVM, RAID or swap, and not already an open LUKS mapping. Use --verify-passphrase so that a typo in the passphrase does not lock you out, and make a backup of the LUKS header once formatting is complete: a damaged header means the data is gone even with the correct passphrase.
SECURITY CONSIDERATIONS
The security of a LUKS-encrypted device depends heavily on the passphrase used. An attacker with a copy of the header can run an offline guessing attack against the key slots, limited only by the key derivation cost; a short or predictable passphrase is recovered quickly, rendering the encryption ineffective.
Generate passphrases randomly rather than inventing them, and aim for at least 128 bits of entropy for data that must resist a well-resourced attacker. Keyfiles can be used instead of, or in addition to, passphrases; they are random bytes with no memorability constraint, but they must be stored separately from the device (for example on removable media or in a hardware token) with restrictive permissions, since anyone who can read the keyfile can open the volume.
While a LUKS device is open, the volume key is held in kernel memory and remains there across suspend-to-RAM. Cold boot attacks recover such keys from a running or recently powered system, so close the mapping (cryptsetup close) or power the machine off, rather than suspending it, before leaving it unattended or in transit. A device that is stolen while powered on and unlocked should be assumed compromised.
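The following shell functions are an added example, not part of this page or of the cryptsetup project, illustrating the passphrase and keyfile advice above: a passphrase drawn from the kernel CSPRNG by rejection sampling over a fixed character set, an entropy estimate for checking it against a bit target, and a 64-byte keyfile created with owner-only permissions. The function names, the 62-symbol character set and the 128-bit target are the author's choices.

```sh
#!/bin/sh
# Added example (not from the luksformat page or the cryptsetup project):
# random passphrase generation, entropy check, and keyfile creation.
set -eu

CHARSET='A-Za-z0-9'   # 62 symbols, about 5.95 bits per character
CHARSET_SIZE=62

# Print LENGTH characters drawn uniformly from CHARSET. tr -dc discards every
# byte outside the set, which is rejection sampling, so no symbol is favoured.
gen_passphrase() {
    length=${1:-24}
    LC_ALL=C tr -dc "$CHARSET" < /dev/urandom | head -c "$length"
    echo
}

# Entropy, in whole bits, of a uniformly random string of N characters:
# floor(N * log2(CHARSET_SIZE)).
passphrase_entropy_bits() {
    awk -v n="$1" -v s="$CHARSET_SIZE" 'BEGIN { printf "%d\n", int(n * log(s) / log(2)) }'
}

# Succeed only if PASS (assumed generated by gen_passphrase) meets the bit
# target, default 128. A hand-picked passphrase has far less entropy than
# its length suggests, so this estimate applies to generated strings only.
passphrase_ok() {
    pass=$1; target=${2:-128}
    [ "$(passphrase_entropy_bits "${#pass}")" -ge "$target" ]
}

# Write a 64-byte random keyfile readable only by its owner. The key bytes go
# straight from /dev/urandom to the file and never pass through a shell
# variable or the command line, where they could end up in history or ps output.
make_keyfile() {
    path=$1
    ( umask 077 && head -c 64 /dev/urandom > "$path" )
    chmod 0400 "$path"
}
```

A 24-character passphrase from this set carries about 142 bits of entropy; 21 characters is the minimum that clears 128 bits. The keyfile can be added to a slot of an existing volume with cryptsetup luksAddKey, and should be backed up with the same care as the header, since the volume is only as confidential as the least-protected copy of either.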
LUKS VERSIONS
luksformat supports multiple LUKS versions. LUKS2 is the recommended format and the default; compared with LUKS1 it uses the memory-hard Argon2id key derivation function by default (making GPU and ASIC attacks on the passphrase far more expensive), keeps two checksummed copies of its metadata so a partially damaged header can still be read, supports labels and larger encryption sectors, and can be combined with dm-integrity for authenticated encryption that detects tampering with the ciphertext. LUKS1 remains available for compatibility with older bootloaders and tools that cannot read LUKS2 headers.
HISTORY
LUKS (Linux Unified Key Setup) was developed to provide a standard on-disk format for encrypting block devices, so that a volume created on one Linux system can be opened on any other. luksformat initializes LUKS volumes using the same on-disk format and key management as cryptsetup, and has evolved alongside the LUKS specification, with newer versions supporting improved key derivation and additional ciphers. LUKS2 supersedes LUKS1 as the default format, while LUKS1 volumes continue to be supported.
SEE ALSO
cryptsetup(8), losetup(8)