Encryption through CLI

I am using ubuntu server to encrypt my 3.5" hard drive, and 2.5" hard drives or usb external hard drives. I use this command to do this:

sudo cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha256 --iter-time 2000 --key-size 256 --pbkdf argon2id --use-urandom --verify-passphrase /dev/sda

Source: https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode

After that I run this commands:

sudo cryptsetup luksOpen /dev/sda private
sudo mkfs.ext4 /dev/mapper/private

What do you think of my procedure?
What else do you suggest I do? Is it enough to just encrypt, or should I do more?

Thank you


Hi matt65

The device must be unmounted when performing these steps. With LUKS you can encrypt a whole device or just a partition within a device.

When I LUKS encrypt a whole disk, the command looks like:

sudo cryptsetup luksFormat /dev/sd?  (for example)

I think this basic command implies the long version you used. No biggie.

You may want to read up on how to back up your LUKS header, obviously not to the same encrypted device, and how to restore it if needed. If the header gets corrupted then your data is lost. Knowing how to restore the header could be useful.

Without a header backup, the disk can usually be reused so you don’t have to throw the disk away, but you will not have access to that data if you have botched the header or lost your passphrase(s) or hardware based key(s). This all reminds me to say that you want to have excellent backups.

I think disk encryption is important on devices that are going remote where there is a chance it could be lost or stolen (i.e. laptops, offsite drives, thumb drives, etc.). The rare exception here might be a thumb drive containing photos or other valueless documents. I use it less at home on my LAN.


This is interesting, because I thought that you could only encrypt a partition.

Once you’ve encrypted an entire device, can you then mount the device as a device, and partition it? I can experiment with this in a VM with a virtual disk.

Hi matt65,

The encryption process looks pretty solid. To be safe, you can also add a backup step to the process to store critical data separately for convenience.
Secondly, if you want, you could store recovery keys or passphrases securely in password managers or vaults.

What do you recommend I do?

Where do you recommend I look up this information?

Do you mean, “With a header…”?

I have never tried this, but it sounds interesting. What were the results from your tests?

Could you explain what you mean by this advice?

I only got the passphrases. Am I supposed to get “recovery keys” from this process?

What do you suggest to use here?

@paddylandau yes, you can encrypt a whole disk. As you know, luksFormat creates a LUKS volume (an encrypted container), and this can be done on whatever device /dev/sd? or whatever existing partition you may want the LUKS volume to live on, such as /dev/sdc3 for example.

Next, when you luksOpen the encrypted volume, you can do whatever you want inside it such as create other partitions (i.e. an LVM scheme can be placed inside the volume).

For example, something like this - we’ll assume we are setting this up on an external, portable 1TB USB SSD

# become root briefly so you don't need to type sudo so much
sudo -i

lsblk        # find your empty disk /dev/sd? - then check to be sure w/fdisk
fdisk -l     # identify the correct disk - do you have the right one? - last chance

cryptsetup luksFormat /dev/sdd       # /dev/sdd is just an example

# pick any mapping name you like (sdd1_crypt here; you can call it bambi, whatever)
cryptsetup luksOpen /dev/sdd sdd1_crypt
# this opens the drive & maps /dev/mapper/sdd1_crypt to /dev/sdd

# Next create your LVM PV (physical volume) inside the LUKS container. See the man pages for pvcreate, vgcreate, & lvcreate usage:

# We'll create one PV on sdd1_crypt:
pvcreate /dev/mapper/sdd1_crypt

# Now we need an LVM VG (volume group), we'll call it WD-vg. This is created on the /dev/mapper/sdd1_crypt PV we created in the previous step:
vgcreate WD-vg /dev/mapper/sdd1_crypt

# Now for our LVM LVs (logical volumes). These are logical partitions on the VG as follows:
lvcreate -n cloudy-bak -L 10g WD-vg
lvcreate -n storage-bak -L 200g WD-vg
lvcreate -n projects-bak -L 50g WD-vg
lvcreate -n myhomes-bak -L 300g WD-vg

# Good to verify the output of the following commands now
pvs
vgs
lvs

# We now need a file system on our LVs, we chose ext4:
mkfs.ext4 /dev/WD-vg/cloudy-bak
mkfs.ext4 /dev/WD-vg/storage-bak
mkfs.ext4 /dev/WD-vg/projects-bak
mkfs.ext4 /dev/WD-vg/myhomes-bak

# Create whatever mountpoints you want first, then mount the LVs. Each LV needs its own mountpoint.
mkdir -p /media/cloudy /media/storage /media/projects /media/myhomes
mount /dev/WD-vg/cloudy-bak /media/cloudy
mount /dev/WD-vg/storage-bak /media/storage
mount /dev/WD-vg/projects-bak /media/projects
mount /dev/WD-vg/myhomes-bak /media/myhomes

So all this LVM structure is inside our LUKS encrypted volume. When we luksClose the volume, we’ll need our passphrase or whatever other key we may have created so we can open the encrypted volume again in the future.

You can do the same thing inside a regular disk partition and have a LUKS volume on some partition, and it can even be alongside other non-LUKS partitions on the same disk.

The above example, LUKS encrypting a whole disk /dev/sd?, is not best when the disk is being used to install an Ubuntu OS. I think /boot for example is supposed to be outside a LUKS container, and outside an LVM structure as well if you are using LVM. For Ubuntu OS installs, your Ubuntu installer will handle this for you when you select full disk encryption, or LVM + encryption on your laptop/desktop install for example. So I personally only consider “whole disk” encryption, as illustrated above, just for files and other data stuff in transit or which can easily be lost, misplaced, or stolen.

This was a quick “throw together” so test it in a VM or some other old blank disk you want to play around with. You can skip all the LVM steps if you just want to create one big file system inside your LUKS volume. It would be something like (sudo mkfs.ext4 /dev/mapper/sdd1_crypt)

@matt65
https://manpages.ubuntu.com/manpages//lunar/man8/cryptsetup-luksHeaderBackup.8.html

https://manpages.ubuntu.com/manpages/questing/man8/cryptsetup-luksHeaderRestore.8.html

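An added example (not code from anyone in this thread) that ties together the header-backup advice and the linked luksHeaderBackup/luksHeaderRestore man pages with the earlier suggestion to keep a recovery passphrase: it backs up a LUKS2 header off the disk and verifies the copy, adds a second keyslot, and includes an offline check of `cryptsetup luksDump` output for the settings matt65 asked for (LUKS2, argon2id, more than one keyslot). It assumes cryptsetup 2.x and root for the two device functions; DEV and OUTDIR are placeholders, and the sample dump is constructed, not from a real disk.

```shell
#!/bin/sh
# Added example, not code from the thread: back up a LUKS2 header off the
# encrypted disk and verify the copy, add a recovery passphrase, and check
# a luksDump for the settings discussed. Assumes cryptsetup 2.x; the first
# two functions need root. DEV and OUTDIR are placeholders you supply.
set -eu

# Copy the header of DEV to OUTDIR, confirm the copy still parses as a LUKS
# header, and store a checksum next to it so corruption is detectable later.
luks_header_backup() {
    dev=$1; outdir=$2
    uuid=$(cryptsetup luksUUID "$dev")
    out="$outdir/luks-header-$uuid-$(date +%Y%m%d).img"
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out"
    cryptsetup luksDump "$out" >/dev/null   # a usable backup dumps cleanly
    sha256sum "$out" > "$out.sha256"
    chmod 600 "$out" "$out.sha256"          # the header holds the keyslots
    printf '%s\n' "$out"
}

# Put a second passphrase in a free keyslot; cryptsetup asks for an existing
# passphrase, then for the new one.
luks_add_recovery_key() {
    cryptsetup luksAddKey "$1"
}

# Offline check of `cryptsetup luksDump DEV` text read on stdin: succeed only
# if the header is LUKS2, every keyslot uses argon2id, and at least two
# keyslots exist (i.e. a recovery passphrase has actually been added).
luks_check_dump() {
    dump=$(cat)
    version=$(printf '%s\n' "$dump" | sed -n 's/^Version:[[:space:]]*//p')
    slots=$(printf '%s\n' "$dump" | grep -c '^  [0-9]*: luks2$' || true)
    weak=$(printf '%s\n' "$dump" | grep '^[[:space:]]*PBKDF:' | grep -vc argon2id || true)
    [ "$version" = 2 ] && [ "$slots" -ge 2 ] && [ "$weak" -eq 0 ] && return 0
    return 1
}

# Constructed, abbreviated luksDump output (not from a real disk) for a demo.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id
  1: luks2
        PBKDF:      argon2id'

printf '%s\n' "$SAMPLE_DUMP" | luks_check_dump && echo "sample header: OK"
```

Keep the backup image and its checksum somewhere that is not on the encrypted disk, and remember that the file contains your keyslots, so it deserves the same care as the passphrase itself.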

That’s brilliant, Allen, thank you for all of the detail!

I shall test this in a VM this weekend — I’m going to be a bit busy, so I might only get to it the following weekend.

I didn’t know that both LUKS and LVM could be created on an entire disk. I thought that both had to be on a partition!

You are correct about /boot needing to be outside LUKS (and, I believe, outside LVM, though I could be wrong). The EFI System Partition for Secure Boot needs to be outside both LUKS and LVM. So, for a system disk rather than a data-only disk, you would indeed need partitions.

Thanks again.

I finally got around to testing this, and it works perfectly, thank you.

It’s interesting that I didn’t even need to add a partition table to the hard drive.

