HOWTO encrypt your filesystems with LUKS

Prerequisites

You need to enable device-mapper with crypto support in your kernel.
See my device-mapper HOWTO for details.

Testing LUKS

To test LUKS, you can use a loop device to turn any container file into a block device. The only requirement is that the file is larger than 2 MiB. I'll use /dev/loop5 in the following examples.

root@osiris:~# cryptsetup luksFormat /dev/loop5
Enter LUKS password: foobar
root@osiris:~# cryptsetup luksOpen /dev/loop5 myvolumename
Enter LUKS password: foobar
key slot 0 unlocked.
root@osiris:~# ls -l /dev/mapper/myvolumename
brw-r----- 1 root root 254, 0 Jan 1 1970 /dev/mapper/myvolumename

You can then use this device like any hard disk partition:

root@osiris:~# mke2fs /dev/mapper/myvolumename
root@osiris:~# mount -t ext2 /dev/mapper/myvolumename /mnt

When you are done, don't forget to remove the device:

root@osiris:~# cryptsetup luksClose myvolumename

Backup Header

cryptsetup luksHeaderBackup --header-backup-file backup-file /dev/sdd1

Convert LUKS1 to LUKS2

cryptsetup convert --type=luks2 /dev/sdd1

Convert old Keys

cryptsetup luksConvertKey --key-slot 0 --pbkdf argon2id /dev/sdd1
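
Checking which key slots still use PBKDF2

The following is an added example, not part of the original HOWTO or of cryptsetup: it reads a raw header image, such as the file written by luksHeaderBackup above, and reports the LUKS version and the KDF of each key slot, so you can see which slots are candidates for luksConvertKey. It assumes the file begins with the on-disk header, with field offsets taken from the LUKS1 and LUKS2 on-disk format specifications; the function names and the sample headers are constructed for illustration.

```python
import json
import struct

MAGIC = b"LUKS\xba\xbe"
LUKS1_SLOT_ENABLED = 0x00AC71F3  # LUKS1 marker for an active key slot

def slot_kdfs(header):
    """Return (LUKS version, {key slot number: KDF name}) for a raw header image."""
    if header[:6] != MAGIC:
        raise ValueError("not a LUKS header")
    (version,) = struct.unpack_from(">H", header, 6)
    if version == 1:
        # Eight 48-byte slot records start at offset 208; LUKS1 only supports PBKDF2.
        slots = {}
        for i in range(8):
            (state,) = struct.unpack_from(">I", header, 208 + 48 * i)
            if state == LUKS1_SLOT_ENABLED:
                slots[i] = "pbkdf2"
        return 1, slots
    if version == 2:
        # hdr_size at offset 8 covers the 4096-byte binary header plus the JSON area.
        (hdr_size,) = struct.unpack_from(">Q", header, 8)
        meta = json.loads(header[4096:hdr_size].split(b"\0", 1)[0])
        return 2, {int(k): v["kdf"]["type"] for k, v in meta["keyslots"].items()}
    raise ValueError(f"unsupported LUKS version {version}")

def needs_convert_key(header):
    """LUKS2 key slots still on PBKDF2, i.e. candidates for luksConvertKey."""
    version, slots = slot_kdfs(header)
    return sorted(s for s, kdf in slots.items() if version == 2 and kdf == "pbkdf2")

def sample_luks2():
    # Constructed sample: a LUKS2 header with one PBKDF2 slot and one Argon2id slot.
    meta = {"keyslots": {"0": {"type": "luks2", "kdf": {"type": "pbkdf2"}},
                         "1": {"type": "luks2", "kdf": {"type": "argon2id"}}}}
    binary = (MAGIC + struct.pack(">HQ", 2, 16384)).ljust(4096, b"\0")
    return binary + json.dumps(meta).encode().ljust(16384 - 4096, b"\0")

def sample_luks1():
    # Constructed sample: a LUKS1 header with slot 0 enabled and slot 1 disabled.
    hdr = bytearray((MAGIC + struct.pack(">H", 1)).ljust(592, b"\0"))
    struct.pack_into(">I", hdr, 208, LUKS1_SLOT_ENABLED)
    struct.pack_into(">I", hdr, 208 + 48, 0x0000DEAD)
    return bytes(hdr)

if __name__ == "__main__":
    for name, image in (("luks1", sample_luks1()), ("luks2", sample_luks2())):
        print(name, slot_kdfs(image), "convert:", needs_convert_key(image))
```

For a real check, pass the bytes read from the header backup file to needs_convert_key() instead of the constructed samples.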