cryptsetup

cryptsetup is a command-line utility used for managing disk encryption on Linux systems. It is primarily used with LUKS (Linux Unified Key Setup), a standard for disk encryption that provides support for encrypting entire block devices such as hard drives and partitions.

Key Features

• LUKS Support: Provides support for LUKS, allowing for the secure encryption of disk volumes.

• Volume Management: Facilitates the creation, opening, closing, and removal of encrypted volumes.

• Multiple Encryption Methods: Supports a variety of encryption algorithms and modes.

• Password Management: Manages passphrases for encrypted volumes and allows key slot management.

Basic Usage

The general syntax for cryptsetup is:

cryptsetup [command] [options] <device> [arguments]

• [command]: The operation to perform (e.g., luksFormat, open, close).

• [options]: Command-specific options.

• <device>: The block device or file to operate on (e.g., /dev/sda1, /dev/mapper/my_volume).

Common Commands and Options

1. luksFormat

Formats a device with LUKS encryption.

cryptsetup luksFormat /dev/sdX

• /dev/sdX: The block device to format.

Options:

• --cipher <cipher>: Specifies the encryption cipher (e.g., aes-xts-plain64).

• --hash <hash>: Specifies the hash function for key derivation (e.g., sha256).

• --key-size <size>: Sets the size of the encryption key.

2. luksOpen

Opens an encrypted device and maps it to a virtual device.

cryptsetup luksOpen /dev/sdX my_volume

• /dev/sdX: The encrypted block device.

• my_volume: The name for the mapped virtual device.

Options:

• --key-file <file>: Specifies a file containing the passphrase.

• --key-slot <slot>: Selects a specific key slot for opening the volume.

3. luksClose

Closes an open encrypted device.

cryptsetup luksClose my_volume

• my_volume: The name of the mapped virtual device to close.

4. luksAddKey

Adds a new passphrase to an existing encrypted device.

cryptsetup luksAddKey /dev/sdX

• Prompts for the existing passphrase and the new passphrase to add.

Options:

• --key-file <file>: Specifies a file containing the new passphrase.

5. luksRemoveKey

Removes an existing passphrase from an encrypted device.

cryptsetup luksRemoveKey /dev/sdX

• Prompts for the passphrase to remove.

Options:

• --key-file <file>: Specifies a file containing the passphrase to remove.

6. luksDump

Displays information about a LUKS-encrypted device.

cryptsetup luksDump /dev/sdX

• /dev/sdX: The encrypted block device.

Advanced Features

• LUKS2 Support: cryptsetup supports LUKS2, an updated version of LUKS with additional features and improved security.

• Key Management: Manage multiple key slots, allowing different passphrases to access the same encrypted volume.

• Device Mapper Integration: Works with the device mapper to provide transparent encryption.

Examples

Format a Device with LUKS

cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 /dev/sdX

Formats /dev/sdX with AES encryption using a 512-bit key.

Open an Encrypted Device

cryptsetup luksOpen /dev/sdX my_volume

Maps the encrypted device /dev/sdX to /dev/mapper/my_volume.

Close an Encrypted Device

cryptsetup luksClose my_volume

Unmaps /dev/mapper/my_volume and closes the encrypted device.

Summary

cryptsetup is a versatile and essential tool for managing disk encryption on Linux systems. It supports LUKS and various encryption options, making it suitable for securing data on both physical and virtual disks. By understanding its commands and options, users can effectively create, manage, and secure encrypted volumes.