Recently, I bought a 2 TB Western Digital My Book to use for backups. I wanted to encrypt it, so I did a little research on dm-crypt/cryptsetup and LUKS. This guide is based on Debian Stretch. I suggest you read the cryptsetup(8) man page and the cryptsetup FAQ.


The process has three steps:

  1. Create the encrypted container.
  2. Open the encrypted container.
  3. Create a filesystem within the container.


Create the encrypted container on the raw disk with the cryptsetup tool. The cryptsetup FAQ addresses encrypting partitions vs raw disks.
The options below make cryptsetup ask for the passphrase twice, raise the master key size from the default of 256 to 512 bits, take the master key from /dev/random instead of /dev/urandom, and set the PBKDF2 iteration time to 60 seconds (60000 ms). Some caveats on those choices. With the default aes-xts-plain64 cipher, XTS splits the key in half, so 512 bits means AES-256 while the default 256 bits means AES-128. /dev/random can block while the kernel's entropy estimate is low, whereas /dev/urandom never blocks; on a system that has been running for a while both are fed from the same seeded pool, so --use-random mainly guards against formatting on a freshly booted machine before that pool has been seeded. A higher --iter-time makes offline passphrase guessing proportionally slower, but the same work is done every time the container is opened, so shorten it if a 60-second unlock is too much.
Remember to replace /dev/foo with the raw disk you want to encrypt, and check it with lsblk first: luksFormat overwrites the device's contents irrevocably.

~$ sudo cryptsetup --verbose --verify-passphrase --key-size 512 --use-random --iter-time 60000 luksFormat /dev/foo

This will overwrite data on /dev/foo irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Command successful.

You can confirm that the disk is now a LUKS container with the luksDump command.
NOTE: The hash spec below is sha1. LUKS1 uses it only inside PBKDF2 (key-slot derivation and the master-key digest) and the anti-forensic splitter, where SHA1's collision weakness does not apply; the cryptsetup FAQ explains this in more detail. If you would rather not see sha1 at all, pass --hash sha256 to luksFormat.

~$ sudo cryptsetup luksDump /dev/foo
LUKS header information for /dev/foo

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
MK digest:      3e 84 58 e1 69 85 f3 3f e5 ae 13 be 0d 78 60 82 10 bf 66 7f
MK salt:        02 65 40 1f f5 13 41 ef 03 bb 24 7c 69 18 e0 9a
                c0 14 c6 9a 0b d4 a6 90 a5 5e 98 00 bd 8e 96 00
MK iterations:  6570000
UUID:           73dc2efd-d448-4646-94f2-3a7a565ac738

Key Slot 0: ENABLED
        Iterations:             26301328
        Salt:                   56 9c a6 15 b4 ff 07 97 15 30 28 45 9e 7e b8 29
                                18 9d 50 a1 45 12 22 b9 a0 69 c0 59 58 ca 94 d6
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

As you can see, there are 8 key slots, meaning up to 8 different passphrases or keyfiles can unlock the volume. Each enabled slot is a separate encrypted copy of the same master key, so the volume is only as strong as the weakest passphrase in any enabled slot; the iteration count shown for slot 0 is what makes guessing that passphrase slow. Setting up the other key slots and using keyfiles is beyond the scope of this document.
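The luksDump output above is simply a decoding of the 592-byte LUKS1 header at the start of the device. What follows is an added example, not code from the original guide or from the cryptsetup project: a small Python parser for that header, following the field layout in the LUKS1 specification, together with the master-key digest check that cryptsetup performs on every successful unlock. The first header in the block (PAGE_HEADER) is constructed from the field values shown in the dump above, with the unused slots zeroed, which a real header does not do; the second (DEMO_HEADER) uses a constructed master key and a deliberately small iteration count so the digest check runs quickly. All function and constant names are the example's own.

```python
"""Decode a LUKS1 header (what luksDump reads) and check a master key against it."""
import hashlib
import hmac
import struct
import sys

# LUKS1 on-disk layout, integers big-endian, as given in the LUKS1 specification.
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"  # magic, version, cipher, mode, hash, payload offset,
                                        # key bytes, MK digest, MK salt, MK iterations, uuid
SLOT_FMT = ">II32sII"                   # active, iterations, salt, key material offset, stripes
LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
NUM_SLOTS = 8
HEADER_LEN = struct.calcsize(PHDR_FMT) + NUM_SLOTS * struct.calcsize(SLOT_FMT)  # 592
SECTOR = 512


def _cstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii")


def parse_luks1_header(buf: bytes) -> dict:
    """Decode the fields luksDump prints from the first 592 bytes of a LUKS1 device."""
    if len(buf) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} bytes, got {len(buf)}")
    (magic, version, cipher, mode, hash_spec, payload_offset, key_bytes,
     mk_digest, mk_salt, mk_iterations, uuid_raw) = struct.unpack_from(PHDR_FMT, buf, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0")
    if version != 1:
        raise ValueError(f"unsupported LUKS version {version}")
    slots = []
    for i in range(NUM_SLOTS):
        off = struct.calcsize(PHDR_FMT) + i * struct.calcsize(SLOT_FMT)
        active, iterations, salt, km_offset, stripes = struct.unpack_from(SLOT_FMT, buf, off)
        if active not in (SLOT_ENABLED, SLOT_DISABLED):
            raise ValueError(f"key slot {i}: corrupt active marker {active:#x}")
        slots.append({"enabled": active == SLOT_ENABLED, "iterations": iterations, "salt": salt,
                      "key_material_offset": km_offset, "stripes": stripes})
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hash_spec),
            "payload_offset": payload_offset, "mk_bits": key_bytes * 8, "mk_digest": mk_digest,
            "mk_salt": mk_salt, "mk_iterations": mk_iterations, "uuid": _cstr(uuid_raw),
            "slots": slots}


def effective_aes_bits(hdr: dict) -> int:
    """XTS uses two equal-size keys, so a 512-bit master key means AES-256 (256 would be AES-128)."""
    return hdr["mk_bits"] // 2 if hdr["mode"].startswith("xts") else hdr["mk_bits"]


def header_region_bytes(hdr: dict) -> int:
    """Bytes before the payload: header plus key material, the region luksHeaderBackup saves."""
    return hdr["payload_offset"] * SECTOR


def check_master_key(hdr: dict, master_key: bytes) -> bool:
    """LUKS1 stores PBKDF2(master key, MK salt, MK iterations); cryptsetup checks it on every open."""
    digest = hashlib.pbkdf2_hmac(hdr["hash"], master_key, hdr["mk_salt"], hdr["mk_iterations"], 20)
    return hmac.compare_digest(digest, hdr["mk_digest"])


def build_luks1_header(cipher, mode, hash_spec, key_bytes, mk_digest, mk_salt, mk_iterations,
                       uuid_str, slots, payload_offset=4096) -> bytes:
    """Assemble a header from field values; used here only to construct test data."""
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, cipher.encode(), mode.encode(), hash_spec.encode(),
                       payload_offset, key_bytes, mk_digest, mk_salt, mk_iterations, uuid_str.encode())
    return phdr + b"".join(struct.pack(SLOT_FMT, *slot) for slot in slots)


# Constructed from the field values in the luksDump output above. Unused slots are zeroed here;
# a real header also records a key material offset for each disabled slot.
PAGE_HEADER = build_luks1_header(
    "aes", "xts-plain64", "sha1", 64,
    bytes.fromhex("3e8458e16985f33fe5ae13be0d78608210bf667f"),
    bytes.fromhex("0265401ff51341ef03bb247c6918e09ac014c69a0bd4a690a55e9800bd8e9600"),
    6570000, "73dc2efd-d448-4646-94f2-3a7a565ac738",
    [(SLOT_ENABLED, 26301328,
      bytes.fromhex("569ca615b4ff0797153028459e7eb829189d50a1451222b9a069c05958ca94d6"), 8, 4000)]
    + [(SLOT_DISABLED, 0, bytes(32), 0, 4000)] * (NUM_SLOTS - 1))

# Constructed master key and a small iteration count so check_master_key() runs in milliseconds;
# the real volume above uses 6570000 iterations for this digest.
DEMO_MK = hashlib.sha512(b"constructed master key, not from any real volume").digest()  # 64 bytes
DEMO_SALT = bytes(range(32))
DEMO_HEADER = build_luks1_header(
    "aes", "xts-plain64", "sha1", 64, hashlib.pbkdf2_hmac("sha1", DEMO_MK, DEMO_SALT, 1000, 20),
    DEMO_SALT, 1000, "00000000-0000-0000-0000-000000000000",
    [(SLOT_DISABLED, 0, bytes(32), 0, 4000)] * NUM_SLOTS)

if __name__ == "__main__":
    # python3 luks1hdr.py /dev/foo  (reading a raw device needs root)
    with open(sys.argv[1], "rb") as f:
        h = parse_luks1_header(f.read(HEADER_LEN))
    print(f"{h['cipher']}-{h['mode']} hash={h['hash']} MK bits={h['mk_bits']} "
          f"(AES-{effective_aes_bits(h)}), header region {header_region_bytes(h)} bytes")
    for i, s in enumerate(h["slots"]):
        print(f"Key Slot {i}: " + (f"ENABLED, {s['iterations']} iterations" if s["enabled"] else "DISABLED"))
```

Saved as, say, luks1hdr.py and run against the device, it prints the same cipher, key size and slot summary as luksDump, plus two things luksDump does not spell out: the effective AES key size under XTS, and the size of the region (2 MiB for a payload offset of 4096 sectors) that a header backup must cover. The digest check shows why a damaged header is fatal: without the MK salt and digest from the header, even the correct master key cannot be recognised.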

Now open the container. Remember, no filesystem exists on it yet. Unlocking takes about 60 seconds on the machine that ran luksFormat, because the iteration count it chose for --iter-time 60000 (26301328 for slot 0 above) is stored in the header and recomputed from your passphrase on every open; on a slower machine it takes proportionally longer. If that is too slow, re-run luksFormat with a smaller --iter-time now, while the container is still empty.

~$ sudo cryptsetup open --type luks /dev/foo backup
Enter passphrase for /dev/foo:

As you can see, cryptsetup has created a device-mapper device with the name you provided (in this case, "backup") under /dev/mapper; reads and writes through it are decrypted and encrypted transparently.

~$ ls -al /dev/mapper/backup
lrwxrwxrwx 1 root root 7 Apr 16 17:03 /dev/mapper/backup -> ../dm-7

Now that the encrypted volume is open, create a filesystem on it. I chose ext4, but any filesystem will do. Note that -c runs a read-only bad-block scan before formatting, which on a 2 TB disk takes hours (the output below was captured while the scan was still running); leave it out if you do not want the check. -m 0 reserves no blocks for root, which is reasonable for a backup volume.

~$ sudo mkfs.ext4 -c -L Backup -m 0 /dev/mapper/backup
mke2fs 1.42.12 (29-Aug-2014)
Creating filesystem with 488369920 4k blocks and 122093568 inodes
Filesystem UUID: 1ee5c6a0-aa9f-487b-9e29-592f62b04bc7
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
    102400000, 214990848

Checking for bad blocks (read-only test): 49.74% done, 2:22:09 elapsed. (0/0/0 errors)
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

Mount the new filesystem at /mnt/backup (create the mount point first; the mount command is in the quick reference below). When you are finished, unmount it and close the container, which removes the device-mapper mapping so the plaintext is no longer reachable until the next open:

sudo umount /mnt/backup
sudo cryptsetup close backup

To let an ordinary user mount it without sudo (opening the container still needs root), add the following line to /etc/fstab. The user option lets a non-root user mount the entry and the same user unmount it; mount makes user imply noexec, nosuid and nodev, and the line spells them out anyway. noauto keeps the system from trying to mount it at boot, when /dev/mapper/backup does not exist yet.

/dev/mapper/backup    /mnt/backup    ext4    noatime,noauto,nodev,nodiratime,noexec,nosuid,rw,user
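As an added check (this is example code, not from the original guide), the following Python audits fstab text the way mount(8) interprets it: it replays the option list in order, because user implies noexec,nosuid,nodev but a later exec, suid or dev turns that protection back off again, and it flags /dev/mapper entries that lack noauto, since such a mapping does not exist at boot unless /etc/crypttab sets it up. The sample fstab in the block is constructed: it contains the line above plus a weakened variant for contrast; the /dev/mapper/backup2 mapping, the /mnt/backup2 path and the LABEL=root entry are invented.

```python
"""Audit fstab entries for user-mountable and dm-crypt mapped devices (added example)."""
from dataclasses import dataclass, field

# Protections that mount(8) switches on implicitly for the 'user' and 'users' options.
# A later 'exec', 'suid' or 'dev' in the same option list switches them off again.
USER_IMPLIED = ("noexec", "nosuid", "nodev")


@dataclass
class FstabEntry:
    spec: str          # device path, UUID=..., LABEL=...
    mountpoint: str
    fstype: str
    options: list = field(default_factory=list)


def parse_fstab(text: str) -> list:
    """Parse fstab text into entries; the optional dump and pass fields are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed fstab line: {raw!r}")
        entries.append(FstabEntry(fields[0], fields[1], fields[2], fields[3].split(",")))
    return entries


def effective_restrictions(options: list) -> dict:
    """Replay the option list left to right, as mount does, and return the final state."""
    state = dict.fromkeys(USER_IMPLIED, False)
    for opt in options:
        if opt in ("user", "users"):
            state = dict.fromkeys(USER_IMPLIED, True)
        elif opt in state:                 # explicit noexec / nosuid / nodev
            state[opt] = True
        elif "no" + opt in state:          # exec / suid / dev re-enable the behaviour
            state["no" + opt] = False
    return state


def audit_fstab(text: str) -> list:
    """Return (mountpoint, problem) pairs for entries that deserve a second look."""
    findings = []
    for e in parse_fstab(text):
        if "user" in e.options or "users" in e.options:
            off = [k for k, on in effective_restrictions(e.options).items() if not on]
            if off:
                findings.append((e.mountpoint, "user-mountable with " + ",".join(off) + " switched off"))
        if e.spec.startswith("/dev/mapper/") and "noauto" not in e.options:
            findings.append((e.mountpoint, "no noauto: boot will try to mount a mapping that only exists "
                                           "after cryptsetup open, unless /etc/crypttab creates it"))
    return findings


# Constructed sample: the line from this guide plus a weakened variant for contrast.
SAMPLE_FSTAB = """\
# <file system>  <mount point>  <type>  <options>  <dump>  <pass>
LABEL=root  /  ext4  errors=remount-ro  0  1
/dev/mapper/backup   /mnt/backup   ext4  noatime,noauto,nodev,nodiratime,noexec,nosuid,rw,user  0  0
/dev/mapper/backup2  /mnt/backup2  ext4  user,exec,suid,rw  0  0
"""

if __name__ == "__main__":
    for mountpoint, problem in audit_fstab(SAMPLE_FSTAB):
        print(f"{mountpoint}: {problem}")
```

On the constructed sample the guide's own line passes cleanly, while the weakened entry is reported twice: once because exec and suid after user undo two of the three implied protections, and once because without noauto the boot would wait on a mapping that is not there.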

Useful Commands

For quick reference: Open, mount, unmount, and close an encrypted volume (assuming backup is the name of the mapper):

sudo cryptsetup open --type luks /dev/foo backup
sudo mount /dev/mapper/backup /mnt/backup
sudo umount /mnt/backup
sudo cryptsetup close backup

cryptsetup also provides commands to manage a LUKS volume: luksAddKey, luksChangeKey, luksRemoveKey and luksKillSlot for the key slots, luksHeaderBackup and luksHeaderRestore for the header, plus repair and benchmark. Make a header backup (luksHeaderBackup with --header-backup-file) as soon as the volume is formatted: if the header is damaged, the data is unrecoverable even with the correct passphrase. The backup contains the key slots, so protect it as carefully as the passphrase itself.

For more information, see the cryptsetup(8) man page.