Managing LUKS on Debian
LUKS (Linux Unified Key Setup) is the disk encryption software that's available on Debian. It sits between the file system and the block device, and encrypts all data as it passes through.
Since LUKS works directly on the block device, all commands listed below must be executed as root.
Installing cryptsetup
Cryptsetup is the command used to manage LUKS. You can install it like this:
apt-get install cryptsetup
Creating an encrypted volume
cryptsetup -v --type luks2 luksFormat /dev/DEVICE
Note that luksFormat overwrites the start of the device with a new LUKS header, so any data already on /dev/DEVICE becomes inaccessible; cryptsetup asks for confirmation before doing so.
You can also create an encrypted volume on a disk image instead. In that case, first create the disk image with a command like the following:
touch disk.img
fallocate -v -l 100MiB disk.img
Don't use sparse images. LUKS will consider them too small.
Opening an encrypted volume
cryptsetup luksOpen /dev/DEVICE volumename
The decrypted volume then becomes available as the block device /dev/mapper/volumename.
Closing an encrypted volume
cryptsetup luksClose volumename
Listing slots
Each method that can unlock a disk is stored in a slot, in a header on the LUKS partition. You can list all slots (and other metadata) by issuing the following command:
cryptsetup luksDump /dev/sda3
This would list the slots for disk sda3.
Adding a password slot
You can add an additional password that can unlock the disk by executing:
cryptsetup luksAddKey /dev/sda3
This will add a new password for disk sda3. You will be prompted for an existing password!
Adding a keyfile slot
This method uses a file to unlock the disk. You add it exactly as you would a new password, with one additional parameter: the path of the file.
cryptsetup luksAddKey /dev/sda3 /home/keyfile.txt
This will add a new keyfile (located in /home/keyfile.txt) for disk sda3. You will be prompted to authenticate with an existing method! Keep the keyfile readable by root only (for example mode 0400): anyone who can read it can unlock the disk.
Adding a Yubikey slot
Clearing a slot
If you want to remove an authentication method, you need to clear the corresponding slot. You can do so by issuing the following command:
cryptsetup -v luksKillSlot /dev/sda3 0
This would clear slot 0 (slots are zero-based) on disk sda3. Note that you will be asked to authenticate with an authentication method stored in another slot. Never clear the last remaining slot: once no slot is left, the volume can no longer be opened.
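As an added example (not part of the original page), a small Python helper that parses the text of cryptsetup luksDump to list the keyslots in use and checks that a slot is safe to clear before running luksKillSlot; the dump text below is a constructed, abbreviated sample, not output from a real device.

```python
import re

# Constructed, abbreviated `cryptsetup luksDump` output for a LUKS2 header with
# keyslots 0 and 2 in use (slot 1 was cleared). Real output indents with tabs.
SAMPLE_DUMP = """\
LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
  2: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
Tokens:
Digests:
  0: pbkdf2
"""


def parse_keyslots(dump):
    """Return {slot_number: {attribute: value}} from the Keyslots section only."""
    slots, current, in_keyslots = {}, None, False
    for line in dump.splitlines():
        if not line.startswith((" ", "\t")):   # unindented: a section header
            in_keyslots = line.startswith("Keyslots:")
            continue
        if not in_keyslots:
            continue
        m = re.match(r"^\s+(\d+): (\S+)$", line)   # "  N: luks2" opens a slot
        if m:
            current = int(m.group(1))
            slots[current] = {"type": m.group(2)}
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            slots[current][key.strip()] = value.strip()
    return slots


def kill_slot_check(slots, slot):
    """Pre-flight for luksKillSlot: refuse unused slots and the last remaining slot."""
    if slot not in slots:
        return "slot %d is not in use" % slot
    if len(slots) == 1:
        return "slot %d is the last keyslot; clearing it makes the volume unrecoverable" % slot
    return "ok"
```

On a real system, feed it the output of cryptsetup luksDump /dev/sda3 and run kill_slot_check before clearing anything.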
