LUKS — Linux Disk Encryption

Mon, 01 Jan 2024 00:00:00 +0000

LUKS (Linux Unified Key Setup) is the standard for full-disk encryption on Linux. It uses dm-crypt in the kernel to encrypt block devices transparently — the filesystem sits on top of an encrypted layer, and the encryption happens below it. The LUKS header stores the encrypted key material and metadata, supporting up to eight independent key slots (passphrases or keyfiles) that all unlock the same volume.

Setup

# Encrypt a device (destroys existing data)
cryptsetup luksFormat /dev/sdb

# Open the encrypted device, exposing it as a plaintext mapper device
cryptsetup luksOpen /dev/sdb data-encrypted

# Format and use the plaintext device normally
mkfs.ext4 /dev/mapper/data-encrypted
mount /dev/mapper/data-encrypted /mnt/data

# Close when done
umount /mnt/data
cryptsetup luksClose data-encrypted

Key slots

LUKS supports multiple passphrases or keyfiles — useful for adding a recovery key alongside an operational passphrase:

# Add a second key slot (e.g. a recovery keyfile)
cryptsetup luksAddKey /dev/sdb /path/to/recovery.key

# Remove a key slot
cryptsetup luksRemoveKey /dev/sdb

# List key slot usage
cryptsetup luksDump /dev/sdb

Auto-unlock at boot

For encrypted root or data partitions that should unlock automatically on boot, add the device to /etc/crypttab with a keyfile path:

data-encrypted /dev/sdb /etc/keys/data.key luks

Then add the plaintext device to /etc/fstab as normal. On servers, the keyfile is stored on a separate volume or fetched from a secrets manager (Vault, Tang/Clevis for network-bound disk encryption).

Use in Kubernetes

Node-level disk encryption with LUKS protects data at rest on Kubernetes worker nodes — persistent volume data stored on the node’s disks is encrypted before it leaves the kernel. Talos Linux enables LUKS encryption for its state and ephemeral partitions by default.

Disk on Backend Engineering Strategy Tools

LUKS — Linux Disk Encryption

Setup

Key slots

Auto-unlock at boot

Use in Kubernetes

Resources