About

LUKS can be used for seamless full-drive encryption under Linux and, in combination with dm-crypt and cryptsetup, encrypting a drive is fairly straightforward.

Requirements

cryptsetup under Debian can be installed with:

aptitude install cryptsetup

Benchmarks

Depending on the required balance between speed and security, you probably want to run:

cryptsetup benchmark

in order to benchmark the available ciphers and pick whatever is suitable.

Creating a LUKS Volume

Supposing that the partition you want to encrypt is located at /dev/sdb1, you would issue:

cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash sha512 --iter-time 8000 --use-urandom --verify-passphrase luksFormat /dev/sdb1

This destroys any existing data on the partition and writes the LUKS header. You can pick the cipher, key size, hash, etc. Note that in XTS mode the key is split into two halves, so --key-size 512 means 256-bit Serpent keys; 512 bits is also the largest key size dm-crypt accepts for serpent-xts, and luksFormat rejects larger values such as 1024.

Opening the Volume

Now that the LUKS volume has been created, you need to unlock it so that the kernel exposes the decrypted contents as a device-mapper device. In order to do that, issue:

cryptsetup luksOpen /dev/sdb1 sparse

where:

  • /dev/sdb1 is the partition where the LUKS volume has been created,
  • sparse is a name of your choice for the mapped device; it is not a mount point, and the unlocked device appears as /dev/mapper/sparse.

Creating the Filesystem

To create a filesystem after opening the LUKS volume, you now issue:

mkfs.ntfs /dev/mapper/sparse

where:

  • /dev/mapper/sparse is the device node created by the luksOpen command.

Mounting the Filesystem

After the filesystem has been created, the easiest of the remaining steps is to mount it (the mount point /mnt/sparse must exist):

mount /dev/mapper/sparse /mnt/sparse

and you can use the partition right away.

Cleaning Up

To clean up and close the LUKS volume, first unmount the filesystem:

umount /mnt/sparse

followed by luksClose:

cryptsetup luksClose sparse

Expanding the Filesystem

In some situations, such as RAID arrays, it may be desirable to expand the filesystem when, say, a new drive has been added and needs to be used. The procedure is, in order:

  1. open the LUKS volume using luksOpen: cryptsetup luksOpen /dev/sdb1 sparse
  2. extend the LUKS mapping to the new size of the underlying device using resize: cryptsetup resize sparse
  3. finally, extend the filesystem inside the mapping with the tool for that filesystem, such as resize2fs for ext filesystems.

Using Keyfiles

Now that you have a passphrase set up, you can additionally use a keyfile to avoid having to type the passphrase by hand every time the LUKS volume needs to be unlocked and the filesystem mounted.

Generate a Keyfile

The following command:

dd bs=1024 count=8 if=/dev/urandom of=/etc/store/sparse.key

will generate a random 8 KiB keyfile at /etc/store/sparse.key.

The keyfile is equivalent to a passphrase, so it must be readable only by root and must live on a filesystem that is already available when the volume is unlocked (for boot-time unlocking, typically the root filesystem, which should itself be encrypted); a copy can be stored securely elsewhere as a backup.

Adding the Keyfile

With the keyfile generated, it has to be added to the volume as a valid key in a free key slot - this can be done by issuing:

cryptsetup luksAddKey /dev/sdb1 /etc/store/sparse.key

and you will be prompted for an existing passphrase to authorise the new key.

Manually Unlocking the LUKS Volume using the Keyfile

To check that the keyfile is working, issue:

cryptsetup luksOpen /dev/sdb1 sparse --key-file /etc/store/sparse.key

and the volume should be unlocked and available at /dev/mapper/sparse without a passphrase prompt.

Unlocking the Partition Automatically on Boot

To have the partition unlocked on boot, a new entry has to be added in /etc/crypttab:

# <target name>	<source device>		<key file>	<options>
sparse UUID="cf2e23f8-cf0d-4acf-8f88-be4deeaef958" /etc/store/sparse.key

where:

  • sparse is the LUKS volume name used in the previous sections.
  • the UUID cf2e23f8-cf0d-4acf-8f88-be4deeaef958 is obtained by issuing blkid and looking for the UUID of the partition holding the LUKS header - a UUID is preferable because kernel device names such as /dev/sdb1 may change between boots.
  • /etc/store/sparse.key is the path to the keyfile created in this section.

The final step is to add the filesystem inside the opened LUKS volume to the good old fstab so that it is mounted on boot:

UUID=0adc7b4e-14b1-4d19-abd1-2e7340f613fc        /mnt/sparse   ntfs        defaults        0       2

Once again, issue blkid (with the volume open) and look for the entry of /dev/mapper/sparse - it will be a different UUID than the one of the LUKS partition, since this one identifies the filesystem inside the volume.
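The following script is an added example and not part of the original page: it gathers the keyfile step and the crypttab/fstab step above into small shell functions that create a keyfile with root-only permissions, check that it does not live on the filesystem it is meant to unlock, validate a UUID before it is written into a boot-critical file, and print the two entries. It assumes a Linux host with GNU coreutils (stat -c) and uses the placeholder name, paths and UUIDs from this page; it never calls cryptsetup or touches a block device, so the output is meant to be reviewed and then copied into /etc/crypttab and /etc/fstab by hand.

```shell
#!/bin/sh
# Added example for this page, not part of the original: helpers that create a
# LUKS keyfile with restrictive permissions and emit the matching /etc/crypttab
# and /etc/fstab lines. Assumes Linux with GNU coreutils (stat -c). Nothing here
# touches cryptsetup or a real device; review the printed lines before installing them.

# make_keyfile PATH [BYTES]: create a random keyfile readable only by its owner.
# The size is verified afterwards so a short read can never yield a weak key.
make_keyfile() {
    path=$1
    bytes=${2:-8192}    # 8 KiB, the same size as the dd command on this page
    ( umask 077 && dd if=/dev/urandom of="$path" bs=1 count="$bytes" 2>/dev/null ) || return 1
    chmod 0400 "$path" || return 1
    size=$(wc -c < "$path" | tr -d ' ')
    [ "$size" -eq "$bytes" ]
}

# keyfile_is_private PATH: succeed only if the mode is exactly 0400 (no group/other access).
keyfile_is_private() {
    [ "$(stat -c %a "$1")" = "400" ]
}

# is_uuid STRING: accept only the canonical 8-4-4-4-12 lowercase hex form that blkid prints,
# so a typo or a stray device path never ends up in crypttab or fstab.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# keyfile_outside_mount KEYFILE MOUNTPOINT: a keyfile stored on the very filesystem it
# unlocks can never be read at boot, so refuse that layout.
keyfile_outside_mount() {
    case "$1" in
        "$2"/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# crypttab_line NAME UUID KEYFILE [OPTIONS]: print one /etc/crypttab entry
# (NAME becomes /dev/mapper/NAME; UUID is the one of the partition holding the LUKS header).
crypttab_line() {
    name=$1; uuid=$2; keyfile=$3; options=${4:-luks}
    is_uuid "$uuid" || { echo "crypttab_line: '$uuid' is not a UUID" >&2; return 1; }
    printf '%s UUID=%s %s %s\n' "$name" "$uuid" "$keyfile" "$options"
}

# fstab_line UUID MOUNTPOINT FSTYPE: print one /etc/fstab entry for the filesystem inside
# the mapped device (this is the filesystem UUID reported for /dev/mapper/NAME, not the LUKS one).
fstab_line() {
    uuid=$1; mountpoint=$2; fstype=$3
    is_uuid "$uuid" || { echo "fstab_line: '$uuid' is not a UUID" >&2; return 1; }
    printf 'UUID=%s %s %s defaults 0 2\n' "$uuid" "$mountpoint" "$fstype"
}

# Typical use (placeholder values from this page; run as root on the real host):
#   make_keyfile /etc/store/sparse.key && keyfile_is_private /etc/store/sparse.key
#   keyfile_outside_mount /etc/store/sparse.key /mnt/sparse
#   crypttab_line sparse cf2e23f8-cf0d-4acf-8f88-be4deeaef958 /etc/store/sparse.key
#   fstab_line 0adc7b4e-14b1-4d19-abd1-2e7340f613fc /mnt/sparse ntfs
```

After the keyfile has been added with luksAddKey, cryptsetup luksDump /dev/sdb1 lists the key slots in use, which is a quick way to confirm that the new key landed in a slot of its own and that the original passphrase slot is still present.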


linux/luks_drive_encryption.txt · Last modified: 2022/04/19 08:28 by 127.0.0.1
