How to enable LUKS disk encryption with keyfile on Linux

We can easily add a key file to LUKS disk encryption on Linux when running the cryptsetup command. A key file is used as the passphrase to unlock an encrypted volume. The passphrase allows Linux users to open encrypted disks utilizing a keyboard or over an ssh-based session. There are different types of key files we can add and enable LUKS disk encryption on Linux as per our needs:

  1. Passphrase keyfile – It is a key file holding a simple passphrase.
  2. Random text keyfile – This is a key file comprising a block of random characters which is much more resistant to dictionary attacks than a simple passphrase-based key file.
  3. Binary keyfile – We can defile an image, video, or any other static binary file as key file for LUKS. It makes it harder to identify as a key file. It would look like a regular image file or video clip to the attacker instead of a random text keyfile.

Let us see how to enable LUKS disk encryption with a key file.

This post explains how to add and enable LUKS disk encryption with a key file on Linux and a backup passphrase to open encrypted disk volume.

How to enable LUKS disk encryption with keyfile on Linux

I strongly suggest that you create both keyfile and a passphrase for backup purposes if the defined keyfile is lost or changed. This way, you will be able to reaccess your data stored on encrypted volumes.

Step 1 – Creating a key file with random characters

WARNING! The selection of LUKS key type and storage medium depends upon your threat model. I am going to use a random text key and USB pen drive for storing the key. All commands must run as the root user. Be careful with Linux device names, as wrong device names will result in data loss. The author or nixCraft is not responsible for any such actions.

We can use the standard Linux command such as dd command or openssl command to create strong LUKS key. For instance:
For USB pen mounted at /mnt/usb/:
Use the dd command:
dd bs=512 count=4 if=/dev/random of=$DEST iflag=fullblock
As I said earlier, you can use the openssl command to generate strong LUKS key file as follows:
openssl genrsa -out $DEST 4096
Make sure only root user can access our key file using the chmod command/chown command:
chmod -v 0400 $DEST
chown root:root $DEST

See how to use chmod and chown commands for more info.

Step 2 – Stuff random data to the device

Let us set up device name:
Use the shred command overwrite a file ($DEVICE) to hide its contents:
shred -v --iterations=1 $DEVICE

Step 3 – Format device (hard drive)

The syntax is as follows to format and add a backup passphrase:
cryptsetup luksFormat $DEVICE

This will overwrite data on /dev/sdc irrevocably.

Are you sure? (Type uppercase yes): YES

Add and enable a key to LUKS disk encryption

Next, we are going add the keyfile to the LUKS header as follows:
cryptsetup luksAddKey $DEVICE $DEST

Verify that both backup passphrase and keyfile set for /dev/sdc:
cryptsetup luksDump $DEVICE

Two key slots are indicating that we have a backup passphrase and key file to unlock /dev/sdc using any one of the methods.

Step 3 – Open the device

We use the luksOpen option as follows to open our device using the keyfile:
cryptsetup luksOpen $DEVICE $DEV_NAME --key-file $DEST

For some reason, if your key file destroyed or corrupted, then we can use a backup passphrase as follows:
cryptsetup luksOpen $DEVICE $DEV_NAME

Enter passphrase for /dev/sdc:

You will see the device at /dev/mapper/$DEV_NAME using the ls command/file command:
ls -l /dev/mapper/$DEV_NAME
file -L /dev/mapper/$DEV_NAME

Step 4 – Format the device

Use the mkfs.ext4 command or mkfs.xfs command as follows:
mkfs.ext4 /dev/mapper/$DEV_NAME
# OR #
mkfs.xfs /dev/mapper/$DEV_NAME

Step 5 – Mount the device

Use the combination of mkdir command and mount command as follow to mount the /dev/sdc:
mkdir /backup2
mount /dev/mapper/$DEV_NAME /backup2

Verify it using the mount command:
df -HT /backup2
mount | grep ^/backup2

Step 6 – Persistent (permanent) LUKS mounting at boot time using a key file

Append the following line to /etc/crypttab file:
backup2 /dev/sdc /mykeyfile luks
Add/Edit the following line to /etc/fstab file:
/dev/mapper/backup2 /backup2 ext4 defaults 1 2

Step 7 – Closing the device

First unmount it using the umount command and then close it as follows:
umount /backup2/
cryptsetup close backup2

Step 8 – Emergency access when key enabled LUKS disk encryption damaged

Since we added a backup passphrase at slot # 0, all you have to do is type the following commands:
cryptsetup luksOpen $DEVICE $DEV_NAME
mount /dev/mapper/$DEV_NAME /backup2
df -HT /backup2

Summing up

This page described how to use a random LUKS key file along with a backup passphrase for unlocking encrypted volumes on Linux. It is also possible to encrypt your key file using 2FA, which we will cover next time. Please note that always keep verified backup in the 3-2-1 method. See cryptsetup project home page for more info and read the following man page:
man cryptsetup

This entry is 5 of 5 in the The Linux Unified Key Setup (LUKS) is a disk encryption Tutorial series. Keep reading the rest of the series:
  1. Linux Hard Disk Encryption With LUKS
  2. Backup and restore LUKS header on Linux
  3. Change LUKS disk encryption passphrase on Linux
  4. Unlock LUKS using Dropbear SSH keys remotely in Linux
  5. Add/enable LUKS disk encryption with keyfile on Linux

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 0 comments... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
0 comments… add one

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum