Removable disk encryption with dm-crypt/LUKS


dm-crypt is a device-mapper target that provides transparent encryption of block devices using the new Linux 2.6 cryptoapi. We will not use dm-crypt directly to setup the block device mappings because of its complexity, but instead we’ll use an enhanced version of a program called cryptsetup, which has the LUKS(Linux Unified Key Setup) extension enabled.

LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not only facilitate compatibility among distributions, but also provides secure management of multiple user passwords. In contrast to existing solution, LUKS stores all setup necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly.

Cryptsetup is used to conveniently setup dm-crypt managed device-mapper mappings.

Install cryptsetup

Debian/Ubuntu users can install cryptsetup via apt.

$ sudo apt-get install cryptsetup

Encryption Preparation

You can encrypt contents of removable mass devices, e.g. USB memory stick on “/dev/sdx”, using dm-crypt/LUKS. You simply formatting it as the following.

Re-writing information to the entire device will ensure the integrity of the encryption if the disk is attempted to be “cracked” into. We will use the ‘badblocks‘ command to perform a badblock scan on the hard disk to detect an early failure while overwriting the hard drive with random data at the same time. Remember this operation is very time consuming.

$ sudo badblocks -c 10240 -s -w -t random -v /dev/sdx

-c is the number of blocks which are tested at a time. The default is 64.
-w is the write-mode test. With this option, badblocks scans for bad blocks by writing some patterns (0xaa, 0x55, 0xff, 0x00) on every block of the device, reading every block and comparing the contents.
-t specify a test pattern to be read (and written) to disk blocks.
-s show progress
Read man badblocks(8) for more details.

Now we will use shred to overwrite the disk repeatedly, in order to make it harder for even very expensive hardware probing to recover the data.

$ sudo shred -v -n 1 /dev/sdx

-n is number of iterations. Default is 3.

If you are really paranoid for the security of data, you may need to overwrite multiple times in the above example. This operation is very time consuming though.

Read man shred(1) for more details.

Filesystem Preparation

The file system will need to be partitioned prior to running the cryptsetup commands. In the example setup, one partition is created that spans the entire disk:

$ sudo fdisk /dev/sdx
[sudo] password for segfault:
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x9f9bbbd7.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
Command (m for help):

Once we get the fdisk prompt we will use the following commands to create our partition. “n” “p” “1” “return” “return” “w“.
n for adding a new partion, p for primary partition, 1 is the partition number. Press “return” to use the default values for partition geometry. Finally press “w” to write changes to disk.

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
Partition number (1-4): 1
First cylinder (1-1020, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-1020, default 1020):
Using default value 1020
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.

Filesystem Encryption

Now we will initialize a LUKS partition and sets the initial key. This will prompt you for a passphrase. This passphrase will be used as a password for our device. Enter and confirm the passphrase.

$ sudo cryptsetup luksFormat /dev/sdx1
This will overwrite data on /dev/sdx1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

Now use the following command to open the LUKS partition sdx1 and sets up a mapping. You will need to enter the passphrase for proceeding.

$ sudo cryptsetup luksOpen /dev/sdx1 sdx1
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

You can see the mapping by

$ ls -l /dev/mapper/
total 0
crw-rw---- 1 root root  10, 60 2010-03-25 20:04 control
brw-rw---- 1 root disk 252,  0 2010-03-25 23:36 sdx1

Format media in ext3 file format

$ sudo mkfs.ext3 /dev/mapper/sdx1

You may alternatively format media in different file format, e.g., vfat with “mkfs.vfat /dev/sdx1”.

Finally remove our mapping.

$ sudo cryptsetup luksClose sdx1

Our device can be now mounted just like normal one, except for asking password under modern desktop environment, such as GNOME. The difference is that every data written to it is encrypted.


You can see our device will be shown as encrypted in the file manger side bar.


If you are using the mount command, you will need to set the mapping before you can mount.

# cryptsetup luksOpen /dev/sdx1 sdx1
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
# mount /dev/sdx1 /mnt/
# umount /mnt
# cryptsetup luksClose sdx1

Happy encrypting 🙂


Eric Moore March 26, 2010

I noticed you tested for bad sectors, but didn't comment on how tolerant dm-crypt/LUKS would be if any occur later on.

The reason I ask is TrueCrypt has a reputation for being very error tolerant of bad sectors. It also has a option for backing up volume headers. Could you elaborate on how robust dm-crypt/LUKS is and if there anything practical you can do to make it more tolerant?

I'm far more concerned about losing my data than the possibility of “very expensive hardware probing to recover the data. “

note: I used a bogus email address as your commenting system requires a valid email address to even post as a guest, and doesn't state anywhere whether the email address will be displayed.

I also saw a red square that said: “Warning: A browser setting is preventing you from logging in. Fix this setting to log in.” However, clicking on that link just displayed the article again.

Iswar Cse June 14, 2010

dm command for hard disk

Abhishek Shrivastava February 11, 2011

Thanks, worked like a charm !