Set up LUKS full disk encryption during Linux installation

Verify hardware compatibility

Modern systems support LUKS encryption without issues, but older hardware may have performance limitations.

# Check if your CPU supports AES-NI acceleration
grep -m1 -o aes /proc/cpuinfo

Check available entropy for key generation
cat /proc/sys/kernel/random/entropy_avail

Choose your encryption method

You can encrypt the entire disk or just specific partitions. Full disk encryption is more secure but requires unlocking during boot.

Create installation media

Download the latest ISO for your chosen distribution and create bootable installation media.

# Create bootable USB on Linux
sudo dd if=ubuntu-24.04-desktop-amd64.iso of=/dev/sdX bs=4M status=progress
sudo sync

Boot from installation media

Start your system from the USB drive and begin the installation process. The encryption setup varies slightly between distributions.

Configure disk partitioning with encryption

During the partitioning step, select manual partitioning or advanced options to enable LUKS encryption.

Set up recommended partition scheme

For servers, use this partition layout for optimal security and recovery options.

# Unencrypted boot partition (required for GRUB)
/boot     - 1GB ext4 (unencrypted)

Encrypted LVM physical volume
/dev/sda2 - Remaining space (LUKS encrypted)
  /         - 20-50GB ext4 (root filesystem)
  /home     - 10-100GB ext4 (user data)
  swap      - 2-8GB swap (encrypted swap)

Configure encryption parameters

Modern installers use secure defaults, but you can specify stronger encryption if needed.

# Default LUKS2 parameters (automatically set)
Cipher: aes-xts-plain64
Key size: 256 bits
Hash: sha256
Iterations: ~4 seconds of PBKDF2

Complete installation

Continue with the standard installation process. The system will automatically configure GRUB to prompt for the LUKS passphrase during boot.

Verify LUKS configuration

After rebooting, check that encryption is working correctly.

# Check LUKS device status
sudo cryptsetup status /dev/mapper/dm_crypt-0

View LUKS header information
sudo cryptsetup luksDump /dev/sda2

List active mapped devices
ls -la /dev/mapper/

Create backup recovery keys

Add additional passphrases or key files to avoid being locked out if you forget the primary passphrase.

# Add a second passphrase to key slot 1
sudo cryptsetup luksAddKey /dev/sda2

Generate and add a random key file
sudo dd if=/dev/urandom of=/root/luks-key bs=1024 count=4
sudo chmod 400 /root/luks-key
sudo cryptsetup luksAddKey /dev/sda2 /root/luks-key

Backup LUKS headers

The LUKS header contains encryption metadata. If corrupted, your data becomes unrecoverable even with the correct passphrase.

# Backup LUKS header to external storage
sudo cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file /media/backup/luks-header-backup

Verify backup integrity
sudo cryptsetup luksHeaderRestore /dev/sda2 --header-backup-file /media/backup/luks-header-backup --test

Configure automatic unlocking for additional drives

If you have multiple encrypted drives, set up key files to avoid entering multiple passphrases during boot.

# Generate key file for secondary drive
sudo dd if=/dev/urandom of=/etc/luks-keys/data-drive-key bs=1024 count=4
sudo chmod 600 /etc/luks-keys/data-drive-key

Add key to secondary encrypted drive
sudo cryptsetup luksAddKey /dev/sdb1 /etc/luks-keys/data-drive-key

Update crypttab for automatic mounting

Configure the system to automatically decrypt and mount additional encrypted drives using key files.

# Add entry for secondary encrypted drive
data_crypt /dev/sdb1 /etc/luks-keys/data-drive-key luks,discard

Enable SSD optimizations

For SSD drives, enable TRIM support to maintain performance and extend drive lifespan.

# Check if TRIM is supported
sudo fstrim -v /

Enable automatic TRIM (if supported)
sudo systemctl enable fstrim.timer

Monitor encryption performance

Measure the performance impact of encryption on your system.

# Test disk encryption/decryption speed
sudo cryptsetup benchmark

Monitor I/O performance with iostat
sudo apt install -y sysstat  # Ubuntu/Debian
sudo dnf install -y sysstat  # AlmaLinux/Rocky
iostat -x 1 5

Tune encryption parameters for performance

Adjust kernel parameters if you experience performance issues with encrypted storage.

# Increase maximum AIO requests for encrypted devices
fs.aio-max-nr = 1048576

Optimize dirty page writeback for encrypted filesystems
vm.dirty_ratio = 15
vm.dirty_background_ratio = 5

Apply sysctl changes

Load the new kernel parameters without rebooting.

sudo sysctl -p /etc/sysctl.d/99-luks-performance.conf

Set up TPM-based unlocking

For servers with TPM 2.0 chips, you can automatically unlock LUKS using hardware-backed keys.

# Install TPM tools
sudo apt install -y tpm2-tools clevis clevis-luks clevis-tpm2  # Ubuntu/Debian
sudo dnf install -y tpm2-tools clevis clevis-luks clevis-tpm2  # AlmaLinux/Rocky

Bind LUKS to TPM
sudo clevis luks bind -d /dev/sda2 tpm2 '{}'

Update initramfs to include clevis
sudo update-initramfs -u  # Ubuntu/Debian
sudo dracut -f  # AlmaLinux/Rocky

Network-based key escrow with Tang

For automated server deployments, set up network-based key escrow using Tang servers.

# Install Tang client tools
sudo apt install -y clevis clevis-luks clevis-tang  # Ubuntu/Debian
sudo dnf install -y clevis clevis-luks clevis-tang  # AlmaLinux/Rocky

Bind LUKS to Tang server
sudo clevis luks bind -d /dev/sda2 tang '{"url":"http://tang.example.com"}'

Test LUKS functionality

Verify that encryption is working properly and recovery options are available.

# Check LUKS device status
sudo cryptsetup status /dev/mapper/dm_crypt-0

Verify all key slots
sudo cryptsetup luksDump /dev/sda2 | grep "Key Slot"

Test backup passphrase
sudo cryptsetup luksOpen --test-passphrase /dev/sda2

Check filesystem encryption status
sudo blkid | grep crypto_LUKS

Performance verification

Measure encryption overhead and ensure performance is acceptable.

# Simple write performance test
dd if=/dev/zero of=/tmp/testfile bs=1M count=1024 conv=fsync

Check if hardware acceleration is working
grep aes /proc/cpuinfo
dmesg | grep -i aes

Emergency recovery procedures

If you're locked out or experiencing boot issues, boot from live media and manually unlock the drive.

# Boot from live USB and install cryptsetup
sudo apt update && sudo apt install -y cryptsetup

Manually unlock encrypted drive
sudo cryptsetup luksOpen /dev/sda2 recovery_root

Mount filesystem for repair
sudo mkdir /mnt/recovery
sudo mount /dev/mapper/recovery_root /mnt/recovery
sudo mount /dev/sda1 /mnt/recovery/boot

Chroot into system for repairs
sudo chroot /mnt/recovery

Reset forgotten passphrase

If you have a backup key but forgot the primary passphrase, you can reset it.

# Remove old passphrase (using backup key)
sudo cryptsetup luksRemoveKey /dev/sda2

Add new passphrase
sudo cryptsetup luksAddKey /dev/sda2

Regular maintenance tasks

Perform these tasks periodically to maintain security and prevent data loss.

• Test backup passphrases and key files monthly
• Verify LUKS header backups are accessible
• Monitor key slot usage and remove unused keys
• Update encryption if new vulnerabilities are discovered

Integrate with monitoring systems

Set up monitoring to detect encryption-related issues before they become critical.

# Create script to check LUKS status
cat > /usr/local/bin/check-luks.sh << 'EOF'
#!/bin/bash
if ! cryptsetup status /dev/mapper/dm_crypt-0 > /dev/null 2>&1; then
    echo "CRITICAL: LUKS device not active"
    exit 2
fi
echo "OK: LUKS encryption active"
EOF

chmod +x /usr/local/bin/check-luks.sh

Backup encrypted data

Back up the encrypted block device directly or decrypt first depending on your security requirements.

# Option 1: Backup encrypted block device (preserves encryption)
sudo dd if=/dev/sda2 of=/backup/encrypted-disk.img bs=64K

Option 2: Backup decrypted filesystem (requires unlocked LUKS)
sudo rsync -avx / /backup/root-backup/