How to enable LUKS disk encryption with keyfile on Linux

We can add a key file to a LUKS-encrypted volume on Linux with the cryptsetup command. The contents of the key file are used as the passphrase to unlock the encrypted volume, so the disk can be opened without typing anything at a keyboard, for example at boot or over an ssh session. Anyone who can read the key file can unlock the volume, so it must be owned by root, readable only by root, and stored somewhere at least as well protected as the data it unlocks. There are different types of key files we can add to a LUKS-encrypted volume on Linux, as per our needs:

how to use chmod and chown commands for more info.

Step 2 – Fill the device with random data

Let us set the device name (adjust it to your disk; everything on it will be destroyed):
DEVICE=/dev/sdc
Use the shred command to overwrite the whole device ($DEVICE) with one pass of random data, so that used and unused space are indistinguishable once it is encrypted (on SSDs and other flash media this does not reliably overwrite the cells because of wear levelling):
shred -v --iterations=1 $DEVICE
Enable LUKS disk encryption with a key file and use shred command


Step 3 – Format the device with LUKS

The syntax is as follows to initialise the LUKS header on the device; the passphrase you are asked for becomes key slot 0 and serves as the backup passphrase:
cryptsetup luksFormat $DEVICE

WARNING!
========
This will overwrite data on /dev/sdc irrevocably. Are you sure? (Type uppercase yes): YES

Add and enable the key file

Next, we add the key file to the LUKS header as follows (cryptsetup first asks for the existing passphrase from slot 0, then stores the key file in a second slot):
cryptsetup luksAddKey $DEVICE $DEST
Adding both backup passphrase and key file using cryptsetup on Linux LUKS hard disk

Verify that both the backup passphrase and the key file are set for /dev/sdc:
cryptsetup luksDump $DEVICE

Linux cryptsetup luksFormat key file dumping

Two active key slots indicate that we have a backup passphrase (slot 0) and a key file (slot 1); either one can unlock /dev/sdc.

Step 3 (continued) – Open the device

We use the luksOpen action (the older spelling of cryptsetup open) as follows to open our device using the key file:
DEV_NAME="backup2"
cryptsetup luksOpen $DEVICE $DEV_NAME --key-file $DEST

If your key file is lost, destroyed or corrupted, use the backup passphrase instead:
DEV_NAME="backup2"
cryptsetup luksOpen $DEVICE $DEV_NAME

Enter passphrase for /dev/sdc:

The unlocked device appears at /dev/mapper/$DEV_NAME; verify it with the ls and file commands:
ls -l /dev/mapper/$DEV_NAME
file -L /dev/mapper/$DEV_NAME

How to use a file as a LUKS device key


Step 4 – Create a filesystem on the device

Use the mkfs.ext4 command or the mkfs.xfs command on the unlocked mapping (never on /dev/sdc itself, which would destroy the LUKS header):
mkfs.ext4 /dev/mapper/$DEV_NAME
# OR #
mkfs.xfs /dev/mapper/$DEV_NAME

Step 5 – Mount the device

Use the mkdir command and the mount command as follows to mount the unlocked volume:
mkdir /backup2
mount /dev/mapper/$DEV_NAME /backup2

Verify it using the df and mount commands:
df -HT /backup2
mount | grep ^/backup2

Add LUKS disk encryption with keyfile on Linux and format it with ext4


Step 6 – Persistent (permanent) LUKS mounting at boot time using a key file

Append the following line to the /etc/crypttab file (fields: mapper name, LUKS device, key file, options). The key file must be readable only by root and must live on a filesystem that is already mounted when the entry is processed, normally the root filesystem. Prefer identifying the disk by UUID (from blkid or cryptsetup luksUUID $DEVICE) in the second field, because /dev/sdc may point at a different disk after a reboot:
backup2 /dev/sdc /mykeyfile luks
Add or edit the following line in the /etc/fstab file (use xfs in the third field if you formatted with mkfs.xfs):
/dev/mapper/backup2 /backup2 ext4 defaults 1 2

Step 7 – Closing the device

First unmount it using the umount command and then close it as follows:
umount /backup2/
cryptsetup close backup2

Step 8 – Emergency access when key enabled LUKS disk encryption damaged

Since we added a backup passphrase in key slot 0, all you have to do is type the following commands and enter the passphrase when prompted:
DEVICE=/dev/sdc
DEV_NAME="backup2"
cryptsetup luksOpen $DEVICE $DEV_NAME
mount /dev/mapper/$DEV_NAME /backup2
df -HT /backup2
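The whole procedure from Step 2 to Step 6 as one script, added here as an example; it is not code from the original page or from the cryptsetup project. The function names, the 4096-byte key-file size and the argument order are assumptions for illustration. The cryptsetup, shred, mkfs and mount invocations are the ones used in the steps above, plus the checks a practitioner would add: the key file must be root-owned and not group/other readable, and the crypttab entry refers to the disk by UUID rather than by /dev/sdX.

```shell
#!/bin/bash
# Added example (not from the original page): Steps 2 to 6 as one script with
# the checks a practitioner would add. Hypothetical/assumed: the function names,
# the 4096-byte key-file size and the positional-argument order.
# Everything on DEVICE is destroyed; run it only against a disk you mean to wipe.
set -eu

# Create a random 4096-byte key file that only root can read.
make_keyfile() {
    keyfile=$1
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=512 count=8 status=none )
    chmod 0400 "$keyfile"
}

# Return 0 only if the key file's mode grants nothing to group and other
# (e.g. 400 or 600). stat -c is GNU coreutils, as on the Linux hosts this page targets.
keyfile_mode_ok() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        [0-7]00|[0-7][0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# /etc/crypttab line: refer to the disk by UUID, not /dev/sdX, because device
# letters can change between boots and the wrong disk would then be opened.
crypttab_entry() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# /etc/fstab line for the mapped device; the filesystem type must match mkfs.
fstab_entry() {
    printf '/dev/mapper/%s %s %s defaults 1 2\n' "$1" "$2" "$3"
}

# Usage: setup_luks_keyfile DEVICE MAPPER_NAME KEYFILE MOUNTPOINT [ext4|xfs]
setup_luks_keyfile() {
    device=$1 name=$2 keyfile=$3 mountpoint=$4 fstype=${5:-ext4}

    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -b "$device" ] || { echo "$device is not a block device" >&2; return 1; }
    [ -e "$keyfile" ] || make_keyfile "$keyfile"
    keyfile_mode_ok "$keyfile" || { echo "$keyfile is readable by group/other" >&2; return 1; }
    [ "$(stat -c '%u' "$keyfile")" -eq 0 ] || { echo "$keyfile must be owned by root" >&2; return 1; }

    # Step 2: one pass of random data so used and unused space look alike.
    shred -v --iterations=1 "$device"

    # Step 3: initialise the LUKS header; you are prompted for the backup passphrase (slot 0).
    # --batch-mode skips the "Type uppercase yes" question; --verify-passphrase keeps the
    # retype check that batch mode would otherwise drop.
    cryptsetup luksFormat --batch-mode --verify-passphrase "$device"
    # Add the key file as a second key slot; cryptsetup asks for the slot 0 passphrase first.
    cryptsetup luksAddKey "$device" "$keyfile"
    cryptsetup open --type luks "$device" "$name" --key-file "$keyfile"

    # Steps 4 and 5: filesystem on the mapping (never on $device itself), then mount.
    "mkfs.$fstype" "/dev/mapper/$name"
    mkdir -p "$mountpoint"
    mount "/dev/mapper/$name" "$mountpoint"

    # Step 6: persistent unlock at boot, keyed by the LUKS UUID.
    uuid=$(cryptsetup luksUUID "$device")
    crypttab_entry "$name" "$uuid" "$keyfile" >> /etc/crypttab
    fstab_entry "$name" "$mountpoint" "$fstype" >> /etc/fstab
}

# Run only when called with arguments, so the functions can also be sourced.
if [ "$#" -ge 4 ]; then
    setup_luks_keyfile "$@"
fi
```

Invoke it as root, for example `setup_luks_keyfile /dev/sdc backup2 /root/backup2.key /backup2 ext4`; the two cryptsetup prompts (backup passphrase, then the same passphrase again for luksAddKey) are the only interactive steps.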

Summing up

This page described how to use a random LUKS key file along with a backup passphrase for unlocking encrypted volumes on Linux. It is also possible to protect your key file with 2FA, which we will cover next time. Always keep a verified backup of the data following the 3-2-1 method, and back up the LUKS header as well (cryptsetup luksHeaderBackup --header-backup-file FILE $DEVICE): if the header is damaged, neither the key file nor the passphrase can recover the data. See the cryptsetup project home page for more info and read the following man page:
man cryptsetup

Posted by Contributor