cryptsetup — quick reference
LUKS format and open/close
Create LUKS2 containers, unlock them as /dev/mapper/name, and tear down mapper devices when you are done.
| When to use | Command |
|---|---|
| Format a partition as LUKS2 (destroys existing data) | sudo cryptsetup luksFormat --type luks2 /dev/sdc1 |
Same — skip the uppercase YES confirmation prompt |
sudo cryptsetup -q luksFormat --type luks2 /dev/sdc1 |
| Pick cipher and key size at format time | sudo cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/sdc1 |
| Open a LUKS device under a mapper name | sudo cryptsetup open /dev/sdc1 secure_data |
| Open with a key file instead of a typed passphrase | sudo cryptsetup open --key-file=/path/to/keyfile /dev/sdc1 secure_data |
| Check a passphrase without activating the mapper | sudo cryptsetup open --test-passphrase /dev/sdc1 |
| Close (remove) an active mapper | sudo cryptsetup close secure_data |
| Test whether a block device has a LUKS header | sudo cryptsetup isLuks /dev/sdc1 |
| Print the LUKS UUID | sudo cryptsetup luksUUID /dev/sdc1 |
Key management (luksAddKey, luksRemoveKey, luksChangeKey, luksKillSlot)
Rotate passphrases, add backup keys, and retire compromised key slots on an existing LUKS volume.
| When to use | Command |
|---|---|
| Add a new passphrase or key file (prompts for an existing key first) | sudo cryptsetup luksAddKey /dev/sdc1 |
| Add a key file into a specific empty slot | sudo cryptsetup luksAddKey -S 2 /dev/sdc1 /path/to/new-keyfile |
| Remove a passphrase or key file from the device | sudo cryptsetup luksRemoveKey /dev/sdc1 |
| Change an existing passphrase (old key, then new key) | sudo cryptsetup luksChangeKey /dev/sdc1 |
| Wipe one key slot by number (irreversible for that slot) | sudo cryptsetup luksKillSlot /dev/sdc1 1 |
| Target a slot when removing a key | sudo cryptsetup luksRemoveKey -S 1 /dev/sdc1 |
Inspection (luksDump, status, benchmark)
Read header metadata, check an open mapper, and measure cipher throughput on the host CPU.
| When to use | Command |
|---|---|
| Dump LUKS header, cipher, and key slot details | sudo cryptsetup luksDump /dev/sdc1 |
| Dump LUKS2 metadata as JSON | sudo cryptsetup luksDump --dump-json-metadata /dev/sdc1 |
| Show cipher, size, and backing device for an open mapper | sudo cryptsetup status secure_data |
| Benchmark a cipher (memory only, no disk I/O) | sudo cryptsetup benchmark -c aes-xts-plain64 -s 512 |
| List supported actions and global flags | cryptsetup --help |
| Show installed version | cryptsetup --version |
Header backup/restore (luksHeaderBackup, luksHeaderRestore)
Copy the LUKS header and key slots to a file so you can recover from header corruption — not a substitute for full-disk backup.
| When to use | Command |
|---|---|
| Back up header and key slots to a file | sudo cryptsetup luksHeaderBackup --header-backup-file /root/sdc1-luks-header.bin /dev/sdc1 |
| Restore header from backup (dangerous if the wrong file) | sudo cryptsetup luksHeaderRestore --header-backup-file /root/sdc1-luks-header.bin /dev/sdc1 |
| Restore without interactive confirmation | sudo cryptsetup -q luksHeaderRestore --header-backup-file /root/sdc1-luks-header.bin /dev/sdc1 |
See LUKS header backup and restore for a full walkthrough.
Resize and reencrypt mention
Grow or shrink the encrypted payload after partition changes, or reencrypt a LUKS2 volume in place (cryptsetup 2.x).
| When to use | Command |
|---|---|
| Resize an open mapper after the partition grew | sudo cryptsetup resize secure_data |
| Resize to an explicit sector count | sudo cryptsetup resize --size 1048576 secure_data |
| Shrink encrypted payload before shrinking the partition (LUKS2) | sudo cryptsetup --reduce-device-size 32M resize secure_data |
| Start LUKS2 online reencryption (encrypt, reencrypt, or decrypt) | sudo cryptsetup reencrypt /dev/sdc1 |
| Initialize reencryption metadata only (no data movement yet) | sudo cryptsetup reencrypt --init-only /dev/sdc1 |
| Resume an interrupted LUKS2 reencryption | sudo cryptsetup reencrypt --resume-only /dev/sdc1 |
Partition-level resize workflows live in resize a LUKS partition.
Tokens (LUKS2)
LUKS2 tokens automate unlock with external handlers (TPM, PKCS#11, FIDO2, and plugins). Requires LUKS2 and token support in your cryptsetup build.
| When to use | Command |
|---|---|
| Export one token definition as JSON | sudo cryptsetup token export --token-id 0 /dev/sdc1 |
| Import a token JSON file into the header | sudo cryptsetup token import --json-file token.json /dev/sdc1 |
| Add a token from JSON on stdin | sudo cryptsetup token import --token-id 0 /dev/sdc1 |
| Remove a token by ID | sudo cryptsetup token remove --token-id 0 /dev/sdc1 |
| Open using tokens only (no direct passphrase prompt) | sudo cryptsetup open --token-id 0 /dev/sdc1 secure_data |
cryptsetup — command syntax
Synopsis from cryptsetup --help on Ubuntu 26.04 (cryptsetup 2.8.4):
cryptsetup <action> <action-specific>
Common LUKS actions:
luksFormat <device> [<key file>] format device as LUKS
open <device> [<name>] open LUKS device as mapper <name>
close <name> remove mapper device
luksDump <device> dump LUKS header information
luksAddKey <device> [<new key file>] add key to LUKS device
luksRemoveKey <device> [<key file>] remove key from LUKS device
luksChangeKey <device> [<key file>] change existing key
luksKillSlot <device> <key slot> wipe key slot
luksHeaderBackup <device> backup header and keyslots
luksHeaderRestore <device> restore header and keyslots
status <name> show active mapper status
benchmark [--cipher <cipher>] benchmark cipher
reencrypt <device> reencrypt LUKS2 device
token <import|export|remove> <device> manage LUKS2 tokens
isLuks <device> test for LUKS header
luksUUID <device> print LUKS UUIDcryptsetup writes LUKS metadata on the block device (or a detached header file with --header) and creates /dev/mapper/ nodes through device-mapper. Most actions need sudo. After open, create filesystems on /dev/mapper/name, not on the raw LUKS partition — see encrypt a partition with LUKS2.
cryptsetup — command examples
Essential Inspect a LUKS2 header with luksDump
Run luksDump when you need the LUKS version, UUID, cipher, and which key slots are in use — before adding keys or after luksFormat.
On the lab volume /dev/sdc1 (LUKS2 UUID 5f452b2f-3b11-4494-890b-d6c3e509c0ef):
sudo cryptsetup luksDump /dev/sdc1Sample output (trimmed):
LUKS header information
Version: 2
UUID: 5f452b2f-3b11-4494-890b-d6c3e509c0ef
Label: (no label)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
PBKDF: argon2id
1: luks2
Key: 512 bits
PBKDF: argon2id
Tokens:
Digests:
0: pbkdf2Confirm the partition type with blkid:
sudo blkid /dev/sdc1Sample output:
/dev/sdc1: UUID="5f452b2f-3b11-4494-890b-d6c3e509c0ef" TYPE="crypto_LUKS" PARTLABEL="primary" PARTUUID="b2ec5a76-8585-4e6b-9926-3ca5094fcea1"Two active luks2 key slots means a backup passphrase is already configured. An empty Tokens: section is normal until you add LUKS2 token handlers.
Essential Check an open LUKS mapper with status
After cryptsetup open, the cleartext block device lives at /dev/mapper/name. Use status to see cipher, size, and the backing LUKS partition.
sudo cryptsetup status secure_dataSample output:
/dev/mapper/secure_data is active.
type: LUKS2
cipher: aes-xts-plain64
keysize: 512 [bits]
key location: keyring
device: /dev/sdc1
sector size: 512 [bytes]
offset: 32768 [512-byte units] (16777216 [bytes])
size: 10448896 [512-byte units] (5349834752 [bytes])
mode: read/writePair with lsblk to see the mapper and filesystem stack:
lsblk -f /dev/sdc1Sample output:
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
sdc1 crypto_LUKS 2 5f452b2f-3b11-4494-890b-d6c3e509c0ef
└─secure_data ext4 1.0 secure-data 9fe05bbb-e530-48ed-a8f7-461febc7329fMount workflows are covered in mount a LUKS encrypted partition.
Essential Validate a passphrase without opening the device
Use --test-passphrase when you want to confirm a password before reboot or before scripting open, without creating a mapper device.
Wrong passphrase (safe to run on a live volume):
sudo cryptsetup open --test-passphrase /dev/sdc1 <<< 'wrong-passphrase-test'Sample output:
No key available with this passphrase.When the passphrase matches a key slot, cryptsetup exits 0 and prints nothing. That silent success is the signal you want before updating crypttab or rebooting.
Common Benchmark cipher speed before luksFormat
benchmark measures CPU encryption throughput in memory — useful when choosing between aes-xts-plain64 and other ciphers supported by /proc/crypto.
sudo cryptsetup benchmark -c aes-xts-plain64 -s 512Sample output:
# Tests are approximate using memory only (no storage IO).
# Algorithm | Key | Encryption | Decryption
aes-xts 512b 2569.4 MiB/s 2524.7 MiB/sNumbers vary by CPU and kernel crypto API. Disk I/O during real LUKS use is usually lower than these peaks.
Common Back up the LUKS header and key slots
Header backup protects against metadata corruption. It does not copy encrypted file data — pair this with a full backup strategy.
sudo cryptsetup luksHeaderBackup \
--header-backup-file /root/sdc1-luks-header.bin \
/dev/sdc1
ls -lh /root/sdc1-luks-header.bin
file /root/sdc1-luks-header.binSample output:
-r-------- 1 root root 16M Jul 4 21:06 /root/sdc1-luks-header.bin
/root/sdc1-luks-header.bin: LUKS encrypted file, ver 2, header size 16384, ID 4, algo sha256, ... UUID: 5f452b2f-3b11-4494-890b-d6c3e509c0ef, ...Store the file offline with restrictive permissions (600 or tighter). Restore only onto the matching device — see LUKS header backup and restore.
Common luksAddKey fails when the existing key is wrong
Adding a backup passphrase requires proof of an existing key first. This shows the error you get when the current passphrase does not match any slot.
printf 'wrong-pass\nwrong-pass\n' | sudo cryptsetup luksAddKey /dev/sdc1Sample output:
No key available with this passphrase.When the first passphrase is valid, cryptsetup prompts for the new key (twice if typed interactively) and allocates the next free slot. Verify with sudo cryptsetup luksDump /dev/sdc1 — a third luks2 line under Keyslots: confirms success.
Common luksKillSlot on an empty slot
luksKillSlot wipes one key slot. Trying to kill a slot that was never used returns a clear error instead of changing the header.
sudo cryptsetup luksKillSlot /dev/sdc1 7Sample output:
Keyslot 7 is not active.To retire an active backup slot, pick the slot number from luksDump (for example slot 1) and run sudo cryptsetup luksKillSlot /dev/sdc1 1 after confirming you still have another working key.
Advanced Export LUKS2 metadata as JSON
LUKS2 stores structured metadata. --dump-json-metadata prints it for auditing, automation, or comparing headers across hosts.
sudo cryptsetup luksDump --dump-json-metadata /dev/sdc1 | head -20Sample output:
{
"keyslots":{
"0":{
"type":"luks2",
"key_size":64,
"af":{
"type":"luks1",
"stripes":4000,
"hash":"sha256"
},
"area":{
"type":"raw",
"offset":"32768",
"size":"258048",
"encryption":"aes-xts-plain64",
"key_size":64
},
"kdf":{
"type":"argon2id",
"time":4,Pipe the full JSON to a file for diffing. This read-only dump never exposes passphrases or volume keys.
Advanced isLuks probe and token export without tokens
Scripts often gate on isLuks before calling luksDump. Token export fails cleanly when no LUKS2 tokens are configured.
Test for a LUKS header:
sudo cryptsetup isLuks /dev/sdc1
echo "luks exit: $?"
sudo cryptsetup isLuks /dev/sda1 2>/dev/null
echo "non-luks exit: $?"Sample output:
luks exit: 0
non-luks exit: 1Try exporting a token when the header has none:
sudo cryptsetup token export /dev/sdc1 2>&1 | tail -1Sample output:
cryptsetup: Action requires specific token. Use --token-id parameter.After you token import a handler (TPM2, FIDO2, etc.), pass --token-id N to export or use open --token-id N for automated unlock.
cryptsetup — when to use / when not
| Use cryptsetup when | Use something else when |
|---|---|
|
|
cryptsetup vs dmsetup
| cryptsetup | dmsetup | |
|---|---|---|
| Role | High-level LUKS and dm-crypt helper | Low-level device-mapper table manager |
| Metadata | LUKS header with key slots on disk | None unless you manage keys yourself |
| Typical admin | luksFormat, open, luksDump, key rotation |
create, remove, suspend, manual tables |
| Best for | Standard disk encryption on Linux | Custom maps, debugging, non-LUKS setups |
Day-to-day LUKS work stays in cryptsetup; reach for dmsetup when you already have a mapped table and need low-level control.
Related commands
Block devices, filesystems, and storage layout around LUKS workflows.
| Command | One line |
|---|---|
| lsblk | Tree view of disks, LUKS containers, and mapper children |
| parted | Create or resize GPT/MBR partitions before luksFormat |
| losetup | Attach loop devices when testing image files |
| cryptsetup | LUKS format, open, key management (this page) |
Browse the full index in our Linux commands reference.
cryptsetup — interview corner
Practice these before exams or storage standups. Each card explains the idea in plain language, then ends with a short answer you can say aloud.
What does cryptsetup do in Linux?
cryptsetup is the user-space tool for LUKS disk encryption on Linux. It formats block devices with a LUKS header, derives keys from passphrases or key files, and asks the kernel dm-crypt layer to expose a /dev/mapper/ device you can partition, format, and mount.
Typical flow:
luksFormatwrites LUKS2 metadata on/dev/sdXNopenunlocks the volume as/dev/mapper/namemkfsandmountrun on the mapper — not on the raw LUKS partitioncloseremoves the mapper when unmounted
It ships on Ubuntu, Debian, and Fedora as the cryptsetup package.
A strong answer is:
"cryptsetup manages LUKS encryption through dm-crypt — format with luksFormat, unlock with open to /dev/mapper, manage keys in the header, and close when done. Filesystems always sit on the mapper device."
What is the difference between LUKS1 and LUKS2?
Both store encrypted volume keys in on-disk key slots, but LUKS2 is the modern default (cryptsetup 2.x on current distros).
| LUKS1 | LUKS2 | |
|---|---|---|
| Metadata | Fixed legacy layout | JSON-based, extensible |
| Key derivation | PBKDF2 common | Argon2id default on Ubuntu 26.04 |
| Extra features | Limited | Tokens, online reencryption, detached headers |
| Format flag | --type luks1 |
--type luks2 (default) |
luksDump reports Version: 2 for LUKS2 volumes. New installs should use LUKS2 unless something legacy requires LUKS1.
A strong answer is:
"LUKS2 is the current default — flexible JSON metadata, stronger KDF defaults, tokens, and online reencrypt. LUKS1 is legacy; I only pick it when an old system cannot read LUKS2."
Should you mkfs on /dev/sdc1 or /dev/mapper/name after LUKS?
Always /dev/mapper/name after cryptsetup open.
/dev/sdc1 holds the LUKS container (header + encrypted payload). Formatting it directly destroys the header or writes an unencrypted filesystem beside LUKS metadata.
Correct sequence:
sudo cryptsetup open /dev/sdc1 secure_data
sudo mkfs.ext4 /dev/mapper/secure_data
sudo mount /dev/mapper/secure_data /mnt/secure-dataA strong answer is:
"After open, mkfs and mount go on /dev/mapper/name — the cleartext device. The raw partition is only for luksFormat and cryptsetup key operations."
How do LUKS key slots work?
LUKS stores up to several key slots in the header. Each slot holds key material wrapped by a passphrase or key file. Any active slot that unlocks grants access to the same volume key.
Common operations:
| Task | Command |
|---|---|
| Inspect slots | sudo cryptsetup luksDump /dev/sdc1 |
| Add backup passphrase | sudo cryptsetup luksAddKey /dev/sdc1 |
| Change a passphrase | sudo cryptsetup luksChangeKey /dev/sdc1 |
| Remove one key | sudo cryptsetup luksRemoveKey /dev/sdc1 |
| Wipe a slot by number | sudo cryptsetup luksKillSlot /dev/sdc1 1 |
Keep at least one working slot before luksKillSlot. Header backup covers metadata loss, not forgotten passphrases with no remaining slots.
A strong answer is:
"LUKS key slots are independent wrappers around the same volume key — luksAddKey adds backup passphrases, luksChangeKey rotates one, luksKillSlot wipes a slot. I always confirm another slot still works before killing one."
Why back up the LUKS header?
The LUKS header stores key slots and encryption parameters. If that metadata is corrupted — bad sectors, mistaken dd, partial clone — the encrypted payload may be intact but unreadable without the header.
luksHeaderBackup copies header + key slot blobs to a file. luksHeaderRestore writes them back to the same physical device UUID.
Important limits:
- Header backup does not replace full-disk backup of ciphertext
- Restore must target the matching device and backup file
- Passphrases still required after restore — backup is not a master key
A strong answer is:
"I luksHeaderBackup after luksFormat and whenever I change keys — it protects metadata corruption. It is not a data backup, and restore only works with the correct header file on the same volume."
What is cryptsetup reencrypt for LUKS2?
cryptsetup reencrypt performs online LUKS2 reencryption — change cipher, encrypt an unencrypted region, or decrypt in place — while the volume can stay mapped (with restrictions documented in the man page).
Typical flags:
| Flag | Purpose |
|---|---|
--encrypt |
Add encryption to an existing LUKS2 payload |
--decrypt |
Remove encryption (destructive planning required) |
--init-only |
Stage metadata without moving data yet |
--resume-only |
Continue after interruption |
Always read the man page and have backups before starting. Partition shrink/grow coordination is in resize a LUKS partition.
A strong answer is:
"reencrypt is LUKS2 online reencryption — rotate ciphers or encrypt/decrypt in place with init and resume steps. I treat it as a planned maintenance window with full backups, not a casual flag."
Troubleshooting
Common cryptsetup failures on Ubuntu — symptom, likely cause, and the fix to try first.
| Symptom | Likely cause | Fix |
|---|---|---|
No key available with this passphrase |
Wrong password or key file; slot disabled | Retry with --test-passphrase; check luksDump for active slots |
Device secure_data already exists |
Mapper name in use | sudo cryptsetup close secure_data or pick another name |
Device is still active on close |
Mount or swap still open | umount / swapoff the mapper, then close |
Not a valid LUKS device / isLuks exit 1 |
No LUKS header on partition | Confirm device with lsblk -f; rerun luksFormat only if data loss is acceptable |
Keyslot N is not active |
Empty slot in luksKillSlot |
Pick an active slot from luksDump |
Option --header-backup-file is required |
Old positional backup syntax | Use luksHeaderBackup --header-backup-file FILE DEVICE |
Command not found: cryptsetup |
Package missing | sudo apt install cryptsetup |
| Filesystem missing after reboot | Mapper not opened at boot | Add an /etc/crypttab entry; see mount LUKS encrypted partition |

