Wednesday, January 3, 2024

Cryptsetup basic cheatsheet

To format a partition (e.g. sda1) as LUKS with an HMAC integrity layer:

cryptsetup luksFormat --type=luks2 --integrity hmac-sha256 /dev/sda1

Or without an integrity layer (you probably want this for most use cases):

cryptsetup luksFormat --type=luks2 /dev/sda1

To open the encrypted partition:

cryptsetup open /dev/sda1 sda1_crypt

Alternatively, open it while permanently marking the LUKS device to accept discard (TRIM) operations:

cryptsetup open /dev/sda1 sda1_crypt --allow-discards --persistent

This creates a decrypted device for the same partition, which you can format like so (-i 4M for storing files around 4MiB each, -m 0 to avoid reserving space for the root user; change the Label to whatever you like):

mkfs.ext4 -i 4M -m 0 -L Label /dev/mapper/sda1_crypt

Then close it:

cryptsetup close /dev/mapper/sda1_crypt

Disconnect the device and reconnect it (or mount it however you normally do) to see if everything works.
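
To check which of the options above ended up recorded in the LUKS2 header, here is an added example (not part of the original post) that summarises `cryptsetup luksDump` output. The function names and the two abbreviated sample dumps are constructed for illustration and assume the usual luksDump layout; on a real system you would run `cryptsetup luksDump /dev/sda1 | luks_header_summary`.

```shell
#!/bin/sh
# Added example: report what a LUKS2 header records about the options used above.
# Input (stdin): text of `cryptsetup luksDump <device>`.
# Output: version=<n> discards=<persistent|off> integrity=<algorithm|none>
luks_header_summary() {
    awk '
        /^Version:/          { version = $2 }
        # --persistent stores allow-discards in the header, so every later
        # open passes TRIM through and unused blocks become distinguishable.
        /^Flags:/            { if ($0 ~ /allow-discards/) discards = "persistent" }
        /^[ \t]+integrity:/  { integrity = $2 }
        END {
            printf "version=%s discards=%s integrity=%s\n",
                (version == "" ? "unknown" : version),
                (discards == "" ? "off" : discards),
                (integrity == "" ? "none" : integrity)
        }'
}

# Constructed sample: abbreviated dump after `luksFormat --type=luks2` and
# `open --allow-discards --persistent`.
sample_plain_discards() {
    cat <<'EOF'
LUKS header information
Version:        2
Flags:          allow-discards

Data segments:
  0: crypt
        cipher: aes-xts-plain64
EOF
}

# Constructed sample: abbreviated dump after `luksFormat --integrity hmac-sha256`.
sample_integrity() {
    cat <<'EOF'
LUKS header information
Version:        2
Flags:          (no flags)

Data segments:
  0: crypt
        cipher: aes-xts-plain64
        integrity: hmac(sha256)
EOF
}

sample_plain_discards | luks_header_summary
sample_integrity | luks_header_summary
```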
