Using LUKS to encrypt private data
Linux Unified Key Setup (LUKS) is a disk-encryption specification used in Linux to provide a standard and secure way of encrypting storage devices. It defines a platform-independent on-disk format that supports managing multiple user keys, helping secure the data.
Step 1: Create a Sparse File
A sparse file allows you to define a large size (like 100GB) without immediately allocating all that space on disk. It will grow as data is written.
truncate -s 100G encrypted_file.img
This creates a file called encrypted_file.img with an apparent size of 100GB, but it only takes up minimal space until you add data.
Step 2: Set Up LUKS Encryption
Now, initialize the sparse file as a LUKS-encrypted container.
sudo cryptsetup luksFormat encrypted_file.img
- You’ll be prompted to confirm with YES (in all caps) and set a passphrase.
- This encrypts the file using LUKS.
Step 3: Open the LUKS Container
Map the encrypted file to a device so you can work with it.
sudo cryptsetup luksOpen encrypted_file.img encrypted_volume
- encrypted_volume is the name of the mapped device (e.g., /dev/mapper/encrypted_volume).
- Enter the passphrase when prompted.
Step 4: Create a Filesystem
Format the mapped device with a filesystem that supports resizing, like ext4.
sudo mkfs.ext4 /dev/mapper/encrypted_volume
Step 5: Mount the Filesystem
Create a mount point and mount the encrypted volume.
sudo mkdir /mnt/encrypted
sudo mount /dev/mapper/encrypted_volume /mnt/encrypted
Now you can use /mnt/encrypted to store files, and it will initially support up to 100GB of data.
Step 6: Extending the File When Needed
When you run out of space and want to extend the container beyond 100GB, you can resize the sparse file and the filesystem. Here’s how:
Unmount the volume:
sudo umount /mnt/encrypted
Close the LUKS container:
sudo cryptsetup luksClose encrypted_volume
Extend the sparse file size (e.g., add another 50GB):
truncate -s +50G encrypted_file.img
Reopen the LUKS container:
sudo cryptsetup luksOpen encrypted_file.img encrypted_volume
Resize the filesystem to use the new space:
sudo resize2fs /dev/mapper/encrypted_volume
Remount it:
sudo mount /dev/mapper/encrypted_volume /mnt/encrypted
The filesystem will now recognize the additional space (150GB total in this example), and you can keep extending it this way as needed.
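A preflight check to run before the truncate -s +50G step, given here as an added example (not part of the original article). It confirms the image starts with the LUKS header magic and that the host filesystem could actually back the enlarged sparse file; the function names are made up for this example, and stat -c assumes GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example: preflight checks before growing a sparse LUKS container file.
# All function names are hypothetical; nothing here needs root or cryptsetup.

# Size the file claims to have (what `truncate -s` sets), in bytes.
apparent_bytes() { stat -c %s "$1"; }

# Space actually allocated on the host filesystem, in bytes.
allocated_bytes() { echo $(( $(stat -c %b "$1") * $(stat -c %B "$1") )); }

# True if the file starts with the LUKS magic "LUKS" 0xBA 0xBE (LUKS1 and LUKS2).
# This only identifies the format; it does not validate the header.
is_luks() {
    [ "$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# Free bytes on the filesystem that holds the image.
host_free_bytes() {
    echo $(( $(df -Pk "$(dirname "$1")" | awk 'NR==2 { print $4 }') * 1024 ))
}

# True if the host could back the whole container after adding $2 bytes,
# i.e. the sparse file would not be overcommitted against real free space.
can_grow() {
    need=$(( $(apparent_bytes "$1") + $2 - $(allocated_bytes "$1") ))
    [ $(( $(host_free_bytes "$1") >= need )) -eq 1 ]
}

# Refuse to proceed unless the image is LUKS and the growth is backed by disk.
# Usage: preflight encrypted_file.img $((50 * 1024 * 1024 * 1024))
preflight() {
    is_luks "$1" || { echo "not a LUKS container: $1" >&2; return 2; }
    can_grow "$1" "$2" || { echo "host filesystem cannot back the new size" >&2; return 3; }
    echo "ok: apparent=$(apparent_bytes "$1") allocated=$(allocated_bytes "$1")"
}
```

If can_grow fails, the container can still be extended, but writes inside it will start failing once the host filesystem fills up, which is the point at which a LUKS header backup matters most.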
Additional information
- Sparse Files: The file only consumes disk space as you write data, so it’s efficient until you fill it up.
- Security: Always back up your LUKS header (cryptsetup luksHeaderBackup) in case of corruption.
- Automation: If you want this to resize automatically, you’d need a more complex setup (e.g., using LVM on a loop device), but the above method is simpler and manual.
© 2025 Aleksandr Aksenov. All Rights Reserved.