This is an old revision of the document!

LUKS

LUKS Encrypted Partition/Drive

Test passphrase:

sudo cryptsetup --verbose open --test-passphrase /dev/sda5

Change Keyslot 0's key:

sudo cryptsetup luksChangeKey /dev/sda5 -S 0

Verify new passphrase:

sudo cryptsetup --verbose open --test-passphrase /dev/sda5

Insert luks module:
```
grub rescue> insmod luks
```
List all divices:
```
grub rescue> ls
```
Mount encrypted /boot/ partition:
```
grub rescue> cryptomount (hd0,gpt2)
```
- To use uuid instead, use the -u option

Enter passphrase:

Attempting to decrypt master key...
Enter passphrase for hd0,gpt2 (<disk uuid>):

Output on success:
```
Slot 3 opened
```
Insert LVM Module:
```
grub rescue> insmod lvm
```
Load module for normal boot:
```
grub rescue> insmod normal
```
Boot:
```
grub rescue> normal
```
https://www.gnu.org/software/grub/manual/grub/html_node/Commands.html#Commands
https://www.gnu.org/software/grub/manual/grub/html_node/GRUB-only-offers-a-rescue-shell.html#GRUB-only-offers-a-rescue-shell

With cryptsetup 2.1.0, the LUKS header takes up just under 16MiB, so the partition size must be 16MiB + the size of the data you want to store in it.

Create a 20Mb file filled with random data: ¹⁾

sudo dd if=/dev/urandom of=encrypted.luks.img iflag=fullblock bs=1M count=20

Configure encryption:

cryptsetup --verbose luksFormat encrypted.luks.img
cryptsetup --verbose --use-random luksFormat encrypted.luks.img

Open the encrypted container:

cryptsetup --verbose luksOpen encrypted.luks.img encrypted

Mount the container:

mount -t ext4 -o journal_checksum /dev/mapper/encrypted /mnt/encrypted

If you want/need to change the password:

sudo cryptsetup luksChangeKey encrypted.luks.img

¹⁾