Setting up an encrypted partition using LUKS and dm-crypt

This page is a short how-to on setting up a securely encrypted partition in Linux+GNU. This partition will now be used as a secure place to put sensitive files and as such will not be automatically mounted by the OS (for that, just use the full disk encryption of the host OS). Rather, the partition will need to be mounted every time you require access and unmounted (and fully encrypted) after you are done using it.

Creating the encrypted partition

You will need an unused partition to use for your encrypted disk. Make a partition with fdisk (no file system yet) and write random data to the partition using dd from /dev/urandom. Now, instead of making the file system, use cryptsetup to format the partition (sdX# should be replaced with your drive and partition, e.g. sdf2).

cryptsetup -v --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdX#

This will prompt you for a password (it should be very strong) and then create the encrypted partition, the details of which can be checked with:

cryptsetup luksDump /dev/sdX#
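
As an added example (not part of the original how-to), the shell function below checks luksDump output against the options passed to luksFormat above. It assumes the LUKS1 dump layout (newer cryptsetup versions create LUKS2 by default, which prints different fields); the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): check LUKS1 luksDump output
# against the luksFormat options used above (--key-size 512 --hash sha512).

# Constructed sample of LUKS1 luksDump output; digest, salt and UUID omitted.
SAMPLE_DUMP='LUKS header information for /dev/sdX#

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512

Key Slot 0: ENABLED
Key Slot 1: DISABLED'

# luks_field NAME: print the value of the "NAME:" line from stdin.
luks_field() {
    awk -F: -v key="$1" '$1 == key { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# check_luks_dump: read luksDump text on stdin. Returns 0 if the header
# matches, 1 on a mismatch (one line printed per problem), 2 if not LUKS1.
check_luks_dump() {
    dump=$(cat)
    rc=0
    version=$(printf '%s\n' "$dump" | luks_field "Version")
    if [ "$version" != "1" ]; then
        echo "header version '$version' not handled (LUKS1 layout only)"
        return 2
    fi
    bits=$(printf '%s\n' "$dump" | luks_field "MK bits")
    hash=$(printf '%s\n' "$dump" | luks_field "Hash spec")
    [ "$bits" = "512" ] || { echo "MK bits is '$bits', expected 512"; rc=1; }
    [ "$hash" = "sha512" ] || { echo "Hash spec is '$hash', expected sha512"; rc=1; }
    # A volume with no enabled key slot cannot be opened with any passphrase.
    slots=$(printf '%s\n' "$dump" | grep -c '^Key Slot [0-7]: ENABLED' || true)
    [ "$slots" -ge 1 ] || { echo "no enabled key slot"; rc=1; }
    return "$rc"
}

# On a real device (as root): cryptsetup luksDump /dev/sdX# | check_luks_dump
```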

Accessing your encrypted partition

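The device must now be opened and mapped to /dev/mapper in order to be used. The last argument (data) is the mapping name, so the decrypted device appears as /dev/mapper/data.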

cryptsetup open --type luks /dev/sdX# data

Now the device can be used like any other regular device, e.g. with mkfs, mount, etc. Create the file system only the first time; running mkfs again erases what is on the volume.

mkfs.xfs /dev/mapper/data
mount /dev/mapper/data /mnt

Closing the encryption channel

First unmount the partition and then close the encrypted mapping:

cryptsetup close data