Linux Install & setup

Full-disk encryption with LUKS

Practical Linux guide: full-disk encryption with LUKS without the usual guesswork.

18 min read Advanced Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

Warning

Back up important data before repartitioning, encrypting disks, or restoring backups. Wrong commands can destroy partitions or overwrite live files.

What you will achieve

Full-disk encryption with LUKS so data at rest is protected if a laptop or drive is stolen, unlocked at boot with a passphrase or a TPM (distro-dependent). Keep the scope in mind: LUKS protects a powered-off machine. Once the volume is unlocked, a running or suspended system exposes the data to anyone who can use it, so screen locks and suspend behaviour still matter.

1) Choose installer option (easiest)

Debian: choose Guided - use entire disk and set up encrypted LVM. Ubuntu: tick the encryption option when erasing the disk (Encrypt the new Ubuntu installation in the older ubiquity installer; Use LVM and encryption under Advanced features in the newer one). Fedora: tick Encrypt my data on the Installation Destination screen; it works with automatic as well as custom partitioning. All three build the same layout as the manual steps below: an unencrypted /boot that holds the kernel and initramfs, and a LUKS container with LVM inside it for root and swap.

2) Manual LUKS during advanced install

# Example: encrypt the partition, then put LVM inside it so root and swap are both encrypted.
# luksFormat irrevocably destroys whatever is on the target; confirm the device name with lsblk first.
cryptsetup luksFormat --type luks2 /dev/sda3   # luks2 is already the default on cryptsetup >= 2.1
cryptsetup open /dev/sda3 cryptroot            # prompts for the passphrase you just set
pvcreate /dev/mapper/cryptroot
vgcreate vg0 /dev/mapper/cryptroot
lvcreate -L 8G -n swap vg0
lvcreate -l 100%FREE -n root vg0

3) Boot loader and initramfs

The installer writes /etc/crypttab and rebuilds the initramfs. After manual changes, do it yourself. Debian/Ubuntu:

sudo update-initramfs -u

Fedora: sudo dracut -f. If the kernel boots but never asks for a passphrase, the initramfs lacks the crypt hook (package cryptsetup-initramfs on Debian/Ubuntu, the crypt dracut module on Fedora) or /etc/crypttab has no entry for the root device; fix that and regenerate the initramfs.

4) Backup LUKS header

sudo cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file luks-header-backup.img
sudo chmod 0400 luks-header-backup.img

Store this offline. Losing the header with a forgotten passphrase means permanent data loss, and without the header even the correct passphrase is useless. The backup also contains every keyslot that was valid when it was taken, so anyone who holds it together with an old passphrase can still unlock the disk: treat it as sensitive, and take a fresh backup after you remove or change a passphrase.

Verify

lsblk -f
sudo cryptsetup status cryptroot

5) TPM auto-unlock (systemd-cryptenroll)

Recent Ubuntu and Fedora support enrolling a TPM2 for automatic LUKS unlock on trusted hardware:

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sda3

This adds a TPM-bound keyslot next to the passphrase slot; it does not replace it. For the initramfs to try the TPM at boot, the root entry in /etc/crypttab needs the tpm2-device=auto option, followed by an initramfs rebuild. Keep the passphrase keyslot: PCR 7 reflects the Secure Boot state and signature databases, so toggling Secure Boot or a dbx update changes it and the TPM will refuse to release the key until you re-enroll with the passphrase.
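Before relying on the header backup from step 4 or the TPM enrolment from step 5, read the header back and check what is actually in it. The script below is an added example written for this page, not cryptsetup's own tooling or code from the guide: it parses cryptsetup luksDump output and reports whether the header is LUKS2, whether at least one keyslot is still a passphrase or keyfile slot rather than token-bound, and whether those slots use argon2id. The function names are mine, and SAMPLE_GOOD / SAMPLE_TPM_ONLY are constructed dumps in cryptsetup's layout, not captures from real hardware.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: audit a `cryptsetup luksDump`
# report for what steps 4 and 5 rely on. Pipe a live dump or a header backup in:
#   sudo cryptsetup luksDump /dev/sda3 | luks_audit
#   sudo cryptsetup luksDump luks-header-backup.img | luks_audit
# SAMPLE_GOOD and SAMPLE_TPM_ONLY are constructed to mimic cryptsetup 2.x output
# (spaces instead of tabs); they were not captured from a real device.
set -u

# Single-value extractors; each reads the dump text on stdin.
luks_version() { awk -F: '/^Version:/ {gsub(/[[:space:]]/, "", $2); print $2; exit}'; }
luks_uuid()    { awk -F: '/^UUID:/    {gsub(/[[:space:]]/, "", $2); print $2; exit}'; }
luks_cipher()  { awk -F: '/^[[:space:]]+cipher:/ {gsub(/[[:space:]]/, "", $2); print $2; exit}'; }

# Keyslot numbers referenced from the Tokens section (systemd-tpm2, fido2, ...). A section
# ends at the next unindented line, so Keyslots/Tokens/Digests "  N: type" entries never mix.
luks_token_slots() {
  awk -F: '/^Tokens:/ {s=1; next} /^[^[:space:]]/ {s=0}
           s && /^[[:space:]]+Keyslot:/ {gsub(/[[:space:]]/, "", $2); print $2}'
}

# "slot pbkdf" for every keyslot, e.g. "0 argon2id".
luks_slot_pbkdfs() {
  awk -F: '/^Keyslots:/ {s=1; next} /^[^[:space:]]/ {s=0}
           s && /^  [0-9]+: / {slot=$1; gsub(/[[:space:]]/, "", slot)}
           s && /^[[:space:]]+PBKDF:/ {gsub(/[[:space:]]/, "", $2); print slot, $2}'
}

# Keyslots not bound to any token: the passphrase/keyfile slots you fall back on when
# the TPM policy no longer matches. Token slots hold a random key and get a cheap PBKDF
# on purpose, so they are excluded from the argon2id check.
luks_unbound_slots() {
  local dump bound
  dump=$(cat)
  bound=" $(printf '%s\n' "$dump" | luks_token_slots | tr '\n' ' ')"
  printf '%s\n' "$dump" | luks_slot_pbkdfs |
    awk -v bound="$bound" 'index(bound, " " $1 " ") == 0 {print}'
}

# One line per check; exit status 0 only when every check passes.
luks_audit() {
  local dump rc=0 ver cipher unbound weak
  dump=$(cat)
  ver=$(printf '%s\n' "$dump" | luks_version)
  cipher=$(printf '%s\n' "$dump" | luks_cipher)
  unbound=$(printf '%s\n' "$dump" | luks_unbound_slots)
  weak=$(printf '%s\n' "$unbound" | awk '$2 != "" && $2 != "argon2id" {print $1}' | tr '\n' ' ')
  if [ "$ver" = 2 ]; then echo "ok    LUKS2 header"
  else echo "FAIL  LUKS version ${ver:-unknown} (LUKS1 has neither argon2id nor tokens)"; rc=1; fi
  echo "info  data cipher ${cipher:-unknown}"
  if [ -n "$unbound" ]; then echo "ok    non-token keyslot(s): $(printf '%s\n' "$unbound" | awk '{print $1}' | tr '\n' ' ')"
  else echo "FAIL  every keyslot is token-bound; a PCR change would lock you out"; rc=1; fi
  if [ -z "$weak" ]; then echo "ok    non-token keyslots use argon2id"
  else echo "FAIL  keyslot(s) ${weak}use a weaker PBKDF (LUKS1 conversion or --pbkdf pbkdf2?)"; rc=1; fi
  return "$rc"
}

SAMPLE_GOOD=$(cat <<'EOF'
LUKS header information
Version:        2
UUID:           11111111-2222-3333-4444-555555555555

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 1000
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
)

# Same layout, but the passphrase slot was removed after enrolling the TPM.
SAMPLE_TPM_ONLY=$(printf '%s\n' "$SAMPLE_GOOD" | awk '
  /^  0: luks2/ {skip=1; next} /^  1: luks2/ {skip=0} !skip')

echo "== SAMPLE_GOOD";     printf '%s\n' "$SAMPLE_GOOD"     | luks_audit || true
echo "== SAMPLE_TPM_ONLY"; printf '%s\n' "$SAMPLE_TPM_ONLY" | luks_audit || true
```

Run it against the live device and against the backup image and compare the UUID lines; if they differ you backed up the wrong header. The token-bound slot deliberately uses pbkdf2 with few iterations because its key is random, which is why the argon2id check only covers slots that no token references.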

6) Secondary drives

sudo cryptsetup luksFormat --type luks2 /dev/sdb1
sudo cryptsetup open /dev/sdb1 data
sudo mkfs.ext4 /dev/mapper/data
echo 'data /dev/sdb1 none luks' | sudo tee -a /etc/crypttab
# "none" means a passphrase prompt for this volume at every boot. Prefer UUID=... (from blkid /dev/sdb1)
# over /dev/sdb1, since device names can change between boots; then mount /dev/mapper/data via /etc/fstab.

7) Performance notes

LUKS adds little overhead on CPUs with AES-NI: check with grep -m1 -o aes /proc/cpuinfo and compare throughput with cryptsetup benchmark. Without hardware AES, run cryptsetup benchmark -c xchacha20,aes-adiantum-plain64 against the aes-xts-plain64 default and switch only if the numbers show the cipher, not the disk, is the bottleneck.

Recovery planning

Store the header backup and the passphrase in separate physical locations. Document the initramfs rebuild procedure: a kernel update that fails to regenerate the initrd, or a dropped crypt hook, leaves a system that boots the kernel and then never asks for the passphrase until you regenerate the initramfs from rescue media.

8) Unlock over SSH (dropbear initramfs)

Advanced: Debian and Ubuntu can run dropbear in the initramfs (package dropbear-initramfs) for remote LUKS unlock on headless servers. It needs a network configuration the initramfs can bring up, your public key in dropbear's initramfs authorized_keys, and the SSH host key stored inside the initrd. That host key necessarily sits on the unencrypted /boot, so anyone with access to the disk can copy it and impersonate the server to capture your passphrase; pin the fingerprint in your client configuration and re-check it after any sign of tampering.

Prerequisites

Strong passphrase stored offline. LUKS header backup plan. If dual-booting Windows, leave Windows partitions untouched — encrypt only Linux LVM PV. Install media must support initramfs with your storage drivers (NVMe, RAID).

Passphrase vs keyfile

(umask 077; dd if=/dev/urandom of=/root/.luks-key bs=4096 count=1)   # 0600, root-only
cryptsetup luksAddKey /dev/sda3 /root/.luks-key                       # asks for an existing passphrase first

Keyfiles suit servers in locked racks; laptops should stick to memorised passphrases. A keyfile stored on the encrypted root cannot unlock that root itself (the root must already be open to read it), so it is for secondary volumes such as the data drive above: put the file's path in the third crypttab field instead of none. Anyone who can read the keyfile can open the disk, hence the restrictive permissions and root-only location.
