Create an encrypted partition on an existing disk device or partition. This will overwrite any data previously on the device or partition.
cryptsetup luksFormat /dev/sdxY
Open the LUKS encrypted device:
cryptsetup luksOpen /dev/sdxY any-name
The device is now available as any other non-encrypted disk at
For the first time, you need to install a filesystem:
Then you may mount the filesystem:
mount /dev/mapper/any-name /mnt
Any files at the given mountpoint (
/mnt) are now encrypted when written to disk.
In order to properly close the filesystem, which will make the files inaccessible without entering the passphrase.
sync /mnt umount /dev/mapper/any-name cryptsetup luksClose /dev/sdxY
You may also want to keep a backup of the LUKS header. This is some information which contains data about the filesystem, the encryption method, and some larger keys. The passphrase actually only decrypts the larger keys which are in turn used to encrypt/decrypt the data. If the header becomes corrupt, broken, or lost in any way, all other data must be considered lost. Similarly, if the passphrase is forgotten, all data is pretty much lost.
cryptsetup luksHeaderBackup /dev/sdxY --header-backup-file /path/to/backup.luks.bin
In order to restore a header:
cryptsetup luksHeaderRestore /dev/sdxY --header-backup-file /path/to/backup.luks.bin
Keep the header safe, in the same way you would not hand over your disk to a hacker. If the passphrase is random and long enough, it is less of a problem of getting in the hands of a hacker. The header contains salt, by keeping it hidden, the salt becomes pepper.