LUKS (Linux Unified Key Setup) is the standard disk encryption framework on Linux, providing transparent block-level encryption that protects data at rest even if physical media is stolen. On RHEL 9, LUKS is backed by the cryptsetup tool and integrates tightly with the kernel’s device mapper subsystem. This tutorial walks through encrypting a new disk partition with LUKS2, creating a filesystem on the encrypted container, configuring automatic unlocking at boot via /etc/crypttab, and managing multiple passphrase slots. Encrypting sensitive partitions — especially those storing database files, application secrets, or user data — is a critical control for compliance frameworks like PCI-DSS and HIPAA.

Prerequisites

  • RHEL 9 server with root or sudo access
  • An unformatted disk or partition available (e.g., /dev/sdb or /dev/sdb1)
  • Familiarity with Linux block devices and partitioning tools
  • Warning: luksFormat is destructive — all existing data on the target partition will be erased

Step 1 — Install cryptsetup

Install the cryptsetup package, which provides the cryptsetup command-line tool for creating and managing LUKS encrypted volumes. On most RHEL 9 systems it is installed by default, but verify or install it explicitly.

dnf install -y cryptsetup

# Verify the version — LUKS2 requires cryptsetup >= 2.0
cryptsetup --version

If you need to create a new partition on a raw disk first, use fdisk or parted:

# Create a new partition on /dev/sdb interactively
fdisk /dev/sdb
# Inside fdisk: n (new), accept the defaults for partition number, first sector and last sector, then w (write).
# On an MBR-labelled disk fdisk also asks p (primary) before the partition number; GPT disks skip that prompt.

# Confirm the new partition exists
lsblk /dev/sdb

Step 2 — Initialise a LUKS2 Container on the Partition

Use cryptsetup luksFormat to initialise the LUKS2 container on the target partition. You will be asked to type YES in uppercase to confirm, then set a passphrase. LUKS2 is the default format on RHEL 9 and offers better metadata integrity than LUKS1.

# Initialise LUKS2 container — DESTRUCTIVE, erases partition
cryptsetup luksFormat --type luks2 /dev/sdb1

# You will see:
# WARNING!
# ========
# This will overwrite data on /dev/sdb1 irrevocably.
# Are you sure? (Type 'yes' in capital letters): YES
# Enter passphrase for /dev/sdb1: [enter strong passphrase]
# Verify passphrase: [repeat passphrase]

Inspect the LUKS header to confirm the container was created and to record the defaults cryptsetup chose (on RHEL 9: cipher aes-xts-plain64 with a 512-bit key, and argon2id as the keyslot PBKDF). Keep this output with your recovery documentation; it is also where you later verify which key slots are populated.

cryptsetup luksDump /dev/sdb1

Step 3 — Open the LUKS Container and Create a Filesystem

Open (unlock) the LUKS container using cryptsetup open. This creates a virtual block device at /dev/mapper/<name> through which you read and write unencrypted data — LUKS handles the encryption transparently. Replace myencrypteddisk with a meaningful name for your use case.

# Open the LUKS container — prompts for passphrase
cryptsetup open /dev/sdb1 myencrypteddisk

# Confirm the mapper device was created
ls -la /dev/mapper/myencrypteddisk

Create an ext4 filesystem on the decrypted mapper device, then mount it:

# Create filesystem on the decrypted device
mkfs.ext4 /dev/mapper/myencrypteddisk

# Create a mount point and mount
mkdir -p /mnt/secure
mount /dev/mapper/myencrypteddisk /mnt/secure

# Verify the mount
df -h /mnt/secure

Step 4 — Unmount and Close the LUKS Container

When finished using the encrypted partition, unmount the filesystem first, then close the LUKS container. Closing removes the /dev/mapper device and drops the volume key from the kernel; until that happens the key sits in kernel memory and the plaintext is readable by anyone with root on the running host, so "encrypted at rest" only holds for a closed container.

# Unmount the filesystem
umount /mnt/secure

# Close the LUKS container — key is removed from memory
cryptsetup close myencrypteddisk

# Verify the mapper device is gone
ls /dev/mapper/

Step 5 — Configure Auto-Mount at Boot via /etc/crypttab and /etc/fstab

To automatically unlock and mount the LUKS partition at boot, add entries to both /etc/crypttab (which handles unlocking) and /etc/fstab (which handles mounting). For servers requiring unattended boot you can store the passphrase in a key file, with one caveat: the key file must be readable during boot, so it normally lives on the root filesystem, and if root is not itself encrypted an attacker who takes the disks gets both the lock and the key. In that layout the control only covers theft of the data disk on its own. For interactive boot, use the none keyword to prompt for the passphrase at the console.

# Get the UUID of the LUKS partition (use UUID, not device name, for reliability)
cryptsetup luksUUID /dev/sdb1
# or:
blkid /dev/sdb1

Add to /etc/crypttab — format is: name device keyfile options

# /etc/crypttab
# "none" prompts for passphrase at boot (interactive)
# Replace UUID with output from blkid
myencrypteddisk  UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  none  luks

Add to /etc/fstab to mount after unlocking:

# /etc/fstab
/dev/mapper/myencrypteddisk  /mnt/secure  ext4  defaults  0  2

Test the configuration without rebooting:

# systemd-cryptsetup-generator turns each /etc/crypttab line into a
# systemd-cryptsetup@<name>.service unit; reload so the new entry is generated
systemctl daemon-reload
systemctl start systemd-cryptsetup@myencrypteddisk.service
mount /mnt/secure
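Before rebooting it is worth checking that the two files agree, because a crypttab line that names a device by path, a key file with loose permissions, or a mapper name with no fstab counterpart all turn the next boot into an emergency-shell session. The script below is an added example, not part of the original tutorial; it runs against constructed copies of /etc/crypttab and /etc/fstab in a scratch directory, and the UUIDs, mapper names, mount points and key file paths in those copies are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a pre-reboot sanity check that
# /etc/crypttab and /etc/fstab agree, run here against constructed copies of both
# files so it can be tried without touching the real ones.
#
# crypttab(5) field layout:  name  device  keyfile  options
# Checks per entry:
#   - no more than four fields
#   - device named by UUID= with a well-formed UUID (a /dev/sdX path can change between boots)
#   - key file field is none/- (prompt at boot) or an existing file with mode 0400/0600
#   - /dev/mapper/<name> is mounted by some fstab line
# Prints one line per finding; returns 0 when the pair is consistent, 1 otherwise.
check_crypttab_fstab() {
    crypttab=$1
    fstab=$2
    findings=$(
        grep -Ev '^[[:space:]]*(#|$)' "$crypttab" |
        while read -r name dev key opts extra; do
            if [ -n "$extra" ]; then
                echo "$name: more than four fields (name device keyfile options)"
                continue
            fi
            case "$dev" in
                UUID=*)
                    echo "${dev#UUID=}" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
                        || echo "$name: malformed UUID in '$dev' (compare with cryptsetup luksUUID)"
                    ;;
                *)
                    echo "$name: device given as '$dev'; use UUID=<luksUUID> so a renumbered disk is not mis-unlocked"
                    ;;
            esac
            case "$key" in
                ""|none|-) ;;                       # passphrase prompt at boot
                *)
                    if [ ! -f "$key" ]; then
                        echo "$name: key file $key does not exist"
                    else
                        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
                        case "$mode" in
                            400|600) ;;
                            *) echo "$name: key file $key has mode $mode; expected 400 or 600" ;;
                        esac
                    fi
                    ;;
            esac
            grep -Eq "^[[:space:]]*/dev/mapper/$name[[:space:]]" "$fstab" \
                || echo "$name: no fstab entry mounts /dev/mapper/$name"
        done
    )
    if [ -n "$findings" ]; then
        echo "$findings"
        return 1
    fi
    echo "crypttab/fstab consistent"
    return 0
}

# Constructed samples (not taken from a real host). $SAMPLE_DIR stands in for /etc and /root.
SAMPLE_DIR=$(mktemp -d)
head -c 4096 /dev/urandom > "$SAMPLE_DIR/keyfile";  chmod 400 "$SAMPLE_DIR/keyfile"
head -c 4096 /dev/urandom > "$SAMPLE_DIR/loosekey"; chmod 644 "$SAMPLE_DIR/loosekey"

cat > "$SAMPLE_DIR/crypttab.good" <<EOF
# name             device                                       keyfile               options
myencrypteddisk    UUID=3f2a6c1e-8d4b-4b7e-9c2a-0f1e2d3c4b5a   none                  luks
backupdisk         UUID=7c9e1f20-3b4d-4a5e-8f60-1a2b3c4d5e6f   $SAMPLE_DIR/keyfile   luks
EOF

cat > "$SAMPLE_DIR/crypttab.bad" <<EOF
data1   /dev/sdb1                                    none                   luks
data2   UUID=1234                                    none                   luks
data3   UUID=9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d   $SAMPLE_DIR/loosekey   luks
data4   UUID=0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d   none                   luks   extra
data5   UUID=5f6e7d8c-9b0a-4c1d-8e2f-3a4b5c6d7e8f   none                   luks
EOF

cat > "$SAMPLE_DIR/fstab" <<EOF
UUID=11111111-2222-4333-8444-555555555555   /             xfs   defaults         0 0
/dev/mapper/myencrypteddisk                 /mnt/secure   ext4  defaults         0 2
/dev/mapper/backupdisk                      /mnt/backup   ext4  defaults,nofail  0 2
/dev/mapper/data1  /mnt/d1  ext4  defaults  0 2
/dev/mapper/data2  /mnt/d2  ext4  defaults  0 2
/dev/mapper/data3  /mnt/d3  ext4  defaults  0 2
/dev/mapper/data4  /mnt/d4  ext4  defaults  0 2
EOF

check_crypttab_fstab "$SAMPLE_DIR/crypttab.good" "$SAMPLE_DIR/fstab"
check_crypttab_fstab "$SAMPLE_DIR/crypttab.bad"  "$SAMPLE_DIR/fstab" || true   # five findings expected
```

On a real host call it as check_crypttab_fstab /etc/crypttab /etc/fstab as root; the key file check reads the file's mode, so it needs to run where the key file is reachable.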

Step 6 — Add a Backup Passphrase Key Slot

LUKS2 supports up to 32 key slots (LUKS1 had 8), so several passphrases or key files can each unlock the same volume key. Add a backup passphrase (a recovery key kept securely offline) and, optionally, a key file for automated unlocking on trusted servers. luksDump lists the populated slots by number only, so record which slot holds which secret at the time you add it; you will need that when removing one.

# Add a second passphrase to a new key slot
cryptsetup luksAddKey /dev/sdb1
# Prompted for: existing passphrase, then new passphrase twice

# Verify the key slots in use (LUKS2 lists each populated slot as "<n>: luks2" under "Keyslots:")
cryptsetup luksDump /dev/sdb1 | grep -E '^\s+[0-9]+: luks2'

# Add a key file for automated unlocking (store key file securely)
dd if=/dev/urandom of=/root/luks-keyfile bs=512 count=8
chmod 400 /root/luks-keyfile
cryptsetup luksAddKey /dev/sdb1 /root/luks-keyfile

# Update /etc/crypttab to use the key file
# myencrypteddisk  UUID=xxxx  /root/luks-keyfile  luks

# Remove a key slot (slot 1 in this example). cryptsetup asks for a passphrase from a
# different, still-populated slot before removing it; killing the last populated slot
# makes the data unrecoverable. If you know the passphrase but not its slot number,
# cryptsetup luksRemoveKey /dev/sdb1 removes whichever slot that passphrase opens.
# cryptsetup luksKillSlot /dev/sdb1 1
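The two questions to settle before trusting a volume are whether more than one slot is populated (a recovery key exists) and whether every slot uses argon2id rather than pbkdf2 (a pbkdf2 slot, which cryptsetup creates when given --pbkdf pbkdf2, is far cheaper to brute-force on GPUs). The script below is an added example, not part of the original tutorial: it parses the text that cryptsetup luksDump prints, so it can be pointed at saved dumps as well as a live device. The dumps it runs against are constructed in-line and trimmed to the fields the parser reads; the UUID and the slot layouts are made up.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the keyslot state of a
# LUKS2 header from `cryptsetup luksDump` output. On a live host:
#   cryptsetup luksDump /dev/sdb1 > /tmp/dump.txt && luks_keyslot_audit /tmp/dump.txt

# Print the active keyslot numbers on one line, e.g. "0 1".
luks_active_slots() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }                  # next top-level section ends the list
        in_slots && /^[ \t]+[0-9]+: luks2/ {
            slot = $1; sub(/:$/, "", slot)
            printf "%s%s", (n++ ? " " : ""), slot
        }
        END { print "" }
    ' "$1"
}

# Print "<slot> <pbkdf>" per active keyslot, e.g. "0 argon2id".
luks_slot_pbkdf() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }
        in_slots && /^[ \t]+[0-9]+: luks2/ { slot = $1; sub(/:$/, "", slot) }
        in_slots && /^[ \t]+PBKDF:/        { print slot, $2 }
    ' "$1"
}

# Report on a dump file; returns 0 only when >= 2 slots are populated and all use argon2*.
luks_keyslot_audit() {
    dump=$1
    rc=0
    slots=$(luks_active_slots "$dump")
    count=$(( $(echo "$slots" | wc -w) ))
    echo "active keyslots: ${slots:-none} ($count of 32)"
    if [ "$count" -lt 2 ]; then
        echo "WARN: single keyslot; a forgotten passphrase or a damaged slot loses the data. Add a recovery key with luksAddKey."
        rc=1
    fi
    weak=$(luks_slot_pbkdf "$dump" | grep -v argon2 || true)
    if [ -n "$weak" ]; then
        echo "$weak" | while read -r slot pbkdf; do
            echo "WARN: slot $slot uses $pbkdf; RHEL 9 LUKS2 defaults to argon2id, which is memory-hard and resists GPU cracking far better."
        done
        rc=1
    fi
    return $rc
}

# Constructed luksDump-shaped text (trimmed: a real dump also prints salts,
# AF stripes and area offsets per slot). Each argument is "<slot> <pbkdf>".
sample_dump() {
    printf 'LUKS header information\nVersion:       \t2\nEpoch:         \t5\n'
    printf 'UUID:          \t3f2a6c1e-8d4b-4b7e-9c2a-0f1e2d3c4b5a\n\nData segments:\n  0: crypt\n\tcipher: aes-xts-plain64\n\nKeyslots:\n'
    for spec in "$@"; do
        printf '  %s: luks2\n\tKey:        512 bits\n\tPriority:   normal\n\tCipher:     aes-xts-plain64\n\tPBKDF:      %s\n\tDigest ID:  0\n' \
            "${spec%% *}" "${spec#* }"
    done
    printf 'Tokens:\nDigests:\n  0: pbkdf2\n\tHash:       sha256\n\tIterations: 113258\n'
}

DUMP_DIR=$(mktemp -d)
sample_dump "0 argon2id"              > "$DUMP_DIR/single.txt"   # fresh luksFormat, nothing else
sample_dump "0 argon2id" "1 argon2id" > "$DUMP_DIR/pair.txt"     # after luksAddKey as in Step 6
sample_dump "0 argon2id" "3 pbkdf2"   > "$DUMP_DIR/legacy.txt"   # a slot added with --pbkdf pbkdf2

for f in single pair legacy; do
    echo "== $f"
    luks_keyslot_audit "$DUMP_DIR/$f.txt" || true
done
```

The Digests section of a real dump always reports pbkdf2 (that is the digest algorithm, not a keyslot), which is why both parsers stop at the first top-level heading after Keyslots: rather than grepping the whole dump for the word.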

Conclusion

You have successfully encrypted a disk partition with LUKS2 on RHEL 9 using cryptsetup, created a filesystem on the encrypted container, configured automatic boot-time unlocking via /etc/crypttab, and added backup key slots for recovery. LUKS encryption ensures that data on the partition is unreadable without the correct passphrase or key file, providing essential protection against physical media theft and unauthorised offline access. For full-disk encryption on new system deployments, the RHEL 9 installer supports LUKS natively during partitioning.

Next steps: How to Rotate LUKS Encryption Keys and Re-Encrypt Volumes on RHEL 9, How to Use Tang and Clevis for Network-Bound Disk Encryption on RHEL 9, and How to Audit Encrypted Volumes with NBDE Policy Compliance on RHEL 9.