Disk encryption is a critical layer of defense-in-depth for any Linux server handling sensitive data. LUKS (Linux Unified Key Setup) is the standard on-disk format for Linux disk encryption, and cryptsetup is the user-space tool that manages it. On RHEL 8, LUKS2 is the default format, bringing improved metadata handling, larger headers, and support for Argon2 key derivation. This tutorial walks you through benchmarking, creating and managing LUKS2 containers, automating unlock at boot, adding keyfiles, and safely backing up or wiping encrypted devices.

Prerequisites

  • RHEL 8 server with a spare block device (e.g., /dev/sdb1) for testing
  • Root or sudo access
  • cryptsetup installed: dnf install -y cryptsetup
  • Basic familiarity with partitioning and the Linux filesystem hierarchy

Step 1 — Benchmark Your Hardware

Before committing to a cipher, benchmark available options to find the best throughput for your hardware. cryptsetup benchmark tests AES-XTS and other ciphers against your CPU.

cryptsetup benchmark

Review the output for AES-XTS 256-bit speeds. On modern x86_64 CPUs with AES-NI hardware acceleration, throughput typically exceeds 1 GB/s. Choose aes-xts-plain64 with a 512-bit key (which gives 256-bit effective AES) for the best balance of security and performance.

Step 2 — Create a LUKS2 Container

Format the target partition as LUKS2. You will be prompted to confirm by typing YES (uppercase) and then entering a passphrase. Back up any existing data first — this operation is destructive.

cryptsetup luksFormat --type luks2 /dev/sdb1

To specify the cipher, key size, and a stronger key derivation function explicitly:

cryptsetup luksFormat --type luks2 \
  --cipher aes-xts-plain64 \
  --key-size 512 \
  --hash sha256 \
  --pbkdf argon2id \
  /dev/sdb1

Verify the header was written correctly:

cryptsetup luksDump /dev/sdb1
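Reading luksDump by eye is error-prone once a device has several keyslots, so a scripted policy check is worth having. The following is an added example, not part of the original tutorial and not cryptsetup code: check_luks_policy parses luksDump output from a file or stdin and fails unless it sees a version-2 header, aes-xts-plain64 on the data segment, and a 512-bit key with argon2id on every keyslot. sample_luks_dump prints a constructed sample in the shape of luksDump output (placeholder UUID, no real salts) so the check can be exercised without a device.

```shell
#!/bin/sh
# Added example (not from the original tutorial): policy check over
# `cryptsetup luksDump` output. Usage:
#   cryptsetup luksDump /dev/sdb1 | check_luks_policy
#   check_luks_policy saved-dump.txt

check_luks_policy() {
    awk '
        /^Version:/       { version = $2 }
        /^Data segments:/ { sec = "segments"; next }
        /^Keyslots:/      { sec = "keyslots"; next }
        /^Tokens:/        { sec = "tokens";   next }
        /^Digests:/       { sec = "digests";  next }
        # Cipher of the data segment (the one that actually protects the data).
        sec == "segments" && $1 == "cipher:" { cipher = $2 }
        # Each keyslot starts with "<n>: luks2"; check its key size and PBKDF.
        sec == "keyslots" && $1 ~ /^[0-9]+:$/ { slots++ }
        sec == "keyslots" && $1 == "Key:" && $2 + 0 < 512 { shortkey++ }
        sec == "keyslots" && $1 == "PBKDF:" && $2 != "argon2id" { weak++ }
        END {
            fail = 0
            if (version != "2")  { print "FAIL: header version " version ", want 2"; fail = 1 }
            if (cipher != "aes-xts-plain64") { print "FAIL: data cipher " cipher ", want aes-xts-plain64"; fail = 1 }
            if (slots == 0)      { print "FAIL: no keyslots found"; fail = 1 }
            if (shortkey > 0)    { print "FAIL: " shortkey " keyslot(s) with key shorter than 512 bits"; fail = 1 }
            if (weak > 0)        { print "FAIL: " weak " keyslot(s) not using argon2id"; fail = 1 }
            if (!fail) print "OK: LUKS2, " cipher ", " slots " keyslot(s), 512-bit keys, argon2id"
            exit fail
        }' "${1:--}"
}

# Constructed sample in the shape of luksDump output for a LUKS2 device with
# two keyslots. UUID and counts are placeholders, not real output.
sample_luks_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        AF stripes: 4000
        AF hash:    sha256
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        AF stripes: 4000
        AF hash:    sha256
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000
EOF
}
```

The Digests section also reports pbkdf2, which is the header digest and not a passphrase slot; the section tracking in the awk program is what keeps that line from being flagged as a weak keyslot.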

Step 3 — Open, Format, and Mount the Container

luksOpen maps the decrypted device to a name under /dev/mapper/. After opening, treat it like any regular block device: create a filesystem, then mount it.

cryptsetup luksOpen /dev/sdb1 secure_data
mkfs.xfs /dev/mapper/secure_data
mkdir -p /mnt/secure
mount /dev/mapper/secure_data /mnt/secure
df -h /mnt/secure

When finished with the volume, unmount it and close the device so the plaintext mapping is removed (the data on disk is always stored encrypted; closing only detaches /dev/mapper/secure_data and drops the key from the kernel):

umount /mnt/secure
cryptsetup luksClose secure_data

Step 4 — Add a Keyfile for Automated Boot Unlock

Entering a passphrase at every boot is impractical for servers. A keyfile stored in the initramfs allows automatic unlock. Generate a random keyfile, restrict its permissions, and add it as a LUKS key slot.

mkdir -p -m 0700 /etc/luks-keys
dd if=/dev/urandom of=/etc/luks-keys/secure_data.key bs=4096 count=1
chmod 0400 /etc/luks-keys/secure_data.key
chown root:root /etc/luks-keys/secure_data.key
cryptsetup luksAddKey /dev/sdb1 /etc/luks-keys/secure_data.key

You will be prompted for the existing passphrase to authorize adding the new key slot. LUKS2 supports up to 32 key slots.

Step 5 — Configure Boot-Time Unlock via /etc/crypttab and /etc/fstab

Two files control automatic decryption at boot: /etc/crypttab tells the system how to open the LUKS device, and /etc/fstab tells it where to mount the resulting plaintext device.

# /etc/crypttab
# name          device              keyfile                             options
secure_data     /dev/sdb1           /etc/luks-keys/secure_data.key      luks,discard

Then add the mount entry to /etc/fstab. Use the mapper path, not the raw device:

# /etc/fstab entry
/dev/mapper/secure_data    /mnt/secure    xfs    defaults    0 2

Rebuild the initramfs so the boot image reflects the change. Note that dracut does not copy keyfiles into the image on its own: a data volume like this one, which is not the root filesystem, is opened by systemd-cryptsetup from the real root after the initramfs hands over, so the keyfile can stay at /etc/luks-keys. Only if the device must be opened inside the initramfs do you need to add the file with install_items+=" /etc/luks-keys/secure_data.key " in a /etc/dracut.conf.d/*.conf drop-in before running:

dracut --force
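A mismatch between /etc/crypttab and /etc/fstab (raw device in fstab, keyfile missing or world-readable, keyfile stored on the very volume it unlocks) typically shows up as a boot hanging in emergency mode. The script below is an added example, not from the original tutorial: audit_crypt_config takes the two file paths as parameters so it can be run against copies, checks each crypttab entry against the keyfile on disk and the matching fstab line, prints one finding per line, and returns the number of findings. The finding codes (KEYFILE_PERMS, RAW_DEVICE_IN_FSTAB and so on) are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): static audit of the
# /etc/crypttab and /etc/fstab pairing. Usage:
#   audit_crypt_config /etc/crypttab /etc/fstab
# Output: one line per finding ("CODE name: detail"); exit status = count.

# Mount point that an fstab assigns to a device path, or empty if none.
fstab_mountpoint() {
    awk -v dev="$2" '$1 !~ /^#/ && $1 == dev { print $2; exit }' "$1"
}

audit_crypt_config() {
    crypttab=$1
    fstab=$2
    count=0

    while read -r name device keyfile options; do
        # Skip comments and blank lines.
        case "$name" in ''|'#'*) continue ;; esac

        if [ -z "$keyfile" ] || [ "$keyfile" = none ] || [ "$keyfile" = - ]; then
            echo "INTERACTIVE_UNLOCK $name: no keyfile, boot will stop for a passphrase"
            count=$((count + 1))
        elif [ ! -f "$keyfile" ]; then
            echo "KEYFILE_MISSING $name: $keyfile does not exist"
            count=$((count + 1))
        else
            # Any group/other permission bit on a key material file is too much.
            if [ -n "$(find "$keyfile" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print)" ]; then
                echo "KEYFILE_PERMS $name: $keyfile is readable or writable by group/other"
                count=$((count + 1))
            fi
            if [ -n "$(find "$keyfile" ! -user root -print)" ]; then
                echo "KEYFILE_OWNER $name: $keyfile is not owned by root"
                count=$((count + 1))
            fi
        fi

        # fstab must mount the plaintext mapping, never the raw LUKS device.
        if [ -n "$(fstab_mountpoint "$fstab" "$device")" ]; then
            echo "RAW_DEVICE_IN_FSTAB $name: fstab mounts $device instead of /dev/mapper/$name"
            count=$((count + 1))
        fi

        mnt=$(fstab_mountpoint "$fstab" "/dev/mapper/$name")
        if [ -z "$mnt" ]; then
            echo "NO_FSTAB_ENTRY $name: /dev/mapper/$name is opened but never mounted"
            count=$((count + 1))
        else
            # A keyfile living on the volume it unlocks cannot be read at boot
            # and provides no protection.
            case "$keyfile" in
                "$mnt"/*)
                    echo "KEYFILE_ON_ENCRYPTED_VOLUME $name: $keyfile sits under $mnt"
                    count=$((count + 1)) ;;
            esac
        fi
    done < "$crypttab"

    return "$count"
}

# Run against the live files when two paths are given on the command line.
if [ $# -eq 2 ]; then
    audit_crypt_config "$1" "$2"
fi
```

Because the audit only reads the two files and stat information, it can run from a rescue shell or a configuration-management check before a reboot, which is where a crypttab mistake is cheapest to catch.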

Step 6 — Back Up and Wipe LUKS Headers

The LUKS header contains your key slots. If it is corrupted, all data on the device becomes permanently unrecoverable. Always back up the header to a secure, offline location immediately after creating the container.

cryptsetup luksHeaderBackup /dev/sdb1 \
  --header-backup-file /root/sdb1-luks-header.bak
chmod 0400 /root/sdb1-luks-header.bak

To restore a damaged header:

cryptsetup luksHeaderRestore /dev/sdb1 \
  --header-backup-file /root/sdb1-luks-header.bak

To securely decommission a device, erase all key slots, making the data cryptographically unrecoverable (this does not wipe the ciphertext, but without the master key it is effectively destroyed). luksErase needs no passphrase, only a YES confirmation, and any surviving header backup can restore the erased key slots, so destroy those backups as part of decommissioning:

cryptsetup luksErase /dev/sdb1
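A header backup is only useful if the file is actually a LUKS2 header and nobody but root can read it, so it is worth validating the backup right after writing it rather than on the day a restore is needed. The function below is an added example, not from the original tutorial: check_luks_header_backup reads the first eight bytes of the file (the six-byte LUKS magic followed by the big-endian 16-bit version, which is 2 for LUKS2), rejects empty, truncated, non-LUKS and LUKS1 files, refuses a backup readable by group or other, and prints the size and a cksum value to record alongside the backup.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check a file
# produced by `cryptsetup luksHeaderBackup` before relying on it.
# Usage: check_luks_header_backup /root/sdb1-luks-header.bak

check_luks_header_backup() {
    f=$1
    if [ ! -s "$f" ]; then
        echo "FAIL: $f is missing or empty"
        return 1
    fi
    # First 8 bytes as hex: "LUKS" 0xba 0xbe, then the 16-bit version.
    head8=$(od -An -tx1 -N 8 "$f" | tr -d ' \n')
    case "$head8" in
        4c554b53babe0002) ;;
        4c554b53babe0001) echo "FAIL: $f is a LUKS1 header, not LUKS2"; return 1 ;;
        *) echo "FAIL: $f does not begin with a LUKS header (got $head8)"; return 1 ;;
    esac
    # The backup holds every key slot; it must not be readable beyond root.
    if [ -n "$(find "$f" \( -perm -g+r -o -perm -o+r \) -print)" ]; then
        echo "FAIL: $f is readable by group or other"
        return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    sum=$(cksum "$f" | cut -d' ' -f1)
    echo "OK: $f is a LUKS2 header backup, $size bytes, cksum $sum"
}
```

Keep the printed size and cksum with the offline copy; comparing them later tells you whether the backup file has been truncated or altered in storage before you attempt a luksHeaderRestore.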

Conclusion

You have configured full-disk encryption on RHEL 8 using LUKS2 and cryptsetup, covering everything from initial benchmarking and container creation to keyfile-based automated boot unlock, /etc/crypttab and /etc/fstab integration, header backup, and secure device decommissioning. This setup ensures data-at-rest protection with minimal operational overhead. Remember to store keyfiles and header backups in a separate, secured location — a keyfile on the same device it unlocks provides no protection.

Next steps: How to Configure LVM Thin Provisioning on RHEL 8, How to Encrypt LVM Logical Volumes with LUKS on RHEL 8, and How to Manage Storage with Stratis on RHEL 8.