Linux Unified Key Setup (LUKS) is the standard disk encryption layer on RHEL 8, built on the dm-crypt kernel module and managed through the cryptsetup utility. Encrypting partitions with LUKS ensures that data is unreadable without the correct passphrase or key file, even if physical media is stolen or a drive is decommissioned without secure erasure. This tutorial covers formatting a partition with LUKS2, mounting it, configuring auto-mount on boot via /etc/crypttab, managing multiple passphrases, backing up the LUKS header, and verifying encryption status. Full-disk or partition-level encryption is a mandatory baseline for any RHEL 8 server handling sensitive data.
Prerequisites
- RHEL 8 server with an unformatted block device or spare partition (e.g.,
/dev/sdb1) - Root or sudo access
cryptsetupinstalled:dnf install -y cryptsetup- A backup of any existing data on the target partition — luksFormat is destructive
- Sufficient entropy:
cat /proc/sys/kernel/random/entropy_avail(should be > 256)
Step 1 — Format the Partition with LUKS
cryptsetup luksFormat overwrites the partition header and encrypts it with the passphrase you provide. LUKS2 (the default on RHEL 8) supports Argon2 key derivation for stronger brute-force resistance.
# Confirm the target device (do NOT run this on the wrong device)
lsblk /dev/sdb
fdisk -l /dev/sdb
# Format with LUKS2 (default on RHEL 8 / cryptsetup >= 2.x)
cryptsetup luksFormat --type luks2 /dev/sdb1
# WARNING: This will overwrite data on /dev/sdb1 irrevocably.
# Type YES (uppercase) to proceed, then enter a strong passphrase.
# Verify the LUKS header
cryptsetup luksDump /dev/sdb1The luksDump output shows the cipher (aes-xts-plain64), key size (512-bit for XTS mode = 256-bit effective), and the number of active key slots.
Step 2 — Open the Encrypted Device and Create a Filesystem
luksOpen maps the encrypted partition to a device-mapper name under /dev/mapper/. All reads and writes to the mapper device are transparently encrypted and decrypted.
# Open (decrypt) the partition, naming the mapper device "secure_data"
cryptsetup luksOpen /dev/sdb1 secure_data
# Enter passphrase:
# Verify the mapper device exists
ls -l /dev/mapper/secure_data
cryptsetup status secure_data
# Create an ext4 filesystem on the decrypted device
mkfs.ext4 /dev/mapper/secure_data
# Mount the filesystem
mkdir -p /mnt/secure
mount /dev/mapper/secure_data /mnt/secure
df -h /mnt/secureStep 3 — Configure Auto-Mount on Boot with /etc/crypttab and /etc/fstab
To automatically unlock and mount the partition at boot, add entries to both /etc/crypttab (which runs cryptsetup luksOpen at boot time) and /etc/fstab.
# Get the UUID of the LUKS device (not the mapper device)
blkid /dev/sdb1
# Example: /dev/sdb1: UUID="a1b2c3d4-..." TYPE="crypto_LUKS"
# Add to /etc/crypttab:
# Format: mapper_name device_UUID key_file options
# Use "none" for interactive passphrase at boot, or path to a keyfile
echo "secure_data UUID=a1b2c3d4-e5f6-7890-abcd-ef1234567890 none luks"
>> /etc/crypttab
# Add to /etc/fstab for automatic mounting after unlock
echo "/dev/mapper/secure_data /mnt/secure ext4 defaults,nofail 0 2"
>> /etc/fstab
# Test without rebooting
systemctl daemon-reload
mount -aStep 4 — Use a Key File for Unattended Boot
Servers that must reboot without human interaction can use a key file stored on a separate, access-controlled location (or in a TPM/network key escrow for higher security).
# Generate a random 4096-byte key file
dd if=/dev/urandom of=/etc/luks-keys/secure_data.key bs=1 count=4096
chmod 600 /etc/luks-keys/secure_data.key
chown root:root /etc/luks-keys/secure_data.key
# Add the key file as a LUKS key slot
cryptsetup luksAddKey /dev/sdb1 /etc/luks-keys/secure_data.key
# Enter any existing passphrase to authorize the addition
# Update /etc/crypttab to reference the key file
# Replace "none" with the key file path
sed -i 's|none luks|/etc/luks-keys/secure_data.key luks|' /etc/crypttab
# Verify key slots (should show 2 active slots: passphrase + key file)
cryptsetup luksDump /dev/sdb1 | grep -i "key slot"Step 5 — Add Extra Passphrases and Back Up the LUKS Header
LUKS supports up to 8 (LUKS1) or 32 (LUKS2) key slots, allowing multiple authorized passphrases. Back up the header before any key management operation — header corruption makes the partition permanently unrecoverable.
# Add a second passphrase (e.g., for a backup administrator)
cryptsetup luksAddKey /dev/sdb1
# Enter existing passphrase to authorize, then enter and confirm new passphrase
# Remove a passphrase (by passphrase)
cryptsetup luksRemoveKey /dev/sdb1
# Enter the passphrase to remove
# Back up the LUKS header to a secure, offline location
cryptsetup luksHeaderBackup /dev/sdb1
--header-backup-file /root/luks-header-backup-sdb1.bin
chmod 600 /root/luks-header-backup-sdb1.bin
# Restore a header if ever needed (DANGEROUS — use only for recovery)
# cryptsetup luksHeaderRestore /dev/sdb1
# --header-backup-file /root/luks-header-backup-sdb1.binStep 6 — Verify Encryption Status and Close the Device
Confirm the encrypted device details and securely close it when not in use.
# Show cipher, key size, and device status
cryptsetup status secure_data
# Expected: type: LUKS2, cipher: aes-xts-plain64, keysize: 512 bits, device: /dev/sdb1
# Check if LUKS2 is being used
cryptsetup luksDump /dev/sdb1 | grep "Version:"
# Unmount and close (lock) the device
umount /mnt/secure
cryptsetup luksClose secure_data
# Confirm device is no longer listed
ls /dev/mapper/ | grep secure_dataConclusion
Your RHEL 8 partition is now encrypted with LUKS2, automatically unlocked at boot, and protected by multiple key slots with a backed-up header. LUKS encryption ensures that even physical access to a drive does not expose sensitive data. Store the header backup and key files in separate, secure locations — ideally encrypted removable media kept offline. Combine LUKS with SELinux and filesystem-level permissions for a defense-in-depth storage security strategy.
Next steps: How to Set Up Tripwire for File Integrity Monitoring on RHEL 8, How to Configure DNSSEC on RHEL 8, and How to Harden Web Servers with Security Headers on RHEL 8.
