Frequently Asked Question
What is LUKS full-disk encryption and when do I need it?
LUKS, the Linux Unified Key Setup, is the standard on-disk format for block-device
encryption on Linux, sitting on top of the kernel's dm-crypt driver. It encrypts a
partition (or whole disk) using AES-XTS by default, derives the data-encryption key
from a passphrase via a deliberately slow key-derivation function (Argon2id in LUKS2),
and supports up to eight passphrase or keyfile slots so multiple admins can each have
their own credential. The userland tool is cryptsetup.
The threat LUKS addresses is physical: a stolen laptop, a decommissioned server whose
disks were not wiped, a phone left in a taxi. Once the machine is powered off, the data
on disk is a meaningless block of ciphertext until someone supplies a valid key. What
LUKS does not protect against is a running machine with the volume already unlocked
(at that point the data is plaintext to the kernel), or an attacker who can coerce or
capture the passphrase.
For laptops and any machine that physically leaves a controlled facility, encrypt the
root volume during installation; every major distribution has a check-box for it. For
servers in a datacentre, encrypt at least the volumes that hold private keys, customer
data, and backups, and consider TPM-backed automatic unlocking
(systemd-cryptenroll --tpm2-device=auto) so reboots do not require a human at the console.
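A defender-side check that follows from the settings described above, as an added example that is not part of the FAQ or of cryptsetup: a POSIX shell function that audits a `cryptsetup luksDump` listing for LUKS2, AES-XTS and Argon2id keyslots. The sample header it is fed is constructed, and the function name is my own.

```shell
#!/bin/sh
# Added example: audit a `cryptsetup luksDump` listing read on stdin.
# Real usage: cryptsetup luksDump /dev/sdX2 | audit_luks_dump

# Return 0 when the header is LUKS2, every data segment uses aes-xts-plain64 and every
# keyslot derives its key with argon2id; otherwise print each finding and return 1.
# Only the Keyslots section is inspected for the PBKDF: the Digests section reports
# pbkdf2 by design, so a plain grep for "pbkdf2" would produce a false positive.
audit_luks_dump() {
    awk '
        BEGIN { ok = 1; slots = 0; section = "" }
        /^Version:/ && $2 != "2" { print "FINDING: header version " $2 ", not LUKS2"; ok = 0 }
        /^Data segments:/         { section = "segments"; next }
        /^Keyslots:/              { section = "keyslots"; next }
        /^Tokens:/ || /^Digests:/ { section = "other"; next }
        section == "segments" && /^[ \t]*cipher:/ && $2 != "aes-xts-plain64" {
            print "FINDING: data segment cipher " $2; ok = 0 }
        section == "keyslots" && /^[ \t]+[0-9]+:/ { slot = $1; sub(":", "", slot); slots++ }
        section == "keyslots" && /^[ \t]*PBKDF:/ && $2 != "argon2id" {
            print "FINDING: keyslot " slot " derives its key with " $2; ok = 0 }
        END {
            if (slots == 0) { print "FINDING: no keyslots found"; ok = 0 }
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample in the shape cryptsetup prints; UUID and salts omitted, not real.
SAMPLE_GOOD='LUKS header information
Version:        2
Data segments:
  0: crypt
    cipher: aes-xts-plain64
Keyslots:
  0: luks2
    Cipher:     aes-xts-plain64
    PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256'

# Same header with the keyslot switched to PBKDF2 (what an old LUKS1-style setup used).
SAMPLE_WEAK=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/argon2id/pbkdf2/')

printf '%s\n' "$SAMPLE_GOOD" | audit_luks_dump && echo "sample header: OK"
```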