Last week we learned how to create and use an encrypted, password-protected hard-drive partition using cryptsetup-luks. Today we're going to learn how to mount it automatically at boot, how to encrypt a USB stick, and some slick password-management hacks.

You may add up to seven passwords to your encrypted partition. While you shouldn't go too crazy, having a second password could save you if you ever lose your first password. Or maybe you need to ensure that you always have access to your users' data. The encrypted partition must be unmounted and closed first. These examples use the partition we created in Part 1:

# umount crypted
# cryptsetup luksClose sda2

Then run the cryptsetup luksAddKey command to create a new password. Note that you must use the /dev name of your partition and not the /dev/mapper name. There is no cryptsetup-luks device because it is closed; this is a common error that is responsible for a lot of hair loss. Run the password-creation command like this:

# cryptsetup luksAddKey /dev/sda2
Enter any LUKS passphrase:
key slot 1 unlocked.
Enter new passphrase for key slot:
Verify passphrase:
Command successful.

Then you can try out your new password:

# cryptsetup luksOpen /dev/sda2 sda2
Enter LUKS passphrase:
key slot 1 unlocked.
Command successful.

You now have two keys slots, 0 and 1.

Removing a password is done with this command:

# cryptsetup luksDelKey  /dev/sda2  1
Enter any remaining LUKS passphrase:
key slot 2 unlocked.
Command successful.

Next: Query Commands »