LUKS2

LUKS2, short for Linux Unified Key Setup version 2, is the second generation format for disk encryption on Linux. It is designed to replace LUKS1 as the standard for full-disk encryption managed by the dm-crypt subsystem and the cryptsetup user-space tool. LUKS2 introduces a more flexible and robust header format that is self-describing and separate from the encrypted data, facilitating upgrades and feature extensions without altering the data layout.

Key management in LUKS2 centers on multiple key slots that store the master key encrypted under different passphrases or key files. The header contains the parameters for deriving the encryption key from a chosen passphrase, including modern key derivation functions. Argon2id is supported among the available KDFs, replacing older, less memory-hard options, which enhances resistance to offline attacks while allowing older setups to continue to function with compatible options.

LUKS2 also emphasizes resilience and future-proofing. The header is designed with added redundancy, including copies of critical metadata across the device to aid recovery if a portion of the header becomes unreadable. The metadata is more extensible, permitting new features and options to be added over time without breaking compatibility with the encrypted data layout.

Usage and ecosystem: LUKS2 is supported by the Linux kernel's dm-crypt driver and the cryptsetup user-space tool, making it the default choice for new Linux installations that require full-disk encryption. It remains interoperable with modern Linux distributions and is widely adopted for laptops, desktops, and servers seeking transparent encryption of storage.
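
The per-keyslot KDF parameters described above are stored in the header's JSON metadata. The following added example (not part of the original page and not cryptsetup's code) reads a primary header image and reports which keyslots use a memory-hard KDF. It assumes the published LUKS2 on-disk layout (6-byte magic, big-endian version and header size, a 4096-byte binary header followed by NUL-padded JSON); the function names and the sample header are constructed here, and header checksum verification is omitted.

```python
import json
import struct

LUKS2_MAGIC = b"LUKS\xba\xbe"   # primary header magic (assumed from the on-disk spec)
BIN_HDR_SIZE = 4096             # binary header; the JSON area follows it

def parse_luks2_metadata(blob: bytes) -> dict:
    """Return the JSON metadata from a primary LUKS2 header image."""
    if len(blob) < BIN_HDR_SIZE:
        raise ValueError("image shorter than the binary header")
    # magic[6], version (u16), hdr_size (u64), all big-endian
    magic, version, hdr_size = struct.unpack_from(">6sHQ", blob, 0)
    if magic != LUKS2_MAGIC:
        raise ValueError("not a primary LUKS header")
    if version != 2:
        raise ValueError(f"LUKS version {version}, expected 2")
    if hdr_size <= BIN_HDR_SIZE or hdr_size > len(blob):
        raise ValueError("hdr_size out of range for this image")
    # The JSON area is NUL-padded up to hdr_size.
    json_area = blob[BIN_HDR_SIZE:hdr_size].split(b"\x00", 1)[0]
    return json.loads(json_area)

def audit_keyslot_kdfs(metadata: dict) -> list:
    """Return (slot, kdf_type, memory_hard) per keyslot, sorted by slot."""
    rows = []
    for slot, ks in metadata.get("keyslots", {}).items():
        kdf = ks.get("kdf", {}).get("type", "unknown")
        rows.append((int(slot), kdf, kdf in ("argon2i", "argon2id")))
    return sorted(rows)

def build_sample_header() -> bytes:
    """Constructed sample: minimal header image with two keyslots."""
    meta = {"keyslots": {
        "0": {"type": "luks2", "kdf": {"type": "argon2id", "time": 4,
                                       "memory": 1048576, "cpus": 4}},
        "1": {"type": "luks2", "kdf": {"type": "pbkdf2", "hash": "sha256",
                                       "iterations": 1000000}},
    }}
    hdr_size = 16384  # binary header plus JSON area
    binary = struct.pack(">6sHQ", LUKS2_MAGIC, 2, hdr_size).ljust(BIN_HDR_SIZE, b"\x00")
    body = json.dumps(meta).encode().ljust(hdr_size - BIN_HDR_SIZE, b"\x00")
    return binary + body

if __name__ == "__main__":
    meta = parse_luks2_metadata(build_sample_header())
    for slot, kdf, hard in audit_keyslot_kdfs(meta):
        print(f"keyslot {slot}: {kdf} ({'memory-hard' if hard else 'not memory-hard'})")
```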